2018 has been a year of staggering data breaches, with some famous and unexpected names involved. Most of the breaches were caused by poor security discipline, in three recurring forms:
- Data left unsecured, typically on a publicly reachable server or database;
- Reported vulnerabilities that were not investigated or were ignored outright; and
- Intrusions detected only after a long time, or only once the confidential data had already appeared on the Internet.
Table of Breaches

| Company | Rank | Records breached | Date disclosed | Root cause | Description |
|---|---|---|---|---|---|
| PumpUp | 10 | 6 million | 31st May | Data security indiscipline | An unsecured backend server on AWS exposed identity and health information contained in messages between users. |
| Sacramento Bee | 9 | 19.5 million | 7th June | Intrusion for ransom | Hackers held databases to ransom, including a copy of the California voter registry. The ransom was not paid and the databases were deleted to prevent further issues, but the hackers had already had access to the contents of all of them. |
| Ticketfly | 8 | 27 million | 7th June | Ignored vulnerability warning | Ignored an anonymous warning about a vulnerability, then suffered an attack: the site was defaced, unable to operate for a week, and the details of all 27 million customers were stolen (names, addresses, email addresses, phone numbers). |
| Panera | 7 | 37 million | 2nd April | Ignored vulnerability warning | Ignored for eight months a report of a vulnerability that leaked customer records in plain text, in a form that could easily be indexed and processed by automated tools. |
| Facebook | 6 | > 87 million | 17th March | Abuse of platform API permissions | Cambridge Analytica obtained the data through a third-party quiz app that used the Facebook API permissions of the time to harvest the profiles of the app's users and of their friends, building a picture of people's total social media presence. |
| MyHeritage | 5 | 92 million | 4th June | Confidential data found online | A security researcher found a file containing the names, email addresses and hashed passwords of all users who had signed up before 26th October 2017. Payment and DNA information is handled by third parties and was not in the file. |
| Under Armour | 4 | > 150 million | 25th May | Intrusion | In March Under Armour learned that someone had gained unauthorised access to its MyFitnessPal platform and was able to access usernames, email addresses and hashed passwords. |
| Exactis | 3 | 340 million | 26th June | Data security indiscipline | A security researcher found that Exactis had left a database on a publicly accessible server containing 340 million customer records, including names, email addresses, street addresses, phone numbers and other CRM-type information, down to the names and gender of customers' children. |
| Marriott | 2 | 500 million | 30th November | Persistent intrusion | In 2014 an "unauthorised party" gained access to Starwood's guest reservation system and had been copying and encrypting the data ever since. The data included names, addresses, itineraries, passport numbers, and encrypted credit card numbers and expiry dates. Decrypting the card data requires two pieces of information, and Starwood has said the attackers may have had access to both. The breach falls under the EU GDPR, so a fine of up to 20 million Euros or 4% of global annual turnover, whichever is greater, may apply. |
| Aadhaar | 1 | 1.1 billion | 3rd January | Confidential data sold online | Unknown WhatsApp users sold, for 500 rupees, login credentials giving access to the Aadhaar record of any Indian citizen via their 12-digit Aadhaar identifier, including name, address, photo, phone number and email address. A further 300 rupees bought software to print an ID card for any Aadhaar number. This covered all 1.1 billion registered Indian citizens. |
These breaches show that IT security is a necessary function in any business, in any industry sector, with an Internet presence. They also show that security requires proper policy and supporting processes, backed by operational diligence: unsecured data, ignored vulnerability reports and undetected intrusions are failures of process and monitoring, not of technology alone.
Agilient has experienced policy and audit consultants to assist in creating, and measuring the effectiveness of, security policy, directives, guides, processes and procedures for a business of any size.