Loyola University Chicago School of Law, JD 2018
In the last month, multiple large-scale data breaches were reported by various entities, with 3 breaches reported in the past week alone. Unfortunately, even the most well-known entities do not stand a chance against the increasing technological abilities of bad actors. Since the Equifax breach in early September, Whole Foods, Sonic, Deloitte and the Securities and Exchange Commission, among others, have had similar large-scale breaches affecting consumers across the country.
Securities and Exchange Commission
Luckily, the Securities and Exchange Commission’s (“SEC”) data breach did not affect millions of Americans like some of its predecessors. Although the breach was initially discovered in 2016, it was not until August 2017 that the SEC realized hackers had done more damage than initially thought. Originally, officials believed hackers retrieved no illegal data when infiltrating the EDGAR system, the SEC’s new system for companies to file earning reports and other financial information. However, during the testing phase of EDGAR, some companies used their actual financial data, unbeknownst to the SEC.
Unfortunately, because those companies did not use “dummy data,” as companies are supposed to, hackers gained access to protected company information. SEC officials only realized hackers had breached such protected company information when the SEC’s Enforcement Division detected suspicious patterns in trading. These suspicious trades always occurred right before a company’s large disclosure, prompting investigation. The SEC found that the illegal trading corresponded with the companies that used their actual financial information for EDGAR testing. As of now, the SEC insists that no personally identifiable information or SEC operations, in general, were compromised in this breach.
Deloitte, a leading multinational professional services firm, recently discovered a data breach that is particularly embarrassing for the entity. Although Gartner rated Deloitte the “best cybersecurity consultant in the world” in 2012, hackers breached Deloitte’s system after it failed to employ two-factor authentication. Once hackers uncovered one administrative password, they gained access to Deloitte’s entire email system, leaving Deloitte’s top clients vulnerable. Deloitte insists that the breach affected few of its clients, and it notified only six clients that sensitive information such as usernames and passwords, among other things, was obtained by hackers. While remaining diligent about the breach, Deloitte is keeping it heavily under wraps.
Sonic Drive-In suffered the worst of the recent data breaches. The fast food chain’s financial institutions started seeing fraudulent transactions on cards recently used at the restaurant. While it is unknown which of the chain’s nearly 3,600 locations were affected, reportedly millions of consumers’ payment data has been compromised. Furthermore, a security firm detected a “fire sale” on the dark web selling stolen information from millions of credit and debit cards to top bidders. With little information available about this massive breach, investigations are ongoing to determine exactly which Sonic locations were hit and how many consumers were actually affected by this breach.
On September 28, 2017, Whole Foods released a statement that the company had launched an investigation into unauthorized access of payment information. The grocery giant, recently acquired by Amazon, found the potential hack in its locations with taprooms and full-scale restaurants. Although the company does not yet know the full extent of the breach, it stated that most Whole Foods locations are likely not affected because the taprooms and restaurants use a different checkout payment system than the primary grocery side. Additionally, Whole Foods mentioned that the Amazon retail site also uses a different checkout payment system and is therefore also likely not affected by this breach.
How Can Consumers/Companies Protect Themselves?
Overall, both consumers and companies need to be more aware of self-protection when it comes to credit cards and other sensitive data. Companies can learn from the SEC breach to recheck the requirements and/or recommendations prior to releasing any type of personal company information, even to government entities. Future data breaches like that of the SEC are entirely preventable. Additionally, as consumers in times of increasing data breaches, we need to be more vigilant than ever about taking measures to protect our own data. Consistent monitoring of payment cards and reporting of suspicious activity is the best and easiest way to be proactive.