Data security, three cases of inefficiency in user and access management


Data breaches are an increasingly critical problem for companies and public organizations. The number of attacks is constantly growing and hackers are increasingly focusing on stealing user credentials to access the system, block it, and blackmail companies.

In 82% of cases (source: Verizon data breach 2022), attacks are carried out using internal network user accounts, due to weak or standard passwords. For these reasons, secure and automated tools for managing digital identities and access to applications and systems are becoming increasingly important.

Let’s now talk about three important cases that show how a lack of care in digital identity and access privileges management can cause serious damage.

What happens if a hospital, a company or a public entity is breached?

The problem is real and must be faced. You need to equip yourself with tools and procedures that allow you to protect the sensitive data of your organization. Imagine the damage that could be caused by a data breach in a hospital, a large company or a public entity.

First example: The case of the ASL (Local Health Authority) in Friuli Venezia Giulia

What could happen if someone had the ability to access the data of a hospital or an ASL (Local Health Authority)? In the worst case, they could modify it, deleting important information about patients and operators or selling it to other people or companies. The consequences could be irreparable. Recently (July 2022), the ASLs of western and central Friuli were fined by the Privacy Guarantor for violation of patient privacy. What happened?

Employees of both entities had the ability to view confidential files that they should not have had access to. Staff at both health authorities could obtain information about any patient (present or not in the facility). Employees of a local jail could view the data of all patients of the ASL and not just of their detainees.

The extent of the damage to privacy was immediately clear, and for this reason the ASL of Pordenone was fined € 50,000 and that of Udine € 70,000.

Second example: The GoDaddy Case

Corporate data breach cases are numerous and increase every year. This is because a company’s information is extremely important and has economic value. It could be sold to competitors, or access to the company’s network and applications could be blocked in order to demand a ransom for the return to normal operations. Finally, the users who had their information stolen could be attacked using phishing techniques in an attempt to steal additional data, such as bank information.

This is where the GoDaddy case fits in. In November 2021, GoDaddy had to report a data leak affecting 1.2 million users of its WordPress hosting service. This meant that the email addresses and phone numbers of 1.2 million users were at the mercy of hackers who could try to acquire additional sensitive information from these individuals. The flaw? A weak password stolen from someone within the company.

Corporate data breach cases are numerous and GoDaddy is only the latest. It is estimated that 83% of companies have been breached at least once.

Third example: the INAIL (National Institute for the Insurance Against On-the-job Injuries) case

Finally, take the case of INAIL, which was recently sanctioned for three data breaches that occurred in 2019 and 2020. In the first and second breaches, private information such as the nature of the case (occupational illness or injury), the bank account, the amounts of benefits provided, and the processing status of each case was viewed by various people. The third data breach allowed PDF documents with sensitive personal information and data of other workers to be downloaded. All of this is extremely sensitive and private data.

How to protect and improve data security?

How to solve the problem? How to be more protected?

A series of applications, procedures, and authorizations must be in place in order to prevent and mitigate these risks. They range from antivirus software to IAM (Identity and Access Management) systems.

An IAM (Identity and Access Management) solution in particular becomes crucial when the number of users within the organization is high. Keeping track of all access and all credentials becomes complex and increases vulnerability.

IAM software, in addition to improving security, allows you to:

  • Simplify the restoration of user accounts on various applications;
  • Automate provisioning processes;
  • Integrate digital identity approval and release processes with existing systems.

How do you manage user and access security in your company? Contact us for a free consultation!