
By: limor2019
March 27, 2019
Preventing Cybersecurity Disaster: Learning from the Top Security Breaches in 2018

Interestingly, while some data leaks are intentional attacks by hackers, other instances are merely down to databases being neglected. If the organization is lucky, security auditors will unearth them living on an unsecured network, asking for trouble.
Unfortunately, cybersecurity in the corporate world is not developing at a pace to match and counter attempts at data invasion. Business-critical infrastructure hangs in the balance, as does an organization's network security. At the same time, state-sponsored hackers across the globe are getting emboldened, with more sophisticated tools in their arsenal.
Many prominent, well-known organizations had to face the ignominy of a data breach during the past year, in which sensitive and personal data was leaked and users were affected. However, some have stood tall by planning resources ahead of time for incident reporting and SIEM (Security Information and Event Management). We'll have a look at that towards the end of the article.
Here is a countdown of some of the worst of these instances that took place in 2018.
British Airways: 380 thousand
How - Malicious code was injected into a less secure page on the company's website to steal personal and payment information subtly.
What -
Names
Addresses
Email addresses
Payment Card Details
When - Aug 21, 2018 - Sept 5, 2018
Discovered - Sept 6, 2018
Reported - Sept 7, 2018
Orbitz: 880 thousand
How - An outdated company system (not orbitz.com) was accessed, and customer data was compromised.
What -
Names
Addresses
Phone Numbers
Email Addresses
Payment Card Details
Other Personal Information
When - Jan 1, 2016 - June 22, 2016, and Oct 1, 2017 - Dec 22, 2017
Discovered - March 1, 2018
Reported - March 20, 2018
T-Mobile: 2 million
How - Company servers were accessed via an API. The servers did not contain any sensitive or financial data.
What -
Names
Account Numbers
Email Addresses
Billing Information
Encrypted Passwords
When - Aug 20, 2018
Discovered - Aug 20, 2018
Reported - Aug 23, 2018
Saks and Lord & Taylor: 5 million
How - A hacking group managed to infect the retailers' point-of-sale systems. The malware was able to steal customers' credit card details.
What -
Payment Card Details
When - May 2017 - March 2018
Discovered - Unknown
Reported - April 1, 2018
Cathay Pacific: 9.4 million
How - Unauthorized access was gained to select Cathay Pacific information systems. No further explanation was provided.
What -
Names
Nationalities
Date of Birth
Addresses
Phone Numbers
Passport Numbers
Credit Card Numbers
Frequent Flier Numbers
When - Unknown
Discovered - Early March 2018
Reported - October 24, 2018
Sacramento Bee: 19.5 million
How - The voter registration database that the Sacramento Bee had obtained was seized by hackers along with personal information of the Bee's subscribers.
What -
Names
Email Addresses
Date of Birth
Addresses
Phone Numbers
Party Affiliations
Places of Birth
When - Jan 2017
Discovered - A week before public disclosure
Reported - Feb 7, 2018
Timehop: 21 million
How - A hacker gained access to the organization's cloud computing environment that wasn't protected with 2-factor authentication.
What -
Names
Email Addresses
Date of Birth
Phone Numbers
Other Personal Information
When - July 4, 2018
Discovered - July 4, 2018
Reported - July 8, 2018
Ticketfly: 27 million
How - A hacker accessed Ticketfly's platform via a 'malicious cyber attack.'
What -
Names
Email Addresses
Addresses
Phone Numbers
When - May 2018
Discovered - May 30, 2018
Reported - June 7, 2018
Facebook: 29 million
How - Hackers exploited a loophole in the platform's 'View As' feature, which allowed them to steal Facebook access tokens. They could then take over control of an individual's Facebook account.
What -
Names
Email Addresses
Phone Numbers
Other Personal Information Collected by Facebook
When - July 2017 - Sept 25, 2018
Discovered - Sept 25, 2018
Reported - Sept 28, 2018
Panera Bread: 37 million
How - Customer records were exposed as a result of a database leak. Panera had earlier ignored repeated requests by researchers to fix the problem.
What -
Names
Email Addresses
Date of Birth
Addresses
Last 4 Digits of Credit Card Numbers
When - Aug 2, 2017 - April 2, 2018
Discovered - Aug 2017
Reported - April 2, 2018
Chegg: 40 million
How - Unauthorized access to a database containing user data. Forty million customers' passwords were reset by the company. Chegg disclosed the leak to the SEC but not to the public.
