Hello Kitty Data Breach Leaks 3.3 Million User Account Details
By David Gibson
It was reported on Monday that SanrioTown.com, the online community for Hello Kitty fans, suffered a data breach, with information for 3.3 million users exposed, including first and last names, dates of birth, country or origin and email addresses.
This is another example of businesses, just like individuals, who are still struggling to get the basics right when it comes to securing their data. This data breach is similar to others we have already seen this year, including VTech just last month. While CIOs and security professionals may feel safe with large investments in firewalls, virus detection and other perimeter defenses, the on the ground reality is that today’s hackers continue to get better at their jobs and will easily get around these protections through a virtual side door without ever being spotted. There are so many basic vulnerabilities that organizations need to address, and because of this, it is increasingly important for companies to lock down internal access controls and protect the data from inside.
Organizations need to change their approach from perimeter and system focused to a data focused approach. More inside out. If you don’t know where your critical data resides, or can’t see who can and can’t access it, you won’t be able to prevent much of anything. It’s too easy for insiders to access and steal data without being noticed and it’s too easy for outsiders to get in through phishing and other basic attacks.
It’s time for organizations to shift priorities and assume that some of their employees (and even their administrators and executives) will be duped into giving up information (like their password) and/or downloading malicious code. If an attacker steals an employee’s password (and you’re not using multi-factor authentication) then the attacker gets access to wherever they can use the password: Any external or public facing systems or applications where the employee used the same password are easily accessible.
If an employee is able to snoop around and access data they shouldn’t, then so can an attacker that steals their credentials or system. While pure human nature makes us more biased towards fearing the more dramatic of risks, in truth, the frequent mundane threats that stare us in the face every day will be the ones that take us down. Monitoring and analyzing access will help detect the majority of attacks and give you a better chance to detect more sophisticated ones, or at least make their jobs a little harder.
Companies should prepare as if user accounts and their workstations will be compromised, whatever data they can get to is at risk. In the short term, deploy technologies that can analyze user behavior inside the perimeter under normal conditions to create a baseline that will enable early detection of unusual data access and other anomalies. At the same time, make sure that employees have access to only the information they need to do their jobs, that sensitive information is stored in the right places, and unneeded information is locked down or disposed of in a timely manner. With these protections, the inevitable penetration may not result in the exposure of sensitive data.
David Gibson has been in the IT industry for over fifteen years, with a breadth of experience in data governance, network management, network security, system administration, and network design. He is currently Vice President of Strategy at Varonis Systems, the leading provider of comprehensive data governance software. David holds many certifications, including CISSP. As a former a technical consultant, he has helped many companies design and implement enterprise network architectures, VPN solutions, enterprise security solutions, and enterprise management systems.