What causes a company like Facebook’s stock price to fall 6 percent in just two hours? Announcing two major data breaches in one year will probably do it. The dark side had a pretty good year in 2018 with over 700 million records exposed in just 10 big data breaches, with lots of nice big names dragged through the mud along the way. The secret and sensitive data of literally hundreds of millions of people have been torn open and exposed, then aggregated on various Dark Web lists for sale. What’s interesting about cybersecurity is no matter what you do, it’s never enough and you have to keep improvising and improving. If you stagnate, you die, and a few cases last year it was pure negligence where hackers just stumbled across treasure troves of data. Let’s take a look at the five biggest 2018 data breaches:
Marriott: 500 million users affected
Hotel chain Marriott International experienced a breach that affected almost 500 million people, but what’s even more concerning is the accompanying announcement that hackers had access to the reservation systems of many of its hotels for the past four years. The breach is said to have exposed private details of up to half a billion customers including sensitive information like where and when people travel and with whom. While the company initially announced that it was looking into how the breach took place, there was no explanation as to why it only recently detected a problem that evidently began four years ago.
Apparently four years ago is when Marriott announced its acquisition of Starwood Hotels and Resorts Worldwide and acquired their security risks as well. The data breach stemmed from the Starwood guest reservation database and while acquisitions are generally a good thing, security checks are a must to make sure all systems are up to speed. Starwood reported it had suffered a massive credit card hack in 2014, added to the fact that the company’s website was home to an SQL injection bug amid public offers to hack it being made on the dark web, Hold Security founder Alex Holden told Forbes. Just goes to show how security is now such an important aspect of acquisitions and a slight oversight can cause calamities.
Facebook: 50 million users affected
Tech giant Facebook reported not one but two major data breaches in 2018 caused by exploited network vulnerabilities. The bigger of the two, which was in late September, enabled hackers to exploit a weakness in Facebook’s code to access the “View As” privacy tool. Facebook now says the breach impacted 30 million users, which is about 20 million fewer than the company first announced in late September. Among the 30 million users impacted, 14 million had their names, contact details, and sensitive information such as their gender, relationship status and recent location check-ins exposed.
What these breaches indicate is that with microservices architecture, there’s really a lot more going on than we can humanly keep track of and even Facebook has trouble keeping up sometimes. While some reports suggest Facebook infrastructure is stretched to its max, others point out a lack of both in-built security, as well as robust third-party security process. The interesting part about this breach is that it combined different features in a combination that even the Facebook QA team was unaware of. What this points to is that as we scale up with microservices, there are going to be a lot of unforeseen complexities and it’s important to keep evolving your game plan to deal with them.
Quora: 100 million users affected
About 100 million users of Quora were affected by unauthorized access to one of its systems by a “malicious third party," the knowledge-sharing website reported. Account information, including name, email address, encrypted password and data imported from linked networks when authorized by users may have been compromised, it said. While it took four days for users to be informed that their personal data has been stolen, it’s a far sight better than Marriott’s four years and many have commended Quora on their swift reaction. It’s also worth noting that all passwords that have been compromised were encrypted and hashed with a salt that will vary from user to user.
Quora hasn’t officially announced what caused the attack, but according to Ilia Kolochenko, CEO at High-Tech Bridge, the intrusion occurred either via one of Quora’s web applications or through a trusted third party. Whatever the cause was, what’s clear here with the speed and efficiency at which Quora began their “clean up” operation suggests internal security measures that are well monitored and well operated. An important thing to take away from this breach is it is how you deal with a breach that matters most, the levels of integrity that a company must show to disclose its own security shortcomings to warn others is a sacrifice that has to be made swiftly.
Under Armour: 150 million users affected
The athletic wear company Under Armour had its share of problems last year as data from 150 million users tied to its fitness app MyFitnessPal was breached. The stolen information included usernames, email addresses, and passwords, the majority of which were hashed with bcrypt. Unfortunately for some, however, a portion was hashed using a notoriously weak function called SHA-1 as well, which is a lot easier than bcrypt to crack. Much like Quora, Under Armour quickly responded after discovering the hack on March 25. Four days after it occurred, Under Armour began notifying users. The company said it is working with law enforcement and “leading data security firms,” but hasn’t yet found the cause of the breach.
Matthew Green, a cryptographer at Johns Hopkins University, speculates that it could be the result of keeping too much IT work in-house rather than seeking out more specialized experts. He explains that it was probably a shift from SHA-1 to bcrypt combined with the need to keep old data available for customers who hadn’t logged in recently. Whatever the reason may be, the lesson here is to vet and audit security proactively and discover flaws before the black hats do. It’s also a good idea to have a specialized team involved with security to make sure an amateur mistake isn’t the cause of your breach.
Elasticsearch: 57 million users affected
Elasticsearch can’t seem to catch a break with breaches and after leaking NFL player information in 2017, An Elasticsearch server that was left open on the Internet without a password leaked the personal information of nearly 57 million Americans for almost two weeks. While a lot of Elasticsearch-based leaks happen because server administrators just don’t set up passwords for their servers, problems with authentication are one of the main reasons it’s easier for hackers to break in. In a blog post, Elastic, the company behind Elasticsearch, said that their servers weren’t designed to be exposed over the Internet, the lesson here being use tools that can afford you the security you need to handle your data.
2018 data breaches: Tied by a common thread
All in all, 2018 data breaches had one common thread: The fact that organizations normally have no clue as to what caused their breach and most can just speculate as to the possible causes. It’s always better to be safe than sorry and security has to change from being reactive to being proactive. Only when that happens will we be finding the bugs in our own systems before the bad guys do.
Featured image: Shutterstock