The Most-Ignored Data Security Practice: A Lesson From Twitter’s Data Breach Nightmare
“We’re embarrassed, we’re disappointed, and more than anything, we’re sorry.”
Just last week, Twitter revealed a major hack involving a bitcoin scam that targeted dozens of high-profile accounts, including former President Obama, Michael Bloomberg, Apple, and more. On Wednesday night, the company said the hackers successfully targeted employees who had access to its internal systems in what it believes to be a coordinated social engineering attack.
While the company declined to provide further details about how this happened, it's a cautionary tale of what can happen when trusted privileged access falls prey to insider attacks and the consequence of weak data security practices. Although many companies have strengthened security controls to ensure only the right people have access to sensitive data, redacting and obfuscating data in all environments is equally critical to effectively managing risk—especially when losing chain of custody to third parties or in today’s world of remote work.
Not Every Insider Threat is Malicious, But All are Dangerous
Anyone with trusted access to data can exploit vulnerabilities that lead to millions of dollars in damage. In Twitter’s case, the hacker was able to access its internal systems after first gaining entry into Twitter’s Slack account, where allegedly, he found unspecified Twitter credentials that gave him access to the company's servers, according to The New York Times.
The attack broke into the Twitter accounts of world leaders, celebrities, and tech moguls, and sent out tweets from those accounts offering to pay a sender double any payment they made to a Bitcoin wallet address. The hackers also reset the passwords of 45 of the 130 accounts targeted.
The real question is: why did Twitter’s internal staff have access to live systems and data in the first place?
Too often, employees either aren’t aware they could be violating security policies or don’t understand how shortcuts can put customers’ data (and their company, too) at risk. But the technology exists for companies to keep customer data safe; it’s called data masking.
Data masking technology, powered by DataOps, can automatically identify where sensitive data resides—across every system including non-production environments for development, testing, and analytics. It then applies algorithms that replace the original value with a fictitious but realistic equivalent in an irreversible way. Teams can also define a policy that controls data access and integrate it into governance workflows. That way, internal teams only have access to masked versions of data and always operate in compliant environments.
Data Breaches Are a Matter of When, Not If
Data breaches are nothing new. And breaches are inevitable if you’re in the data business. A lot of the data that businesses regularly collect, manage, and store is sensitive data that is vulnerable to a breach and subject to regulations, such as the GDPR or CCPA.
In fact, research estimates that for every production instance of an application, there are typically over 10 copies of non-productions. Insiders, such as developers, analysts, and testers, often have broad access to these lower environments—that contain a vast majority of sensitive data—in order to carry out their responsibilities.
Unlike production systems that are highly protected, non-prod environments carry more risk and are generally less protected. In order for companies to minimize footprint and enhance their security posture, data masking provides a way to continuously deliver de-identified data to internal teams and mitigate the risk of a breach.
While hackers and malicious attackers are mostly to blame, organizations can do a better job protecting their data rather than inadvertently leaving their sensitive data vulnerable or exposed.
Because at the end of the day, the more masked data your company has, the less there is for bad actors to steal.
Every Company Needs Data Responsibility
Despite a worldwide pandemic, hackers are continuing to unleash cyber attacks on businesses. Just in 2020, Microsoft, Estée Lauder, T-Mobile, Marriott, U.S. Small Business Administration, Nintendo, and EasyJet were hit by data breaches.
The main takeaway from this most recent incident is that attackers were able to defeat the intrusion detection systems and gain access to production. Why the internal staff had access to live systems and its data is not known at this time, but this is an important lesson in the cyberworld—employees continue to be the biggest weakness in IT security. There is absolutely no justification in the modern world for keeping backdoor access to customer data. Because if there’s a way to do it, malicious actors will exploit it.