There is a clear trend in the number of data breaches that reach the news, and there is a reason for it. New data breaches are reported almost daily, especially when the breach involves a public or well-known company.
But what is a data breach and why do data breaches keep happening?
When the media report a data breach, they most often mean that personal data of the system's users (most often a website or mobile application) has been accessed without authorization in its raw, readable form.
In the European Union the GDPR is the law describing how companies must handle privacy-related information, and in the United States there are more specific laws at federal or state level, such as the CCPA and the CPRA.
All these laws exist to protect individuals' privacy by defining strict rules on what companies that collect personal information may do with it and how they must store it.
Many companies with a website think that implementing these rules can be done by placing an explicit cookie consent window in which they inform the visitor that they collect cookies and ask for permission. Although this is legally correct, it is in my opinion the least important part of protecting privacy information.
How does a data breach happen?
There is no simple answer, since it can happen in many different ways, some of which I will explain in more detail.
Lack of software engineers?
Many companies that run a website or web application use an open source system or have another company develop a system for them to meet their specific needs.
Software engineers are people trained to think about software architecture in all its aspects, including security, storage, legal matters, scalability, etc. In my opinion they have a Master of Science degree in computer science and at least 5 years of practical experience.
Many companies don't employ software engineers but software developers, who are people trained to write code based on specifications from a software engineer, analyst or product manager.
An estimated 95% of programming capacity consists of software developers, and only 5% of software engineers.
As a result, these systems pay no attention to security or privacy, but focus strongly on user experience and user interface instead.
Basic software design errors?
When most people think about privacy and personal data, the attributes that first come to mind are a date of birth, a social security number and a password, which is valid but far from complete.
Most people have one email address they use for almost everything they do on the web.
That email address, used to log in to or access a website, is reused on many sites and therefore allows an individual to be identified.
Other important attributes are address, marital status, gender, children, employer information and credit card information, and we could go on for some time.
All this information is stored in a database, but having reviewed hundreds of IT systems and databases, in 99% of the cases only the password is stored in an encrypted format and all the other information is not.
Sensitive information should be encrypted, meaning that an algorithm transforms it into an unreadable form, and it has to be decrypted again before it is visible in its original value.
Most common errors:
- Only encrypting the password field and not all the other fields
- Using an insecure algorithm like MD5 (used by WordPress), which can be cracked in minutes
- Storing the key for encryption and decryption in the database or on the file system of the server
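As an added example (not code from the original post), the Go program below shows the pattern that avoids all three errors at once: every sensitive column is encrypted with AES-256-GCM, the key comes from the process environment (DATA_KEY_HEX is a hypothetical variable name that a secrets manager would fill in) rather than from the database or a file on the server, and the password is treated differently from the other fields: it is not encrypted but salted and hashed with PBKDF2-HMAC-SHA256, because the application only ever needs to check a password, never to read it back. The function names and the sample values are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"os"
)

// loadKey reads the 256-bit key from the environment (DATA_KEY_HEX is a hypothetical name a secrets manager fills in), never from a database column or a file beside the code.
func loadKey() ([]byte, error) {
	key, err := hex.DecodeString(os.Getenv("DATA_KEY_HEX"))
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("DATA_KEY_HEX must hold 32 bytes as 64 hex characters")
	}
	return key, nil
}

// newFieldCipher builds the AES-256-GCM primitive once; reuse it for every column.
func newFieldCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// mustRandom returns n bytes from the OS CSPRNG; a failure here is not recoverable.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// encryptField protects one sensitive column value; the random nonce is prefixed, so equal plaintexts never give equal stored bytes.
func encryptField(gcm cipher.AEAD, plaintext string) []byte {
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, []byte(plaintext), nil)
}

// decryptField reverses encryptField; the GCM tag turns a wrong key or tampered bytes into an error.
func decryptField(gcm cipher.AEAD, stored []byte) (string, error) {
	n := gcm.NonceSize()
	if len(stored) < n {
		return "", fmt.Errorf("ciphertext too short")
	}
	plain, err := gcm.Open(nil, stored[:n], stored[n:], nil)
	return string(plain), err
}

// Passwords are the one field that is hashed, not encrypted: the application only checks them, it never needs
// the original back. pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out to stay standard-library only.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const pbkdfIterations = 600_000 // OWASP's 2023 figure for PBKDF2-HMAC-SHA256

// hashPassword returns a random per-user salt and the slow hash to store beside it.
func hashPassword(password string) (salt, hash []byte) {
	salt = mustRandom(16)
	return salt, pbkdf2SHA256([]byte(password), salt, pbkdfIterations, 32)
}

// verifyPassword recomputes the hash and compares in constant time.
func verifyPassword(password string, salt, hash []byte) bool {
	got := pbkdf2SHA256([]byte(password), salt, pbkdfIterations, len(hash))
	return subtle.ConstantTimeCompare(got, hash) == 1
}

func main() {
	salt, hash := hashPassword("correct horse battery staple") // constructed sample
	fmt.Println("login ok:", verifyPassword("correct horse battery staple", salt, hash))
}
```

Keeping the key in an environment variable that deployment tooling populates means a database dump or a copied web root does not also hand over the key; rotating the key is a matter of decrypting each column with the old key and re-encrypting with the new one. The per-user salt and the iteration count are what make a leaked password table slow to attack, which is exactly what a fast, unsalted digest such as MD5 does not provide.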
Don’t lock your doors
When you own a house or a car, you know you need to lock the doors to keep uninvited people out. With computer systems it's the same: you need to lock your server, your database and your software code.
Many data breaches happened because the system had doors without a lock. On a server a door is called a port, and with a firewall you can control who can reach the lock on that door (they still need a matching key to open it).
Another major problem occurs when the system manager of the website uses a hosted platform for the server and a remote database such as Amazon's AWS RDS.
When a remote database (RDS) is created, there are two settings that require special attention.
- Allow remote access: this means that the remote database can be reached from any computer in the world. To get at the data, of course, the username and password still need to be entered.
- Have a public read-only replica: the read-only replica is often created to run reporting without putting extra load on the production system, but when it is open, anyone can view the data.
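Both settings can be verified from the API output instead of by trusting the console. The Go program below is an added example written for this article, not code from the original post or from AWS: it reads the JSON that `aws rds describe-db-instances` and `aws ec2 describe-security-groups` produce (only the real field names it needs are modelled), and reports every database that has PubliclyAccessible set, flagging read replicas as such, or whose security group opens the database port to 0.0.0.0/0 or ::/0. The two JSON documents are constructed sample data with invented instance and security-group identifiers.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Only the fields the check needs; the JSON names are the real ones from the AWS CLI output.
type rdsInstance struct {
	ID       string `json:"DBInstanceIdentifier"`
	Public   bool   `json:"PubliclyAccessible"`
	Source   string `json:"ReadReplicaSourceDBInstanceIdentifier"` // set only on read replicas
	Endpoint struct {
		Port int `json:"Port"`
	} `json:"Endpoint"`
	Groups []struct {
		ID string `json:"VpcSecurityGroupId"`
	} `json:"VpcSecurityGroups"`
}

type ingressRule struct {
	Protocol string `json:"IpProtocol"` // "tcp", "udp" or "-1" for all protocols
	FromPort int    `json:"FromPort"`   // absent (zero) when Protocol is "-1"
	ToPort   int    `json:"ToPort"`
	IPv4     []struct {
		CIDR string `json:"CidrIp"`
	} `json:"IpRanges"`
	IPv6 []struct {
		CIDR string `json:"CidrIpv6"`
	} `json:"Ipv6Ranges"`
}

type securityGroup struct {
	ID    string        `json:"GroupId"`
	Rules []ingressRule `json:"IpPermissions"`
}

// openToWorld reports whether an ingress rule lets any internet address reach port.
func openToWorld(r ingressRule, port int) bool {
	if r.Protocol != "-1" && r.Protocol != "tcp" {
		return false
	}
	if r.Protocol == "tcp" && (port < r.FromPort || port > r.ToPort) {
		return false
	}
	for _, ip := range r.IPv4 {
		if ip.CIDR == "0.0.0.0/0" {
			return true
		}
	}
	for _, ip := range r.IPv6 {
		if ip.CIDR == "::/0" {
			return true
		}
	}
	return false
}

// exposureFindings lists every database door that is reachable from the internet.
func exposureFindings(instancesJSON, groupsJSON string) ([]string, error) {
	var inst struct{ DBInstances []rdsInstance }
	var sgs struct{ SecurityGroups []securityGroup }
	if err := json.Unmarshal([]byte(instancesJSON), &inst); err != nil {
		return nil, err
	}
	if err := json.Unmarshal([]byte(groupsJSON), &sgs); err != nil {
		return nil, err
	}
	byID := make(map[string]securityGroup)
	for _, g := range sgs.SecurityGroups {
		byID[g.ID] = g
	}
	var findings []string
	for _, db := range inst.DBInstances {
		role := "instance"
		if db.Source != "" {
			role = "read replica of " + db.Source
		}
		if db.Public {
			findings = append(findings, fmt.Sprintf("%s (%s): PubliclyAccessible is true", db.ID, role))
		}
		for _, ref := range db.Groups {
			for _, r := range byID[ref.ID].Rules {
				if openToWorld(r, db.Endpoint.Port) {
					findings = append(findings, fmt.Sprintf("%s (%s): security group %s allows port %d from anywhere", db.ID, role, ref.ID, db.Endpoint.Port))
				}
			}
		}
	}
	return findings, nil
}

// Constructed sample output: a private production instance and a public reporting replica.
const sampleInstances = `{"DBInstances": [
 {"DBInstanceIdentifier": "orders-prod", "PubliclyAccessible": false, "Endpoint": {"Address": "orders-prod.example.invalid", "Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-app-only", "Status": "active"}]},
 {"DBInstanceIdentifier": "orders-reporting", "PubliclyAccessible": true, "ReadReplicaSourceDBInstanceIdentifier": "orders-prod", "Endpoint": {"Address": "orders-reporting.example.invalid", "Port": 3306}, "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-wide-open", "Status": "active"}]}]}`

const sampleGroups = `{"SecurityGroups": [
 {"GroupId": "sg-app-only", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
 {"GroupId": "sg-wide-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}]}`

func main() {
	findings, err := exposureFindings(sampleInstances, sampleGroups)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

A replica with PubliclyAccessible set gets a public DNS name, so even a strong password only stands between the data and every address on the internet; the fix is to keep the replica private and let the reporting tool reach it through the VPC, and to restrict the security group to the application's own address range as sg-app-only does in the sample.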
Using common passwords
An open door, but still a problem in 2021. People, including software developers and system managers, are using passwords that can be guessed in minutes.
The default admin or administrator, or your company name with the vowels replaced by a !, like !ppl!, are still common. A hacker will have full access in minutes and can do whatever they please.
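A login or account-creation form can refuse exactly these passwords before they are ever stored. The Go check below is an added example, not code from the original post: it rejects a short constructed deny list (a deployment would load a breached-password list instead), any password containing the company name, and the vowel-substitution trick from the text, which it catches by masking vowels, digits and symbols in the password and comparing against the company name with its vowels masked. The function names, the 12-character minimum and the sample passwords are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed deny list for the example; a deployment would load a breached-password list.
var denylist = map[string]bool{
	"admin": true, "administrator": true, "password": true, "123456": true, "welcome": true, "letmein": true,
}

// maskVowels replaces vowels with '*': "apple" -> "*ppl*".
func maskVowels(s string) string {
	return strings.Map(func(r rune) rune {
		if strings.ContainsRune("aeiou", r) {
			return '*'
		}
		return r
	}, s)
}

// maskNonLetters replaces digits and symbols with '*': "!ppl!" -> "*ppl*", "@ppl3" -> "*ppl*".
func maskNonLetters(s string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsLetter(r) {
			return r
		}
		return '*'
	}, s)
}

// isWeakPassword reports whether pw is a guess-in-minutes password and why. company is the
// organisation name; passwords built from it with vowels swapped for symbols or digits are rejected too.
func isWeakPassword(pw, company string) (bool, string) {
	p := strings.ToLower(pw)
	c := strings.ToLower(company)
	skeleton := maskVowels(c) // "apple" -> "*ppl*"
	// Skip the skeleton match for very short names, where "*ppl*"-style patterns would match too much.
	consonants := len([]rune(skeleton)) - strings.Count(skeleton, "*")
	switch {
	case denylist[p]:
		return true, "on the deny list"
	case c != "" && strings.Contains(p, c):
		return true, "contains the company name"
	case consonants >= 3 && strings.Contains(maskVowels(maskNonLetters(p)), skeleton):
		return true, "company name with vowels replaced by symbols or digits"
	case len([]rune(pw)) < 12:
		return true, "shorter than 12 characters"
	}
	return false, ""
}

func main() {
	// Constructed candidates, checked against the constructed company name "apple".
	for _, pw := range []string{"admin", "!ppl!", "Apple2021!", "@ppl3-2021", "Sh0rt!", "correct-horse-battery"} {
		weak, why := isWeakPassword(pw, "apple")
		fmt.Printf("%-24q weak=%-5t %s\n", pw, weak, why)
	}
}
```

The skeleton comparison is a heuristic: it also rejects unrelated words that share the company's consonant pattern, which is a cheap price for a signup form, but the deny list and a length floor do most of the work. The same check applied at password-change time, together with a lockout or rate limit on failed logins, is what turns "guessable in minutes" into "not worth trying".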
If you’re interested to find out if and how your systems are secured, you can reach out to me for a consult.
First published on my medium page https://medium.com/@petervandeput/why-do-data-breaches-keep-happening-47ba2986c072.