On the surface, Equifax and Lord & Taylor may seem to have little in common.
The unwelcome distinction they share? Along with several other major companies, the worldwide credit-reporting agency and the nation’s oldest department store both were struck by data breaches in 2017.
2017 was the worst year to date for data breaches affecting major corporations, according to Burton Kelso, a tech expert with Integral Computing Consultants in Kansas City. In a recent CLE session, Kelso advised attorneys of steps they should take to protect their companies’ information and that of their clients.
“There are all kinds of large companies that have been victim to a data breach,” Kelso said.
Kelso said becoming victim to a data breach is “the worst day ever” for any entity, regardless of size.
“You’ve got to tell all your clients, ‘Hey, we’ve been victims,’” he said. “You have to go through a whole bunch of things to make sure your firm’s not going to become a victim of another data crime.”
Kelso said data breaches can occur through several different means. Someone may obtain your employees’ emails, or a disgruntled former employee may target your company. Too often, he said, it’s easy for companies to forget about employees’ access to sensitive data.
“A lot of people don’t think about that, but if you fire somebody, they can just take all your stuff and give it to their next employer,” he said.
Kelso said data breaches executed through external providers are also common. He said it’s a good idea for lawyers to ask their external providers about what they’re doing to keep their data and clients’ data safe.
Additionally, he said, it’s good to determine the scope of access granted to a vendor or other party, and what they’re doing to secure data.
“Sometimes with data breaches, that’s what happens — that there’s a third-party vendor out there that’s not really doing what they’re supposed to do, and somehow that [shared] information gets hacked,” he said.
‘Engineered to elicit a reaction’
Kelso said there are a few common ways hackers can access data.
One is malware, or the use of malicious software. This can come in the form of viruses. Kelso said there are several types of viruses, including those that pop up on your computer and others that log your keystrokes.
Another is phishing, or the use of emails that appear to be legitimate but are sent by people who intend to steal their targets’ personal information.
“They’re engineered to elicit a reaction,” he said, noting they may appear to be legitimate emails from reputable companies such as UPS, FedEx or the U.S. Postal Service.
He said phishing is one of the top causes of data breaches because it convinces people to voluntarily give up information.
“That’s why phishing emails are still going around,” he said. “It doesn’t matter if it’s from your bank or from UPS, they come in all forms. It’s just socially engineered so we all fall victim to it.”
Kelso said password attacks also are a common source of breaches, noting that programs exist to help hackers try to crack your password.
“That’s why it’s very important for you to find out if your email [address] has been part of a data breach because hackers will get those emails, and they will try to figure out the most commonly used passwords,” he said.
Kelso suggested the site HaveIBeenPwned.com to check if your email address has been compromised in a data breach. He noted “pwn” is a gamer term for someone misspelling the word “own.”
Data breaches can also occur through ransomware. Ransomware comes in different forms, but each essentially locks users out of their computers and devices, blocking users’ access until they pay a ransom.
Kelso said this type of breach doesn’t appear to be slowing anytime soon.
“It’s an effective way for cybercriminals to make money, so it will continue to happen,” he said.
Examples of ransomware included scareware, where a message might pop up on a user’s screen that scares users into taking some action, such as calling a number or visiting a site with software intended to disable or damage one’s device.
To minimize the damage of data breaches, Kelso stressed the importance of backing up one’s data. He suggested products such as Carbonite, which continually backs up information and uses encryption.
If a breach occurs or if one’s computer is affected by ransomware, Kelso said data can be easily retrieved.
He also emphasized the importance of keeping computer software up to date and of using only internet browsers that are still being supported by web companies with security updates.
“If you’re still using Internet Explorer, you need to stop,” he said, noting that Microsoft no longer provides support for the browser.