Briefing: Adobe Data Breach (Oct 2019)
What is happening?
Last week Adobe made the headlines when account information for nearly 7.5 million Adobe Creative Cloud users was left exposed on the internet inside an Elasticsearch database that was connected online without password protection. This is the second major Adobe data breach, after the 2013 incident in which full records of nearly 38 million Adobe users were breached, resulting in Adobe paying out $1.2 million USD plus settlements.
This time the data breach was allegedly discovered and secured on the same day, with IT security experts and journalists praising Adobe’s agility in responding to cybersecurity threats. Moreover, the data that was exposed primarily included customer account information such as email address, subscription status and account creation dates, rather than more sensitive information such as the financial details and other personally identifiable information that were leaked in 2013. This particular data breach incident was therefore considered to be less severe, compared not only to the previous leak but also to past leaks at other companies.
However, despite the Adobe IT security team’s quick response and speedy recovery, it is unclear whether someone accessed the database and retrieved its contents before it was secured. Customers whose email addresses were contained in the database may be prone to receiving spam emails and to other online criminal activity such as spear-phishing, where fraudsters could pose as Adobe or a related company and trick users into disclosing further personal information such as passwords.
What does this mean for my business?
A simple search on Google reveals that the frequency of data breach incidents has skyrocketed in 2019 at an unprecedented rate, with social media giant Facebook, graphics design platform Canva, Air Canada, and many other global corporations making headlines due to their lack of IT security and sprawling illegal activity online.
Business owners need to understand that hackers like to pick easy targets and that any data breach, whether malicious or accidental by nature, can potentially result in devastating financial and legal consequences for the business.
In an attempt to curb the growth of IT security incidents in the age of big data, our advice to businesses is to focus on the basics of data governance and cybersecurity before embarking on more advanced technological business transformations with AI-driven solutions and blockchain-enabled products.
Data governance and compliance training is the key to success
A new report published in the UK has revealed that more than half of the 4,856 data breaches reported by the Information Commissioner’s Office (ICO) this year were caused by human error. Of these reported incidents, 43% were the result of incorrect disclosure, 18% were attributed to emailing incorrect recipients and 5% were phishing-related. Furthermore, data breach incidents are also highly associated with inadequate policies to regulate internal procedures, or an inability to set up a robust framework to guide and assist with processes involving data. These statistics paint a clear picture: information security must be resilient to both internal and external threats.
In order to protect the business from internal threats, business owners may decide to engage third-party training providers to educate their staff on data governance and compliance and to boost awareness of information security.
And this is where we come in.
At Aurum (Data Governance) Consultancy, our mission is to mitigate the compliance and technological risks for businesses and communities undertaking digital transformation. We regularly organise and provide data protection and governance training and workshops to assist professionals, businesses and communities interested in digital transformation.
Separate to the above, our Transformational Productised Service (TPS) package provides the following:
· Assessment - we advise businesses on their operations, products and/or services from a data protection compliance, security and risk assessment perspective.
· Implementation - we help businesses to build and implement programmes that enhance their privacy & data protection management. We also help businesses to set up policies, procedures and guidelines to mitigate compliance and security risks.
· Monitoring - we monitor the ever-changing regulatory landscape on behalf of our clients and ensure their businesses are not exposed to vulnerabilities and threats in terms of compliance and risk issues.
If you would like to understand more about the services we provide, please reach out to firstname.lastname@example.org or Tel: +852 3725 4806.