Lessons from 3 Big Data Breaches of 2017
In 2017, cyber-attacks invaded the privacy of millions, grabbing headlines as established firms struggled to keep the noise down.
Interestingly, these breaches had a common theme — they were reported weeks after their initial discovery.
Here are three of the many security breaches of 2017 that impacted millions due to reasons including low security, weak passwords or avoidable negligence.
The breach of the Atlanta-based credit reporting agency, Equifax is one of the worst data breaches recorded in the history of cybercrimes. The heist involved highly sensitive information of consumer data that included personal details of 143 million customers, their social security numbers, credit card accounts and 11 million US drivers’ licenses.
Many aggrieved customers are facing the repercussions of the breach that include “multiple fraudulent charges” on credit cards and “unauthorized mortgage loans” on associated accounts. Additionally, driver licenses information is paving the way for impersonators to impact websites and services that accept driver’s license as a requirement.
But it is Equifax’s negligence and delays in addressing the issue that deteriorated matters further for the firm. The hackers had retrieved the data between May and July 2017 but it took the company six weeks to report the breach.
After uncovering the breach, Equifax’s attempt to address concerns through a data breach tool was also a failure and its support site resembled just another phishing site. The site directed the consumers to sign up for Equifax’s credit monitoring product TrustID.
Considered to be the “mother of all hacks”, the agency was eventually forced to retract clause on the site that prevented the affected customers from suing the company.
Yahoo — Verizon
Reported in August 2016, Yahoo’s hack originally traces back to 2014.
Initially, the breach impacted at least 500 million user accounts. But over a period of time, Yahoo’s breach took complicated turns, with deeper revelations. By the end of 2016, the company opened up on another hack which impacted one billion users.
After four months of Yahoo-Verizon merger in mid-June, Yahoo’s bidding firm Verizon made a startling announcement. In a recent update in October 2017, it was revealed that each and every Yahoo account was impacted and this was close to 3 billion.
The disclosure made Yahoo a home to the largest data breach in history, raising serious concerns on the stolen data.
In its statement, Verizon said, “The company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.”
But on July 13, 2017, Verizon too found itself amidst a hack that impacted 14 million subscribers.
The consumers who had called customer services in the past six months of the July hack were exposed to the data breach. ZDNet reported that the data of Verizon customers were available for download after an employee at an Israel-based firm, Nice Systems left them on an unsecured Amazon S3 storage server. The security lapse was discovered by the Director of cyber risk research at security firm UPGuard, Chris Vickery in June of 2017.
Such breach exposed records of customers’ information which included their names, cell phone number and account PIN.
When talking about breaches, Uber’s wait-watch-disclose policy provides a learning lesson for many startup hypes on why a business model needs to be an ethical one.
On November 21, 2017, Uber announced that personal data of as many 50 million riders and 7 million Uber drivers in the US was stolen in a breach that dated back to October 2016. The stolen information (as reported by CNBC) can allow hackers to find their homes and even their travel history.
The company had not revealed any information about the hacker or how it paid him the money. To worsen matters, Uber paid the hacker $100,000 to delete the data. According to Reuters, Uber’s newly appointed CEO Dara Khosrowshahi said that the disclosure to regulators should have been made at the time it was discovered.
Why are data breaches getting common?
Poor cybersecurity practices can give way to cybercrimes. For established firms like Deloitte that pride themselves on Cyber Intelligence Centre, data breaches can be embarrassing. In March 2017, accounting giant Deloitte fell victim to a cyber-attack. The Guardian reported that “a host of clients had material that was made vulnerable by the hack” which included The US departments of state, energy, homeland security and defense, the US Postal Service, the housing giants that fund and guarantee mortgages in the US, Fannie Mae and Freddie Mac. A recent Data Breach Investigations Report (DBIR) by Verizon showed that 70% of the breaches are financially motivated and 80% of the hacking-related breaches were either due to stolen passwords and/or weak passwords.
Outdated Security Technology Any security breach stems from lapses in the privacy practices of the firm. At the time of the hack, Deloitte did not have multi-factor authentication, which allowed outside hackers to get into the system through the administrator’s account.
Outside hacking can be malicious and the cost of such attacks is costlier when compared to data breaches through system glitches and human errors. Extraction of personal data by hackers should be addressed immediately without delay before it spreads across the entire customer base and hackers cover their tracks. As cyber-attacks become common, it is important for CEOs of firms address the issue of cybersecurity diligently and create a protected work environment. In an interview with CNBC, McAfee CEO Chris Young said CEOs must enforce a “culture of security”.
Delay in Report and Response An IBM report shows that “faster the breach can be identified and contained, the lower the costs”. But real-time detection remains distant for many companies but a grave concern is when reports of data breaches are kept under wraps for a long time.
Reporting data breach years after it has been committed only worsens the situation for both the consumers and the firm’s goodwill. Late disclosures erode the trust in organizations.
Uber and Yahoo are examples of how companies should not delay the disclosure. More than anything immediate efforts should be made to fix the issue since delaying it only aggravates the existing issue. Some of the biggest breaches like that of Yahoo took years to be revealed. Yahoo in its two consecutive hacks reported in 2016 revealed that they actually dated back to as early as 2013 and 2014. Yahoo’s recent update in 2017 worsened the issue when it was revealed that the breach actually impacted 3 billion accounts instead of 1 billion reported in 2016.
According to latest findings by digital security provider Gemalto, in the first half of 2017, almost 2 billion data records around the world were either lost or stolen through cyber-attacks. A cyber-attack is a serious crime and its impact can be devastating to the security of people of any country. In the coming times, protecting sensitive information from hacks is highly crucial and in the light of growing cyber-attacks, people should keep a close eye on fraudulent activities like bank account activities, revelations of credit card information and phishing scams.
Originally Published on Digital Disruption