25 Nov
Security Lessons from the Worst Data Breaches & Cyber Attacks of 2019
Picture a heist. Picture that heist involving a hundred million people or more. Picture how that may look; imagine how that might sound. You’d be forgiven for imagining simultaneous full-scale bank robberies with alarms blaring and guns blazing, but this isn’t what heists look like anymore. Heists are silent. Heists hit millions, even billions, at one time from one remote location.
Case in point: in 2018, India experienced a massive data breach involving a whopping 1.1 billion records — including names, addresses, and 12-digit ID numbers — that were made freely available online. A year on, these heists have not slowed down in severity or number, and they have continued across industries and territories to this day. Here, we cover some of 2019’s biggest data breaches and cyber attacks so far, in the hope that there is something to be learned to prevent them from ever happening again.
For the past couple of years, data has been the lifeblood of businesses. Organisations around the world cannot afford to operate without data, yet they must manage it well enough to protect assets and customers alike. To see it handled so recklessly, then, is indeed quite disheartening. A Verizon Connect analysis on asset utilisation emphasises how useful data is and indicates the importance of keeping track of these assets to avoid the risks of theft and loss. Yet back in April, social networking giant Facebook was reported to have suffered a data breach that affected 540 million people. The breach was due to third-party Facebook applications holding large datasets that lacked the necessary protection, thus exposing the data to the public. The breach resembles that of the not-so-distant Cambridge Analytica scandal, putting Facebook’s issues regarding the policing of its developers and partners at the forefront.
A lesson that can be learned here is that of due diligence. Companies must be more responsible when securing user data, which for Facebook is critical not only to stakeholder welfare but also to the company’s business model itself. However, several reports reveal that Facebook as a company has been astoundingly careless in this regard. A recent report by security analyst Brian Krebs reveals yet another flaw: Facebook had apparently been storing hundreds of millions of user passwords in plain text, making the entirety of that data set accessible to over 20,000 Facebook employees.
Another cyber attack that made news earlier this year was the Toyota breach. An article in CPO Magazine claims that the information of over 3.1 million customers had been exposed, as hackers had targeted several Toyota subsidiaries. These include Lexus Koishikawa Sales, Lexus Nerima, and Toyota Tokyo Sales Holdings, among others. These subsidiaries were weak points because their security protocols differed from those of their parent companies, which made them convenient points of entry for the attackers.
To remedy this, companies must establish clear security policies with regard to their subsidiaries. When organisations put cyber security systems and policies in place, management and leaders must demand that the subsidiaries follow suit, so as to protect user data and to minimise data theft or loss across the board. Establishing a uniform minimum security baseline would surely lessen the occurrence of events such as these.
According to Verdict’s report on the Canva data breach earlier this year, over 140 million users had been compromised in a malicious attack by a hacker known as Gnosticplayers. This prompted the company to tell its users to change their passwords for the site, and also their passwords for any other sites on which they had reused the same password. Canva also informed its users that the hacker had stolen partial credit card information, but assured them that this information was virtually useless and that Canva never stores its users’ full credit card details.
Now, while Canva took the necessary precautions to avoid a catastrophic event by ensuring that passwords were salted and hashed with bcrypt and by not storing full credit card information, its major blunder lay elsewhere. What left much to be desired was the way it communicated the breach to its users. Instead of nipping the problem in the bud, Canva informed users of the breach via an email that starts off with what can only be described as marketing fluff, instead of getting to the point and being clear with its compromised customers right off the bat. Remember that only by being transparent can companies limit further damage to their users’ safety and to their own reputation if and when a breach or cyber attack does occur.
By Lindzi Guerra