There is No Such Thing as a Minor Data Breach

After suffering a data breach that yielded customer names, physical addresses, and product ordering history, computer company Dell sent out a customer notice that said that no financial or highly sensitive information was obtained and that Dell believed there was “not a significant risk” for customers.

In an article on the TechRadar website, Dirk Schrader, a resident CISO and VP of Security Research at cybersecurity company Netwrix, takes issue with that conclusion. 

Enterprising cybercriminals, he writes, “have proven adept at leveraging seemingly innocuous data to orchestrate more extensive attacks or combine it with other compromised information for nefarious purposes.” 

There are numerous ways to make hay out of this kind of information, according to Schrader, Even relatively innocuous data is potentially valuable for cross-referencing, but, more specifically, the type of data in this case could be used for something like sending out fake “special offers” to old customers, including, for example, a QR code they could use to extend a warranty. 

The type of hack suffered in this case is called “data scraping.” Schrader notes that whether or not it eventually gets used by criminals, it may subject the target organization to penalties based on compliance mandates like HIPAA or the EU general data protection regulation.

Even if no compliance violations are forthcoming, there surely will be reputation damage, and with it possibly serious financial consequences.  

“Regardless of how a data compromise unfolds, data theft is data theft, and the damage is real,” Schrader concludes. “Accordingly, organizations need to have a resilient cybersecurity architecture and a robust incident response plan in place. Being able to mitigate the likelihood and impact of a breach and ensure fast recovery will pay major dividends down the road.”