To: Reader

From: Andrew Ta, Chase Reed

Date: 12/1/18
Letter of Transmittal

Hello there! So, you have asked for a detailed report on data breaches in society today.
This report demonstrates just that. Filled with information from several reliable sources,
this report allows you to find out what really is the problem with data breaches, why they
are relevant in today’s networking and electronic based society, and why we as a
society should be aware of the occurrences of this type.

As you have been aware, in the world today, there are many dangers surrounding the
topic of a data breach. This report touches on the history of the problem and constructs
a plan to cease the damage that a data breach may cause to a company as well as
trying to prevent a data breach from happening once and for all.

With all the sources gathered through many hours of research, we hope you would find
some of the information fascinating and insightful in order to counter the sustaining fear
of a data breach happening right before your eyes and your company. However, don’t
be afraid. Data breaches have been going on since the early 2000s and will keep going
on for years to come. However, this report will show you effective ways to ultimately
prevent data breaches from happening frequently.

We wish the best in your quest of overcoming data breaches. Good luck!

Sincerely,
Andrew Ta
Chase Reed

1
 Hacker Alert! - The Ultimate Plan to
Prevent Data Breaches

By: Andrew Ta, Chase Reed

Recipient: Charlene J. Keeler

800 N State College Blvd, Fullerton, CA 92831

CPSC 311

12/1/18

TABLE OF CONTENTS

2
Executive Summary……………………………………………………………………………………..4

Introduction…………………………………………………………………………………………….....5

History of Data Breaches………………………………………………………………………………..7

Long and Short Term Goals of the Industry…………………………………………………………...8

Previous Attempts to Solve Data Breaches……………………………………………………….......9

Possible Solutions with Pros and Cons……………………………………………………………….10

Course of Action…………………………………………………………………………………………10

Conclusion……………………………………………………………………………………………….11

References……………………………………………………………………………………………….12

EXECUTIVE SUMMARY

Due to the innovations of computer based technology in the world today, people
are more likely to transfer or share files within groups of people such as employers,

3
managers, or even friends and family. Due to the high demand of being able to share
files among others, data breaches have been shown to become a threat in society’s
landscape and the world overall.
Started through just simple file transfers, data breaches have been a detriment to
the computer science world since many companies today are suffering from the loss of
records and data that could put the company’s relevancy in danger. Companies such as
Facebook and Equifax suffered from these attacks, angering many consumers and
leaving them in shock and disbelief that their identity has now been stolen.
However, the industry today is not just letting these data breaches happen and
not do anything about it. Instead, we have come up with some goals in order to limit
these attacks from happening. One of our short term goals could be to try to strengthen
security and protect sensitive data while one of our long term goals is to limit the
number of data breaches over time.
Some previous attempts to try to contain data breaches are the passing of many
bills such as the Data Security and Data Breach Notification Act, which is supposed to
help reduce cyber crime and to protect vulnerable information from criminals.
Some solutions that we had come up with could be: doing monthly password
changes, increased training of employees regarding security and breach prevention,
and quarterly security evaluations. These solutions all have their pros and cons such as
the monthly password changes could offer more security and could resist attackers, but
it will be hard to keep track of all the password changes that have been made through
the whole year.
Our course of action to overcome these attacks is quite simple. We want to first
give employees a training section regarding the dangers of data breaches. We believe
this changes the culture to a more security based, so over time, it would eventually limit
mistakes, especially careless ones. Then, we want to hire more employees to do more
vulnerability checks. Although it could be money consuming at first, it could end up
benefiting the company in the long term since with more employees doing the checks,
more bugs will be found and the process will be more efficient as opposed to just one
person handling all the security duties. And finally, we thought of hiring a CISO (Chief
Information Security Officer) as well. This officer/employee is already trained and will
assist in creating response plans for the company in case an outbreak breaks loose.
He/she will monitor the response team and prepare them in the most righteous way.

