Disney, Macy’s & T-Mobile were Just Hacked: Learn to Live with It!
Over the past few weeks, significant data breaches involving three very well-known and respected brands were reported. The Macy’s breach, which resulted in stolen customer PII and payment information, appears to have been a targeted compromise of the company’s website. The T-Mobile breach method was not disclosed, but it exposed PII for over 1 million customers. Disney, however, reported seeing no evidence of hacking in the theft of PII from “thousands” of customers. Many are speculating it was the result of “credential stuffing.” In this attack, a large set of usernames and passwords stolen from other sites is replayed against the login page of a particular provider. Because people tend to reuse usernames and passwords, a meaningful fraction of the stolen credentials also work at providers that were never breached. Advanced credential stuffing tools manage the attack for the criminal: they rotate through proxies, pace the requests, and mimic ordinary browsers so that a flood of login attempts looks like many unrelated, legitimate users.
Listen folks. No matter how hard we have tried to prevent data breaches, they still occur. I, and many others, have reached the perhaps obvious conclusion that we simply cannot prevent data breaches. Macy’s, Disney, T-Mobile and many other breached organizations have highly capable staff working diligently to protect their customer data, yet it still happened. The “error surface” is simply too large, with far too many variables, to prevent breaches from occurring. We have to learn to live with the inevitable.
Sure, we should still try to prevent breaches, but let’s not kid ourselves into thinking we can. They’re unavoidable and, when they happen at another company, completely out of our control. We just have to learn to live with it. Simply going numb to the perpetual onslaught of data breaches, however, is not the answer. There is something you can do about it!
The only thing you *can* do, the only action you *can* take is to protect your company against the use of the stolen data. That is within your control. You don’t need to know what data was stolen, although that would help. Your organization needs a way to *effectively* detect when someone is trying to open a new account or take over an existing account with stolen identity data. You can’t prevent the rain, but you can certainly invest in an umbrella.
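The credential stuffing behaviour described earlier (one breach list replayed against another provider, often through rotating proxies) and the detection need stated above come together in the following added example. It is illustration code written for this page, not Transmit Security’s product or any real login system: the log format, the field names, the sample log lines and every threshold are constructed assumptions. It shows two cheap signals a login service can compute from its own authentication log: a single source cycling through many different usernames with almost nothing succeeding, and a proxy-rotated campaign that stays under per-IP limits but reveals itself as one User-Agent string spread across many IPs with an unusual share of attempts against usernames that do not exist at this provider (a tell-tale of a list stolen from somewhere else).

```python
"""Added example (not Transmit Security's code): spotting credential stuffing
in constructed authentication log lines. Log format, thresholds and sample
data are assumptions made for this illustration only."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed log format: one login attempt per line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>ok|bad_password|no_such_user) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample: two real users, one noisy stuffing host, and a
# proxy-rotated campaign that sends only two attempts per IP.
SAMPLE_LOG = """
2019-11-20T10:00:01Z ip=198.51.100.5 user=bob result=bad_password ua="Mozilla/5.0 (iPhone) Safari/13"
2019-11-20T10:00:09Z ip=198.51.100.5 user=bob result=bad_password ua="Mozilla/5.0 (iPhone) Safari/13"
2019-11-20T10:00:20Z ip=198.51.100.5 user=bob result=ok ua="Mozilla/5.0 (iPhone) Safari/13"
2019-11-20T10:01:00Z ip=198.51.100.9 user=carol result=ok ua="Mozilla/5.0 (Macintosh) Firefox/70"
2019-11-20T10:02:00Z ip=203.0.113.7 user=amy result=no_such_user ua="python-requests/2.22"
2019-11-20T10:02:01Z ip=203.0.113.7 user=ben result=bad_password ua="python-requests/2.22"
2019-11-20T10:02:01Z ip=203.0.113.7 user=cat result=no_such_user ua="python-requests/2.22"
2019-11-20T10:02:02Z ip=203.0.113.7 user=dan result=bad_password ua="python-requests/2.22"
2019-11-20T10:02:02Z ip=203.0.113.7 user=eve result=ok ua="python-requests/2.22"
2019-11-20T10:02:03Z ip=203.0.113.7 user=fay result=no_such_user ua="python-requests/2.22"
2019-11-20T10:02:03Z ip=203.0.113.7 user=gus result=bad_password ua="python-requests/2.22"
2019-11-20T10:02:04Z ip=203.0.113.7 user=hal result=bad_password ua="python-requests/2.22"
2019-11-20T10:05:00Z ip=203.0.113.20 user=ian result=no_such_user ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78"
2019-11-20T10:05:30Z ip=203.0.113.20 user=joy result=bad_password ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78"
2019-11-20T10:06:00Z ip=203.0.113.21 user=kim result=bad_password ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78"
2019-11-20T10:06:30Z ip=203.0.113.21 user=lou result=no_such_user ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78"
2019-11-20T10:07:00Z ip=203.0.113.22 user=max result=bad_password ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78"
2019-11-20T10:07:30Z ip=203.0.113.22 user=ned result=no_such_user ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78"
2019-11-20T10:08:00Z ip=203.0.113.23 user=oli result=bad_password ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78"
2019-11-20T10:08:30Z ip=203.0.113.23 user=pat result=ok ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78"
2019-11-20T10:09:00Z ip=203.0.113.24 user=quin result=no_such_user ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78"
2019-11-20T10:09:30Z ip=203.0.113.24 user=rae result=bad_password ua="Mozilla/5.0 (Windows NT 10.0) Chrome/78"
"""


@dataclass(frozen=True)
class Attempt:
    ts: str
    ip: str
    user: str
    result: str  # ok | bad_password | no_such_user
    ua: str


def parse_log(text: str) -> list[Attempt]:
    """Parse the assumed log format; lines that do not match are skipped."""
    attempts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(Attempt(**m.groupdict()))
    return attempts


def _stats(group: list[Attempt]) -> dict:
    """Aggregate counts for one bucket of attempts (an IP or a User-Agent)."""
    n = len(group)
    return {
        "attempts": n,
        "distinct_users": len({a.user for a in group}),
        "distinct_ips": len({a.ip for a in group}),
        "success_rate": sum(a.result == "ok" for a in group) / n,
        "unknown_user_rate": sum(a.result == "no_such_user" for a in group) / n,
    }


def flag_noisy_sources(attempts, min_attempts=8, min_user_ratio=0.8, max_success_rate=0.25):
    """Single-host stuffing: one IP tries many *different* usernames and almost
    none succeed. A legitimate user who mistypes retries the *same* account."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    return {ip: s for ip, g in by_ip.items() if (s := _stats(g))["attempts"] >= min_attempts
            and s["distinct_users"] / s["attempts"] >= min_user_ratio
            and s["success_rate"] <= max_success_rate}


def flag_distributed_campaign(attempts, min_ips=5, max_attempts_per_ip=3, min_unknown_user_rate=0.3):
    """Proxy-rotated stuffing: each IP stays under per-IP limits, but the tool
    reuses one User-Agent across all proxies and replays a list stolen from
    another site, so many attempts name users that do not exist here."""
    by_ua = defaultdict(list)
    for a in attempts:
        by_ua[a.ua].append(a)
    return {ua: s for ua, g in by_ua.items() if (s := _stats(g))["distinct_ips"] >= min_ips
            and s["attempts"] / s["distinct_ips"] <= max_attempts_per_ip
            and s["unknown_user_rate"] >= min_unknown_user_rate}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("noisy sources:", flag_noisy_sources(events))
    print("distributed campaigns:", flag_distributed_campaign(events))
```

Run as-is, the script flags 203.0.113.7 as a noisy source (8 attempts, 8 distinct usernames, one success) and the shared Chrome/78 User-Agent as a distributed campaign (5 IPs, 2 attempts each, 40% of attempts against non-existent users), while the two real users trigger nothing. The User-Agent header is trivially spoofed and a popular browser string is shared by real customers too, so in production the bucketing key would be something harder to forge (TLS or device fingerprint, ASN, a hash of the submitted password) and the thresholds would be tuned against the site's own baseline of unknown-user and failed-login rates.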
Effectively and consistently detecting the use of stolen identity data is not easy, but it is doable. It requires more than the newest authentication technology, more than two-factor authentication (2FA), more than the myriad fraud detection tools that are available. It requires a company-wide approach that coordinates and automates everything you’re doing into one cohesive strategy and fully integrated platform. Every protection mechanism in place must be integrated and coordinated to maximize effectiveness and eliminate chinks in the armor.
Cybercriminals know how to skirt our defenses, leveraging their ability to circumvent point solutions step by step. They know how to leverage our lack of cross-channel coordination and slide under our fraud detection radar. They know how to mix advanced technical attacks with old-fashioned social engineering attacks to breach our defenses.
But, when we harness and leverage the troves of data we have on every prospect and customer interaction, when we see all activities associated with an entity across the organization, when we take advantage of the latest authentication technologies, when we have highly agile processes that can adapt to inevitable changes in the threat landscape – we can fully protect ourselves, even in light of millions of stolen PII records.
Transmit Security’s customers care about data breaches, but they are now less concerned about the breached PII being used to compromise their institutions. Contact Transmit to learn how to live with the fact that stolen PII is being used to target your institution.