Organizations keep making data protection mistakes—what this means for you

Data servers with colourful wires inside a meshed metal cupboard
(Image credit: Unsplash/Taylor Vick)

In this digital age, it’s no surprise that companies choose to store the large amount of data they process in a digital, rather than physical, format.

Cloud storage is an incredibly convenient data storage solution, however it can also come with some downsides. One of the biggest issues is that if a cloud server is misconfigured, the data within it can be accessed and stolen by hackers.

Likewise, while software is responsible for making sure daily processes continue, unpatched software vulnerabilities can open businesses up to hacks, leaks and data breaches. In fact, in 2019 Bitdefender found that 60 percent of data breaches that year involved unpatched software vulnerabilities.

This article explores the true dangers of software vulnerabilities and misconfigured cloud servers, the devastating impacts these issues can have, and how you can protect your personal data.

Government data leaks

Government agencies handle some of the most sensitive data in the world, and a large amount of it. With this in mind, you would think that the protection of this data is of the highest priority, with any potential weak spots resolved before they can be exploited by hackers.

Unfortunately, this is not always the case.

In September 2023, UK election watchdog the Electoral Commission revealed that it had been the victim of a cyber attack that lasted over a year, from August 2021 to October 2022. 

The hackers had gained access to the Electoral Commission’s servers, allowing them to view the watchdog’s email correspondence and potentially giving them access to the 40 million registered voters names and addresses. It has not yet been made public how the hackers gained access to the Electoral Commission’s servers.

It was later revealed that the Electoral Commission received an automatic fail when attempting to achieve its Cyber Essentials certificate in August 2021, the same month the hackers gained access to the organization’s servers. This failure was partially due to more than 200 staff devices using outdated, and therefore potentially insecure, software. This included staff using iPhone models that were no longer receiving security updates. The Cyber Essentials audit is a voluntary qualification that is used by organizations to demonstrate that they are cyber secure.

A similar leak in the US was made public in June 2023. The US Patent and Trademark Office (USPTO) revealed that it had been the victim of a data leak that saw the private addresses of over 61,000 applicants accessed by hackers during this time.

The data leak was caused by an error in one of the USPTO’s application planning interfaces (APIs). APIs allow two pieces of software to communicate with each other, which meant that the error was in the apps used by USPTO staff and those who had filed for patents to check the status of trademark applications. 

The USPTO made a statement about the data breach, which included the fact that the organization did not believe the information had been used by cybercriminals. 

The data governments and critical infrastructure providers hold is incredibly valuable, not only to hackers but to those who the data belongs to. If these institutions suffer data breaches, it may cause citizens to lose confidence in them, as they trust these organizations to take care of their data. It’s clear to me that in order to be worthy of people’s trust and confidence, government and critical infrastructure organizations should focus on protecting this precious data.

Business data leaks

Businesses can also run afoul of these large-scale data leaks. By not keeping on top of their data security or software patching, they open themselves up to data breaches and leaks. This can be especially impactful for businesses that carry a large amount of sensitive information.

If this information is leaked, this has a number of ramifications for the business. For one, its reputation is impacted—not only because it makes it appear as though the brand does not care about their customers’ data, potentially causing customers to switch to a competitor, but also because it makes the business look neglectful and/or negligent in general.

One prominent example of this was a data leak suffered by ENC Security, an encryption provider that provided service for a number of companies including tech company Sony

It was discovered in November 2022 that a server at ENC Security, which contained data used to authenticate users’ identities such as API keys, simple mail transfer protocols (SMTP), hash-based message authentication codes (HMAC) and various access keys.

The information stored in the server had been leaking from May 21, 2021 until November 9, 2022. ENC Security later confirmed that the leak had been caused by a configuration error with a third-party supplier.

This leak was dangerous for a number of reasons, especially because the data contained in the server was so valuable. If cybercriminals had found the leak, they could have used the data held within the servers to commit a number of cyber crimes, including spreading ransomware or attempting to launching phishing campaigns against those who had personally identifying information stored in the server.

Data breaches and leaks can have a number of consequences for businesses, from losing customers to having to temporarily shut down operations to deal with hackers. No matter what, data breaches and leaks can lead to lost revenue, with the average loss caused by a data breach reaching US$9.48m in 2023. With the financial ramifications so high, businesses cannot afford to not look after their customers’ data.

Data leaks from third-parties

Many companies outsource their data processing and storage to third-party providers. While this can work well for companies in terms of saving both time and money, it can open them up to data leaks caused by these third parties having misconfigured software that leads to data leaks.

One of the most notorious examples of the risks posed by third-party data leaks is the MOVEit series of data breaches. On May 31 2023, a vulnerability in software company Progress Software’s MOVEit file transfer app was discovered. While a patch was released for the vulnerability on the same day, by June 1 evidence that the vulnerability had been exploited by cybercriminals to gain access to some MOVEit customer environments was revealed. This exploitation led to a number of large-scale data breaches. Data from both companies that used MOVEit directly, as well as other companies who employed the services of organizations that also used MOVEit (for example Ernst & Young (EY), an accounting firm and professional services network) was leaked.

The data was posted online by ransomware gang Cl0p, who claimed responsibility for the series of leaks. As of the time of writing, 2611 organizations and between 85.1-89.9 million individuals have had their data leaked due to the MOVEit software vulnerability exploitation.

This cyber attack demonstrates the importance of data protection and making sure that software vulnerabilities are kept on top of and patched swiftly. The far-reaching consequences, and the third- and fourth-party data breaches caused by a single software vulnerability, serve as a crucial reminder of why it is so important that companies that host data protect it properly.

How to tell if your data has been exposed in a leak

 

If your data is exposed in a data breach, this can have some nasty ramifications. From an increased risk of cyber attacks like phishing to having your identity stolen, having your data exposed is dangerous and should be treated seriously.

After a data breach, companies and organization should notify you to let you know that your data has been compromised. This does not always happen with the speed victims would like, however. It may even be the case that companies themselves do not discover the extent of the data leak for months or even years after the breach. In this case, there are other ways to discover whether your data has been exposed in a data leak.

HaveIBeenPwned.com is a free resource that allows you to see what, if any, of your data has been leaked. While it won’t tell you how this data was exposed, it will give you a good idea of how cybercriminals may try to target you, so you are prepared in case phishing attempts do start to come your way.

Speaking of phishing, another way to tell if your data has been exposed or sold recently is if you see a sudden influx of phishing attempts, whether this is by email, phone call or text message. Again, this won’t tell you how your data has been exposed but it will give you a reason to be on your guard.

Thankfully, there are ways for you to better protect your personal information, including:

Recent updates

This article has been updated to add more information and clarification about the MOVEit software vulnerability and related data breaches.

Olivia Powell
Commissioning Editor for Tech Software

Olivia joined TechRadar in October 2023 as part of the core Future Tech Software team, and is the Commissioning Editor for Tech Software. With a background in cybersecurity, Olivia stays up-to-date with all things cyber and creates content across sites including TechRadar Pro, TechRadar, Tom’s Guide, iMore, Windows Central, PC Gamer and Games Radar. She is particularly interested in threat intelligence, detection and response, data security, fraud prevention and the ever-evolving threat landscape.