As bad as 2016 was for cybersecurity, 2017 data breaches might just set a record for online crime. Technology is a sword that cuts both ways: as security methods develop, so do the threats those methods are built to defend us from. It’s a constant, never-ending cycle, as the continuously updated breach counter from security firm Gemalto attests. This year the list of victims already includes quite a few famous names, including Gmail, Verizon, Three, HipChat, and Wonga. And of course there was the almost unfathomable Equifax disaster, arguably the worst breach ever. There’s probably never going to be a 100 percent foolproof security system, since it’s essentially the same species developing both the threats and the fixes. It’s a battle that’s going to rage on till kingdom come.
While it’s a good habit to learn from our mistakes, learning from the mistakes of others is even better. In this quick look at the most significant 2017 data breaches so far, we examine what went wrong and look for a lesson or two amidst the chaos.
Freedom to steal
Freedom Hosting II is home to about 10,000 Tor web pages, roughly 20 percent of the dark web. After the breach, every visitor to any website hosted by Freedom Hosting II was greeted with the message, “Hello, Freedom Hosting II, you have been hacked.” The statement also said the hack was carried out because the service hosted child porn and scam sites.
In an interview with Motherboard, the attacker explained that it was their first hack and also shared a simple 21-step process describing how it was done.
This 21-step process involves creating a new Freedom Hosting II site or logging into an existing one, changing settings in a configuration file, and then logging back in with the newly acquired system privileges, among other things. The folks at Freedom Hosting II have no doubt gone through that 21-step process the way someone reads a loved one’s obituary, and we’re sure they’ve made the necessary changes to their security setup.
The fact that the hackers clearly stated it was their first hack, and that it relied on taking advantage of loopholes in security, probably means it could have been avoided simply by actively looking for weaknesses. The last thing a security team wants to hear is that they were hacked by a beginner.
Zomato is a popular India-based website and app that gives users a guide to restaurants, cafes, and clubs around the world. It made our list because data from about 17 million users was stolen in the breach, including email addresses and hashed passwords. The company then had to send personalized messages to all affected users informing them about the breach and advising them to log out of their accounts and change their passwords.
In a blog post, the Indian firm said the breach was caused by human error: an employee’s development account had been compromised. This is a good example of being open and honest with your customers in a disaster situation; we’ll also look at some bad examples in a bit.
Although the company has reportedly been working to prevent such issues in future, what we learn from this breach is that there should always be an additional level of authorization for internal teams with access to sensitive data such as customer details. Extra security measures aren’t all that expensive when compared to losing face in front of 17 million customers.
Wonga is a payday loan company and the recent victim of a rather large data breach — and by large we mean the breach affected about 245,000 customers. This time the data that got out was sensitive financial information, to say the least — almost a quarter of a million account numbers and sort codes from a loan company is no laughing matter. While the company maintains that “passwords are safe,” the last four digits of debit card numbers are not. It also advised all customers to ask their respective banks to stay alert for suspicious activity.
Reports suggest Wonga was a few days late in warning its customers, and did so in a corner of its website that was barely visible. This is an example of how not to treat your customers, and it is fairly obvious that no incident-response plan was in place. Getting breached is one thing; reacting to it in a lackadaisical manner is another thing altogether. A formal incident-response program should be part of any security team’s arsenal, especially for teams guarding information of the financial kind.
What we learn from the Wonga breach is how not to deal with a breach; open, honest, and timely communication with users is as critical as dealing with the breach itself. This can often prevent further damage and save what few shreds of dignity a breached company has left.
HipChat is another company that has had to send a security notice to its users, warning that a third-party library had been successfully targeted by hackers. The notice read, “While HipChat Server uses the same third-party library, it is typically deployed in a way that minimizes the risk of this type of attack.” The attack may have exposed usernames, email addresses, hashed password information, and, in some cases, messages and content from chat rooms.
Storing customer data in third-party libraries is definitely not the way to cut costs, and customers don’t really care where their data is stored as long as it’s secure. HipChat is mostly used for official business, and customers obviously had a reasonable expectation that their privacy would be looked after personally and not left to a third-party vendor.
The lesson here is that while storage in the cloud is cheap and practically limitless, presuming it is safe can be a fatal mistake. If you must store sensitive user information off-premises, a thorough investigation of your host’s security setup is the least you can do.
Gmail users were targeted in May by a phishing scam that gained access to accounts through an external app. Though Google figured it out in about an hour, about a million users were affected. This really goes to show the level of innovation involved: to come up with a phishing scam, of all things, and then have it get past Google is surely a feather in a hacker’s cap. It also shows that behind all the servers and switches, it’s human intellect vs. human intellect, and the team that works the hardest is going to win. Phishing, pharming, and the more targeted and insidious spear-phishing scams are all attacks that any security team handling e-mail needs to know well and practice defending against.
Equifax: Credit score firm is hackers’ biggest score
In September, credit reporting firm Equifax said that a hack of its computer systems from mid-May through July resulted in criminals accessing more than 143 million Social Security numbers and birth dates. Equifax’s inept handling of the breach — both before and after it happened — is a premier example of how a company should not act.
It’s still murky exactly how Equifax was breached, but it appears to be connected to faulty use of Apache Struts, a framework many businesses use to build their websites.
This debacle has deep lessons for all companies, with the biggest one being “don’t become the next Equifax.”
2017 data breaches: It’s going to get worse
It’s only October, and the number of users who have had their information stolen, bought, and sold in 2017 data breaches is already in the millions. When major enterprise companies have to bow their heads and issue warnings to their customers, the threat is very real. One point that can’t be reiterated enough is that security needs to be active, not passive; the days of sipping coffee and running scheduled scans are gone. New-age security has to be about spending your time actively trying to find ways to break into your own systems, because that’s exactly what the bad guys are doing.
James Thompson, a regional director at SecureAuth, put it quite well by stating companies need to “continually innovate security and authentication to keep ahead of attackers.”
Photo credit: Gemalto