INTRODUCTION

Birds. That’s the first thing you hear as you lay on your bed, covered in your soft
and utterly cozy blanket.They can be spotted on the tree next to your house as they call
out to their friends with the happiest joy, but you don’t pay attention about that. With

4
your eyes closed, you can hear the neighbor’s dog barking and the sounds of children
giggling and laughing to each other as they climb upon the bus to go to school. You
smile. While opening your eyes, you struggle to get out of bed and into the shower.
Minutes after inhaling the warm steam of the hot water, you began to remember about
what you did yesterday at the company. Yes, you accomplished a lot didn’t you? As you
began to get ready for work, memories of what the company have accomplished
throughout the following weeks gave you a little smile. A sense of happiness. That
ultimately made you excited to get to work everyday. The opportunity to produce for a
great company even if it means answering phone calls or reading emails all day. All is
well. As you drive into the company’s parking lot with great enthusiasm, you look around
and all you see are faces of horror. They look like they have seen an alien or an
extraterrestrial monster or some sort. As you walk out of your car, you ask your
company friend George what’s going on. With a face that’s white as snow, he replied.
“Our company has experienced a data breach.”
Data breaches have been a long overdue problem in the world for as long as
they come. But one may ask, “What is a data breach?” According to Margaret Rouse, a
data breach is “confirmed incident in which sensitive, confidential or otherwise protected
data has been accessed and/or disclosed in an unauthorized fashion. Data breaches
may involve personal health information (PHI), personally identifiable information (PII),
trade secrets or intellectual property” (Rouse, 2016).
These incidents, and not limited to, come in many different shapes and forms
such as viruses, malware, and other instances of dangerous technology, which could
eventually hurt a company if they’re not careful. Hackers could steal identities or other
sensitive data through a data breach, which could lead to stolen identities and a huge
impact onto one’s credit score due to the fact that hackers can basically do anything
with the secretive and sensitive information that they have stolen under that person’s
name. Other incidents could include “the loss of critical data, business interruption,
burdensome disclosure requirements, regulatory scrutiny, third party litigation, and loss
of reputation” (Perri, 2018).
An example of a data breach could be 2017’s Equifax data breach, in which
Equifax, a company that specializes in gathering personal information from consumers
and translating it into a credit score, apparently leaked more than 146 million
consumers’ sensitive and personal information out for the whole world to see. Social
security numbers, identities, personal information, etc. have all been accessed and
stolen by hackers. This huge outbreak caused a huge concern within the consumers
since the likelihood of being affected while being apart of the company is well...99%. As
mentioned before, with the accessibility of many Social Security numbers and identities
at hand, the hackers could damage one’s credit score so far that the person that got
their identity stolen might never have the ability to rent a house or buy a car, all the

5
while, debit/credit companies are breathing down their neck for new payments that they
didn’t even make.
So why is this important? As mentioned before, data breaches could lead to
various things such as stolen identities and a permanent damage onto one’s credit
score. Not only that, data breaches are also money consuming. As shown on the image
below, the average total cost of all samples in 2018 is 3.86 million dollars!! This is huge

indicator that data breaches are hugely money consuming and that is just the average
of all the countries combined. As one can see, a data breach that happened to a
company in the US costs an average of 8 million dollars as compared to Brazil, which
costs about 1 million dollars (Ponemon, 2018).

