According to a recent report by IBM, the cost of data breaches and security incidents averages a staggering $3.86 million per occurrence. Just try and put that number into perspective - $3.86 million PER occurrence. It’s sobering! Let’s face the facts. Businesses are embracing the potential of cloud storage and it’s only going to grow. Yet, behind the conveniences of scalability and accessibility, lurk the shadows of data loss risk. In a world where data is the currency of trust, safeguarding it becomes paramount.
Here are 3 primary ways to lose your data in the cloud. For inspiration, we turned to the CIA triad—Confidentiality, Integrity, and Availability, which serves as the cornerstone model for shaping information security policies within any org.
Let's take a closer look at each of these risks and some real-world examples of each.
As business owners, when creating cloud environments, the ultimate mission is crystal clear - deliver uninterrupted service. When that lifeline falters, your business is malfunctioning. It's no different with data; accessibility is king. Lose that, and you're paralyzed - no new data, no processing of existing info, and your business model grinds to a standstill. Common types? Inadequate or nonexistent BCDR, corrupted backups, and network blockage.
Below are a few real-world examples of such risks that we encourage everyone to analyze and review lessons learned:
Type: Cloud Infrastructure Risk
Incident: Power outage causing extensive data loss
Example: Nov 2021 - AWS outage hit sites like Apple Music, Disney+, TikTok
Impact: Widespread data loss, user disruption
Type: Cloud Server Failure
Incident: Hardware failure causing data loss
Example: Mar 2020 - Google Cloud outage. Gmail, Google Drive, Google Meet inaccessible
Impact: Some customers lost critical files despite data restoration
Type: Data Leak
Incident: Hackers accessed and leaked sensitive data
Example: Jan 2023 - Aflac & Zurich Insurance Breach
Impact: Risk of identity theft, phishing, and financial fraud for affected customers, alongside reputation damage for the companies
Type: Data Exposure
Incident: Classified military emails were exposed online
Example: Feb 2023 - Sensitive US Military Emails Exposure
Impact: Severe national security risks due to exposed operational plans and confidential discussions
Type: Customer Data Leak
Incident: Misconfigured server led to customer data exposure, including personal information and payment details
Example: Feb 2023 - Cutout.pro data leakage
Impact: Customer privacy risks, potential identity theft, and reputational damage for the service provider
Keeping your environment safe is an ongoing battle against evolving threats, tech advancements, and sophisticated attack methods. To win this race, you must establish clear visibility, robust procedures, and strict controls for sensitive environments.
Common types of misconfigurations and human errors include orphan data repositories and backups, unrestricted access controls, inadequate delete protection, and subpar monitoring.
Below are a few real-world examples of such risks that can be easily identified and mitigated using cloud security tools:
Type: Misconfiguration and human error
Incident: Incorrect backup setup, data inaccessibility
Example: Jul 2020 - Microsoft leaks 38TB of private data via unsecured Azure storage
Impact: Personal information of MS employees publicly exposed
Type: Data store misconfiguration
Incident: Cloud setup misconfiguration leading to breaches
Example: Aug 2021 - LinkedIn breach due to cloud misconfig
Impact: Theft of 700M user records
Type: Inadequate access control settings
Incident: Poor access control leading to data theft
Example: Apr 2020 - Unauthorized Zoom video call access
Impact: Hackers got hold of 500,000 passwords
Type: PHI exposure
Incident: Misconfigured cloud storage exposed PHI for 6 years
Example: Nov 2022 - Mscripts Cloud Storage Misconfiguration
Impact: Compromised patient data, potential HIPAA violations, and reputation damage
Type: Data sharing
Incident: The US no-fly list was shared on a hacking forum, raising concerns of security breach
Example: Jan 2023 - TSA no-fly list shared on a hacking forum
Impact: Compromised national security, public panic, and the need for an urgent investigation by government agencies
Data security is one pillar of an organization's security posture. Attackers typically hone in on sensitive data as their prized target. In the face of incidents, pinpointing exposed data and its security safeguards is pivotal for assessing impact and safeguarding against exposure.
Common types of security gaps are security gaps, like weak encryption, unpatched vulnerabilities, unrecoverable data stores, and excessive access privileges.
Below are a few real-world examples of such risks that we recommend to review and create periodic review procedures to identify similar risks:
Type: Inadequate security controls
Incident: Poor security causing breaches
Example: Jul 2021 - Kaseya breach due to vulnerability
Impact: Downtime, financial loss for Kaseya's customers
Type: Insufficient data backup
Incident: Inadequate backup leading to data loss
Example: 2021 - Fastly outage affected Amazon, Reddit, NY Times
Impact: Websites lost data due to poor procedures
Type: Loss / theft of data
Incident: Physical theft or deletion
Example: 2021 - T-Mobile breach, cybercriminal access
Impact: 50M customers' PII exposed
Type: Data breach
Incident: Exposed Elasticsearch server that was not protected with a password
Example: Jan 2021: TruthFinder & Instant Checkmate confirm gata breach affecting 20M
Impact: Hackers leaked a 2019 backup database containing personal info including name, email, telephone number in some instances, as well as securely encrypted passwords and expired and inactive password reset tokens
Type: Data theft
Incident: Unauthorized access to the API and query it for customer data.
Example: Nov 2022 - T-Mobile API Data Breach
Impact: 37 million records stolen including SSNs and names, increases risk of identity theft, scams, and fraud for the affected users
To avoid these risks, it's important to take proactive steps to protect your cloud data. By implementing the right data protection strategies and utilizing a trusted data protection solution, you can keep your cloud data secure and avoid the frustration and cost of data loss. Without the appropriate tools to protect cloud data, businesses may prioritize business needs over security concerns or spend significant efforts implementing scattered point solutions and manual processes.
At Eureka Security, we're your ally on this journey of securing sensitive data in the cloud.
Delivering cloud data security to companies is what Eureka Security is all about. If you store sensitive data in the cloud (any cloud!) Our DSPM solution will help your security team understand where data is, whether it’s sensitive and what type of data it is, learn who and what can access it, and keep it continuously secure. Our SaaS platform is easy-to-deploy and can be spun up in minutes for value and actionability on day one.