Tuesday, December 11, 2018

The 21 biggest data breaches of 2018

Copied from https://www.businessinsider.com/data-hacks-breaches-biggest-of-2018-2018-12


Here are the biggest data breaches that were revealed this year, ranked by number of users affected:

21. British Airways — 380,000

What was affected: Card payments

When it happened: August 21, 2018 — September 5, 2018

How it happened: A "criminal" hack affecting bookings made on the airline's website and app.

20. Orbitz — 880,000

What was affected: Payment card information and personal data such as billing addresses, phone numbers, and emails.

When it happened: January 1, 2016 — December 22, 2017

How it happened: Hackers accessed travel bookings in the website's system.

19. SingHealth — 1.5 million

What was affected: Names and addresses in the Singapore government's health database, and some patients' history of dispensed medicines. Information on the prime minister of Singapore was specifically targeted.

When it happened: May 1, 2015 — July 4, 2018

How it happened: Hackers orchestrated a "deliberate, targeted, and well-planned" attack, according to a statement.

18. T-Mobile — about 2 million

What was affected: Encrypted passwords and personal data, including account numbers, billing information, and email addresses.

When it happened: August 20, 2018

How it happened: An "international group" of hackers accessed T-Mobile servers through an API.

17. myPersonality — 4 million

What was affected: Personal data via Facebook customers who used the myPersonality app.

When it happened: The app was "mostly active before 2012," but was banned from Facebook this year in April.

How it happened: The app mishandled Facebook user data by sharing "information with researchers as well as companies with only limited protections in place."

16. Saks and Lord & Taylor — 5 million

What was affected: Payment card numbers

When it happened: Details were never shared.

How it happened: "New York-based security firm Gemini Advisory LLC says that a hacking group called JokerStash announced last week that it had put up for sale more than 5 million stolen credit and debit cards, and that the compromised records came from Saks and Lord & Taylor customers."

15. SheIn.com — 6.42 million

What was affected: Email addresses and encrypted passwords for customers' online store accounts.

When it happened: Sometime in June 2018

How it happened: Hackers carried out "a sophisticated criminal cyberattack on its computer network."

14. Cathay Pacific Airways — 9.4 million

What was affected: 860,000 passport numbers; 245,000 Hong Kong identity card numbers; 403 expired credit card numbers; and 27 credit card numbers without the card verification value (CVV).

When it happened: Activity was discovered in March 2018

How it happened: Passenger data was accessed "without authorization."

13. Careem — 14 million

What was affected: Names, email addresses, phone numbers, and trip data.

When it happened: January 14, 2018

How it happened: "Access was gained to a computer system that stored customer and driver account information."

12. Timehop — 21 million

What was affected: Names, email addresses, and some phone numbers.

When it happened: December 2017 — July 2018

How it happened: "An access credential to our cloud computing environment was compromised ... That cloud computing account had not been protected by multifactor authentication."

11. Ticketfly — 27 million

What was affected: Personal information including names, addresses, email addresses, and phone numbers.

When it happened: Late May 2018

How it happened: A hacker called "IsHaKdZ" compromised the site's webmaster and "gained access to a database titled 'backstage,' which contains client information for all the venues, promoters, and festivals that utilize Ticketfly's services."

10. Facebook — 29 million

What was affected: Highly sensitive data, including locations, contact details, relationship status, recent searches, and devices used to log in.

When it happened: July 2017 — September 2018

How it happened: "The hackers were able to exploit vulnerabilities in Facebook's code to get their hands on 'access tokens' — essentially digital keys that give them full access to compromised users' accounts — and then scraped users' data."

9. Chegg — 40 million

What was affected: Personal data including names, email addresses, shipping addresses, and account usernames and passwords.

When it happened: April 29, 2018 — September 19, 2018

How it happened: According to Chegg's SEC filing: "An unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company's family of brands such as EasyBib."

8. Google+ — 52.5 million

What was affected: Private information on Google+ profiles, including name, employer and job title, email address, birth date, age, and relationship status.

When it happened: 2015 — March 2018, November 7 — November 13

How it happened: Earlier this year, Google announced it would be shutting down Google+ after a Wall Street Journal report revealed that a software glitch caused Google to expose the personal profile data of 500,000 Google+ users. Then again in December, Google revealed it had experienced a second data breach that affected 52.5 million users. Google has now decided it will shut down Google+ for good in April 2019.

7. Cambridge Analytica — 87 million

What was affected: Facebook profiles and data identifying users' preferences and interests.

When it happened: 2015

How it happened: A personality prediction app called "thisisyourdigitallife," developed by a University of Cambridge professor, improperly passed on user information to third parties that included Cambridge Analytica, a data analytics firm that assisted President Trump's presidential campaign by creating targeted ads using millions of people's voter data.

Only 270,000 Facebook users actually installed the app, but due to Facebook's data sharing policies at the time, the app was able to gather data on millions of their friends.

6. MyHeritage — 92 million

What was affected: Email addresses and encrypted passwords of users who have signed up for the service.

When it happened: October 26, 2017

How it happened: "A trove of email addresses and hashed passwords were sitting on a private server somewhere outside of the company."

5. Quora — 100 million

What was affected: Account info including names, email addresses, encrypted passwords, data from user accounts linked to Quora, and users' public questions and answers.

When it happened: Discovered in November 2018

How it happened: A "malicious third party" accessed one of Quora's systems.

4. MyFitnessPal — 150 million

What was affected: Usernames, email addresses, and encrypted passwords.

When it happened: February 2018

How it happened: An "unauthorized party" gained access to data from user accounts on MyFitnessPal, an Under Armour-owned fitness app.

3. Exactis — 340 million

What was affected: Detailed information compiled on millions of people and businesses including phone numbers, addresses, personal interests and characteristics, and more.

When it happened: June 2018

How it happened: A security expert spotted a database "with pretty much every US citizen in it" left exposed "on a publicly accessible server," although it's unclear whether any hackers accessed the information.

Source: WIRED

2. Marriott Starwood hotels — 500 million

What was affected: Guest information including phone numbers, email addresses, passport numbers, reservation dates, and some payment card numbers and expiration dates.

When it happened: 2014 — September 2018

How it happened: Hackers accessed the reservation database for Marriott's Starwood hotels, and copied and stole guest information.

1. Aadhaar — 1.1 billion

What was affected: Private information on Indian residents, including names, their 12-digit ID numbers, and information on connected services like bank accounts.

When it happened: It's unclear when the database was first breached, but it was discovered in March 2018.

How it happened: India's government ID database, which stores citizens' identity and biometric info, experienced "a data leak on a system run by a state-owned utility company Indane." Indane had not secured its API, which is used to access the database, giving anyone access to Aadhaar information.

Monday, November 26, 2018

Safe harbor for entities that exercise reasonable security!

Companies that implement and maintain reasonable security controls (administrative, technical and physical safeguards) to protect personal and confidential data may have an affirmative defense when a cybersecurity breach occurs.

According to Locke Lord, LLP,

For all businesses:
-NIST Cybersecurity Framework
-NIST Special Publication 800-171 ("Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations")
-NIST Special Publications 800-53 ("Security and Privacy Controls for Information Systems and Organizations") and 800-53A ("Assessing Security and Privacy Controls in Federal Information Systems and Organizations")
-The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework
-Center for Internet Security, Critical Security Controls for Effective Cyber Defense
-International Organization for Standardization / International Electrotechnical Commission 27000 family of information security standards (information security management systems, the ISO/IEC 27000 family)

For regulated businesses:

-HIPAA security requirements
-GLB security requirements
-FISMA
-Health Information Technology for Economic and Clinical Health Act
-PCI standard

A trend-setting law, starting in Ohio in November 2018.

Wednesday, September 12, 2018

Equifax key security control failures built up over time

A nonpartisan agency's analysis of the Equifax breach, based on a review of incident reports and interviews with Equifax's largest federal customers (IRS, Social Security Administration and USPS), revealed:
  1. Web/system Apache vulnerabilities that had NOT been patched (or were out of date), and the weekly scan failed to identify the vulnerability
  2. Failure to inspect traffic, because the digital certificate had expired nearly a year earlier, so encrypted traffic could NOT be inspected / reviewed (neither the attack nor the data exfiltration)
  3. Lack of segmentation allowed uninterrupted passage through multiple databases / systems without triggering any alerts (or other access control lists / rules)
  4. Credentials were stored in clear text and NOT encrypted, so they were easily accessed / stolen
  5. No limit on database queries, so large volumes were retrieved / exfiltrated without obstruction or alerts
And so Equifax has supposedly put MANY new security requirements in place [not all yet] and reached a voluntary consent order with banking regulators in 8 states, meaning "Equifax will avoid state fines."
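As an added example (not part of the original post or of any Equifax material), here is the kind of detection logic that addresses failure 5 above: a per-statement row cap and a per-user sliding-window volume cap, run over a few constructed database audit-log lines. The log format, service-account names and threshold values are assumptions.

```python
"""Flag bulk data retrieval in database audit logs (added example).

Illustrates the fifth Equifax finding above: with no per-query or per-user
volume limit, large result sets leave without triggering alerts. The log
format, user names and thresholds below are assumptions, not Equifax's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: "<ISO timestamp> user=<u> rows=<n> table=<t>"
SAMPLE_LOG = """\
2017-05-13T10:00:01 user=svc_web rows=12 table=customers
2017-05-13T10:00:02 user=svc_web rows=8 table=customers
2017-05-13T10:00:05 user=svc_web rows=15 table=customers
2017-05-13T10:01:10 user=svc_report rows=250000 table=customers
2017-05-13T10:02:15 user=svc_report rows=250000 table=customers
2017-05-13T10:03:20 user=svc_report rows=250000 table=ssn_data
2017-05-13T11:30:00 user=svc_web rows=10 table=customers
"""

ROWS_PER_QUERY_LIMIT = 10_000    # assumed cap for a single statement
ROWS_PER_WINDOW_LIMIT = 500_000  # assumed cap per user inside WINDOW
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn one audit line into a dict with ts/user/rows/table."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "user": rec["user"],
            "rows": int(rec["rows"]), "table": rec["table"]}


def find_bulk_retrieval(log_text, per_query=ROWS_PER_QUERY_LIMIT,
                        per_window=ROWS_PER_WINDOW_LIMIT, window=WINDOW):
    """Return alerts in log order.

    ("query", user, table, rows)  one statement returned more than per_query rows
    ("window", user, total_rows)  a user's rows within `window` exceeded per_window
                                  (raised once per user, at the moment it trips)
    """
    alerts = []
    recent = defaultdict(list)   # user -> [(ts, rows)] inside the sliding window
    window_flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["rows"] > per_query:
            alerts.append(("query", r["user"], r["table"], r["rows"]))
        hist = recent[r["user"]]
        hist.append((r["ts"], r["rows"]))
        while hist and r["ts"] - hist[0][0] > window:   # expire old entries
            hist.pop(0)
        total = sum(n for _, n in hist)
        if total > per_window and r["user"] not in window_flagged:
            window_flagged.add(r["user"])
            alerts.append(("window", r["user"], total))
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_retrieval(SAMPLE_LOG):
        print(*alert)
```

In a real deployment the same two checks belong in the database proxy or audit pipeline, where exceeding them can block the statement rather than only alert.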

Wednesday, August 1, 2018

Cryptocurrency and practicing what you preach

As they say, "no negotiations with terrorists", or is it harder to say, "we will not pay ransomware"?


While this study stated that approx. 75% of CISOs are stockpiling cryptocurrency and 79% have paid ransomware, I don't find that number to be anywhere near as high with industry peers (in this geographical vicinity).


However, it is unanimous that "CEOs agreed that IP is still the most precious asset in the enterprise", yet about 33% of CEOs click on links and 59% download software. In addition, about 70% of IT and business leaders state "losing all corporate data held on endpoint devices could be business-destroying or seriously disruptive."


And we already know breaches are on the rise; this study says, "Sixty-one percent of CISOs and 53 percent of CEOs said their company had already experienced a breach in the last 18 months."


So, the industry has shifted from detection to prevention to recovery-driven security... assuming you know and can see what you're protecting!


https://healthitsecurity.com/news/cisos-stockpile-cryptocurrency-in-case-of-ransomware-attack


Thursday, July 12, 2018

Unleashing Human Potential

One of my all-time favorites is the Stephen Covey Leadership and Management series.

And the 7 Habits or Principles (which are not Practices) that stand the test of time, and will continue to do so in my opinion, are quoted below:

  1. Be proactive. You are responsible for your life. Decide what you should do and get on with it.
  2. Begin with the end in mind. Think of how you want to be remembered at your funeral. Use this as a basis for your everyday behavior.
  3. Put first things first. Devote more time to what's important but not necessarily urgent.
  4. Think win-win. Have an abundance mentality. Seek solutions that benefit all parties.
  5. Seek first to understand, then to be understood. Don't dive into a conversation. Listen until you truly understand the other person.
  6. Synergize. Find ways to cooperate with everyone. Value the differences between people.
  7. Sharpen the saw. Continually exercise and renew four elements of your self: physical, mental, emotional/social, and spiritual.
When you focus on the why rather than the how, it inspires higher thinking and empowerment across boundaries... leading to greatness in personal, organizational and leadership

Wednesday, June 27, 2018

Best Practices for Preventing a Data Breach & Avoiding Liability by Wolters Kluwer

The article from Wolterskluwer.com opens with a statement that says it all: "Understand why data breaches can occur, what security measures you can implement to reduce your risk and how to establish an effective data breach management plan."

Key takeaways /quotes:

  • 27% had experienced a data breach at their organizations within the past two years, up from 23% in the previous year's survey
  • Nearly 50% of general counsel say planning for cybersecurity incidents and responding to breaches is now a part of their job... However, the perceived importance does not always translate into time spent
  • Companies that suffer a data breach can expect to face an average 5% drop in stock price and 7% loss in customers, resulting in total costs ranging anywhere from $300K up to $14 Million
  • "Internal actors are responsible for 43% of data loss, half of which are intentional, half accidental." McAfee
  • "59% of employees steal proprietary corporate data when they quit or are fired." Heimdal Security, citing Verizon
  • "63% of confirmed data breaches leverage a weak, default, or stolen password." Verizon 2016 Data Breach Report
  • According to the 2016 Data Security Incident Response Report, hacking and malware account for 31% of overall data breach causes
 ...not to mention the cost of personal liability and the newly defined GDPR fines of 4% of global revenue, so understanding threat vectors, namely whether a data breach is accidental vs. intentional and internal vs. outsider, is key.

Recommendation: "Take the time to manage the risks to corporate data and protect the company against the threats that cause data breaches"
And review the following:
  1. Data storage location -- paper vs secure electronic storage, cloud vs on-premise stores
  2. Sending data to wrong recipient (email/fax) -- secure sharing environment and data exfiltration techniques
  3. Least privileges for sensitive data -- Identity and Access Management and proper control / process / approval
  4. Physical security of data including backup and disaster recovery - securing data for high availability as well as recovery, ISO 27001 certification for reference
  5. Cyber-attacks around data transfers, permissions, encryption and intrusion management -- life cycle and layered security from prevention, detection and isolation through eradication and notification

Monday, June 18, 2018

Can’t Address Today’s Problems with Yesterday’s Solution - Endpoint security [www.nsslabs.com]


Commonly known as AV (Anti-Virus), and lately EDR (Endpoint Detection and Response) and AEP (Advanced Endpoint Protection), technology/IT is about evolution and keeping up with the "Joneses", who in this case are the hackers (of many shapes / sources: ages, purposes and goals).

  • AV – have you heard the word "virus" since "malware" came along?
  • AEP – Advanced Protection and Automatic Prevention
  • EDR – Monitoring, Detection and Forensic Analysis

The numbers, a quick but long list of quotes / stats primarily from NSS Labs report:

  • 70% of all successful breaches originate on the endpoint (desktop, mobile, etc.) [InfoSec Island]
  • 91% of all cyberattack attempts start with a phish [DarkReading]
  • Analysts estimate the endpoint security market will grow from $10 Billion in 2017 to $18 Billion in 2023 [Mordor Intelligence]
  • The traditional crop of endpoint security solutions has not measured up to the task of fully protecting the endpoint for many years now... it has drifted into near irrelevance as polymorphism, advanced evasion techniques, and today's sheer volume of threats overwhelm older defense mechanisms
  • 53% of organizations have experienced an endpoint compromise within the last two years [SANS]
  • Among the most prevalent exploit kits to target endpoints in 2017, 99% utilized evasion techniques either within the kit itself or in the payload phase [betanews]
  • In 2017, there was an 11x increase in the overall volume of malware [DarkReading]
  • Attackers release 360,000 new malware samples every day [Infosecurity Magazine]
  • 35% of the endpoint attacks in 2018 are expected to be perpetrated by file-less malware, an evasive technique that is growing 20% year-over-year [ZDNet]
  • The number of malware samples targeting Internet-of-Things (IoT) devices more than doubled in 2017 [Threatpost]
  • In 2017, the average organization lost $5 million due to endpoint attacks, and there were 5,200 breaches that exposed 7.8 billion records, which is a 24.2% increase over 2016 [Ponemon Institute]
  • 45% of organizations report that one of the biggest problems they face with their current endpoint security technology is the high number of false positives and security alerts they yield [Ponemon Institute]

While there is no magic / silver bullet, addressing this market will "entail significant scrutiny and sophistication in the coming years". Diligence in the selection and POC (Proof of Concept) within one's organization will be key, and a few things to keep in mind:

  • A rigorous testing methodology to use as a yardstick across the field of contenders
  • Consider and measure factors such as effectiveness against malware, exploits, and blended threats
  • Compare the false positive rates of products and assess how well they detect against advanced and common evasion techniques
  • Measure the completeness and timeliness of a product's threat event reporting capabilities to support contextual threat awareness and threat hunting activities
  • Factor in total cost of ownership (TCO) and product manageability

Evaluation pitfalls to consider:

  • How advanced the predictive/preventative AI (Artificial Intelligence) is within products that market it
  • The trade-off of sticking with an incumbent versus ripping and replacing with a new breed of AEP product
  • The feasibility of managing certain advanced but high-touch AEP or EDR platforms given the internal resources available to the security team
  • The source of any given vendor’s threat feed and its capability to handle offline use

With endpoint awareness comes reliance on / interconnection with SIEM (Security Information and Event Management) and a SOC (Security Operations Center), to be able to manage incidents and infections from detection to eradication, and the ability to parse through them effectively --> next blog entry topic for this complementary (best) approach and solution.
So, NSS, Gartner, VARs, etc. will help in the decision process…

Friday, January 19, 2018

IoT 101 safeguards

  • Don't connect to the Internet
  • Disable unnecessary defaults
  • Require strong authentication
  • Keep firmware / patches up to date
  • Conduct a cost-benefit analysis