HISTORY OF DATA BREACHES

6
 Data breaches did not start when companies started to upload their information
digitally. In fact, data breaches have been here longer than we have expected. Ever
since man started uploading, transferring, and maintaining files, data breaches have
always existed, with hackers lurking for a way to access these personal files for their
own greedy personal good. Data breaches, as stated by David F. Perri, “could be
something as simple as viewing an individual's medical file without authorization or
finding sensitive documents that weren't properly disposed of” (Perri 2018). Eventually,
people started to upload and access content more frequently, which made acquiring
massive loads of content at once possible. Therefore, it attracted the attention of many
hackers, which then used their skills to acquire these documents, at the same time,
knowing that they could be arrested if they were ever caught doing this.
Over time, data breaches started occurring more frequently as the day of the
computer has came to fruition. According to digitalguardian.com, the number of data
breaches increased every year since 2013, with 614 data breaches reported in 2013 to
1,579 data breaches reported in 2017 (2018). Not only that, according to Niall McCarthy
from Forbes.com, there are about 300 data breaches that had resulted in a theft of
100,000 or more records (McCarthy, 2018). The growing phenomenon of data breaches
had caused companies to panic and became paranoid state as they try to track down all
the hackers and hacker attempts throughout the world.
Many big companies also are not immune to data breaches. Companies such as
Facebook suffered from these data breaches. In 2018, one year removed from when a
British analytics firm got access to the private information of up to 87 Facebook million
users, which caused a whole controversy in which users of Facebook questioned
whether the information is “projected” by Facebook is politically correct and if the
information affected the 2017 elections, Facebook faced their biggest dilemma.
Apparently, hackers were able to exploit Facebook’s code and effectively access private
information of Facebook users from across the globe. This allowed attackers to
manipulate conversations of Facebook users as well as control their accounts (Isaac
and Frenkel, 2018).
Not only have Facebook experienced these attackers, but Target as well. The
retail giant had to pay up to 18.5 million dollars to cover up the expenses from a data
breach caused in 2013. Affecting nearly 42 million people with card payment accounts,
the data breach also affected nearly 60 million Target customers. Through use of the
credentials to exploit weaknesses in Target's system, attackers are said to have “gained
access to a customer service database, installed malware on the system and captured
full names, phone numbers, email addresses, payment card numbers, credit card
verification codes, and other sensitive data” (McCoy, 2017).
As history shows us, no one company can be 100% immune to the dangerous
nature of a data breach, especially ones that are big today. However, by having a plan

7
of action, we can limit the amount of data breaches per year and have the ability to stop
the leak as soon as it becomes noticeable.

LONG AND SHORT TERM GOALS FOR THE INDUSTRY

As we think of what solutions we can bring to solving data breaches or
preventing them as long as we can, we need to have some goals first. By having short
term and long term goals, we can figure out what exactly we want to do with this
problem.
The short term goals in the industry today is quite simple. Prevent major
leaks/data breaches from happening. By preventing major leaks from happening, we
can have confidence that we are heading in the right track. If a major leak happened
such as the Facebook example or the Target example above, we will most likely lose
confidence and won’t have the motivation to try to fix the problem. The mentality is to
bend, but don’t break. By only bending, we can come back stronger and the fixing time
for a small data breach when compared to a large data breach will be significantly
smaller. We can accomplish this by strengthening security. We want to focus on
preventing big leaks from happening, so by addressing the problem with security could
be a great start. Also, adding a few employees to check for any bugs and hacker
attempts could be reasonable as well.
Another short term goal is to protect sensitive data. We want to focus on not
allowing attackers access to the company’s sensitive information because by focusing
on protecting sensitive data, we can achieve the first short term goal as well. We can
prevent a major leak from happening if we made the sensitive information a priority.
As for long term goals, our long term goal is to prevent data breaches from
occurring at a rapid speed. As stated in the section above, History of Data Breaches, it
can be depicted that in each coming year, data breaches are increasing and are at an
all-time high. By decreasing the number of data breaches per year, this could be the
right step in ultimately finding the solution to stop data breaches from happening. Of
course data breaches couldn’t ultimately be contained, but reducing the number from
the hundreds and thousands to maybe inside one hundred in a few years will be quite
an accomplishment.
In addition to trying to reduce the number of data breaches per year, another
long term goal is to build an effective and ready response team. By having a team full of
prepared individuals, when a huge data breach was to happen, they can address the
situation immediately instead of frightened and inexperienced employees trying to fix
the problem.

