This year has been a year like no other, with what seems to be a never-ending and always evolving set of headlines. At a glance, we’ve seen the evolution of the Coronavirus pandemic, the ongoing wildfires across not only the country but the world, the death of a basketball legend, Brexit finally coming to fruition, a civil rights uprising, and so much more.
The state of cybersecurity this year has had just as many ups and downs. While research done by the Identity Theft Resource Center found that in the first half of 2020 there had been a 33% drop in the number of publicly reported data breaches as compared to the number reported in the first half of 2019, the number of records exposed has gone up significantly. Cyber attackers continue to exfiltrate data from the largest organizations in the world, finding novel ways to compromise sensitive data.
Let’s explore some of the top data breaches of this year so far, focusing on why they happened and how they could have been prevented.
| Company | How it Happened | Type of Data | How it could have been prevented |
|---|---|---|---|
| Slickwraps | Remote Script Execution Vulnerability | customer photos, addresses, administrator account details, employee resumes | Act on vulnerability reports; regular security audits and penetration tests |
| Antheus Tecnologia (81.5 Million Records) | Cloud migration misconfiguration | Biometric Information, Employee emails, admin logon information | Access controls, password protection and encryption for data moved to the cloud |
| ExecuPharm | Phishing campaign leading to ransomware | Employee emails, financial records (SSNs, Bank/Credit Card Numbers), database backups, employee documents | Employee phishing awareness; ransomware monitoring; hardened Active Directory and Privileged Access Management |
| Marriott (5.2 Million Guests) | Compromised employee credentials | Contact Details, Account Information, Personal Information | Multi-factor authentication; user activity and behavior monitoring |
| EasyJet (9 million+ customers) | Not disclosed by the company | email addresses, names, travel records, and credit card details including the three-digit CVV | Unknown for the exploit itself; prompt customer notification |
The breach story of Slickwraps, an electronics accessory company, begins with an individual who described themselves as a “white hat” hacker and tried to alert the company to its “abysmal cybersecurity”. When the company ignored the warning, the hacker published a post about the experience. A second hacker found that post and not only exploited the vulnerabilities but also emailed every customer to tell them their data had been compromised.
The exploit was possible because of a remote code execution vulnerability in the phone customization tool. The tool let end users upload their own photos, and the hacker abused it by uploading a file that ultimately allowed them to execute shell commands on the server. The vulnerability exposed customer photos, billing and shipping addresses, administrator account details, and employee resumes.
This one is probably more obvious than the others: if someone points out a vulnerability, don’t let the alert go unnoticed. More proactively, organizations should verify the security of their applications through regular security audits, whether internal or external, and penetration tests. This particular class of vulnerability is not uncommon and would be flagged by any number of scans or tests.
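The upload flaw described above is the kind of thing an audit catches because the fix is well understood: never trust the client's file name or content type, verify the bytes are really the image type claimed, and store the file under a server-generated name outside the web root. The following is an added example of that validation, not Slickwraps' code; validate_upload, store_upload and the upload_root directory are hypothetical names, and the size limit is an assumption.

```python
"""Hardened image-upload validation, as an added example (not Slickwraps' code).

validate_upload() and store_upload() are hypothetical names; upload_root is
assumed to be a directory outside the web server's document root.
"""
import os
import secrets

# The customization tool only needs raster images, so only these are accepted.
# Each extension maps to the magic bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed product limit


class UploadRejected(ValueError):
    """Raised when an upload fails any check; the message is safe to log."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Check a submitted file and return the randomised name it will be stored under.

    The client-supplied name is used only to read the claimed extension; the
    directory part is discarded, so traversal sequences never reach the disk.
    """
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized upload")
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("missing extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not an allowed image type")
    # The bytes must actually be the image type claimed. A script renamed to
    # .jpg, or named shell.php.jpg, fails here because its content is not JPEG.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared image type")
    # The stored name is generated server-side, so the uploader controls
    # neither the path nor the extension the file is later served with.
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(upload_root: str, client_filename: str, data: bytes) -> str:
    """Validate, then write the file under upload_root; return the stored path."""
    stored_name = validate_upload(client_filename, data)
    path = os.path.join(upload_root, stored_name)
    # "xb" refuses to overwrite an existing file, even if a name ever collided.
    with open(path, "xb") as fh:
        fh.write(data)
    return path
```

Magic-byte checks stop renamed scripts but not a genuine image with script text appended, so the stored file should also be served from a location the web server never executes, with a fixed image Content-Type and an image-processing step (re-encoding) where the product allows it.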
81.5 Million Records
Brazil-based biometric solutions company Antheus Tecnologia left sensitive information, including data on 76,000 fingerprints, exposed on an unsecured log server. The data was accessible from the internet and was discovered by the security research team at SafetyDetectives. Alongside the fingerprint data, other sensitive information was found, including facial recognition data, employee emails, telephone numbers, and administrator login information.
Exposure of biometric data is particularly alarming because, unlike a password, a fingerprint or a face cannot be changed, so the data’s value does not diminish over time. Once stolen, the attacker holds information that never expires and can be used for malicious purposes now or at any point in the future.
Organizations should ensure that appropriate controls are in place to secure access to sensitive data, whether it lives on-premises or online. This incident was likely caused by a misconfiguration while moving data to the cloud; migrating sensitive data between locations should be handled with care, using measures such as password protection and encryption. This is especially important as companies move internal data to the cloud, where a misconfigured service can be exposed to anyone who finds its IP address.
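A migration misconfiguration like this is usually a single access-policy statement that grants read access to everyone. The page does not say what kind of server Antheus exposed, so the added example below assumes an AWS S3-style bucket policy as one common form of the mistake and checks it for anonymous grants; it is not Antheus' or Stealthbits' code, both policies are constructed, and the bucket name, account id and role ARN are placeholders.

```python
"""Check a cloud storage policy for world-readable grants, as an added example.

Assumes an AWS S3-style bucket policy document. Both policies below are
constructed; the bucket name, account id and role ARN are placeholders.
"""
import json
from typing import List

# Constructed: a policy that makes the bucket readable by anyone on the internet.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "LogReadAnyone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-biometric-logs",
                     "arn:aws:s3:::example-biometric-logs/*"],
    }],
})

# Constructed: the same access limited to one named role in the owning account.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "LogReadIngestRole",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/log-ingest"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-biometric-logs",
                     "arn:aws:s3:::example-biometric-logs/*"],
    }],
})


def _is_anonymous(principal) -> bool:
    """True when the Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def public_grants(policy_json: str) -> List[str]:
    """Return one finding per Allow statement that is open to any principal.

    Statements carrying a Condition (for example a source-IP restriction) are
    labelled so a reviewer can judge whether the condition is actually tight.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        sid = stmt.get("Sid", "<no Sid>")
        scope = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append(f"{sid}: {scope} public grant of {', '.join(actions)}")
    return findings
```

Run over every bucket policy before and after a migration, an empty result for each is the expected state; any unconditional finding on a bucket holding biometric or employee data should block the cutover, and the data itself should additionally be encrypted at rest so a policy slip does not immediately mean plaintext exposure.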
The ransomware attack on this major US pharmaceutical firm actually took place in March but was not disclosed to the public until a month later. Cyber attackers gained access to servers through a phishing campaign targeting ExecuPharm employees and, once inside, encrypted the data and demanded a ransom to decrypt it. When the ransom they demanded was not paid, they published the stolen data on the dark web, including thousands of employee emails, financial records, user documents, and database backups. These records potentially contained personal information ranging from Social Security numbers to bank and credit card numbers.
The importance of employee training on common cybersecurity attack vectors such as phishing and credential stuffing cannot be overstated. The IBM Security Cost of a Data Breach Report 2020 indicates that 19% of data breaches are caused by compromised credentials and cloud misconfigurations, scenarios that often arise from a lack of employee awareness or administrative discipline. In addition, a study conducted by the Ponemon Institute concluded that 62% of insider threats are due to “negligent insiders”, inside actors who don’t even know that they are posing a threat!
Phishing campaigns are on the rise, so it is extremely important that employees are familiar with common phishing language, how to spot suspicious links, and how to check if a website or email is legitimate. At the very least, they should know when to reach out and who to reach out to for help or clarification. Check out our blog post on how to identify phishing scams.
Another key piece of the puzzle is having a monitoring system in place to detect and respond to ransomware attacks swiftly. Time is the most important asset in being able to gain back control and stop the propagation of ransomware throughout the network.
In addition to having the appropriate monitoring technology in place, a hardened Active Directory makes it harder for attackers to escalate their privileges and move laterally across the network. Couple that with a Privileged Access Management solution, and compromising a privileged account becomes more difficult still.
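The monitoring the two paragraphs above call for has to turn file-server telemetry into an alert within seconds, because the visible signature of ransomware encrypting a share is a burst of renames that swap every file's extension. The following added example shows one such detector over constructed audit events; it is not Stealthbits' detection logic, the CSV event format is assumed, and the one-minute window and five-event threshold are assumptions to tune against a real environment.

```python
"""Detect a burst of extension-changing renames, as an added example.

This is not Stealthbits' detection logic. It assumes file-server audit events
in a constructed CSV form: timestamp, user, process, action, old path, new path.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple
import os

WINDOW = timedelta(seconds=60)   # assumed: look back one minute
THRESHOLD = 5                    # assumed: five extension changes in the window

# Constructed sample events. The ordinary rename by explorer.exe keeps the
# extension, and the single .bak rename by asmith stays under the threshold.
SAMPLE_EVENTS = """\
2020-03-11T09:00:00Z,jdoe,WINWORD.EXE,write,/share/finance/q1.docx,
2020-03-11T09:00:02Z,jdoe,explorer.exe,rename,/share/finance/draft.docx,/share/finance/final.docx
2020-03-11T09:00:05Z,jdoe,updater.exe,rename,/share/finance/q1.docx,/share/finance/q1.docx.locked
2020-03-11T09:00:10Z,jdoe,updater.exe,rename,/share/finance/q2.docx,/share/finance/q2.docx.locked
2020-03-11T09:00:15Z,jdoe,updater.exe,rename,/share/finance/budget.xlsx,/share/finance/budget.xlsx.locked
2020-03-11T09:00:20Z,jdoe,updater.exe,rename,/share/hr/resumes.zip,/share/hr/resumes.zip.locked
2020-03-11T09:00:25Z,jdoe,updater.exe,rename,/share/hr/payroll.csv,/share/hr/payroll.csv.locked
2020-03-11T09:00:30Z,jdoe,updater.exe,rename,/share/hr/notes.txt,/share/hr/notes.txt.locked
2020-03-11T09:30:00Z,asmith,explorer.exe,rename,/share/it/old.log,/share/it/old.log.bak
"""


def detect_rename_bursts(events_csv: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, process) for each user/process pair whose
    extension-changing renames reach THRESHOLD within WINDOW; one alert per pair."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str, str]] = []
    already_alerted = set()
    for line in events_csv.splitlines():
        if not line.strip():
            continue
        ts_text, user, process, action, old_path, new_path = line.split(",")
        if action != "rename":
            continue
        # Only renames that change the extension count: mass re-extension is the
        # signature being looked for, ordinary renames are not.
        if os.path.splitext(old_path)[1] == os.path.splitext(new_path)[1]:
            continue
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        key = (user, process)
        window = recent[key]
        window.append(ts)
        while ts - window[0] > WINDOW:   # drop events older than the window
            window.popleft()
        if len(window) >= THRESHOLD and key not in already_alerted:
            already_alerted.add(key)
            alerts.append((ts_text, user, process))
    return alerts
```

The alert fires at the fifth rename, twenty seconds into the burst, which is the point at which an automated response (disabling the account, blocking the process, or isolating the host) still leaves most of the share intact; a detector that waits for a daily report has already lost the race the paragraph above describes.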
5.2 Million Guests
Only two years after the massive data breach stemming from its acquisition of Starwood Hotels, Marriott announced that guest information had been accessed using the credentials of two employees, which had been compromised. The credentials gave the attackers access to an application the hotel franchise uses to provide services to guests. While it is unclear how the hackers obtained the employee credentials, they were able to pull data slowly for a month before being discovered. The data includes contact details, loyalty account information, personal information (gender, birthday), linked loyalty programs and numbers, and preferences.
If Marriott had been using multi-factor authentication, the hackers would have needed much more than a password to use the employee credentials, making it extremely difficult, if not impossible, for them to get into the network. Another necessary measure Marriott could have taken is to monitor user activity and behavior patterns in order to identify anomalous behavior proactively, especially where sensitive data is concerned. In this case, they might have noticed employees accessing a far larger number of guest records than their typical behavior would suggest, and could have investigated and likely detected the attacker’s presence much sooner.
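The behavioral check described above works because a stolen credential still has to do something its legitimate owner never did: the attacker pulled guest records in volume over a month, while a front-desk agent touches a few dozen a day. The added example below compares each user's daily distinct-guest count against that user's own history and flags the day it jumps; it is not Marriott's or Stealthbits' code, the CSV access-event format and the sample data are constructed, and the history length, sigma and ratio thresholds are assumptions.

```python
"""Flag a user whose guest-record lookups jump above their own baseline, as an
added example (not Marriott's or Stealthbits' code).

Input is assumed to be application access events in a constructed CSV form:
timestamp, user, action, guest id. Thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

MIN_HISTORY_DAYS = 5   # need this many prior days before judging a day
SIGMA = 3.0            # flag when count exceeds mean + SIGMA * stdev ...
MIN_RATIO = 2.0        # ... and is at least twice the mean (guards a zero stdev)


def build_sample_events() -> str:
    """Construct ten days of events: agent1 normally views 20-22 guests a day and
    agent2 views 15; on day ten agent1 pulls 400 records."""
    lines = []
    for day in range(1, 11):
        n_agent1 = 400 if day == 10 else 20 + day % 3
        for i in range(n_agent1):
            lines.append(f"2020-02-{day:02d}T10:{i % 60:02d}:00Z,agent1,view_guest,G{day * 1000 + i}")
        for i in range(15):
            lines.append(f"2020-02-{day:02d}T11:{i:02d}:00Z,agent2,view_guest,G{day * 1000 + i}")
    return "\n".join(lines)


def daily_distinct_guests(events_csv: str) -> Dict[str, Dict[str, Set[str]]]:
    """user -> day -> set of guest ids viewed (distinct, so re-reading one
    record all day does not look like a bulk pull)."""
    seen: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in events_csv.splitlines():
        if not line.strip():
            continue
        ts, user, action, guest_id = line.split(",")
        if action == "view_guest":
            seen[user][ts[:10]].add(guest_id)
    return seen


def flag_anomalous_access(events_csv: str) -> List[Tuple[str, str, int]]:
    """Return (user, day, count) where a day's distinct-guest count is far above
    that user's own history. Each user is compared only with themselves, so a
    busy agent is not penalised for a quiet colleague's baseline."""
    flagged = []
    for user, by_day in daily_distinct_guests(events_csv).items():
        days = sorted(by_day)
        counts = [len(by_day[d]) for d in days]
        for i in range(MIN_HISTORY_DAYS, len(days)):
            history = counts[:i]
            baseline = mean(history)
            limit = baseline + SIGMA * pstdev(history)
            if counts[i] > limit and counts[i] >= MIN_RATIO * baseline:
                flagged.append((user, days[i], counts[i]))
    return flagged
```

A per-user baseline catches the case the paragraph describes; a shared role baseline (all agents at one property) is a useful second signal, and the distinct-record count should be joined to the application's own audit trail so an alert carries which guests were read, which is exactly what the later breach notification needs.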
9 million+ customers
While the company discovered the attack on this European airline in January, information about the attack was not disclosed to all impacted customers until May. This failure to protect data and the delay in communication have earned them intense criticism and a class-action lawsuit under the GDPR that could cost them up to £18 billion. While the company has yet to disclose how the attack was possible, email addresses, names, travel records, and credit card details including the three-digit CVV, were exposed.
Given the lack of detail about exactly what happened, it’s hard to say how the exploit itself could have been prevented. That being said, public perception and customer confidence are extremely important in order to rebound from a data breach. While financial damage may be inevitable in the case of a successful data breach, maintaining the reputation of your brand is still possible. In the case of EasyJet, while they informed the ICO as required under the GDPR, they did not alert their customers until much later, damaging their trust.
The IBM Security Cost of a Data Breach Report 2020 emphasizes the importance of having the appropriate data security measures fully deployed and automated, highlighting the increase in the cost of a data breach when these solutions have not been deployed.
Learn more about how Stealthbits can help to automate a multitude of functions that contribute significantly to a strong security program, from security and configuration assessments, identification and remediation of access vulnerabilities, policy enforcement, privileged access activities, and rollback and recovery of malicious changes, to threat detection and response.
Farrah Gamboa is a Director of Technical Product Management at Stealthbits – now part of Netwrix. She is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Since joining Stealthbits in 2012, Farrah has held multiple technical roles, including Scrum Master and Quality Assurance Manager. Farrah holds a Bachelor of Science degree in Industrial Engineering from Rutgers University.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.