The past few weeks have seen an epidemic of user identity data breaches sweep through the United States. Facebook’s continually mounting troubles surrounding its data-mining scandal are the most prominent tip of the iceberg, but they are only the tip of the digital identity security failures on display. Panera Bread, Saks Fifth Avenue, Lord & Taylor, Delta Airlines, and Best Buy have all suffered in the public eye as a result.
It’s easy for other enterprises and outside observers to engage in schadenfreude over this wave of breaches, but a digital identity security failure could affect any enterprise of any size and in any industry. Instead of simply pointing fingers, we should be learning from these data breaches and finding new ways to secure customers’ and employees’ digital identity data.
What digital identity and access management lessons can we take away from the latest headlines and studies?
Panera Bread: Never Ignore or Reject a Digital Identity Vulnerability
Identity management studies found that customers care more about how a company treats their data and how it handles a cybersecurity breach than about whether it suffered a breach at all. Panera Bread’s reaction to discovering a network vulnerability leaking customer identity data highlights poor handling.
Panera’s cybersecurity professionals at first accused security researcher Dylan Houlihan, who discovered the breach, of running a scam or a product promotion. But when they confirmed the digital identity leak for themselves, they did nothing to correct the issue for eight months. The real-world results of such behavior have become evident in the wake of the public revelation of the Panera leak. Customers are infuriated, the chain’s reputation has taken a serious hit, and both may result in lost profits and customer trust down the line. Lawsuits from outraged customers may be forthcoming, and Panera will face both definite legal fees and possible payouts as those cases move forward.
The major takeaway for other enterprises, therefore, is to never handle their own digital identity security failures the way Panera Bread did. Treat security researchers that reach out to you with respect (they’re only trying to help you) and look into their discoveries seriously. And if you do discover a legitimate network leak or identity vulnerability, you must respond to it and resolve it as quickly as possible. A digital identity security flaw will not go away on its own, and every moment of hesitation and denial only compounds the damage to your data and ultimately your enterprise.
Best Buy: Third Parties Are Still a Dangerous Identity Attack Vector
Major retailers Sears and Best Buy, and airline corporation Delta, all suffered data breaches that exposed customer identity and financial data. What did they all have in common? They all used the same third party, (24)7.ai, to provide their online chat support services.
(24)7.ai actually suffered the initial breach, but that breach allowed the cybercriminals to enter into the other networks and steal customers’ identities—including customers that never used the chat services.
This story is a brutal reminder of the danger third-party actors can represent to your enterprise—they are essentially an insider threat that straddles being a part of and not a part of your network. We’ve spoken before about the danger of third-party threat actors, and it is still important to make sure that third parties only have as much access to your network as they need to accomplish their jobs. Giving them too many permissions can result in severe damage if their credentials are ever stolen. Additionally, you should consider making verification of your vendors’, third parties’, and digital partners’ cybersecurity platforms a condition of your working relationships.
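The two checks recommended above, that a vendor holds no more permissions than its job requires and that its security review is current, can be turned into a routine audit of third-party accounts. The script below is an added example written for this article, not code from any of the companies named in it; the vendor names, job roles, permission strings and review dates are all constructed placeholders.

```python
"""Added example (not from the original article): a least-privilege audit
for third-party accounts, as the article recommends.

Every vendor name, role, permission string and date below is a constructed
placeholder, not a real account."""
from dataclasses import dataclass
from datetime import date, timedelta

# Permissions each third-party job genuinely needs (constructed).
JOB_ENTITLEMENTS = {
    "chat-support": {"read:support_tickets", "write:support_tickets"},
    "payment-processor": {"read:orders", "write:payment_tokens"},
}

# How old a vendor's last security review may be before access is flagged.
MAX_REVIEW_AGE = timedelta(days=365)


@dataclass(frozen=True)
class VendorAccount:
    name: str                  # the vendor's identity in your directory
    job: str                   # key into JOB_ENTITLEMENTS
    granted: frozenset         # permissions actually assigned
    last_security_review: date # when you last verified the vendor's platform


def excess_permissions(account: VendorAccount) -> set:
    """Permissions granted beyond what the vendor's job requires."""
    return set(account.granted) - JOB_ENTITLEMENTS.get(account.job, set())


def review_overdue(account: VendorAccount, today: date) -> bool:
    """True if the vendor's cybersecurity review is older than MAX_REVIEW_AGE."""
    return today - account.last_security_review > MAX_REVIEW_AGE


def audit(accounts, today: date) -> dict:
    """Map each non-compliant vendor account to its findings."""
    findings = {}
    for acct in accounts:
        problems = {}
        extra = excess_permissions(acct)
        if extra:
            problems["excess_permissions"] = sorted(extra)
        if review_overdue(acct, today):
            problems["review_overdue"] = True
        if problems:
            findings[acct.name] = problems
    return findings


# Constructed sample data: a chat vendor that was handed far more than
# ticket access, and a payment vendor scoped correctly.
SAMPLE_ACCOUNTS = [
    VendorAccount("chat-vendor-svc", "chat-support",
                  frozenset({"read:support_tickets", "write:support_tickets",
                             "read:customer_pii", "read:payment_tokens"}),
                  date(2017, 1, 15)),
    VendorAccount("payments-vendor-svc", "payment-processor",
                  frozenset({"read:orders", "write:payment_tokens"}),
                  date(2018, 2, 1)),
]


def sample_findings() -> dict:
    """Run the audit over the constructed sample as of a fixed date."""
    return audit(SAMPLE_ACCOUNTS, date(2018, 4, 10))


if __name__ == "__main__":
    for name, problems in sample_findings().items():
        print(name, problems)
```

Only the chat vendor is reported: it holds customer PII and payment-token permissions that its job does not need, and its last review is more than a year old. The same structure works against a real directory export once `JOB_ENTITLEMENTS` is populated from your vendor contracts.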
Nextgov Study: Biometrics Not Always Welcome?
A recent study from Nextgov of D.C. consumers found that women are twice as likely to state reluctance or outright refuse to give up their biometric identity data to the government, including fingerprint or facial recognition data. Men are also more comfortable sharing their biometric identities and their social security numbers. Men are twice as likely to be comfortable with retina scans as women.
Nextgov’s findings were focused on sharing biometric authentication data with the government, but they carry heavy implications for customer-enterprise relations and digital identity security. Part of the call for more women in cybersecurity is a recognition that limiting the people involved in identity and access management means limited designs and platform capabilities. There is no such thing as a one-size-fits-all identity security solution or biometric authentication platform. Building an identity security process that is based on an imagined “average” employee will fail by default.
Instead, consider using biometric authentication as a single factor in a larger multifactor authentication identity management solution for your enterprise. Under MFA, users might be able to choose which factors they feel most comfortable using to secure their network connections and data. This could translate into better security for your enterprise overall, and certainly a more comfortable user experience.
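The design just described, in which biometrics are one optional factor among several and each user picks the combination they are comfortable with, still has to guarantee that what they pick is genuinely multifactor. The code below is an added example, not part of the original article or any vendor's product; the factor names and the category table are assumptions made for this illustration.

```python
"""Added example (not from the original article): an MFA policy that lets
users choose their own factors, with biometrics as one option rather than a
requirement, while still demanding factors of different kinds.

Factor names and the category table are assumptions for this example."""

# Each factor belongs to one of the classic categories: something you know,
# something you have, something you are.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "totp": "possession",
    "hardware_key": "possession",
    "push_approval": "possession",
    "fingerprint": "inherence",   # biometric, optional
    "face": "inherence",          # biometric, optional
}

MIN_CATEGORIES = 2


def categories(factors) -> set:
    """The distinct categories covered by a set of factor names."""
    return {FACTOR_CATEGORY[f] for f in factors}


def satisfies_policy(factors) -> bool:
    """Factors must span at least MIN_CATEGORIES distinct categories.
    Two biometrics alone (fingerprint + face) are a single category and
    therefore do not count as MFA; password + hardware key does."""
    return len(categories(factors)) >= MIN_CATEGORIES


def enroll(user: str, chosen) -> dict:
    """Record a user's chosen factors, rejecting unknown factors and
    combinations that do not meet the policy."""
    chosen = set(chosen)
    unknown = chosen - set(FACTOR_CATEGORY)
    if unknown:
        raise ValueError(f"unknown factors: {sorted(unknown)}")
    if not satisfies_policy(chosen):
        raise ValueError("choose factors from at least two categories")
    return {"user": user, "factors": frozenset(chosen)}


def enrollment_allowed(chosen) -> bool:
    """Convenience wrapper: would enroll() accept this choice?"""
    try:
        enroll("probe", chosen)
        return True
    except ValueError:
        return False


def authenticate(enrollment: dict, verified) -> bool:
    """A login succeeds only when every factor verified in this session was
    enrolled by the user and the verified set still satisfies the policy."""
    verified = set(verified)
    if not verified <= enrollment["factors"]:
        return False
    return satisfies_policy(verified)


# Constructed sample users: one who declined biometrics entirely, one who
# chose a PIN plus a fingerprint.
ALICE = enroll("alice", {"password", "hardware_key"})
BOB = enroll("bob", {"pin", "fingerprint"})

if __name__ == "__main__":
    print("alice, both factors:", authenticate(ALICE, {"password", "hardware_key"}))
    print("alice, password only:", authenticate(ALICE, {"password"}))
    print("bob, pin + fingerprint:", authenticate(BOB, {"pin", "fingerprint"}))
    print("fingerprint + face allowed?", enrollment_allowed({"fingerprint", "face"}))
```

The policy check is on categories, not on a count of factors, which is what keeps user choice from quietly degrading into two factors of the same kind. A user who is uncomfortable handing over biometric data can satisfy it with a password and a hardware key, while a user who prefers a fingerprint pairs it with something known or possessed.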
Facebook: Digital Identity Security Failures Can Truly Result in Staggering Fines
Regardless of the more-than-likely class action lawsuits Facebook is sure to face in the near future, the Federal Trade Commission recently stated “we intend to monitor closely Facebook’s compliance with the order and will not hesitate to seek civil penalties for any violations.”
And that can prove a major financial punishment for the social media giant. Facebook was warned about its digital identity security and signed a consent decree in 2011 requiring it to keep its users’ data secure. At time of writing, it does not appear to have done so. The penalty for 70 million exposed American users’ identities, set against Facebook’s $15.9 billion in profit, could be astronomical.
This story is a harsh warning to enterprises of what is at stake in failing to practice digital identity security. A data breach of your users’ identities can result in not just lost revenue, legal fees, and paying for affected users’ credit monitoring. The regulatory financial penalties could cripple, if not outright kill, your enterprise.
Stay smart when it comes to identity and access management. Learn from others. Don’t let the past repeat with you at the center of it.
Latest posts by Ben Canner