PREVIOUS ATTEMPTS TO SOLVE DATA BREACHES

There have been a few attempts at solving this issue. According to
digitalguardian.com, ever since the early 2000s, data breach insurance has become

8
much more popular (2018). First party insurance, more for big businesses, covers
expenses including notifying all affected parties, covering the cost of investigation of the
breach, fielding inquiries from all affected parties, and tools to help affected parties,
such as credit reporting. There’s also third party breach insurance, which is more for
contractors and IT professionals. This kind of insurance helps cover those who work
with companies who could be hacked. The covered expenses for this may include
services such as lawyer/court costs and settlements. This is little more than a band-aid
for the problem though, as it doesn’t do anything to prevent breaches, it just makes sure
there’s help if breaches occur.
Another attempt was a bill that was advanced by the house of representatives in
2015, which was the Data Security and Data Breach Notification Act.
Digitalguardian.com states that the bill is to help reduce cyber crime, and to protect
vulnerable information from criminals. The bill provides a nationwide regime for data
protection and breach notification (2018). This helps to discourage cyber crime, but this
is more for preventing breaches via hacking, rather than leaks.
Companies are also trying to incorporate more preventative efforts. According to
thenextweb.com, these include getting better tech, not just the barebones technology,
raising awareness for employees to make sure they don’t make preventable human
errors which could lead to breaches, and creating more reliable and faster acting
response plans just in case all else fails (2017).
Other data leak prevention and protection (DLPD) systems are split into two
categories, content-based and context-based according to onlinelibrary.wiley.com
(2017). Content-based DLPD searches known sensitive information that reside on
laptops, servers, cloud storage, or outbound network traffic, which is largely dependent
on data fingerprinting, lexical content analysis, or statistical analysis. Methods to help
with this have been to make the fingerprints of this more strict and robust as well as
making the rules that packets need to pass require more checks, which has made it
harder to get in. Context-based DLPD has to do with how the user normally behaves
while logged in, this is to prevent people who have hijacked someone else’s account. A
solution to help this was brought in which was to have a pattern recorded for each
user’s normal behavior, and if the started to deviate from it too much, then it would start
raising flags. However, this isn’t perfect either, as the normal user may just be doing
something slightly different, resulting in a false alarm. Or the hacker may just do
something similar to the normal user, resulting in no alarm when one is needed.
As we can see, there is no perfect solution in place for this issue yet. But our
solution should be able to at least help this issue.

POSSIBLE SOLUTIONS WITH PROS AND CONS

There are a possible solutions to help deal with this problem that have their own
pros and cons. Our possible solutions are: doing monthly password changes, increased

9
training of employees regarding security and breach prevention, and monthly security
evaluations.
Doing monthly password changes is already done in some companies, but many
do either biannual or annual password changes. This can cause a problem, because
the longer your password remains the same for a long time without changing, the easier
it becomes for hackers to guess it. This can be mitigated by doing monthly password
changes. Monthly changes are the best way to go, since it isn’t often enough to be
annoying or confusing, but it’s often enough to help prevent breaches. However, it isn’t
completely foolproof, as hackers could still guess your password, it’s just much more
unlikely.
Increasing employee training for preventing and raising awareness for breaches
will also be beneficial. This is because, increased training will lead to employees doing
more careful work, and will thus lead to fewer breaches. This is also a good solution,
because there will be little to no cost to the company to do this increased training, since
there is already employee training at most companies. However, this also doesn’t
necessarily prevent people from being lazy, or doing their jobs poorly.
Performing monthly security evaluations would likely be the best option, but may
also be the least feasible. This is because, doing monthly security checks will likely
reduce the amount of breaches the most. This is because evaluating security every
three months or so, will catch more breaches as they’re happening, or prevent breaches
from happening that would have. However, doing these security evaluations this often
will likely slow down production for these companies, and, since they would be every
three months or so, it could lead to lost time for these companies. That’s why i believe it
will be the least feasible of the three solutions, despite it being the best solution.

