A major data leak in the US has exposed sensitive political data on over 198 million US citizens after a firm contracted by the Republican National Committee stored files on a public Amazon server.
The leaked data contains highly sensitive personal information on approximately 61% of the US population. The information includes home addresses, birth dates, phone numbers and individuals' positions on controversial issues such as gun control. The data sets also contain suspected religious affiliation and ethnicity.
This type of data can easily be used for nefarious purposes, from identity fraud to harassment or intimidation of people who hold an opposing political view. Worst of all, if the bad guys have got hold of this data, they can craft highly personalised phishing attacks that look entirely legitimate.
It also appears that the data had been available online for 12 days before it was discovered, giving the bad guys ample time to get their hands on it.
While it’s unclear what repercussions this will have for the Republican National Committee and the firm it contracted, a leak of this magnitude reminds us to always be vigilant with our data and of the responsibilities business owners have in protecting our personal details.
With the Mandatory Notification Laws set to come into effect in Australia soon, a data breach of this magnitude would have major consequences, both financial and reputational. An organisation deemed not to have complied with the notification requirements can be fined up to $340,000 for an individual and $1.7 million for a company.
Can you prevent data leaks?
You should take a proactive approach to cyber risk: conduct regular security health checks of where and how your data is stored and secured, which applications are in use within the network, and who has access to which areas of the network.
Training programs around cyber risk should be implemented, with particular attention given to training employees to identify cyber-attacks and protect their organisation from them.
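Health checks of where data is stored and who can reach it can be automated. The leak above came from a publicly accessible Amazon server, taken here to be an S3 bucket, and the following added example (not code from the original article or from anyone involved in the incident) inspects the three bucket settings that decide public exposure: the ACL grants, the bucket policy and the Block Public Access configuration. The inputs use the dictionary shapes that boto3's get_bucket_acl, get_bucket_policy and get_public_access_block return, but the two sample buckets are constructed inline so the check runs with no AWS credentials; the function names and the bucket name voter-files-demo are assumptions.

```python
"""Offline check of Amazon S3 bucket settings for public exposure.

Added example, not from the original article. Inputs follow the shapes
returned by boto3's get_bucket_acl (the 'Grants' list), get_bucket_policy
(the 'Policy' JSON string) and get_public_access_block (the
'PublicAccessBlockConfiguration' dict). Sample buckets are constructed.
"""
import json

# Pre-defined S3 group grantees that make an ACL grant public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_acl_grants(grants):
    """(group, permission) pairs granted to AllUsers / AuthenticatedUsers."""
    found = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def public_policy_sids(policy_json):
    """Sids of Allow statements with a wildcard principal and no Condition."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow"
            and principal_is_wildcard(s.get("Principal"))
            and not s.get("Condition")]


def audit_bucket(name, grants, policy_json, pab):
    """Return human-readable findings; an empty list means nothing public."""
    # With all four Block Public Access settings on, public ACLs are ignored and
    # public policies are neutralised, so a finding is latent rather than live.
    blocked = all(pab.get(k) is True for k in PAB_KEYS)
    status = "LATENT (Block Public Access on)" if blocked else "EXPOSED"
    findings = [f"{status} {name}: ACL grants {perm} to {group}"
                for group, perm in public_acl_grants(grants)]
    findings += [f"{status} {name}: policy statement '{sid}' allows principal '*' unconditionally"
                 for sid in public_policy_sids(policy_json)]
    return findings


# Constructed sample: the misconfiguration pattern that exposes a bucket to everyone.
LEAKY_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::voter-files-demo/*"}]})
LEAKY_PAB = dict.fromkeys(PAB_KEYS, False)

# Constructed sample: the same bucket hardened (owner-only ACL, no policy, BPA on).
SAFE_GRANTS = LEAKY_GRANTS[:1]
SAFE_POLICY = None
SAFE_PAB = dict.fromkeys(PAB_KEYS, True)

if __name__ == "__main__":
    for args in (("voter-files-demo", LEAKY_GRANTS, LEAKY_POLICY, LEAKY_PAB),
                 ("voter-files-demo", SAFE_GRANTS, SAFE_POLICY, SAFE_PAB)):
        print(audit_bucket(*args) or [f"OK {args[0]}: no public access found"])
```

Against real buckets, feed audit_bucket the values from the three boto3 calls for every bucket in the account and run it on a schedule; the LATENT status matters because a bucket that only looks safe thanks to Block Public Access becomes exposed the moment someone relaxes that setting, so the underlying ACL grant or policy statement should still be removed.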
How do you respond?
You must respond swiftly in the event of a breach. A well-documented business continuity and disaster recovery plan, tested annually, should be in place and understood by the key members of the business who are required to act at the time of an incident.
A cyber insurance policy should also be in place and form part of your overall insurance programme. The first-party cover within a cyber policy is proactive in nature: the costs of responding to an eligible data breach are met through a panel of expert vendors arranged by the insurer. Such costs include notification-related expenses such as legal costs, forensic IT costs, public relations costs and credit monitoring.