The importance of cybersecurity cannot be overstated in the current highly tech-driven landscape – for individuals as well as private businesses and government departments. According to the Identity Theft Resource Center, 2018 saw 1,244 total breaches in the U.S., which led to the exposure of more than 446 million records. Although the number of breach incidents fell by 23% from the previous year, the number of records exposed rose from 2017 to 2018 by a staggering 126%. Considering that 2017 was the year of the infamous Equifax hack that exposed more than 150 million Americans' financial data on its own, 2018's drastic uptick in data exposure should appear especially alarming.
It's not quite clear yet what direction 2019 will go, whether the general state of U.S. cybersecurity will improve, decline or remain static. As of May 7, 2019, the latest date for which the ITRC has data available, this year has seen 146 hacks or breaches and 4.5 million records compromised, with nearly half of them (44.5%) affecting the business and professional services sector. With 146 averaging out to about 37 a month, that would put organizations on track to experience 444 by the year's end if that rate held – but cybersecurity isn't exactly the easiest field to handicap. We could just as easily see a total of 1,444 breaches when the clock strikes midnight on 2019.
Two large-scale hacks that occurred in the first two weeks of June illustrate many of the dangers posed by data breaches to both the public and private sectors. Businesses considering a broad IT modernization initiative would do well to examine the following accounts as they consider the security-related aspects of their plans.
Health care collection agency experiences breach affecting up to 20 million
American Medical Collection Agency, an organization based in Elmsford, New York, provides a broad range of collection services for hospitals, private doctor's offices, testing laboratories and numerous other firms involved directly or tangentially in the field of health care all over the U.S. Its website claims that AMCA has handled the medical records of at least 25 million people, delivering approximately 1.4 million letters of collection each month.
According to Bloomberg, the agency experienced a serious breach in early June, one that could have adverse ramifications affecting 20 million of the individuals whose health care debts it attempts to collect. Two of the biggest AMCA clients, Quest Diagnostics Inc. and Laboratory Corporation of America Holdings, said in separate statements that the collector had been hacked, with the former claiming 11.9 million of the people identified in its records could be exposed and the latter citing the compromise of 7.7 million patients' accounts.
The business news provider reported that the breach announcement prompted inquiries by several U.S. senators not long after word got out: New Jersey senator and 2020 presidential candidate Cory Booker, along with the state's senior senator Bob Menendez and Mark Warner of Virginia, sent letters demanding information on the breach's specific events and how it was being handled by Quest and Laboratory Corporation. (Somewhat oddly, they did not pose these queries directly to AMCA.) Both of the clients most notably affected by the breach said that the collection agency had not informed them how it occurred. Mounir Hahad of cybersecurity firm Juniper Networks told Bloomberg the AMCA site didn't use a number of security features common to modern corporate web pages, while Warner expressed concern about AMCA clients' monitoring of third-party data usage and supply chain management.
Individuals affected by this breach could have numerous pieces of financial and personal information compromised – addresses, names, dates of birth and other data – but likely wouldn't have seen their test results or other medical information exposed. (The degree to which that fact comforts or outrages any affected person will necessarily vary on a case-by-case basis.)
CBP hack compromises travelers' information
The federal government of the U.S. has focused notably on enforcement of immigration law as one of its key priorities. But some fear that agencies like U.S. Customs and Border Protection, Immigration and Customs Enforcement and other Homeland Security departments tasked with mitigating unauthorized immigration could end up creating cybersecurity risks through their efforts.
According to The Washington Post, just under 100,000 people who entered and exited the U.S. over a 1.5-month period in 2019, through a particular land border entry port, could have photographs of their faces and their vehicles' license plates circulating on the web for possible misuse. (CBP didn't identify the crossing in its acknowledgment of the hack, but a federal official told the news provider it was along the Canadian border. There are 328 total points of U.S. entry manned by CBP.)
Perceptics, a data management firm subcontracted to CBP and other agencies, was the apparent source of the breach – an outside malware attack. Although Border Patrol didn't name the subcontractor in the official text of its press release, the document emailed to news outlets, including the Post, had "Perceptics" in its subject line. Reports note that Perceptics was attempting to devise algorithms that could match facial photos to specific license plates. If this company is the focus of a hacker's interest, all of the information involved in those data calculations and the algorithms themselves could be fair game for malicious actors throughout the internet. Although CBP's statement denied the compromised data was vulnerable to exploitation on the so-called "dark web," The Register stated in May that information stolen from Perceptics was freely available as a single-batch download in that criminal corner of the internet.
Implications for security planning
Security is tangential to one of the key paradoxes affecting companies' legacy system modernization efforts: Organizations can become set in their ways regarding how their information is kept under wraps – fearing the vulnerabilities that certain new technologies possess – or more generally about the ways in which they use their IT infrastructure. While this attitude is understandable to an extent, it can also end up being a serious thorn in the side.
The looming threat of catastrophic data breaches, whether caused by human error or malicious outside action, is serious enough. But there are also less immediately insidious dangers to consider, such as the vulnerability of applications and platforms made with open-source programming languages like Java, which has been noted numerous times in the cybersecurity community as a major risk. Thus, prudent alternatives are necessary for digital transformation efforts.