DETAILED COURSE OF ACTION

Our course of action has three steps. They are: raising employee awareness,
hiring more employees to be able to do more security checks, and hiring a new Chief
Information Security Officer.
We will raise employee awareness by, requiring they have a rigorous training
section regarding how serious data breaches are. Then, establish a security-centered
culture which would eventually lead to employees making fewer mistakes, thus causing
fewer breaches overall. Lastly, any violations of the company’s security policies, such
as accessing sensitive material without permission, will result in the termination of said
employee.
Next we will hire more employees, so we will be able to do more frequent
security evaluations. Since most companies only do security evaluations quarterly,
doing these evaluations monthly should help to reduce the amount of breaches
experienced. This will be easier to accomplish with the hiring of new employees to help
do this. This may result in a higher cost for companies at first, but it will pay off in the

10
long run if they avoid a lawsuit by doing these checks more often. This will also show
that security is important to the company, and it will bring more credibility to the
company’s name.
Lastly, hiring a qualified Chief Information Security Officer (CISO) will reduce
these breaches as well. This is because the trained employee that has this job will be
responsible for developing, executing, and maintaining an effective security strategy.
They will also create emergency incident response plans to ensure that the team is
prepared, and know what to do if there is a breach.
That’s our plan of action step by step for how we would choose to tackle this
issue. Data breaches are no joke, and should be tackled with a sound strategy.

CONCLUSION
The dangerous nature of data breaches have been around society for very long time
and despite several attempts in stopping the damage from happening, no one is able to
prevent data breaches from happening. However, with our course of action taking place,
we might be heading into the right direction in eventually limiting data breaches to a
minimum because this problem is everlasting. There may never be a cure for data
breaches, but it is never too late to try.

References

● Calculating the Cost of a Data Breach in 2018, the Age of AI and the IoT. (2018,
September 18). Retrieved from
https://securityintelligence.com/ponemon-cost-of-a-data-breach-2018/
● Enterprise data breach: causes, challenges, prevention, and future directions
(2017, June 9). Retrieved from
https://onlinelibrary.wiley.com/doi/full/10.1002/widm.1211
● Isaac, M., & Frenkel, S. (2018, September 28). Facebook Security Breach

11
 Exposes Accounts of 50 Million Users. Retrieved from
https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-
breach.html
● McCarthy, N. (2014, August 26). Chart: The Biggest Data Breaches in U.S.
History. Retrieved from
https://www.forbes.com/sites/niallmccarthy/2014/08/26/chart-the-biggest-
ata-breaches-in-u-s-history/#74929e367735
● McCoy, K. (2017, May 23). Target to pay $18.5M for 2013 data breach that
affected 41 million consumers. Retrieved from
https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-
2013-data-breach-affected-consumers/102063932/
● Perri, D. F., & Perri, E. D. (2018). Acknowledging the "M" in MIS: Managing a
data breach crisis. Journal of the Academy of Business Education, 19, 9-
32. Retrieved from https://search-proquest-com.lib-
proxy.fullerton.edu/docview/2021690561?accountid=9840
● Sullivan, R. J. (2014). Controlling security risk and fraud in payment systems.
Economic Review - Federal Reserve Bank of Kansas City, , 5-36.
Retrieved from
https://search.proquest.com/docview/1585485479?accountid=9840
● The History of Data Breaches. (2018, November 12). Retrieved from
https://digitalguardian.com/blog/history-data-breaches
● What companies are doing to stop big data breaches-not just react to them
(2017, October 31). Retrieved from
https://thenextweb.com/contributors/2017/10/31/companies-stop-data-
breaches-not-just-react/
● What is data breach ? - Definition from WhatIs.com. (n.d.). Retrieved from
https://searchsecurity.techtarget.com/definition/data-breach

12