Stories about data breaches are becoming commonplace these days, one of the latest involving Monsanto subsidiary Precision Planting, which recently had unencrypted customer data stolen. The incident has prompted comment from security industry pundits, and it also gives some indication of the ramifications that follow such a breach.
Martin Sugden, CEO of security specialist Boldon James, is one such commentator.
“The concern with data breaches such as the Monsanto incident is that companies are still failing to adequately protect and secure sensitive data. Ultimately, if Precision Planting had taken a data-centric security approach and classified their customers' data as confidential, they could have selectively applied more robust security measures to protect this sensitive information.
“There is a lot of data being created every day, and having the ability to differentiate between highly sensitive information, such as customers' financial information, and the more mundane stuff is complicated. Your users understand the context of what they create and can apply a relevant classification. Classification enables organisations to understand what information they must prioritise in terms of protecting and securing against data losses.
“Data breaches are an increasingly common occurrence and there are many ways in which data losses can occur, whether it is through accidentally emailing sensitive information or by hackers breaching internal systems. Being able to identify and understand what data has been lost and the sensitivity of it can help lead the incident response investigations and mitigate future risks from occurring through employee education and security best practices. Any organisation, whether public or private, has a responsibility to protect their customers' data. Boosting user awareness and employee education in data security practices is obviously good practice. Tools such as data classification achieve this and help organisations add an extra layer of security to protect sensitive documents.”
Another view of the Monsanto breach came from Jody Brazil, President and CTO at FireMon.
“The Monsanto data breach is interesting in that it was one of the company's subsidiaries, Precision Planting, that was actually targeted. It is commendable that Monsanto have informed the relevant parties about the data breach, but what is of concern is the underlying data security practice that was brought to light. The data breach is said to have impacted both customer and employee data, and it begs the question: why was all this data held on one server?
“Organisations hold vast amounts of information in their systems, and having sensitive data of customers and employees combined on the same server is a simple mistake that is made all too often. Segmenting a network and distributing sensitive information across different servers on appropriate network sub-segments can and will limit the damage of a data breach – the cybersecurity equivalent of not putting all your eggs in the same basket.
“It is easy to reprove companies for bad security practices, but as information on data breaches is made public, it can serve as a learning point for other organisations. What is clear is that Monsanto has done everything in its power to limit the damage of the data breach by informing relevant government organisations, calling in forensics experts, and contacting the FBI to assist in dealing with the breach.”
An interesting addendum to the Monsanto data breach story sheds some light on the costs and regulatory burden that are likely to follow. The company has conducted an incident response and regulatory analysis, which indicates the actions that should now be pursued to resolve the current potential exposure.
Based on the results of the event analysis, the assessment has established the following minimum recommended actions.
Under the regulatory requirements of the jurisdictions involved, there is now a need to notify nine state attorneys general, notify 1,202 consumers in 49 jurisdictions, notify a credit agency of 25 exposures in one jurisdiction, and notify six special offices in four jurisdictions.
The estimated fine liability alone, should the above regulatory requirements not be met, is a not inconsequential $1,800,000.