At a glance.
- Data from MGM Resorts breach shows up in a hacker forum.
- Misconfigurations remain a leading source of privacy issues.
- Google will move British users' data out of the EU, post-Brexit.
- Businesses adapt to shifting privacy regulations (with surprising confidence).
2019 breach data published to a hacker forum.
MGM Resorts sustained a data breach last summer that affected almost 10.6 million guests. This week much of the personal information lost was posted to a hacker forum. ZDNet and Under the Breach confirmed that the data were indeed from the MGM Resorts incident. MGM Resorts says it notified affected guests last year. The data posted this week included names, home addresses, phone numbers, emails, and dates of birth, but MGM Resorts emphasizes that no paycard information was compromised. Threatpost sees the incident as a good example of how data breaches can continue to affect organizations long after they've been stopped, disclosed, and remediated.
Misconfigurations expose data with no need for any hacker action.
All too often, the data are just left out there, ready to be seen, taken, and used by anyone who comes across them. DivvyCloud's 2020 Cloud Misconfigurations Report puts a very high price tag indeed on unsecured databases: $5 trillion, if their figures are to be believed. They find that badly handled Elasticsearch implementations cause the most trouble, with poorly configured AWS S3 buckets and MongoDB misconfigurations coming in second and third:
- "Elasticsearch misconfigurations accounted for 20% of all breaches, but these incidents accounted for 44% of all records exposed. The number of breaches caused by Elasticsearch misconfigurations nearly tripled from 2018 to 2019."
- "S3 bucket misconfigurations accounted for 16% of all breaches, however, there were 45% fewer misconfigured S3 servers in 2019 compared to 2018."
- "MongoDB misconfigurations accounted for 12% of all incidents, and the number of misconfigured MongoDB instances nearly doubled YoY [year-over-year]."
Post-Brexit, Google will move UK data out of EU jurisdiction.
Since it's unclear where UK privacy and data protection laws will settle, post-Brexit, Google intends to move British users' data out of the EU to avoid unnecessary GDPR complications, Reuters reports.
Privacy compliance under conditions of uncertainty.
Scale Venture Partners has published a survey of how businesses are dealing not only with relatively well-established privacy regulations like GDPR, but also with newer and still unsettled regimes like the CCPA. They outline their findings as follows:
- "Privacy regulations prompt change. GDPR and CCPA have altered approaches to data privacy. Ninety-six percent of respondents have changed their strategy around data privacy compliance."
- "Organizations continue investing in both on-prem and cloud security solutions. Over two-thirds of respondents are investing in both data center or server security (68 percent) and cloud application security (67 percent). A majority of security executives are planning to invest more in cloud infrastructure security (62 percent) and cloud application security (58 percent) in the next 12 months."
- "Executives remain confident that their organizations are equipped to manage security risks. Seventy-three percent of executives feel equipped to handle risk, a slight decrease from 2018 (78 percent) but a 12 percent increase from 2017. Eighty-seven percent of executives feel they are at least somewhat more equipped than they were a year ago to handle risks."
- "Despite confidence, hackers remain top of mind for businesses. The top issues keeping executives up at night are threats from hackers using machine learning to attack businesses and hackers generally. Security issues related to migration to the cloud ecosystem follow closely behind, reflecting the complexity and nascency inherent in hybrid cloud environments."
- "Legacy technology continues to be an obstacle. For the second year in a row, respondents see complex legacy data center infrastructure (50 percent), outdated security technology and processes (44 percent), and too many alerts or false negatives with detection software (44 percent) as the top obstacles holding their organization back from achieving the security posture it needs. This has forced 65 percent of executives to build security solutions in-house, a 15 percent increase from 2018."
- "Accountability remains in the C-suite. Sixty-five percent of executives say a member of the C-suite is ultimately responsible for the security of their organization, a 7 percent increase from 2018. For the first time, CEOs topped the list of executives with primary responsibility."