Securing the Human Factor: Wells Fargo’s Accidental Data Breach
It’s more challenging than ever to secure the human factor in cybersecurity. Here we share two recent examples of how human error directly resulted in large data breaches, corporate liability and damage to corporate reputations. The breaches at Wells Fargo and Verizon were the result of simple errors that anyone could have made. And that’s the point.
Earlier this month, Wells Fargo accidentally leaked the financial assets of 50,000 of its wealthiest clients. Wells Fargo was being sued by a former employee and had been using an outside law firm to handle the case. Opposing counsel requested documents from Wells Fargo related to his client and was expecting a small number of documents. Instead, he received a 1.4 gigabyte file containing financial information for at least 50,000 of Wells Fargo’s high net worth investment clients. The leaked data included customer names, Social Security numbers, and financial account details, including the amount of money each client had invested with Wells Fargo.
Can it be that easy to accidentally send a huge amount of confidential data to an outside party? Actually, it can be that easy. A lawyer or someone on their staff could have dragged a few extra electronic files into the folder they sent. They could have forgotten to restrict access on a link to a drive file, or an outsourced developer hired to create a script to pull the data could have entered incorrect parameters. Given the time it takes to review large sets of data, sometimes people just hit the send button assuming the information is limited to what was requested. There are many ways to accidentally create a data breach, which is why it is worth asking a few questions about your own files:
Who can access your client files?
Can employees send a data link to someone, copy these files, or access these files remotely?
What access is provided to outsourced contractors – especially remote ones that your team has never met?
Do employee mobile devices have access to your electronic files?
The worst part of the entire disaster is that the attorney who received the files is refusing to destroy them. He can legally include them in his legal filings, making them part of the public record. Imagine what a criminal could do with this information. Wells Fargo must notify each of its clients of the potential data breach. Meanwhile, the lawyer who received the data and his client are keeping their options open and keeping the data.
Human error causes 95% of all cyber breaches, according to IBM’s 2015 Cyber Security Intelligence Index. That holds in every industry, especially financial services and healthcare.
Verizon’s latest data breach exposed the phone numbers and PIN codes of 6 million customers. In this case, an outside vendor hired by Verizon set the security settings on its storage drive to public instead of private. After Verizon was notified, it still took over a week for the settings to be fixed. So, anyone with the public link could have accessed the data and attempted to gain access to the accounts. Criminals can sometimes use a PIN and mobile phone number, along with some social engineering, to gain access to your mobile account. Leaked phone numbers can also be sold to other criminals for smishing (SMS phishing) attacks.
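The Verizon incident came down to one storage setting left on "public", and the week it took to correct it is the kind of gap a routine audit would close. The following is an added example, not code from the original article or from Verizon or its vendor: it assumes the storage drive was an Amazon S3-style bucket (the article does not name the product) and audits a bucket's ACL and bucket policy for grants to everyone. The ACL and policy documents are constructed samples shaped like what boto3's get_bucket_acl and get_bucket_policy return; the "private" variants show the corrected settings beside the weak ones.

```python
import json

# Assumption: the vendor's storage was an S3-style object store. These two group
# URIs are the AWS "everyone" and "any AWS account" principals an ACL can grant to.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (permission, group URI) for every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grant.get("Permission"), grantee["URI"]))
    return findings


def _principal_is_public(principal):
    """True when a policy statement's Principal means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Split Allow statements with a wildcard principal into unconditional
    (definitely public) and conditional (needs human review) lists of Sids."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    unconditional, conditional = [], []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # A Condition (source IP, VPC endpoint, ...) may narrow the grant; do not
        # call it safe automatically, but do not call it public either.
        (conditional if stmt.get("Condition") else unconditional).append(sid)
    return unconditional, conditional


def audit_bucket(acl, policy_json):
    """Combine both checks into one verdict for a bucket."""
    acl_hits = public_acl_grants(acl)
    pol_hits, pol_review = public_policy_statements(policy_json)
    return {
        "acl_public_grants": acl_hits,
        "policy_public_sids": pol_hits,
        "policy_review_sids": pol_review,
        "is_public": bool(acl_hits or pol_hits),
    }


# Constructed samples. The "public" pair reproduces the weak setting; the
# "private" pair is the corrected configuration (owner-only ACL, policy scoped
# to a single role in the owning account).
ACL_PUBLIC = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
POLICY_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEveryoneRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::customer-exports",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}},
]})
ACL_PRIVATE = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
]}
POLICY_PRIVATE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ExportRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"},
]})

if __name__ == "__main__":
    for label, acl, pol in (("public", ACL_PUBLIC, POLICY_PUBLIC),
                            ("private", ACL_PRIVATE, POLICY_PRIVATE)):
        print(label, audit_bucket(acl, pol))
```

In a real deployment the two documents would come from the storage API on a schedule, and any bucket with `is_public` set would page someone the same day rather than a week later; the `policy_review_sids` list exists because a wildcard principal behind a Condition is not automatically safe and deserves a human look.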
In today’s environment, you should consider not only your own security but also the security practices of the recipient of your information (and their systems). Next time you send strategic information by email, consider sending it in a manner in which it remains encrypted while in the recipient’s inbox, keeping it private from prying eyes even at the recipient’s end and from the recipient’s email provider (such as Google).
The easiest way to send messages securely is to stick to email and use RMail® Registered Email™ services. Messages can be sent with encryption and can stay encrypted even after they reach the recipient’s inbox, requiring a password if the sender selects this option. Messages can be sent from a desktop, laptop or mobile device.