I recently received an email from one of our customers asking, “My data from AT&T is now on the dark web. Suggestions?”.
A message for consumers:
If you’re an identity theft victim like me, you can imagine my quick and prolific response providing my advice. Also, as an AT&T customer myself, I received the same notice that was sent to 73 million AT&T current and prior customers. In short, AT&T’s notification highlighted that every sensitive data point needed by a malicious actor to target these impacted customers for identity theft “may have been included” in the breach. That implies there was enough evidence to force AT&T’s legal and communications teams to include that in the disclosure. So (allegedly) 73 million more SSNs, date of births, emails, mailing addresses & phone numbers are now available for use on the dark web.
If you have yet to experience identify theft first-hand, you should consider yourself lucky…so far. I’m not just talking about the risk that we all incur from our sensitive personal data floating around in the deepest, darkest places of the interwebs. I’m talking about hard credit applications for Mercedez and BMW purchases in other states hitting my personal credit. The process of remediating identity theft, which still gives me PTSD some six years later, is diabolical. I was extremely lucky that the family that purchased our previous home received the auto loan documents and reached out to me to let me know they received some of our mail. However, the months of extraordinary stress, frustration and hassle to clear up my credit still raises my blood pressure today.
I find it incredibly frustrating that these data breach events are so commonplace that we’ve become desensitized. I can count at least 3 data breach notifications that I have received over the past year, so I’m guessing the odds are that you’ve received at least one recently too. When I receive these now, I can at least sleep a little easier knowing that I have a credit monitoring service in place that will notify me of any credit applications. However, there are many types of identity theft to be mindful of that won’t simply show up on a credit report.
I encourage you to do your own research to understand the different fraud types and methods, and adopt proactive protective measures. If you’re involved in a data breach, most companies will compensate you with a free credit monitoring subscription for at least a year. Given the likelihood of a future data breach, it’s possible to have this service paid for into perpetuity without spending any of your own money. Let’s hope that’s not the case though!
A message for business leaders:
The person that reached out for advice is in fact the founder & owner of the company. As I was preparing my response, I contemplated the immense cost of this data breach to AT&T. This doesn’t just include the direct costs of remediation, legal fees, regulatory fines and preparing the notifications. This also includes indirect costs such as reputational damage, increased insurance premiums, the operational disruption, impact to employee morale and potential recruiting challenges. How many customers received the same notice that I received and considered that the “last straw” that sends them down the street to a competitor? Cyber security reports now that estimate the average cost of a data breach to be over $4 million USD. The cost is 2.5x higher in heavily regulated industries like healthcare and financial services.
I used this opportunity to remind our customer of the value the services that NOVO provides every day. Here’s a portion of my response:
“I do want to take this opportunity to reinforce our commitment to cyber security for [CUSTOMER]. One of NOVO’s core values centers on the reduction of cyber risk for you. If you consider the multitude of risks and associated impacts of a single data breach of [CUSTOMER]-managed data (interest owners, geo-technical, vendors, etc), the mitigation costs and reputational impacts would be significant. What’s more frightening is that studies show 40% of data breaches actually come from internal actors (employees/contractors).
You may assume that we’re just your “IT helpdesk”, but we actually spend most of our time managing and mitigating your cybersecurity risk. This is VERY different from our typical “IT Managed Services” competition who installs antivirus software on their customer computers and crosses their fingers that you don’t call their helpdesk. Here’s a quick graph that highlights the past rolling 3 months of our service work we performed for [CUSTOMER]. Of the nearly 500 incidents we worked, approximately 90% of our time was spent responding to or preventing cyber threats.”
Ultimately, the best approach for business leaders is to invest in strong cybersecurity measures and employee training to minimize the risks and costs associated with a data breach…and I’m proud to say that’s the service we provide to our customers.
NOVO has a track record of protecting our customers’ data through the implementation and management of Microsoft solutions that mitigate data exfiltration risks.
Cornerstones of protection include:
- Azure Information Protection enables data classification and labeling, ensuring sensitive data is recognized and handled securely.
- Microsoft Defender for Cloud provides advanced threat detection and alerts, helping identify suspicious activity within cloud and on-premises environments.
- Endpoint security through Microsoft Defender for Endpoint safeguards devices by identifying and isolating potential threats, while Microsoft Intune manages and secures devices across the organization, enforcing security policies and limiting data transfer.
- Microsoft Purview, with its data loss prevention (DLP) capabilities, monitors and controls the movement of sensitive data, preventing it from being shared inappropriately or leaving the organization’s control.