An IBM study puts the cost of lost business after a breach for US organizations at $4.2 million. It is evident, then, that the organizations involved in the 5 biggest data breaches in 2019 thus far will likely suffer a considerable economic blow.
But if you read this data breaches list thinking, “these are mega-companies; the risk of a data hack at my organization is much smaller” — you could use a reality check.
According to this Varonis report, 57 percent of companies have over 1,000 folders with inconsistent permissions. Are you sure you’re paying enough attention to potential cyber risks?
Maybe if these organizations had paid more attention, they could have prevented such large-scale data breaches.
Here are the 5 biggest data breaches and hacks in 2019 so far and how they could have been prevented:
5) Oklahoma Department of Securities: Potentially Millions of Files Breached
The Oklahoma Department of Securities recently dealt with a breach of millions of files, some of which were involved with FBI investigations. UpGuard's data breach research describes a storage server with records dating as far back as 1986; it is unclear how long the records were publicly accessible, but an IP address search engine first registered it in November of 2018.
“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server,” the UpGuard report says.
How It Could Have Been Prevented
UpGuard classified the Securities Commission website as having “severe risk of breach,” due in part to its use of a web server which reached end-of-life in 2015 (IIS 6.0). This means it received no updates to address newly discovered vulnerabilities in the years since.
Data storage is often mandated by retention policies, particularly in the government sector. While creating backups is a best practice, the crucial part is to control every copy of the data stores, says UpGuard.
4) Flipboard: ~150,000,000
Content aggregation app Flipboard announced earlier this year that unauthorized access to databases containing Flipboard user information happened between June 2, 2018 and March 23, 2019, and between April 21, 2019 and April 22, 2019.
Those databases contain names, usernames, email addresses, and cryptographically-protected passwords, the company says. It is not yet known how many accounts were affected, but Flipboard reportedly serves 150,000,000 app users, and said in its announcement that not all of them were involved.
While the fact that the hacked passwords were “cryptographically-protected” typically means more difficulty for the hacker, Flipboard did also report that passwords created or changed before March of 2012 were protected with a weaker algorithm, says a Forbes article about the data breach. What’s more, the digital tokens used to connect Flipboard with social media accounts “may have” also been stored in the databases.
How It Could Have Been Prevented
Attackers often work to obtain logins, names, email addresses, passwords, and other personal information of apps and accounts like this—all of which can help them plot and carry out even more criminal activity, says Rob Simopolous, Founder of Defendify.
“Unfortunately, today a large percentage of users have poor cyber hygiene, reusing the same password on numerous sites and systems. This causes a domino effect where if an attacker breaches a site and obtains a user’s password, they may then be able to access a variety of other sensitive accounts of that user,” he says.
“Some of these attack methods include credential stuffing, which is automated and allows attackers to try these passwords on numerous sites quickly.
“Given the high degree of password recycling still at play, additional security measures are needed. Software developers can help by including Two-Factor Authentication (2FA) as a part of the login process. Two-Factor Authentication requires users to enter a password and then another code (e.g. a rolling code from an app or text message from their mobile phone) in order to complete the authentication process. Providers can further assist by encouraging 2FA activation by providing in-app guidance to users and explaining why turning on Two-Factor Authentication is important” — Rob Simopolous
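The credential stuffing pattern Simopolous describes (one source trying many different leaked usernames and passwords in quick succession) leaves a recognizable trace in authentication logs. The following detector is an added example, not code from the article or from Defendify; the log format, IP addresses and usernames are constructed for illustration. It flags sources whose failures span several distinct accounts inside a short window, while a single user retrying their own password is left alone.

```python
# Added example (not from the article or Defendify): flag the credential
# stuffing pattern of many distinct usernames failing from one source IP
# within a short window, run over constructed auth log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp ip user result" format.
SAMPLE_LOG = """\
2019-06-01T10:00:01 203.0.113.9 alice FAIL
2019-06-01T10:00:02 203.0.113.9 bob FAIL
2019-06-01T10:00:03 203.0.113.9 carol FAIL
2019-06-01T10:00:04 203.0.113.9 dave FAIL
2019-06-01T10:00:05 203.0.113.9 erin OK
2019-06-01T10:00:10 198.51.100.7 alice FAIL
2019-06-01T10:00:20 198.51.100.7 alice FAIL
2019-06-01T10:00:30 198.51.100.7 alice OK
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log):
    """Yield (timestamp, ip, user, result) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]


def stuffing_sources(log, window=timedelta(minutes=5), min_users=4):
    """Return the set of source IPs whose failed logins cover at least
    `min_users` distinct accounts within `window`. One account failing
    repeatedly from one IP (a user mistyping, or brute force against a
    single account) does not meet this definition and is not flagged."""
    fails = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for ts, ip, user, result in parse(log):
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = set()
    for ip, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.add(ip)
                break
    return flagged
```

In the constructed data, 203.0.113.9 sprays four different accounts in four seconds and is flagged, while 198.51.100.7 only retries alice and is not.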
3) Fortnite: ~200,000,000
One of the most prominent games in pop culture lately, Fortnite sees roughly 200 million users worldwide vie to be the last player standing. But Check Point Research found vulnerabilities which “could have allowed a threat actor to take over the account of any game player, view their personal account information, purchase V-bucks, Fortnite’s virtual in-game currency and eavesdrop on and record players’ in-game chatter,” according to the report.
It isn’t uncommon for cyber criminals to create fake landing pages surrounding these popular online games that advertise ways to earn in-game currency while phishing for credentials.
Check Point Research didn’t need to create a fake website to recreate the breach, though. They didn’t even need a user to hand over login information whatsoever.
The researchers found a weakness in Fortnite’s sub-domains which allows an XSS attack if the user only clicks on a link sent by the attacker. Check Point provided a recreation of such an attack in its report.
How It Could Have Been Prevented
“Whereas in the past security has often been deprioritized given its cost, and well, inconvenience, in today’s world it’s absolutely critical multiple layers of security be implemented starting at the app development level,” says Simopolous.
“Organizations should have (or build) fundamentals and practices around secure coding and code reviews throughout their engineering teams. There should be a checks and balances process internally to ensure that the teams are coding securely.
“Conducting regular testing and scanning can also assist in identifying weaknesses in their applications as well. Web Application Penetration Testing (WAPT) can be implemented where ethical hackers work to see if they can discover vulnerabilities and exploit them before the attackers do. The results of a penetration test will outline what weaknesses were discovered. There should be a methodology of continuous testing and the frequency should be determined based on the results of a proper risk assessment.”
2) Facebook: ~540,000,000
This is the news that prompted some tech publications to encourage all Facebook users to change their passwords. In April 2019, UpGuard reported on two third-party Facebook apps holding large datasets which left their data exposed to the public — one of the biggest data breaches in social media history.
The breach from media company Cultura Colectiva’s app contains over 540 million records, including FB IDs, likes, reactions, and more.
Another Facebook app backup titled “At the Pool” also contained user IDs, as well as columns for fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb_checkins, fb_interests, and much more, according to UpGuard. This affected at least 22,000 users.
“The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each. What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers. As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access.” — UpGuard report
How It Could Have Been Prevented
Many organizations are now building bug bounty programs where ethical hackers sign up to perform penetration testing on their systems and, when they report findings ethically, are rewarded with a payment, says Simopolous. This provides access to a larger group of testers with a reward system as incentive. Once weaknesses are identified, organizations should move quickly to remediate them.
“Detecting and responding to a breach quickly is a vital part of a successful cybersecurity program…it’s truly a race. Once a breach is identified, organizations should respond accordingly based on a pre-developed incident response plan. Team testing and review of that plan should be scheduled regularly, and updates made accordingly to ensure the organization is acutely prepared.
“In the end it’s a combination of having the right processes in place, testing regularly, and taking the extra steps to prioritize and develop layered security (i.e. no shortcuts to save the P&L!). This only happens when organizations instill a genuine security-first mindset, stemming from the leadership team, and making its way to everyone involved including contractors and vendors.”
1) First American Corporation: ~885,000,000
Topping the list of biggest data breaches and hacks in 2019 so far is this hack of the American real estate title insurer, First American Corporation’s website. Security reporter KrebsOnSecurity says the company’s website leaked over three quarters of a billion mortgage deal documents, including bank account numbers, tax records, Social Security numbers, wire transaction receipts, and driver’s license images.
Krebs says it was tipped off by a real estate developer who “said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link,” according to KrebsOnSecurity.
The 885,000,000 files, some dating back as far as 16 years, were available to view without any authentication requirement.
How It Could Have Been Prevented
In their report, KrebsOnSecurity called this type of breach “one of the most common yet preventable.”
Said one commenter on their post: “Let’s talk honestly, if First America used a serialization Content Management System or CMS [or CRM] years ago – would a simple plug-in such as Prevent Direct Access have helped keep First America’s customer’s data safe?”
Others replied, saying that such a method might do the trick, but that the amount of content stored there would become too much to handle. A more expensive option for securely cataloguing the data – rather than hosting it online at all – might have been more appropriate for such sensitive information.
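The defect Krebs describes, a valid document URL that yields someone else’s record when a single digit is changed, is an insecure direct object reference: the sequential id in the link is the only thing standing between a visitor and the file. The example below is added here and is not code from the article, KrebsOnSecurity or First American; the document store, ids and user names are constructed. It shows the vulnerable lookup beside a hardened one that requires an authenticated caller, checks ownership of the record, and replaces the guessable id with an unguessable handle.

```python
# Added example (not from the article or First American): a minimal document
# lookup with the direct-object-reference defect Krebs described, beside a
# hardened lookup that binds every fetch to an authenticated, authorized user.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Document:
    owner: str
    body: str


# Constructed sample data: two deals belonging to two different customers,
# stored under consecutive ids as a naive system might.
DOCS: Dict[int, Document] = {
    100001: Document("alice", "alice wire receipt"),
    100002: Document("bob", "bob tax record"),
}


def fetch_document_insecure(doc_id: int) -> Optional[str]:
    """Vulnerable: no authentication and no ownership check, so anyone who
    knows one valid id can reach the neighbouring ids by changing a digit."""
    doc = DOCS.get(doc_id)
    return doc.body if doc else None


# Hardened variant. Each document is addressed by an opaque random handle
# (not enumerable), and the record is released only to its owner.
HANDLES: Dict[str, int] = {}


def issue_handle(doc_id: int) -> str:
    """Mint a 128-bit URL-safe handle for a document id."""
    handle = secrets.token_urlsafe(16)
    HANDLES[handle] = doc_id
    return handle


def fetch_document_secure(user: Optional[str], handle: str) -> Optional[str]:
    """Return the body only for an authenticated caller who owns the record."""
    if user is None:
        return None  # authenticate before any lookup
    doc_id = HANDLES.get(handle)
    doc = DOCS.get(doc_id) if doc_id is not None else None
    if doc is None or doc.owner != user:
        return None  # authorize against the record's owner, not the URL
    return doc.body
```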