There’s an old saying: What doesn’t kill you makes you stronger.
It’s a morbid thought, but there’s a grain of truth to it. Innumerable organizations — nonprofits, for-profits, NGOs, government agencies — have learned this the hard way since the dawn of the Information Age.
As the victims of unwanted digital intrusions and data theft, they’ve shared front-row seats to the rapidly changing cyber security landscape.
They — and all of us — have learned quite a bit in the process. And many have done well to defend their interests — and their clients’ — amid the uncertainty.
From the 2021 Pandora Papers leak, which exposed records held by Asiaciti Trust and 13 other providers of legal and financial services, to the May 2021 ransomware attack on Colonial Pipeline that disrupted the flow of petroleum products to the eastern United States, the importance of preparing for digital crises before they happen has never been clearer.
What lessons can we draw from these events? Let’s examine five of the most significant data incidents of the past 20 years to find out.
1. Alibaba (2019)
The Alibaba event wasn’t major news in North America or Europe, but it was a very big deal in China, where most Alibaba users reside.
The incident came to light through a 2021 court ruling, which described it as the unauthorized scraping of more than 1.1 billion pieces of user data (user IDs, phone numbers and other personal details) from Alibaba's Taobao marketplace over roughly eight months, beginning in late 2019. The scraper, a software developer working for an affiliate marketing firm, was prosecuted and imprisoned.
The event was notable because the stolen data wasn't publicly disseminated or sold; it was collected for the scraper's own marketing use.
It served as a reminder that many data intrusions have economic rather than political or nihilistic motives, and that bulk collection through ordinary-looking page requests can run for months if nobody is watching request volumes for it.
2. Target (2013-14)
Target, a major U.S. retailer, suffered a massive data intrusion during the 2013 holiday shopping season; it was disclosed in December 2013 and the details unfolded into 2014. Roughly 40 million payment card numbers and the personal details of some 70 million customers were exposed. The event was noteworthy because of the vector: attackers used credentials stolen from a regional HVAC contractor that had been granted access to Target's networks, then moved from the vendor-facing systems into the point-of-sale environment.
It was one of the first publicly disclosed mega-intrusions to come through a third party, and it prompted other large companies to review who holds access to their networks and to segment vendor access from the systems that handle payments.
3. Home Depot (2014)
Shortly after Target, U.S. home improvement retailer Home Depot suffered a similar intrusion that began with a third-party vendor's login credentials. The attackers elevated their access from there and installed custom malware on self-checkout point-of-sale terminals.
The incident, which ran from April to September 2014, resulted in the theft of about 56 million payment card numbers used at the company's self-checkout lanes, along with tens of millions of customer email addresses.
It prompted other retailers to examine self-checkout security, accelerate the rollout of chip-enabled (EMV) terminals, and further clamp down on third-party credentialing.
4. Yahoo (2013-14)
The Yahoo intrusions were the largest such events to date (the 2013 intrusion alone touched every one of its roughly three billion accounts), but their size was secondary. Instead, they served as a cautionary tale about the perils of waiting to disclose adverse data events.
Yahoo was hit twice, in 2013 and again in 2014. Its own later investigation found that staff knew of the 2014 intrusion at the time it happened. Yet the company didn't publicly disclose either incident until September and December 2016, while its sale to Verizon was pending.
The disclosures, made out of necessity during Verizon's due diligence, threatened to scuttle the deal. Verizon ultimately cut its offer by roughly $350 million, to about $4.48 billion, and in 2018 Yahoo's successor paid a further $35 million penalty to the U.S. Securities and Exchange Commission for failing to tell investors about the 2014 intrusion.
5. LinkedIn (2012 and 2021)
The lesson of LinkedIn's two major data incidents is that history really can repeat itself. The first, in 2012, was the more serious: attackers took the credentials of well over 100 million accounts. LinkedIn had stored the passwords as unsalted SHA-1 hashes, so a large share of them were cracked within days of the initial dump surfacing, and the full scale (more than 117 million password hashes) only became public when the data was offered for sale in 2016.
The second, in 2021, involved the bulk scraping of profile details for hundreds of millions of members but not passwords or payment card information. LinkedIn said its systems were not breached; the data was gathered from information already visible on public profiles, through automated profile views at a scale no legitimate user would generate.
Both show that a control which was adequate yesterday, whether a password hashing scheme or a limit on profile views, can be inadequate today, underlining the importance of maintaining a nimble security posture in a constantly evolving threat landscape.
Take Care of Yourself First
We’ve learned quite a bit from data incidents over the years, from the recent leak affecting Asiaciti Trust and other fiduciaries to long-ago breaches that temporarily felled consumer products giants. It’s far more than one can fit in a single summary article.
If there’s one lesson to take away from this disquieting history, let it be the importance of getting your own house in order: taking care of your own organization’s security, and your own personal security to boot, before worrying too much about what others are doing.
To be sure, any organization that relies on third parties to get work done, and virtually all organizations do, needs to care about their security as well.
Holding third parties to strict security standards, and granting them only the access they need for only as long as they need it, is part of this consideration. The organizations and individuals you never interact with are not your concern; the ones you grant access to are.
To put it another way: Choose your digital associates carefully, and don’t be afraid to cut ties with those that don’t take cyber security seriously. You have too much on the line.