Ten months after the New York Attorney General's office fined EyeMed $600,000 for a data breach under the NY General Business Law, the New York State Department of Financial Services (NYSDFS) on Wednesday resolved its own case against the company for $4.5 million over the same incident, for violations of 23 NYCRR Part 500, New York's first-in-the-nation cybersecurity regulation.
EyeMed Vision Care is just the latest in a growing list of companies, in New York and around the country, held responsible for being too passive about their cybersecurity practices.
NYSDFS said EyeMed failed to implement three key protections required by the regulation: securing its email accounts with strong password and authentication controls, adopting data minimization practices, and performing its own internal security risk assessments.
Like so many other businesses, EyeMed was breached by an outside attacker. The intruders gained access to an EyeMed company email account and used it to send phishing messages for about a week before being detected, and then only because customers contacted EyeMed to complain about phishing emails arriving from the compromised account. The sensitive personal data of 2.1 million EyeMed customers was exposed to the attackers.
Evidence reportedly showed that the account's security was weak: password management was inadequate and multi-factor authentication was not enforced. The system allowed six failed login attempts before lockout, accepted passwords as short as 8 characters even though the company knew a 12-character minimum was recommended, and gave at least nine employees access to the same compromised mailbox, one more reason the intrusion may have gone unnoticed for so long, since no single owner was watching for unusual activity in it.
NYSDFS investigators also said EyeMed had not adopted the required data minimization practices; as a result, six years' worth of personal data on millions of customers was sitting dormant in the email account, and all of it was exposed in the breach. Proper data retention and disposal practices would have reduced that exposure significantly.
Finally, investigators said EyeMed had neither reviewed its own security practices nor conducted a security risk assessment, both of which the regulation requires. Had EyeMed performed such an internal review, investigators said, these obvious gaps would have been spotted and remedied, and the breach could have been avoided.
EyeMed conducts business in several states, and is facing similar legal battles from law enforcement officials in those jurisdictions as well.
Had multi-factor authentication been enforced on the account, the compromised credential alone would most likely not have been enough to get in, and proper data retention and disposal practices would have limited the damage even if the intrusion itself could not have been prevented.