Sensitive data exposure
What is sensitive data exposure?
Sensitive data exposure refers to the accidental or deliberate disclosure of critical information such as personally identifiable information (PII), payment card information (PCI), electronic protected health information (ePHI), and intellectual property (IP). Organizations with inadequate data protection measures create vulnerabilities within the system, leading to sensitive data exposure.
What causes sensitive data exposure?
Regardless of whether the data is in storage or in transit, its exposure can always be traced back to one of the following root causes:
No encryption or weak encryptionApplications, NAS devices, database servers, and other repositories that are unencrypted or have weak encryption protocols are vulnerable to data exposure. In such cases, attackers can view vital information readily or crack the weak encryption in place easily.
Insecure passwordsWhen user credentials are stored as plain-text documents without being hashed and salted, they can be easily misused. Hashing and salting convert passwords to cipher texts that are difficult to decipher.
Unsecure webpagesWeb applications and cloud storage with misconfigured SSL/HTTPS security protocols can lead to data being uploaded or downloaded without any encryption. Such unencrypted data in transit can be easily intercepted and exposed.
Poor access controlsProviding excessive permissions to users who don't need them and a lack of visibility into who has access to what files, empowers users to access and share data without any accountability.
Misconfiguration errorsApplications' default permissions settings are meant for maximum usability, not security. When administrators fail to update the settings according to their data security requirements or miss security updates, it can lead to data exposure.
Sensitive data exposure examples
Yahoo! (2013)Over three billion users' personal data were exposed through a phishing scheme. However, poor security practices like storing security questions and answers without encryption were also given as reasons for the data breach.
Government of India (2018)Over one billion Indian citizens had their personal information, such as addresses, photos, phone numbers, and biometric data, exposed through Indane, the state-owned utility company's website. The database that was supposed to be accessed only by authorized dealers and distributors was misconfigured to allow public access, leading to the exposure.
Atlassian Jira (2019)Employees’ names, email addresses, and confidential details about internal projects across more than 100,000 organizations and government agencies were exposed due to an authorization misconfiguration in the Global Permission settings in the project management software Jira.
What is the impact of sensitive data exposure?
Failing to protect sensitive data can be crippling to most organizations. Listed below are the most common consequences.
- Loss of reputation
When an organization faces a data breach, its integrity is naturally thrown into question, and customers tend to lose faith. This may lead to a significant loss in the customer base and, in turn, revenue.
- Operational outage
Detecting and remediating data exposure vulnerabilities is costly, and when a data breach occurs, the organization's day-to-day activities essentially come to a halt until the issue is addressed. Such operational outages heavily affect the financial future of the organization.
- Compliance penalties
In addition to an organization's financial losses due to data breaches, they often must also pay hefty penalties and fines imposed by regulatory boards such as PCI DSS and the GDPR when they fail to protect sensitive personal data.
How to prevent sensitive data exposure
Organizations can prevent sensitive data exposure by undertaking the below-listed best practices:
- Enable sensitive data classification
Locate and classify files containing PII, PCI, or ePHI, based on their level of sensitivity and identify files that need elevated security measures. Analyze highly sensitive data at risk of exposure and implement controls to mitigate risks.
- Enforce access controls
Implement a role-based access control policy to ensure that the principle of least privilege is enforced. Such policies help ensure excessive permissions are not given to users automatically, and this minimizes the risk of unauthorized users accessing sensitive data.
- Encrypt personal data
Instead of storing user credentials and other sensitive personal data in plain-text documents, organizations must encrypt them so that the information can only be accessed by authorized individuals with proper decryption keys.
- Implement endpoint DLP
Endpoint devices like computers, mobile devices, external storage devices, etc., often serve as the potential entry point for cyberattacks. Organizations must always monitor endpoints to make sure sensitive data is not accessed, stored, or shared without proper authorization.
- Develop a data breach response plan
Starting from faster detection and response times to transparent disclosure of the breaches, having a predefined remediation plan helps mitigate the extent of data exposure.