1.2 Risks of data loss
As the case studies showed, there are serious consequences of losing data.
These consequences can be expressed as a series of costs, such as:
- the cost of recreating the lost data – either by buying new hardware and software or re-entering the lost data (which may not always be possible)
- the cost of continuing without that data (availability)
- the cost of informing others about the loss.
The costs cannot just be expressed in terms of money. For instance, the last cost, of informing others, is not just limited to, for example, postage and email charges. A company that suffers a data loss can also suffer a loss in its reputation as a professional organisation. This problem is greatly magnified if personal data belonging to other people has been lost.
Case study: Norsk Hydro
In March 2019, Norsk Hydro, one of the biggest aluminium producers in the world, was targeted by a ransomware attack using LockerGoga which encrypted a wide range of files.
Norsk Hydro had detailed plans in place and was able to limit the spread of the attack and revert to manual operation. It also had secure backups of critical files. In spite of that, the latest estimates in May 2019 put the cost at between $45.6m and $51.3m.
While they were recovering from this attack, Norsk Hydro were also aware of phishing attempts being made on their trading partners that attempted to spread the malware, and to divert payments to criminal accounts.
Norsk Hydro did not pay any ransom and provided detailed updates on its response to the attack.
Case Study: American Medical Collection Agency (AMCA) and Quest Diagnostics
AMCA was a company that ran billing and payment services in the US. In August 2018, hackers gained access to its servers and remained undetected until March 2019. The data obtained by the hackers included social security numbers, some credit card and banking details and medical data.
Quest Diagnostics was a medical company that used the services of another company called Optum360 to collect payments due. Optum360 had outsourced this operation to AMCA. Quest Diagnostics was first to report the security breach after customer details were involved in many fraudulent transactions.
LabCorp, BioReference and Opko Health were other medical companies that used the services of AMCA. AMCA filed for bankruptcy but the financial impact on the medical companies that used AMCA services is not yet clear.
The risk of data loss cannot be completely eliminated, but it can be minimised. In 2019, Verizon reported that 34% of breaches involved people inside the business, and 15% of all breaches were the result of misuse by authorised users. However, errors were the cause of 21% of all breaches.
A significant number of security threats are caused inadvertently by employees who are unaware of the risks of their actions, such as copying data to external devices or websites, opening infected emails, clicking malicious links, installing software and so on. Better staff training could reduce the risk of accidental data loss.
The Infosecurity Europe survey revealed that while a slight majority of companies had implemented an internal information security policy to secure computers, networks and data, only a minority had provided staff training to raise awareness of potential security risks. Another important way of minimising the effect of any loss is by backing up data – making secure copies of data either on to a separate device, to a separate disk, or even to a different location.
Think about identity theft and loss of data. Have you ever been affected by these issues? How would you know? Reflect on your personal experience.
- Have you checked your email on https://haveibeenpwned.com/ ?
- How would you recover if your live data was encrypted by ransomware, or simply destroyed?