2018: Not the year for cybersecurity best practices
As 2018 shows, years of targeted hacks, epic heists, and run-of-the-mill data breaches have not made organisations much wiser about the importance of strong cybersecurity.
In 2018, data breaches compromised the personal information of millions of people around the world.
Some of the biggest victims in 2018 include Google, Marriott Hotels, Quora, and Orbitz, while Facebook dealt with a slew of major breaches and incidents affecting over 100 million users.
These cyber-attacks reveal the extent of the impact on customers and consumers. They give a clear warning that 2019 calls for much greater vigilance, due diligence around risk management best practices, and much improved cyber response.
Summary of the Worst Hacks
Here at CYBERWISER.eu, we have analysed several media outlets covering the breaches and put together a summary of the top breaches from around the globe.
#1 Marriott Starwood hotels - 500 million
What was affected: Guest information including phone numbers, email addresses, passport numbers, reservation dates, and some payment card numbers and expiration dates. About 170 million impacted Marriott customers only had their names and basic information like address or email address stolen, but about 327 million people lost much more. Marriott says that this larger group had different combinations of name, address, phone number, email address, date of birth, gender, trip and reservation information, passport number, and Starwood Preferred Guest account information stolen.
When it happened: 2014 - September 2018. The hack originated in Starwood's reservation system but went undetected until early November 2018. It took Marriott 9 days to fully understand the scale of the breach.
How it happened: Hackers accessed the reservation database for Marriott's Starwood hotels, and copied and stole guest information.
The Marriott incident is one of the largest data breaches in history.
#2 Facebook - 29 million
What was affected: Highly sensitive data, including locations, contact details, relationship status, recent searches, and devices used to log in.
When it happened: July 2017 - September 2018
How it happened: The hackers were able to exploit vulnerabilities in Facebook's code to get their hands on 'access tokens' - essentially digital keys that give them full access to compromised users' accounts - and then scraped users' data. Sites use authorisation token schemes so users don't need to sign in multiple times as they move around a platform. In Facebook's case, the attackers coordinated exploitation of three different bugs in the social network's "View As" feature to grab user tokens, gain access to Facebook accounts, and exfiltrate a significant and diverse trove of user data. The vulnerabilities had existed in Facebook's platform since July 2017, but the company only detected suspicious activity related to them on 14 September 2018. It disclosed the data breach in late September, reporting that attackers had gained access to 30 million accounts.
The company is investigating with the FBI. The incident is the first known data breach of a platform that has existed for well over a decade. It comes, though, in the wake of a dismal track record on third-party access limits and a recent incident in which a bug exposed 6.8 million users' photos to third-party developers. It is a clear sign that things need to improve on the user privacy and data management front.
#3 British Airways - 380,000
What was affected: Card payments. The company said that names, addresses, email addresses, and sensitive payment card details were all stolen in the breach.
When it happened: 21 August 2018 - 5 September 2018
How it happened: A "criminal" hack affecting bookings made on the airline's website and app.
Hackers from the well-known criminal group Magecart pulled off the attack by specifically evaluating the airline's digital systems and tailoring a plan for installing malicious skimming code in its payment data entry forms. That way, any time someone entered information to make a reservation, all the data would silently go to Magecart.
#4 Cambridge Analytica - 87 million
What was affected: Facebook profiles and data identifying users' preferences and interests. While only 270,000 Facebook users actually installed the app, Facebook's data sharing policies at the time meant that the app was able to gather data on millions of their friends.
When it happened: 2015
How it happened: A personality prediction app called "thisisyourdigitallife," developed by a University of Cambridge professor, improperly passed on user information to third parties that included Cambridge Analytica, a data analytics firm that assisted President Trump's presidential campaign by creating targeted ads using millions of people's voter data.
#5 Google+ - 52.5 million
What was affected: Private information on Google+ profiles, including name, employer and job title, email address, birth date, age, and relationship status. In both incidents, Google said it doesn't have any evidence that the bugs were exploited, meaning that these were probably exposures, not breaches.
When it happened: 2015 - March 2018 and 7-13 November 2018. The bug rolled out in a 7 November software update. Google had found and corrected it by 13 November, so app developers only had the problematic data access for six days.
How it happened: Earlier this year, Google announced it would be shutting down Google+ after a Wall Street Journal report revealed that a software glitch caused Google to expose the personal profile data of 500,000 Google+ users. Then again in December, Google revealed it had experienced a second data breach that affected 52.5 million users. Google has now decided it will shut down Google+ for good in April 2019.
Google said that after an extensive audit it had concluded that, essentially, Google+ wasn't worth the expense to support and secure.