Hoffman data breach exposes security challenges
The challenges of protecting data have been highlighted by a breach involving Hoffman, one of the largest general contractors headquartered in the Pacific Northwest.
On December 16, Hoffman "discovered" that an unauthorized individual may have accessed information relating to its self-insured health plan between July 31 and August 4, 2020. The breach covered employee names, addresses, dates of birth, Social Security numbers, and benefits information.
The information was released publicly on February 12, 2021.
As part of the investigation, an independent computer forensic firm was engaged to help determine "what happened and whether any personal information had been accessed without authorization".
Hoffman has no indication that any information was actually viewed by the unauthorized person, or that it has been misused. However, out of caution, Hoffman recommends that its current and former employees, and their beneficiaries and dependents, review any statements that they receive from their healthcare providers or health insurer.
According to IBM's Cost of a Data Breach Study, the average time to identify and contain a breach is 280 days. The US is the most expensive country, at $8.64 million, and the average breach costs $3.86 million, according to the report.
It advises companies to align their security strategy to the business, protect digital assets, users and data, manage defences against growing threats and modernize security with an open, multi-cloud strategy.
A report from Market Research Engine projected that the data protection market is expected to grow from $120 billion by 2023 to exceed $194.11 billion by 2026, growing at a CAGR of 15.9%.
Cybersecurity is now firmly positioned as a C-suite risk "and should be a regular topic of conversation at Board level," according to AON. It highlights the following key threats:
- Ransomware – a malicious programme which locks access to company files and data until a ransom payment is made, after which time access may be restored.
- Payment interception – criminals are able to compromise the email account or credentials of an individual inside the organization to authorize a change to the bank account details for large payments.
- Phishing – malicious emails designed to look like genuine emails which encourage employees to click – infecting their computers in the process.
- Viruses – code which infects computer systems, corrupting or deleting data.
- Hacking – an individual or group attempting to gain access to company systems with the intent to steal or destroy data.