Organizations collect massive amounts of sensitive information, and the rash of recent data breaches has demonstrated that many do not know how to protect this collected personal data adequately. As a result, calls for increased data security protections have arisen as consumers and governments try to hold organizations accountable for protecting the data entrusted to them.
However, providing the necessary level of protection may be more difficult for organizations than would be expected. Most organizations acknowledge the need to modify their own internal data collection and processing habits and to improve their cybersecurity to comply with the requirements of new regulations. Recent research has demonstrated that this may not be enough as even trusted enterprise software has been detected performing unauthorized exfiltration of data outside the company network.
The Need for Data Security
The call for organizations to improve how they protect sensitive data is coming from all directions. Consumers and governments have both taken steps or expressed their support for increased protection of customer personal data.
The Consumer Reaction
As the number of breaches of users’ personal data has grown, it has had a significant negative impact on consumers’ willingness to do business with a breached company. In some cases, consumers don’t have a choice of whether or not their sensitive data is sent to a breached company, similar to how Equifax is sent credit data from all major card providers.
However, when a consumer has a choice, many will leave a company that has failed to protect their sensitive data adequately. In fact, a 2017 survey found that 70% of customers claimed that they would stop doing business with an organization after a data breach. While the failure of the #deletefacebook movement and negligible impacts on other companies demonstrate that this is probably not the case, companies can expect to lose at least some customers and revenue post-breach.
The wave of high-profile data breaches in recent years has also prompted several governments to take action to help protect the privacy of their citizens’ personal data. Recently passed data protection regulations include the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and a variety of less famous regulations passed in specific US states and other countries.
While many countries already had some form of data protection regulation in place, the new laws have taken these to the next level. The GDPR is especially notable for expanding the definition of personal data, for changing the rules of the game by forcing businesses to move from “opt-out” to “opt-in” for data collection and processing, and for imposing much larger fines for non-compliance.
Data Leaks in Enterprise Software
As a result of pressure from consumers and governments alike, companies have been working hard to improve how they protect their customers’ personal data. In the months leading up to (and after) GDPR coming into effect, there was a mass scramble to implement protections that would make an organization compliant with the new regulations. While regulators were relatively lenient in levying fines against organizations for the first year after GDPR came into effect, the announcement of intended fines for organizations like British Airways and Marriott in 2019 demonstrated that they intend to enforce the new regulation.
However, protecting against leaks of sensitive data is more complicated than most organizations expected. Changing internal protections and beefing up cybersecurity defenses to protect against attack are logical steps, but recent research has demonstrated that even trusted enterprise software may pose a threat to an organization’s GDPR compliance.
A security advisory released by ExtraHop in July 2019 drew organizations’ attention to the fact that some enterprise software was “phoning home” information to its manufacturer without the owner’s knowledge or consent. While ExtraHop did not reveal the identity of the companies or software in question, they did state that this trusted software was found to:
- Send encrypted data to a public cloud instance after the end of a trial period
- Send data to the cloud without authorization
- Forward data to a Chinese IP address known to host malware
- Send data (over 1 TB) from US customers to a UK server
While all of these actions, with the possible exception of the third, could be legitimate parts of the software’s core business model, the fact that they occur without the owner’s knowledge or consent is potentially a serious issue. Without visibility into the exfiltrated data, an organization could be leaking customers’ personally identifiable information (PII) and violating data privacy regulations without even knowing it.
Securing Your Data
The exfiltration of information from a company network without consent or knowledge can be a serious issue regardless of the information being sent. However, the problem becomes much more significant if the information contains customer PII, which could put an organization in violation of GDPR and other data privacy regulations.
While research into these unauthorized data flows is definitely necessary, trying to find and fix these issues after the fact amounts to too little, too late. By the time an organization determines that a data leak contains PII, the sensitive data is already outside the organization’s control.
Dealing with this type of issue requires the deployment of a strong data security solution. By detecting repositories of potentially sensitive data and monitoring and controlling access to them, such a solution can ensure that even trusted applications like this enterprise software can’t collect and exfiltrate sensitive data without detection.
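As an added illustration (not code from the article or from the ExtraHop advisory), the following Python example shows how an organization could flag the four behaviours listed earlier, and the unmonitored access this section warns about, in its own outbound flow records. The flow records, per-application egress policy, trial end dates and threat list are constructed placeholders, not real values.

```python
from datetime import date

# Constructed sample egress flow records: one outbound connection per record
# from a host running a "trusted" enterprise application.
FLOWS = [
    {"id": 1, "app": "crm", "dst": "203.0.113.10", "dst_region": "US", "bytes": 5_000, "day": date(2019, 6, 1)},
    {"id": 2, "app": "crm", "dst": "203.0.113.10", "dst_region": "US", "bytes": 8_000, "day": date(2019, 8, 15)},
    {"id": 3, "app": "crm", "dst": "198.51.100.7", "dst_region": "EU", "bytes": 12_000, "day": date(2019, 6, 3)},
    {"id": 4, "app": "backup", "dst": "192.0.2.44", "dst_region": "UK", "bytes": 1_200_000_000_000, "day": date(2019, 6, 4)},
    {"id": 5, "app": "backup", "dst": "192.0.2.45", "dst_region": "US", "bytes": 3_000, "day": date(2019, 6, 5)},
]

# Constructed policy: approved destinations, home region, vendor trial end date
# (None if the licence is permanent) and the expected per-flow byte baseline.
POLICY = {
    "crm": {"allowed_dst": {"203.0.113.10"}, "home_region": "US", "trial_end": date(2019, 7, 1), "max_bytes": 50_000},
    "backup": {"allowed_dst": {"192.0.2.44", "192.0.2.45"}, "home_region": "US", "trial_end": None, "max_bytes": 10_000_000},
}
# Constructed stand-in for a threat-intelligence list of known-bad addresses.
BAD_IPS = {"198.51.100.7"}


def flag_unexpected_egress(flows, policy, bad_ips):
    """Return {flow_id: [reasons]} for every flow that breaks the app's egress policy."""
    findings = {}
    for f in flows:
        rules = policy.get(f["app"])
        reasons = []
        if rules is None:
            reasons.append("unknown app")          # software nobody inventoried
        else:
            if f["dst"] not in rules["allowed_dst"]:
                reasons.append("destination not approved")   # unauthorized cloud upload
            if rules["trial_end"] and f["day"] > rules["trial_end"]:
                reasons.append("egress after trial ended")   # still phoning home post-trial
            if f["dst_region"] != rules["home_region"]:
                reasons.append("cross-region transfer")      # e.g. US customer data to the UK
            if f["bytes"] > rules["max_bytes"]:
                reasons.append("volume above baseline")      # terabyte-scale transfer
        if f["dst"] in bad_ips:
            reasons.append("destination on threat list")     # address known to host malware
        if reasons:
            findings[f["id"]] = reasons
    return findings


if __name__ == "__main__":
    for flow_id, why in flag_unexpected_egress(FLOWS, POLICY, BAD_IPS).items():
        print(f"flow {flow_id}: {', '.join(why)}")
```

In practice the policy and baseline would come from a data inventory and observed traffic rather than hand-written dictionaries, but the checks stay the same.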