At a glance.
- Data breach at California Pizza Kitchen.
- Forget about it.
- Former insider says Amazon neglected data security.
The price of a slice.
US pizza purveyor California Pizza Kitchen (CPK) disclosed this week that in September intruders gained unauthorized access to the private data of over 100,000 former and current employees. The exposed data includes names and Social Security numbers. TechCrunch notes that although CPK first detected the suspicious activity on their systems in September, it took the company two months to notify the authorities. The Murphy Law Firm, based in the state of Oklahoma, announced it will be investigating claims on behalf of compromised individuals from the breach for a possible class action lawsuit.
A number of security experts wrote in to comment on the breach. Erich Kron, security awareness advocate at KnowBe4, sees a dark legal cloud around the incident:
"Unfortunately, data breaches have become the new normal these days. The fact that this particular data breach involved employees' personally identifiable information is unfortunate because of the potential legal ramifications that it can cause for the company. Social security numbers, such as the ones that were lost here, are very valuable to attackers, especially around the end of the year. Cybercriminals can use the information lost here, along with other information they may be able to find out about a person, to file fraudulent income tax returns or to otherwise steal the identity of data breach victims. The employees of California Pizza Kitchen should monitor their credit reports closely over the next few months for any fraudulent activity and report anything suspicious immediately."
Trevor Morgan, product manager with data security specialists comforte AG, urges businesses to learn from the incident and take appropriate security measures:
“Enterprises definitely have an obligation to their customers to keep private and sensitive data safe and secure. We take for granted the assumption that they will also protect PII gathered from current and former employees, most of whom have rendered good and faithful service to the organization. Good employees deserve no less. Such is not the case, unfortunately, in light of the recently disclosed data breach involving California Pizza Kitchen (CPK). Threat actors gained access to CPK’s data environment and ultimately to files containing highly sensitive information including the SSNs of employees and other types of PII. Over 100K data subjects ultimately could be negatively affected.
“The incident demonstrates the dangers in assuming that traditional controls such as perimeter security alone can protect against unwanted access to and subsequent disclosure of PII. Only data-centric security is able to ensure that hackers can’t leverage, profit from, or even weaponize sensitive data. By protecting the data itself through tokenization or format-preserving encryption, organizations can make sure that even if protected information travels outside of protected boundaries or falls into the wrong hands, sensitive data is still safe and secure in an obfuscated state. While CPK got burned on this incident, your organization doesn’t have to be—the special of the day for any enterprise wanting to avoid this situation should be data-centric security.”
And, as Bassam Al-Khalidi, Co-CEO and Co-Founder of Axiad, points out, personal data are always attractive to criminals.
“Every business like California Pizza Kitchen possesses valuable PII data which makes them a prime target for attackers. To help protect against attacks, enterprises need to ensure their employees practice good cybersecurity hygiene. Ongoing training can help defend against threats such as phishing or other social engineering attacks that often lead to breaches.
“Breaches can also stem from credential-based attacks. If enterprises are still using passwords, the likelihood of a breach only grows. Businesses need to eliminate passwords for good and move to multi-factor authentication solutions that defend their essential data.”
Danny Lopez, CEO of Glasswall, urges businesses not to overlook the value of security training:
“The California Pizza Kitchen (CPK) data breach is yet another reminder that employers need to take action in order to protect their employees from having their critical information stolen.
“The solution to preventing incidents like this is twofold: training and technology. Training plays a vital role in any rounded approach to cybersecurity by arming as many users as possible to be alert to risks and follow best practices. The problem is, many of these training efforts are little more than an exercise in box ticking, covering the basics with employers then assuming their staff will remember what they need to do on every single occasion in the future when they are exposed to risk.
“People should understand that protecting their organisation from the impact of a security breach isn’t just about always applying every element of their training on every single occasion, it’s also about raising the alarm if a breach may have occurred without fear of punishment. Whether they are right or wrong, employees should be encouraged to always raise the alarm if something doesn’t feel right.
“On the technology side, taking a proactive, zero trust (never trust/always verify) approach to cybersecurity and having the measures in place to prevent attacks from penetrating your systems is critical. It’s also far more efficient and cost-effective than relying solely on your employees.”
Alex Pezold, CEO of TokenEx, seeks consolation in mathematics:
“We are always discouraged to see businesses become victims of a sensitive data breach. For California Pizza Kitchen and plenty of other businesses, there is a solution that eliminates much of the risk of storing sensitive data like social security numbers—cloud tokenization. True cloud tokenization removes personal, transaction and other types of data from an organization’s IT business environment, replacing it with mathematically unrelated tokens, so that when breaches inevitably occur, only the unusable tokens are exposed to fraudsters.”
Adir Gruss, vice president of systems engineering at Laminar, reminds us that data protection lies at the heart of security:
“All security practices are about protecting the data. That is why best practices are to take a data-centric approach. One of the biggest challenges is, as companies shift towards digital transformation and move more and more of their computer infrastructure to the cloud, most security teams have lost track of where their sensitive data resides in the cloud. The old adage is true, you can’t protect what you don’t see. An IDC survey recently found that 98% of companies experienced a cloud data breach in the last 18 months. We have found that data protection has fallen behind data democratization, but newer, “cloud-centric” security solutions are emerging to help.”
New tech makes it easier to forget.
The Right to be Forgotten, a standard tenet of many modern privacy laws including the General Data Protection Regulation, can be a major headache for data suppliers. While the right for users to have their private data deleted is recognized as important, the process of detecting and erasing that data can be tedious and costly for the organization. Tokenization offers a possible solution, but requires processing power that some organizations simply don’t have. Security Week discusses a possible solution from start-up firm Rixon Technology: a cloud-based, vaultless tokenization engine. With this approach, raw text never has to be stored on the client’s network; instead, the text is sent directly to the engine and returned as tokens. Joseph Demarest, a former assistant director for the cyber division of the FBI who reviewed Rixon’s tech, said, “The technology is durable, very fast, flexible and customizable. The customer retains ownership of the data and can decide on its security policy based on its own risk tolerances.” As they say in New Jersey, forget about it....
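The vaultless tokenization flow described above, and the "mathematically unrelated tokens" Pezold refers to earlier, as an added illustration that is neither Rixon's engine nor TokenEx's product: a toy format-preserving tokenizer for SSNs in which only the engine holds the key, the client keeps tokens alone, and no token-to-value vault exists. It uses a simplified Feistel network with HMAC round functions rather than NIST FF1/FF3, and the key and employee values are constructed.

```python
import hmac
import hashlib
# Added example (not Rixon's engine, not the TokenEx product): a toy vaultless,
# format-preserving tokenizer for 9-digit SSNs. Only the engine holds the key;
# the client keeps tokens and no token-to-value "vault". Simplified Feistel
# network with HMAC round functions for illustration, not NIST FF1/FF3.
ROUNDS = 8
LEFT, RIGHT = 4, 5   # split the 9 digits into a 4-digit and a 5-digit half

def _normalize(value: str) -> str:
    digits = value.replace("-", "")   # accept AAA-GG-SSSS or bare digits
    if len(digits) != LEFT + RIGHT or not digits.isdigit():
        raise ValueError("expected a 9-digit SSN or token")
    return digits

def _format(digits: str) -> str:
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"   # keep AAA-GG-SSSS shape

def _round_value(key: bytes, rnd: int, other: int, width: int) -> int:
    """Keyed round function: HMAC over (round number, other half), mod 10**width."""
    msg = bytes([rnd]) + other.to_bytes(4, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % (10 ** width)

def tokenize(key: bytes, ssn: str) -> str:
    """Engine side: map an SSN to a same-shaped token without storing anything."""
    digits = _normalize(ssn)
    left, right = int(digits[:LEFT]), int(digits[LEFT:])
    for rnd in range(ROUNDS):
        if rnd % 2 == 0:
            left = (left + _round_value(key, rnd, right, LEFT)) % 10 ** LEFT
        else:
            right = (right + _round_value(key, rnd, left, RIGHT)) % 10 ** RIGHT
    return _format(f"{left:0{LEFT}d}{right:0{RIGHT}d}")

def detokenize(key: bytes, token: str) -> str:
    """Engine side: undo the rounds in reverse; only the key is needed, no table."""
    digits = _normalize(token)
    left, right = int(digits[:LEFT]), int(digits[LEFT:])
    for rnd in reversed(range(ROUNDS)):
        if rnd % 2 == 0:
            left = (left - _round_value(key, rnd, right, LEFT)) % 10 ** LEFT
        else:
            right = (right - _round_value(key, rnd, left, RIGHT)) % 10 ** RIGHT
    return _format(f"{left:0{LEFT}d}{right:0{RIGHT}d}")

def hr_record(key: bytes, name: str, ssn: str) -> dict:
    """Client side: the employee row actually kept on the customer's systems."""
    return {"name": name, "ssn_token": tokenize(key, ssn)}
```

A breached copy of the client's employee table then yields only tokens, and turning them back into SSNs requires the engine's key rather than any stored mapping.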
Amazon said to have neglected user data security in favor of concentrating on customer experience.
In an exposé by Wired, Amazon's former vice president of information security Gary Gagnon says that when he started his tenure, the tech giant’s customer security infrastructure was severely lacking. Indicating that the company grew too big too quickly, Gagnon says Amazon’s security systems were “all put together with tape and bubblegum,” and in an internal memo to former Amazon consumer CEO Jeff Wilke, he explained, “We lack visibility into the data we are charged with protecting. We do not systematically know the data flows and storage locations of sensitive data.” Though Gagnon tried to sound the alarm, allegedly his requests for funding and staff to improve security were ignored. “They wanted to delight the customer...And that was at the expense of everything else,” he says. Amazon spokesperson Jen Bemisderfer disputes Gagnon's claims, asserting the company’s track record in data protection was excellent, and that they’d "invested billions of dollars over the years to build systems and processes to keep data secure, and are constantly looking for ways to improve."