App security, and breach reports from government agencies
Reports on data breaches and concerns over data security only increase in number and magnitude as time goes by. All you have to do to see the evidence is examine any data security incident.
This is especially true in Canada, where reports occurred six times more in 2019 than in 2018. Thanks to the Personal Information Protection and Electronic Documents Act (PIPEDA), which serves as a new notification requirement for Canadian companies that experience breaches, more companies were compelled to file any incident. One of the more glaring reports is that there were almost 8,000 data breaches across several government departments, compromising the information of 144,000 people (I’m actually surprised it wasn’t more). The greatest of these belonged to the Canadian Revenue Agency (CRA), which totaled almost half of the data affected.
Of course, Canadian government agencies aren’t the only ones fighting against this threat. It’s been some years now since the Office of Personnel Management (OPM) experienced its unsurpassed breach, and now the Defense Information Systems Agency (DISA), an agency at the US Department of Defense (DoD), is facing something similar. Earlier this month DISA sent out notifications that it was facing a potential breach that could compromise the personally identifiable information (PII) of thousands of military and civilian personnel in its employ, including Social Security numbers. According to the agency, there is yet no evidence that the information has been misused.
Meanwhile, application security continues to frustrate IT teams and users alike. Noam Rotem and Ran Locar, security researchers who we’ve covered multiple times, have discovered another data breach, this time in the photo printing App PhotoSquared. Upwards of 100,000 customers had their information exposed, such as pictures, print labels, addresses and invoices. The breached database that stored the information was on Amazon Web Services (AWS) with an unsecured client S3 bucket, which we have also observed in past security incidents. One of which was likewise uncovered by the Rotem and Locar duo and affected British citizens and a host of their data, from job applications to emails to tax documents.
“It’s important to note,” add the researchers, “that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket,” and that “owners at times fail to implement basic security protocols.”
The trend of data breaches, and naturally the notifications that follow, only looks to further increase. This is why it’s more important than ever to take stock of your resources, your data collection and protection policies, and cyber insurance.