What you can learn from the Marriott and Yahoo data breaches

It seems like a day doesn’t go by without news breaking of another data breach plaguing another company. A recent news story reported that data was stolen from up to 500 million guests who made reservations at Marriott’s Starwood properties. Cybersecurity experts claim that during a smaller 2015 breach, Marriott should have noticed unauthorized access to the Starwood network that had been there since 2014.

It’s hard not to be shocked by the number of people affected in breaches like this one. Thankfully, those numbers and news stories offer more than just shock value. They also offer valuable lessons to consider as you work to protect your company’s and your customers’ data. In the case of the Marriott data breach, the lesson to be learned is that data breaches should not go undetected for four years.

As big as the Marriott data breach is, it’s not the biggest ever. The largest data breach to date occurred when 3 billion Yahoo user accounts were breached in 2013. That ginormous number (which just so happens to also be the number of all existing Yahoo user accounts at that time) was not disclosed until three years later, in October 2017. User names and email addresses were stolen, but passwords were not. The lesson here is not to wait three years, or even three months, to notify your stakeholders of a data breach.

Keep these lessons in mind when your company contemplates its risk for a data breach. Let’s face it, most if not all companies should anticipate the risk of a data breach. Also keep in mind that the risk of a data breach occurring starts as soon as data is stored and lasts as long as that data sticks around. Usually companies focus on keeping their data safe while they’re using it but, once they no longer need the data, they forget about keeping it safe. Just because you’re not actively using information, doesn’t mean you’re off the hook to keep it protected. That’s why it’s very important that if you no longer need data, you completely destroy it.

Simply deleting files from hard drives does not erase data; it only removes the file name from the file directory. Any data—including personally identifiable information and protected health information—is still very much recoverable. Physical destruction is the most secure and only sure-fire way to completely remove data. It’s one area where you most likely need professional help. Stevens & Stevens’ verifiable hard drive destruction services offer a secure and complete method for the disposal of your organization’s hard drives. No matter the media format, our destruction method leaves behind an unreadable pile of debris. Learn more here.