DAG could have mitigated this Data Breach
Back in 2014, a team of four hackers shook up the biggest bank in the U.S., and sixth biggest in the world. JP Morgan spends around 250 million dollars a year on security and has a team of 1000 people tasked with keeping their networks and data safe, but the hack still resulted in the theft of personally identifiable information (PII) of 76 million households, and 7 million small businesses. That’s twice the population of Canada. You might think that, given the efforts JP Morgan were making, they would be safe - and you’d be wrong. You might also think your organization couldn’t be the victim of a data breach. Guess what, wrong again. The real question is whether there is anything JP Morgan (or your organization) could do to prevent this besides spending more on security? The answer is yes. Data Access Governance or DAG as it’s often called is mostly overlooked but incredibly efficient when it comes to mitigating data breach damages.
A bit of background on this data breach
So, how did those four hackers find their way to sensitive information in a $250 million security maze? It all started on what we assume was a beautiful day in June. A JP Morgan Chase employee received an email, nothing atypical up to this point. But the problems started because that employee clicked a phishing link, which was part of the hackers’ nefarious plan. Malware infected the employee’s personal computer, and the hackers got hold of the employee’s credentials. This led a series of other steps unfolding until the breach was discovered a month and a half later, which left plenty of time for the information of 83 million households and small companies to be viewed, copied, and potentially used by unauthorized people.
What could have been different?
Well, a lot of things could have been done differently but the answer lies in mitigating the effects of the breach rather than adding one more layer of security.
Imagine a castle with really thick walls and scary security gargoyles so it’s rumored to be impenetrable. The only way for residents to get in is with their personal and very complex passwords. Once the password is uttered at the gate, it’s open and residents can access any room in the castle with no restrictions, whether it’s the latrines or the royal treasury. Anyone wanting the treasure basically just needs the password. And the password can be discovered through trickery, or by hiding in the bushes near the gate and eavesdropping.
What is implied here is that when security measures fail, no matter how good, the consequences will be terrible if users have access to most everything, as opposed to strictly what they need to do their job. So more user training and awareness could have prevented JP Morgan’s employee from clicking the link. But applying the principle of the least privilege (POLP) could have minimized the impact of the attack. (For more details on what could have been done to prevent this breach, read this SANS Institute Analysis). Least privilege is one of the core tenets of Data Access Governance. And DAG is the facet of Information Governance that deals with who gets access to what data and for how long.
The bottom line
JP Morgan Chase had and still has a very strong security program. Which goes to show that internal controls like DAG, are vital, but often overlooked because they can be complex to implement. Getting your users’ access rights and permissions in order is a complex project, and keeping them up-to-date is a long-term commitment. It’s definitely not as trendy as the newest security tech, but it works and in more situations than credential theft alone. It’s a very effective measure you can implement to minimize the devastating effects of a data breach.