What -
Names
Email Addresses
Shipping Addresses
Usernames
Passwords
When - April 29, 2018 - Sept 19, 2018
Discovered - Sept 19, 2018
Reported - Sept 25, 2018
Google+: 52.5 million
How - The breach occurred in two phases. The first phase involved the personal data of 500 thousand G+ users and was first reported in Oct 2018. The second breach occurred in Dec. of the same year, with 52.5 million users affected.
What -
Names
Email Addresses
Date of Birth
Other Personal Information collected by G+
When - 2015 - March 2018; Nov 7, 2018 - Nov 13, 2018
Discovered - March 2018; Not Provided
Reported - Oct 8, 2018; Dec 10, 2018
Facebook (via Cambridge Analytica): 87 million
How - A loophole in Facebook's API was exploited by Cambridge Analytica to allow external developers to harvest user data from Facebook apps as well as from individuals' friends' networks on Facebook.
What -
Facebook User Profile Data
Facebook User Preferences and Interests
When - 2013 - 2015
Discovered - Unknown
Reported - March 17, 2018
MyHeritage: 92 million
How – A researcher identified a file with email addresses as well as hashed passwords held on a private server outside the MyHeritage domain. The company retroactively added a two-factor authentication option for users to prevent account takeover.
What -
Email Addresses
Encrypted Passwords
When - Oct 26, 2017
Discovered – June 4, 2018
Reported – June 4, 2018
Quora: 100 million
How – A third party was able to access Quora's systems and compromise user data.
What -
Names
Email Addresses
Encrypted Passwords
Data Imported from Linked Networks
When - Unknown
Discovered – Nov 30, 2018
Reported - Dec 3, 2018
Under Armour (MyFitnessPal): 150 million
How – An unauthorized party gained access to data associated with user accounts for MyFitnessPal.
What -
Usernames
Email Addresses
Encrypted Passwords
When – Feb 2018
Discovered - March 25, 2018
Reported – March 29, 2018
Twitter: 330 million
How – The organization discovered a bug that stored unmasked passwords in an internal file. Twitter requested users to reset their passwords.
What -
Plaintext Passwords
When - Unknown
Discovered - Not Provided
Reported – Not Provided
Exactis: 340 million
How – The organization was informed of a comprehensive data leak. Exactis secured the database but didn't publicly declare the breach. A New York-based national law firm, Morgan & Morgan, filed a class action lawsuit against Exactis.
What -
Names
Email Addresses
Addresses
Phone Numbers
Other Misc. Personal Information
When - Unknown
Discovered – Early June 2018
Reported – June 27, 2018
Marriott: 500 million
How – An internal security tool informed Marriott about an unauthorized attempt to access the Starwood guest database. On investigation, the company unearthed unauthorized access to the database going back to 2014.
What -
Names
Addresses
Email Addresses
Phone Numbers
Passport Numbers
Date of Birth
Other Personal Information
When - 2014 – Sept 10, 2018
Discovered – Sept 8, 2018
Reported – Nov 30, 2018
Aadhaar: 1.1 billion
How – The Government of India ignored multiple attempts by security professionals to secure a database leak caused by an unsecured API endpoint that was connected to a state-owned utility company.
What -
Names
Unique 12 Digit Identity Numbers
Information regarding services they were connected to including bank details and related private information.
When - Unknown
Discovered - Not Provided
Reported – March 23, 2018
Conclusion
The question foremost in everyone's mind is, 'How do we protect ourselves in 2019?' To begin, we must, at all costs, avoid succumbing to the same mindset of 'another day, another data leak.' The protection of personal information is of paramount importance.
For those of us who have ever submitted personal information to an organization, whether on the web or offline, we can all be possible victims of cybercrime. Instead of putting blind faith in an organization's privacy policies and network security, individuals need to personally keep themselves abreast of the latest privacy and security tools available.
Here are a couple of other ways you can start -
Password Managers - This one is a no-brainer. Tools to manage passwords work across devices - desktops, smartphones, and tablets. By using them, individuals can assign a unique and complex password to each account they use. This will make sure that if a data breach involving your credentials occurs in any one account, the leaked information will not impact your other accounts.
If you suspect that you may have been a victim of a data breach, you can search for your email address on aggregated stolen password sites such as Avast Hack Check. These sites will confirm whether or not your password has been leaked.
Activate Two-Factor Authentication - Two-factor authentication should be implemented wherever possible. If hackers gain access to your username and password, they will still be locked out of your account without access to your second factor. 2FA should be used for email accounts where possible.