Gary Palgon
Vice President, Product Management
nuBridges
Gone are the days when hackers broke into companies simply as a challenge, to prove they could do it. More fashionable in recent years has been to steal credit card numbers and other personally identifiable information (PII) so that it could be resold on the black market. And now for the next wave: stealing the data so that it can be resold or ransomed back to its rightful owners!
As Dan Kaplan of SC Magazine reported on May 5th, “Hackers seek payment after break-in on state health care site.” Cyber-thieves did just that, demanding $10 million to return patient data to Virginia’s Department of Health.
This isn’t the first time it’s happened and surely it won’t be the last.
I can think of a couple of ways to deal with it. One is to take out insurance in case it happens (assuming someone is willing to write you a policy). The other is to follow the approach that the Payment Card Industry Data Security Standard (PCI DSS) and many regulatory laws, such as the state breach notification laws, point to: render the data useless if it ends up in the wrong hands. In other words, get rid of it if you don’t need it, encrypt it if you do, and hash or tokenize it if you don’t need the original values all of the time but can work with “surrogate data.” Data the thief cannot read is worth nothing to resell, and under most of the state breach notification laws the loss of properly encrypted data does not even trigger a notification. One caveat: none of this helps if the thief also destroys your only copy and offers to sell it back, so tested, offline backups belong on the list as well.
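To make the “surrogate data” option concrete, here is an added example (not code from this article or from nuBridges) showing the two surrogate techniques named above for a card number: a keyed one-way hash, and vault-backed tokenization that hands applications a random, format-preserving token while the real PAN lives only in the vault. The Vault class, its in-memory storage, the key handling and the token format are this example’s own assumptions; a production vault would be an encrypted store in its own network zone with the key in an HSM.

```python
"""Surrogate-data demo: keyed hashing and vault-backed tokenization of a
card number (PAN).  Added example; the Vault class, the in-memory store,
the key handling and the token format are assumptions of this example."""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; also lets us force tokens to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def hash_pan(pan: str, key: bytes) -> str:
    """One-way surrogate: HMAC-SHA256 under a secret key.

    A plain, unkeyed SHA-256 of a PAN is not enough: the real keyspace
    (known BIN ranges plus the Luhn constraint) is small enough to exhaust,
    so an attacker with the hashes can brute-force them back to card numbers.
    With the key stored away from the database, the hash still supports
    equality matching (duplicate and fraud lookups) but cannot be inverted."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class Vault:
    """Token vault: the only place the real PAN lives.

    Applications keep only the token.  A breach of the application database
    yields random digits; a thief needs the vault AND its key to get PANs."""

    def __init__(self, key: bytes):
        self._key = key
        self._by_token: dict[str, str] = {}       # token -> PAN (assumed encrypted at rest)
        self._by_pan_hash: dict[str, str] = {}    # keyed hash of PAN -> token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        lookup = hash_pan(pan, self._key)          # index without storing the PAN in clear
        if lookup in self._by_pan_hash:            # same PAN always maps to the same token
            return self._by_pan_hash[lookup]
        token = self._new_token(pan)
        while token in self._by_token:             # vanishingly rare, but handle collisions
            token = self._new_token(pan)
        self._by_token[token] = pan
        self._by_pan_hash[lookup] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the few systems that truly need the PAN (e.g. settlement) may call this."""
        return self._by_token[token]

    @staticmethod
    def _new_token(pan: str) -> str:
        """Format-preserving surrogate: same length and last four digits kept, so
        receipts and customer service still work; everything else is random.
        The token is forced to FAIL the Luhn check so it can never be mistaken
        for, or collide with, a real card number (a design choice of this example)."""
        body_len = len(pan) - 4
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(body_len))
            token = body + pan[-4:]
            if not luhn_valid(token):
                return token


if __name__ == "__main__":
    # Constructed demo input: the well-known Visa test number, not a real card.
    vault = Vault(key=b"demo-key-would-live-in-an-hsm")
    tok = vault.tokenize("4111111111111111")
    print("token for app database :", tok)
    print("keyed hash for matching:", hash_pan("4111111111111111", vault._key)[:16], "...")
    print("vault lookup           :", vault.detokenize(tok))
```

The split matters operationally: the application tier sees only tokens and keyed hashes, so a dump of its database is “useless if it ends up in the wrong hands,” while the vault and its key are the one asset that still needs strong controls.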
Do you have other suggestions?