With the complexity of the current threat landscape, organizations must be more alert than ever to potential data breaches. Who will be next? What happened? What will the fine be? While we’re only midway through 2018, we’ve seen headline after headline from organizations who have come forward to notify their customers of breaches. Let’s take a look at some of the top data breaches of 2018 to learn what went wrong and how you can prevent a costly data breach from occurring at your organization.
The data breaches of 2018 began with a household name. In March, Under Armour announced that it had become aware of a February data breach of its subsidiary fitness and nutrition app, MyFitnessPal. 150 million users’ data was acquired by an unauthorized party, including usernames, email addresses, and hashed passwords. Fortunately, cardholder data was not compromised because that data is collected, processed, and protected separately.
What can we learn from this? Under Armour and MyFitnessPal’s incident response was timely and factual. Four days after discovering the data breach, MyFitnessPal notified their users and gave specific instructions of what to do next: change your password and look for suspicious activity on your account. What is your organization’s incident response plan?
While many data breaches of 2018 were due to malicious hackers, approximately 1.5 million SunTrust customers’ data was stolen by an ex-employee with the intent to share the records with a criminal third party. The compromised records included names, addresses, phone numbers, and account balances, but no PII like user IDs, Social Security numbers, account numbers, PINs, or driver’s license information.
What can we learn from this? Malicious insider threats need to be taken just as seriously as third-party threats. Establishing, implementing, reviewing, and updating policies that determine who has access to your organization’s sensitive data is critical. The more employees who have access, the more risk there is. Are you operating on a policy of least privilege? How are you updating access to PII when an employee resigns, is terminated, or is promoted?
Family networking and genealogy provider MyHeritage recently announced a data breach spanning from October 2017 to June 2018. A security researcher discovered a file containing email addresses and hashed passwords on a private server, impacting 92 million users, with no evidence that the information was ever used. MyHeritage reported that no other sensitive information was compromised because users’ cardholder information is not stored on MyHeritage systems and other types of sensitive data (like family trees and DNA data) are stored by MyHeritage on separate systems with added layers of security.
What can we learn from this? While no cardholder information or DNA data was compromised, the breach at MyHeritage underscores the need for organizations (and users) to utilize some form of multi-factor authentication.
In late June, a security researcher discovered that Exactis, a Florida-based marketing and data aggregation firm, had left its database exposed on a publicly accessible server, leaving nearly 340 million individual records visible. Aside from basic contact and public information, the data also includes more than 400 variables on a range of specific characteristics: what religion a person belongs to, whether or not they smoke, what hobbies they’re involved with, etc. The company has yet to make a public statement about the breach but secured its database upon notification.
What can we learn from this? With GDPR compliance on the rise, the Exactis breach highlights the need for marketing firms to think about their data handling practices. This data breach also prompts digital consumers to consider their data rights and what type of personal characteristics they are willing to have made public. Phone numbers, home addresses, email addresses, interests and habits, the number, age, and gender of your children – it’s all out there.
In June, Ticketmaster UK discovered that its customer support chatbot software from Inbenta had been hacked. It has since emerged that this breach was part of something much larger: a massive credit card skimming campaign by the threat group Magecart. Magecart’s pattern is to target third-party software companies that build and provide code to their customers, who then run that code on their own websites; the attackers break into the supplier and alter the code, so that the change affects every website the code runs on. It’s reported that Magecart has compromised over 800 e-commerce sites worldwide. As the year goes on, we expect Magecart’s campaign to be recognized as one of the most damaging data breaches of 2018.
What can we learn from this? The importance of vendor compliance management cannot be overstated. In this breach, Ticketmaster’s customer support chatbot vendor was the key Magecart needed to compromise their website. You’re putting a great deal of control and responsibility into vendors’ hands; in Ticketmaster’s case, part of the security of their website rested in Inbenta’s hands.
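One concrete control against the vendor-script pattern described above is Subresource Integrity (SRI): the site pins each third-party script to a hash of the reviewed file, so a browser refuses to run a copy the supplier's host has since altered. The script below is an added example, not code from this article, from Ticketmaster or from Inbenta. It computes SRI values, verifies a fetched copy against a pinned value, and audits a page for cross-origin scripts that carry no `integrity` attribute. The page markup, the vendor host `cdn.vendor.example`, the script contents and the first-party host list are all constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlparse

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests the SRI spec permits


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the value an integrity attribute should carry for content, e.g. 'sha384-<base64>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """True if content matches any of the whitespace-separated hashes in an integrity attribute."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGOS and hmac.compare_digest(sri_hash(content, algo), token):
            return True
    return False


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')


def find_scripts(html: str):
    """Return the attribute dict of every <script> tag that has a src attribute."""
    scripts = []
    for match in SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(match.group(1))}
        if "src" in attrs:
            scripts.append(attrs)
    return scripts


def unpinned_third_party_scripts(html: str, first_party_hosts) -> list:
    """src URLs of cross-origin scripts that the page loads without an integrity attribute."""
    flagged = []
    for attrs in find_scripts(html):
        host = urlparse(attrs["src"]).hostname
        if host is None or host in first_party_hosts:
            continue  # relative or first-party script: the site controls that file itself
        if not attrs.get("integrity"):
            flagged.append(attrs["src"])
    return flagged


# Constructed sample data: a vendor file as reviewed, and an altered copy served later.
VENDOR_WIDGET_ORIGINAL = b"window.chatWidget = {init: function () {}};\n"
VENDOR_WIDGET_ALTERED = VENDOR_WIDGET_ORIGINAL + b"/* constructed: unreviewed change */\n"
ANALYTICS_ORIGINAL = b"window.analytics = {track: function () {}};\n"

# Constructed page: one first-party script, one unpinned vendor script, one pinned vendor script.
SAMPLE_HTML = f"""
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor.example/chat-widget.js"></script>
<script src="https://cdn.vendor.example/analytics.js"
        integrity="{sri_hash(ANALYTICS_ORIGINAL)}" crossorigin="anonymous"></script>
</body></html>
"""


if __name__ == "__main__":
    print("unpinned:", unpinned_third_party_scripts(SAMPLE_HTML, {"www.example.test"}))
    pin = sri_hash(VENDOR_WIDGET_ORIGINAL)
    print("reviewed copy ok:", verify_sri(VENDOR_WIDGET_ORIGINAL, pin))
    print("altered copy ok:", verify_sri(VENDOR_WIDGET_ALTERED, pin))
```

Run against a site's rendered templates, the audit lists every vendor script that would execute whatever the supplier's host currently serves; pinning those with `integrity` (and re-pinning on each reviewed vendor release) turns a silent upstream change into a load failure you can alert on. SRI does not help for scripts a vendor serves from the same origin or injects dynamically, which is why vendor change control still matters.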
The Panera Bread data breach that came out this year is a bit puzzling, but that’s what makes it so interesting. In August 2017, a security researcher reported a vulnerability to Panera Bread, but the claim was dismissed. Apparently, Panera Bread didn’t take the claim seriously enough to look into it, because eight months later the bakery-cafe announced a data breach of their website that exposed thousands of customer records. This was only after KrebsOnSecurity broke the story, talked to Panera, and got them to take their website offline and fix the vulnerability. Trust us, there was a lot of back-and-forth between Krebs and Panera Bread before the issues were resolved.
What can we learn from this? It’s clear that security alerts and monitoring procedures were not appropriately implemented in this situation. Monitoring is a critical aspect of any information security program.
Timehop, a social media memory-sharing app, discovered a data breach affecting up to 21 million users. The network intrusion occurred because an access credential for their cloud computing environment was compromised; the credential was not protected by multi-factor authentication. Within two hours of discovering the network intrusion, Timehop responded to the event.
What can we learn from this? Timehop’s incident response approach has been extremely transparent and accessible, one of the most thorough that we’ve seen after the data breaches of 2018. In their security incident report, the company goes above and beyond the norm by apologizing, providing a technical report, outlining the number of GDPR records breached, answering FAQs, defining the terms used, and providing next steps for users.
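The SunTrust lesson (least privilege, and removing access when someone leaves) and the Timehop lesson (no credential without multi-factor authentication) both reduce to a periodic access review that reconciles what accounts can do against what HR says about their owners. The script below is an added example, not code from this article or from either company. It assumes a constructed HR roster and account inventory; in practice the roster would come from the HR system and the accounts from the identity provider or cloud IAM export.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                 # "active" or "terminated"
    role: str
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    owner: str                  # employee id the account is assigned to
    mfa_enabled: bool
    can_read_pii: bool
    last_login: date


def orphaned_accounts(accounts: List[Account], roster: Dict[str, Employee]) -> List[str]:
    """Accounts whose owner is no longer active or is unknown to HR: these should already be disabled."""
    return [a.username for a in accounts
            if roster.get(a.owner) is None or roster[a.owner].status != "active"]


def excess_pii_access(accounts, roster, pii_roles) -> List[str]:
    """Active employees who can read PII although their role is not on the approved list."""
    flagged = []
    for a in accounts:
        emp = roster.get(a.owner)
        if emp is None or emp.status != "active":
            continue  # already reported by orphaned_accounts
        if a.can_read_pii and emp.role not in pii_roles:
            flagged.append(a.username)
    return flagged


def missing_mfa(accounts) -> List[str]:
    """Every account is expected to have MFA; list the ones that do not."""
    return [a.username for a in accounts if not a.mfa_enabled]


def stale_accounts(accounts, today: date, max_idle_days: int = 90) -> List[str]:
    """Accounts with no login in max_idle_days: candidates for disabling even if the owner is active."""
    cutoff = today - timedelta(days=max_idle_days)
    return [a.username for a in accounts if a.last_login < cutoff]


def access_review(accounts, roster, pii_roles, today: date) -> Dict[str, List[str]]:
    """Run all checks and return the findings grouped by type."""
    return {
        "orphaned": orphaned_accounts(accounts, roster),
        "excess_pii": excess_pii_access(accounts, roster, pii_roles),
        "no_mfa": missing_mfa(accounts),
        "stale": stale_accounts(accounts, today),
    }


# Constructed sample data (not from any real organization).
ROSTER = {
    "E100": Employee("E100", "active", "customer-service"),
    "E101": Employee("E101", "terminated", "customer-service", date(2018, 5, 31)),
    "E102": Employee("E102", "active", "marketing"),
    "E103": Employee("E103", "active", "cloud-ops"),
}
ACCOUNTS = [
    Account("asmith", "E100", True, True, date(2018, 7, 9)),
    Account("bjones", "E101", True, True, date(2018, 6, 15)),      # owner left; account still enabled
    Account("cwu", "E102", True, True, date(2018, 7, 1)),          # marketing does not need PII
    Account("dlee", "E103", False, False, date(2018, 7, 10)),      # cloud-ops credential without MFA
    Account("svc-backup", "E999", True, False, date(2018, 2, 1)),  # no HR owner, idle for months
]
PII_ROLES = {"customer-service"}
REVIEW_DATE = date(2018, 7, 11)


if __name__ == "__main__":
    for finding, names in access_review(ACCOUNTS, ROSTER, PII_ROLES, REVIEW_DATE).items():
        print(f"{finding}: {names}")
```

Each finding maps to an action the article's questions ask about: orphaned accounts to the offboarding process, excess PII access to the least-privilege policy, missing MFA to the credential that undid Timehop, and stale accounts to forgotten credentials that nobody would notice being used.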
Please read this important update with additional information on our July 4th security incident. Emails to every user are being sent out as well. https://t.co/s82imGuZpe
— Timehop (@timehop) July 11, 2018
As the year goes on, stay alert to learn about more data breaches of 2018, what caused them, how to respond, and how to learn from others’ mistakes. Have questions about incident response, breach prevention, or compliance requirements? Contact us today.