5 Cyber Security Mistakes That Led to the Dow Jones Security Breach

In early October, publisher and financial news and information firm Dow Jones & Company announced that it was apparently the latest victim of hackers trying to steal sensitive consumer information. In the case of Dow Jones & Company, it is believed that the hackers were out to get contact information that could be used for phishing scams. As soon as the company became aware of the breach, it issued a letter to its customers, which was also made public for anyone to read. How did this happen? More importantly, what can we learn from Dow Jones’s mistakes?

1. Insufficient Systems Monitoring

According to the letter to its customers, Dow Jones’s systems were breached on multiple occasions between August 2012 and July 2015. This, however, was determined by cyber security forensics specialists after the fact. The reality is, Dow Jones never found the intruders at all—they were only made aware of the breaches when law enforcement called their attention to it. Which brings us to Dow Jones’s second mistake ...

2. A General Unawareness of System Security

Modern data analytics is a powerful tool for setting a baseline for normal system or network activities and using that baseline to detect anomalies in traffic or data access that indicates a potential breach. When anomalies are detected, more advanced incident response techniques can be deployed to shut down the hackers’ access to the system. This didn’t happen at Dow Jones. The company and their customers could have been left vulnerable indefinitely if law enforcement agents hadn’t done their work for them.

3. Neglecting to Pay Attention to Similar Breaches in the Industry

It isn’t as if Dow Jones was hit out of the blue. Not only have the majority of businesses experienced a data breach at least once, but there have been recent reports of breaches in businesses similar to Dow Jones & Company that could indicate a widespread problem in that realm. Even if your systems don’t seem to be under attack, if others in your industry are having problems, your systems deserve a closer look.

4. Being Less Than Transparent About the Attack

As usual, the customer letter released by Dow Jones was woefully short on details. Though many would argue that giving out too much detailed information tells the general public too much about their security systems and too much about how to breach such a system, the other side of that coin is that more information can help other businesses stay safe. The fact is, hackers and would-be hackers get all the information they need and want from the dark web—they aren’t likely to learn anything in a mainstream news article or customer letter that gives them the edge on hacking systems.

5. Not Being Forthcoming in Providing Potential Victims With ID Protection

Dow Jones & Company has promised to send individuals who may have been affected by the breach (which was likely 3,500 or fewer people) a letter outlining what identity protection they plan to extend to them. This is likely to be too little, too late. Companies like Target and Home Depot are learning that the public’s memory when it comes to businesses who allow their private data to be compromised is indeed long and unforgiving.

Will Dow Jones suffer for these mistakes, or can they overcome? The future will tell, but in the meantime, you can get started with a better, more secure data storage solution today at Bigstep.