As you may have heard, Sony Pictures was recently breached. Today’s story in the Wall Street Journal and other media outlets indicates how bad the Sony breach was. If you haven’t heard about this breach, it initially looked like Sony’s intellectual property was the only sensitive data stolen: a number of their unreleased Christmas “blockbusters” were posted online with millions of downloads/views on all the sites that people are using to share media. It turns out, however, that movies were only the beginning of Sony’s sensitive data breach nightmare: more than 33GB of sensitive data belonging to the firm was also posted by hackers.
The folks here at Identity Finder used our enterprise software, Sensitive Data Manager, to discover that more than 600 files containing Social Security numbers (including Acrobat PDFs, Excel spreadsheets, and Word docs), with more than 47,000 unique SSNs among them, were publicly available as recently as Wednesday. In total, those same SSNs were referenced over 1.1 million times in the files, making it quite easy for hackers hoping to steal SSNs to be successful.
Most files containing SSNs were accompanied by other personally identifiable information, such as full names, dates of birth, and home addresses, which creates a clear path for criminals intent on committing identity fraud. Much of this data belonged to more than 15,000 current or former employees of Sony. Through no fault of their own, deeply personal information such as salary and termination dates and reasons (where applicable) is in the wild, and there is very little that these victims can now do about it.
Unlike other forms of sensitive data, such as debit and credit card numbers, Social Security numbers cannot be easily replaced or reissued once compromised. Organizations that experience such a breach are exposing employees and customers to potential identity fraud, which can take many years for victims to remediate. This particular breach serves as yet another example of the importance of proactively discovering and classifying or remediating unprotected sensitive data to prevent theft by cyber criminals.
There’s a good chance that in addition to the employee data, you will also hear something about “celebrity data” that was stolen in this breach, because that’s what gets the headlines. It’s certainly unfortunate that their data was also leaked. However, the takeaway is that in 2014, the so-called “Year of the Breach,” it has become even more apparent that breaches are inevitable. What doesn’t have to be a foregone conclusion is that this very important, very sensitive information will be stolen. A comprehensive sensitive data management program that addresses data discovery, data classification, and data protection will minimize the sensitive data footprint and shrink the target. Managing sensitive information can easily keep the crown jewels of an organization right where they belong: safe and secure, no matter who breaks into the network.
Although this was terrible news to find, it doesn’t lessen Identity Finder’s commitment to furthering research that promotes the mission-critical nature of sensitive data management. In 2014 alone, Identity Finder utilized Sensitive Data Manager to uncover more than 630,000 Social Security numbers exposed on IRS Form 990 tax returns and commissioned a Javelin Research survey that examined post-breach customer attrition in three critical industries.
We certainly hope we don’t find any more data out there. If you are one of the victims whose SSN was made public during this data breach, you can freeze your credit so that it cannot be used, or sign up for credit alerts to be notified when your SSN is used.