DraftKings, a popular sports betting company, suffered a cyber attack in November that leaked the data of over 67,000 people. According to the reports, the breach revealed sensitive information including the account holder's name, address, phone number, email address, last four digits of a payment card, profile photo, and information about prior transactions.
The data breach notification did reveal there is no strong evidence that the attackers accessed Social Security numbers, driver's license numbers or financial account numbers. However, DraftKings has already gone ahead and refunded up to $300,000 to users with funds withdrawn.
Gal Helemski, co-founder & CTO/CPO, of PlainID shared her thoughts on the incident and how organizations can protect themselves from similar threats.
In attacks such as this, identity is the solution for finding the adversary and eliminating it from systems. Organizations must adopt a “Zero Trust” approach, which means trusting no one – not even known users or devices – until they have been verified and validated. Access policies and dynamic authorizations are a crucial part of the zero-trust architecture, as they help to verify who is requesting access, the context of the request, and the risk of the access environment.
Instead of pouring more money into a shotgun approach to security, organizations need a more focused strategy oriented on purchasing the highest reward tools. Identity and authorization are where the smart money should be going. If we assume hackers are already in the network, it makes sense to focus budgets on technologies that restrict movement inside the network.