Last week, Morningstar announced that it had been the subject of a data breach, in which users’ credit cards and personal data were presumed to have been stolen by as-yet unknown criminals.
First and foremost, we hope that the stolen data does not result in a significant number of identity theft-related issues for the affected individuals, and that Morningstar can quickly act to both identify the lost data and secure their systems so as to prevent future breaches.
That said, there are three important lessons that we can learn from looking at Morningstar:
- PII and PCI need to be stored in highly secured systems, ideally audited regularly for breach events; this breach was discovered long after the event occurred, a trend we have discussed in previous blog posts and webinars.
- PII and PCI need to be the focus of algorithmic content analysis, so that their presence and potential exposure can be identified in near real-time, ensuring there are as few potential points of loss as possible as part of a robust defense-in-depth strategy.
- The cost of this data breach, as with many (arguably all) security incidents, is enormous (it may be “immaterial” in Morningstar’s words, but that largely means it won’t appear in the next annual report or impact investors, not that it isn’t significant internally). That accounting does not even consider the regulatory and reputational damage.
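To make the second lesson concrete, here is an added example of the kind of algorithmic content analysis we mean: a small scanner that looks for payment card numbers in free text, validates candidates with the Luhn checksum so that plain digit strings such as order or phone numbers are not reported, and returns masked findings suitable for an alert. This is illustration code written for this post, not code from Morningstar or from any product; the sample text, the regular expression, and the function names are our own assumptions.

```python
import re

# Constructed sample input (not real data): a support-ticket export that
# happens to contain one card number plus two look-alike digit strings.
SAMPLE_TEXT = """Ticket 4412: customer asked to update billing, card on file 4111 1111 1111 1111.
Order ref 1234567890123 shipped 2013-07-05.
Phone 555-0100, account 4111-1111-1111-1112 (typo?)."""

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum.

    Card numbers carry this check digit; most other numeric identifiers
    (order ids, phone numbers, dates) will fail it, which cuts false positives.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so alerts never re-expose the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str) -> list[dict]:
    """Scan text and return masked, Luhn-validated card number findings.

    Each finding records the masked number and the character offset, which
    is what a monitoring pipeline would forward to an alert or ticket.
    """
    findings = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append({"masked": mask(digits), "offset": match.start()})
    return findings


if __name__ == "__main__":
    for finding in find_card_numbers(SAMPLE_TEXT):
        print(f"card data at offset {finding['offset']}: {finding['masked']}")
```

Run against the constructed sample, the scanner reports exactly one finding (the valid test card ending in 1111) and ignores the order reference and the mistyped number, both of which fail the checksum. In practice a scanner like this sits on file shares, mail flow, ticketing exports and log pipelines, and anything it flags outside the approved cardholder-data environment is a point of loss to remove.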
We believe that there is an ongoing discussion to be had around data security, and as this and other major data breaches have demonstrated, it is increasingly important for organizations that store personal or credit-related information on behalf of their customers and users.