It seems that 2.6 billion records were exposed in the first half of 2018. Just to provide context, remember that there are less than 3 times that many people alive on the planet. Obviously, those records don’t represent unique users, but it goes to show the sheer scope of the problem.
And it is an expensive problem. In the U.S. the average price tag swells to $7.91 million per breach, with an average clean-up time of 201 days, according to a report released in July.
This summer, while you might have been enjoying sunshine and holidays, data breaches did not slow down for a breather.
We’ve collated 5 big data breaches of summer 2018, explaining what happened and, where possible, outlining steps you can take to prevent the same thing from happening at your organization.
Typeform – June 2018 – “millions” of records
Unsecured data collected through Typeform surveys was reportedly taken by hackers. As a result, Monzo, Revolut, England’s Shavington-cum-Gresty Parish Council, Fortnum and Mason’s and more were forced to admit that data had been compromised.
The theft included names, email addresses and other pieces of information submitted by users through Typeform forms.
Typeform assured customers that it has identified and addressed the source of the breach. According to Security Week, the company claims it initiated a system security review.
Although it’s not clear exactly how, Typeform admitted the hackers managed to download a partial backup of form responses. This implies backups were left in readable form on web-accessible servers, rather than encrypted and put into secure storage away from web-facing systems.
Ensuring you have proper data collection, transfer and storage facilities is key to deterring the interest of hackers. Especially since the advent of GDPR, make sure you meet your regulatory obligations. Conducting annual risk assessments can highlight vulnerable areas and poor security practices early, better safeguarding against such opportunistic attacks.
Adidas – June 2018 – “millions” of records
At the end of June, Adidas warned millions of customers that their data may have been stolen in a security breach. In a statement, the company said that “an unauthorized party claims to have acquired limited data associated with certain Adidas consumers.”
Information about this attack and how many millions of users were affected remains hazy. According to reports, the incident saw the unauthorized exposure of customer email addresses, encrypted passwords and usernames from users of its US store.
We can speculate that Adidas must segment its customer data because the company does not believe that credit card or personal fitness information was accessible.
Performing regular assessments, penetration tests and vulnerability scans, as well as ensuring you have a clear and concise emergency incident response plan, are key to reducing the overall risk of such an emergency.
Hova Health – August 2018 – 2.3 million records
Kicking off August was news that a Mexican telemedicine company known as Hova Health misconfigured a MongoDB database, exposing more than 2.3 million patient records.
Like so many others, the database was publicly available and could be accessed and edited by anyone. Apparently, no password was required!
The breach exposed highly sensitive personal information, including patient names, insurance policy numbers and expiration dates, dates of birth, and physical addresses. Reports say there were also flags noting migrant status or disabilities.
It is important to understand that people make mistakes.
Ensuring that Information Security staff are properly trained on cybersecurity best practices and legal requirements for securing sensitive and personal information will help to avoid such costly errors. Penetration tests will also help spot holes left open by configuration blunders.
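The Hova Health incident comes down to two settings: the database listening on every network interface and access control switched off. The following script is an added illustration written for this article, not code from Hova Health or from the MongoDB project; the two mongod.conf fragments are constructed samples, and the audit only understands the two-level key/value subset of the file format it needs. It reports the settings that make a MongoDB instance reachable and editable without credentials, the exact condition reported above, and passes the hardened fragment clean.

```python
import re

# Constructed sample: listens on every interface, no access control enforced.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback only, role-based access control enforced.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

_LINE = re.compile(r"^(\s*)([A-Za-z0-9_]+):\s*(.*)$")


def parse_conf(text):
    """Parse the 'section:\\n  key: value' subset of mongod.conf into a dict of
    dotted keys, e.g. {'net.bindIp': '0.0.0.0'}. Comments and blank lines are
    skipped. This is deliberately not a full YAML parser."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            continue
        indent, key, value = m.groups()
        if indent == "":
            section = key
            if value:
                settings[key] = value
        elif section:
            settings[f"{section}.{key}"] = value
    return settings


def audit_conf(text):
    """Return a list of findings for settings that leave mongod reachable
    without credentials. An empty list means neither problem was found."""
    s = parse_conf(text)
    findings = []

    bind_ip = s.get("net.bindIp", "")
    addrs = [a.strip() for a in bind_ip.split(",") if a.strip()]
    # bindIpAll: true (3.6+) or a wildcard address means "every interface".
    bound_all = (s.get("net.bindIpAll", "").lower() == "true"
                 or any(a in ("0.0.0.0", "::") for a in addrs))
    if bound_all:
        findings.append("net.bindIp binds to all interfaces: database reachable "
                        "from any network that can route to this host")
    elif not addrs:
        # The default changed in MongoDB 3.6 (all interfaces before, localhost after),
        # so an unset bindIp is only safe if the server version is known.
        findings.append("net.bindIp unset: default depends on MongoDB version "
                        "(all interfaces before 3.6)")

    if s.get("security.authorization", "").lower() != "enabled":
        findings.append("security.authorization not enabled: no password "
                        "required to read or edit any collection")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_conf(conf) or ['no findings']}")
```

Run it against a copy of the server's real mongod.conf to get the same two checks; a clean result still says nothing about firewall rules or cloud security groups in front of the host, which is why the article pairs configuration review with penetration testing.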
Timehop – July 2018 – 21 million records
On the 4th July (read ‘a day you use to bury news’…), Timehop – an app that links your social profiles, bubbling up popular posts of yore – disclosed a security breach affecting 21 million users.
Timehop intercepted the cyberattack while it was in progress. Data that was leaked included names, email addresses and “keys”, which gave access to previous posts. About three million of the 21 million affected also had their dates of birth and phone numbers stolen.
The company said that no social media content, financial data or Timehop data was affected by the breach. It’s thought that the attackers accessed cloud systems using stolen credentials.
In response, Timehop reset the keys, meaning that users would have to reauthenticate the app to continue using the service. It also engaged with an unnamed cyber intelligence team to look for evidence of the data appearing on the dark web.
Timehop is often referred to as a start-up, but one of those with more than 20 million customers, making it a big target. Imposing strict password and 2-factor requirements on all cloud-based services, and training staff to avoid sharing them improperly, should prevent admin account details from falling into the wrong hands. Having a clear incident response plan also plays a key role.
British Airways – September 2018 – 400k records
Just last week, the payment details of 400,000 British Airways customers were compromised in what the airline is calling a sophisticated breach of the firm’s security.
British Airways’ CEO confirmed that hackers stole the following details: name, email address and credit card information (including credit card number, expiration date and the three-digit CVV code).
However, the company does not store CVV codes, so researchers have speculated that the details were intercepted during transit, reported the BBC.
Details are still emerging at the time of writing, but British Airways boss Alex Cruz has clearly apologized for the incident. He has also promised full compensation.
Details on the sophistication of the attack are still scarce. We are fairly confident that British Airways had strong defenses in place that were regularly tested against known attacks, which leads us to suspect a highly targeted attack, the most difficult kind to defend against.
This costly incident may have been facilitated by a weak or compromised third-party component of the online booking system, such as a chat facility or other website add-on. Thoroughly vet all your providers, and the tools they provide, to ensure you’re not opening yourself up to problems due to their mistakes.