Lost, leaked or inaccessible company data is not always caused by cyberattacks. Cases of mislaid USB sticks, destructive noise and hardware failure prove that the causes of data loss are numerous.
No less than a third of all Swiss SMEs have been hit by cyberattacks. So says a 2017 study by the market and social research institute gfs-zürich, for which 300 CEOs of Swiss SMEs were surveyed and the results then extrapolated for the whole of Switzerland. The majority of companies wrongly believe that they are well protected from cyber threats. The risk of falling victim to a cyberattack or suffering data theft or data encryption, including extortion, is still considered to be low – as long as one is actually aware of the threat. The results of the study are undoubtedly worrying and other surveys indicate that the majority of Swiss SMEs have suffered cyberattacks. However, among all these warnings, one thing is easily forgotten – in companies, data is not lost only through viruses or Trojans. etc.
Our six examples show that the causes of data loss and leaks are varied – and the cause can even remain undetected.
1. London Heathrow Airport: fine issued as a result of lost USB stick
In London, close to Queen’s Park, an unemployed man found a USB stick lying in the street – containing ‘revealing’ information about Heathrow Airport. The unencrypted data disclosed the locations of surveillance cameras and escape routes, and the operating times of police patrols. Even the route taken by Queen Elizabeth to the airport and measures taken for her protection and that of high-ranking politicians were on the stick. The man gave the data carrier to the Sunday Mirror newspaper, which then forwarded it to the airport authorities. All security measures at the airport were reviewed as a result. The investigations discovered that a security instructor had compiled all the information on the stick and had then lost it on his way to work. His negligence proved costly for the airport operator – Heathrow Airport Limited paid a fine of GBP 120,000.
2. Security loopholes bring Yourtaxi to its knees
The Zurich start-up Yourtaxi, founded in 2017, was a serious competitor to Uber in Switzerland – but less than a year later, the business had ceased operating, all due to a gross data breach. As a result of security loopholes, sensitive data relating to thousands of customers could be accessed easily via the internet, or, with the use of a few tricks, via the smartphone app. The data included names, journey logs, phone numbers, email addresses and profile photos. The cause of the data leak: the app was programmed by the Indian company Moon Technolabs and was unencrypted, even though ID cards and account details for Yourtaxi drivers were stored within it. The security loopholes even allowed these to be changed. Some of the problems were fixed, but an update of the app failed to materialise. Shortly afterwards, the company disabled its service and shut down its website.
3. Radio 3Fach loses 16 years of broadcasting history
3Fach was forced to learn that even local radio is not immune from IT catastrophes. In 2014, the Lucerne youth radio station’s entire server system crashed, including the backup mirror server. The problem came to light when a song would only play in a loop and 3Fach employees could no longer access the drives. The host concerned tried to retrieve the data, but without success. It resulted in a huge loss of data – output from 16 years of broadcasting history, the membership list and a music library of 35,000 songs were all gone. ‘We are back at square one,’ 3Fach announced and transmitted in a slimmed-down form under the name ‘Absturz 3Fach’ (Crash 3Fach) for a while. What exactly had caused the server to crash could not be identified. At least 3Fach had saved some output on the online music service Soundcloud, so this was preserved for the station.
4. Digiplex: noise in the server room delays stock market trading
Even noise can trigger data mishaps – as the Swedish data centre operator Digiplex now knows. A loud sound emitted by the nozzles on an active gas extinguishing system destroyed numerous hard disks. The pressure waves caused by the noise deformed the hard disk housing, which in turn damaged the magnetic particles inside and the sensitive read and write heads. The hosted systems of the Nasdaq Nordic stock exchange platform were affected, as well as those of two Scandinavian banks. The outcome: the start of Nasdaq stock market trading in Sweden, Finland, Denmark, Iceland and the Baltic states was delayed by several hours until the backup system was booted up. As Nasdaq leases space in the data centre and not enough servers were available in Sweden to replace the old ones, the stock exchange had to have new hardware flown in.
5. Old people’s home gives in to cyberattack
Hackers don’t even spare old people’s homes – in 2017, the electronic data of the Regionales Alterszentrum Schöftland care centre was encrypted by an embedded Trojan and could therefore not be accessed. One bitcoin – then equivalent to about CHF 7,500 – was demanded by the extortionist for the decryption. Even though people are always advised not to give in to cyberattack demands, the care centre paid the amount. In comparison to the loss of data which the centre would have faced, payment of this sum seemed the lesser evil. No individuals were adversely affected as a result of the attack. And as the old people’s home had always backed up patient records manually on record cards, the business was not severely affected – even if a backup in the cloud would have been a more modern and practical solution.
6. UBS employee sells customer data
In 2012, a former UBS employee collected the data of 233 customers and sold it to the authorities of the German state of North-Rhine Westphalia for more than EUR 1 million. The banker allegedly searched for the beneficial owners of foundations and trusts – where the German authorities carried out house searches or investigations just a few months later. But it was discovered that some of the data concerned had only been accessed by the employee. When his house was searched, illegal ammunition was found and he also tried to destroy a SIM card that contained information about a house purchase in Spain. He sold the property exactly a year later – at a loss, which prompted suspicion of money laundering. The judgement was given on 21 January 2019, in the accused’s absence – 40 months in prison, a conditional fine of 270 daily rates of CHF 50 and a claim for damages of CHF 1.4 million. In addition, the defendant must pay court costs of around CHF 110,000. The judgement is not yet final.
Five strategies to avoid loss of data
1. Create backups according to the 3-2-1 rule: three copies using two storage media, with one copy kept off-site. With one backup stored outside the company, you ensure that your data is preserved even in the event of fire or theft. Cloud services are particularly suitable for this.
2. Specify responsibilities: to avoid misunderstandings, it should be clearly defined who in the company is responsible for the storage of data. This person is also the contact person for any queries or problems. By using authorisations, you can also restrict your employees’ usage rights.
3. Specify the frequency and timing of backups: they should be created at fixed intervals (hourly, daily, etc.), as is appropriate for your company. If data is generated every 10 minutes, then hourly backups are not very helpful. Conversely, creating too many backups incurs unnecessary cost and effort.
4. Encrypt any particularly sensitive data, especially if the backups are outsourced, to protect the data from being accessed by third parties.
5. Test your data backups regularly: a backup is no use if data restoration fails. Therefore, check the storage method, the functionality and the storage media itself. Practice an ‘emergency’, to see whether it is actually feasible to restore the data from your backups.