“While these numbers are incredibly large, this information does not age well. Companies should issue a mandatory password change immediately to take themselves out of the running. This also goes for all your personal passwords. Just do it.
The more alarming issue is that security folks are not ready for this type of infiltration because they wait around for security violations but the attacker here will not trigger an alarm, they will just log in as the person - it could even be senior management! Without telemetry in place to be made aware of behavioural changes, the attacker goes undetected and sets up the next phase of their attack.”
Andy Heather:
“This is another example of the frequency of occurrence and volume of sensitive data that is being stolen. In these breaches, quite often organisations simply do not know that they have been breached and when they do it is too late, trying to add another lock to the door after the event has taken place. Traditional security approaches continue to fail to protect the real assets - which is the sensitive data. Only a data-centric approach, which neutralises the data and makes it valueless to the hackers, can ensure that when these inevitable breaches occur the data remains safe and secure.
The fact that this involved account information and not just credit card numbers highlights that the criminals will take the path of least resistance to compromise consumers’ credit card details and bank accounts. Tokenizing the PAN provides excellent protection for the PAN itself but it’s not enough to protect the consumer’s account as a whole. Companies must also use strong encryption to protect all personally identifiable information, especially if it can be used to gain access to consumers’ hard-earned money.”