The Impact of 2018 Data Breaches On Data Security of 2019

The past year saw cyberattacks incessantly with the United States as the biggest victim of these attacks. These attacks affected more than 2 billion users’ records which included sensitive and personal data such as names, credit card numbers, date of births and passport numbers.

Both small and medium businesses have been the victim of cyber-attacks and data breaches. It is not only companies who suffer. People are vulnerable too. Hackers could send you malicious viruses or use Xnspy monitoring app to know everything about you from your phone. The app lets them in on your text messages, calls, emails, photos, locations and web browsing history. Though the cyberattacks and data leaks have been here a long time, the last year saw quite an increase in the reported breaches. Firms have started to report such attacks probably after the EU general update to the data protection regulation (GDPR) came into place in May.

These attacks clearly tell us that big establishments who collect massive amounts of data are not immune to hacking. Many firms do not even take the needed protective measures to ensure data safety of their business.

Let's take a look at the six biggest 2018 data breaches and see what they mean for data security in 2019:

Facebook

2018 wasn’t a good year for the social media giant in terms of security. The company suffered due to massive data breaches. At least 50 billion users were affected as a result. Facebook suffered its biggest data breach in late September that gave the hackers the ability to exploit a weakness in Facebook’s code and access the “View as” privacy tool. This tool allowed people to see how their profile looks to the public.

Lewis Henderson, VP threat intelligence at Glasswall Solutions said that user data was affected in 2018 in three security incidents. And these incidents indicate that the company’s infrastructure wasn’t built to cope with such a huge number of subscribers. Facebook doesn’t have built-in security, and it hasn’t run the companies responsible for exploiting user data through a thorough third-party security process.

When a giant like Facebook, with high engineering capability, finds it a herculean task to secure its massive global platform in the current circumstances, smaller business does not stand a chance against these malicious attacks.

Marriot

At the end of November 2018, Marriott admitted that a massive data breach took place and has affected the records of 500 million customers. The Guest Reservation Database of Marriott and its subsidiary Starwood got hacked and sensitive information was stolen which included personal information, bank details, credit numbers, and expiry dates along with passport details and arrival/departure details. The breach occurred due to the presence of inadequate security solution. Although the data was encrypted, the hackers were able to decrypt the data by getting hold of the access keys. The users affected by the breach are now vulnerable to financial and/or identity theft as well as opportunistic phishing.

Henderson said while expressing his views on the incident, it is evident from this attack that the culprit has unrestricted access across the various IT systems for a long time. According to Ian Thornton Trump, head of cybersecurity at AmTrust International, it is not the data breach that would impact the company rather the class and regulatory actions afterward. He says that the Marriott breach is not only about the failure of data protection, but a failure of governments to insist that identity documents are dealt with the same care as credit card information.

This is not the first time Marriott came under attack. It is troubling to witness the inadequacy of security measures despite the previous cyber-attack. Along with spending thousands of dollars to facilitate customers so that they have a smooth experience staying there, Marriott needs to invest in cybersecurity.

Quora

Quora suffered a massive user data breach in December 2018. The intrusion was discovered on November 30 which included up to 100 million users’ names, their email IDs, user IDs, email addresses and IP addresses, encrypted passwords, personalization data, user account settings and all public actions which included comments, questions, answers, upvotes and blog posts.

The MD of The Defence Work, Edward Whittingham who is also a former law enforcement officer reported of Quora’s data breach as hard-hitting because it exposed everything from names, email IDs and passwords along with the data from the social networks such as Twitter and Facebook as well. People had connected their Quora accounts to them.

Exactis

Exactis is a marketing and data aggregation company and gathers consumer and business data via cookies which are collected from various websites. The company suffered a cyberattack and compromised 340 million business and consumer records when it left the 2TB data on a publically accessible cloud server.

This data breach exposed more than 400 variables of data regarding user characteristics. Although social security numbers and other financial details were not exposed, the data leak could still lead to massive-scale identity theft. The reasons behind the attack were the lack of an account management system and an authoritative policy for the security of sensitive information.  The company could have avoided these attacks if it had adopted a proactive approach towards cybersecurity in the past.

British Airways

British Airways informed its customers on 6th September that bank card numbers, expiry dates, and CVV codes were stolen from about 380,000 booking transactions. The firm was attacked between 21st August and 5th September, and it took the company just a day to announce the attack.

Hackers got the financial details through a script designed to steal information. This script got it by skimming the payment page before it was submitted. Yonathan Klijnsma, head threat researcher at RiskIQ said that the effectiveness and scope of the tactic used in this data which was the modification of JavaScript code on BA’s website to steal payment data while avoiding being caught was the reason the credit card skimming campaign stood out.

Magecart Group 6 was able to get information the customers fed to the airline’s online payment forms, by inserting 22 lines of codes and that, too, without any interruption. The after-effects of the attack surfaced in November when it was found that the Russian hacker group behind Magecart sold the details in the dark web for about $10 per card.

Ticketmaster

A third-party supplier was involved in the Ticketmaster data breach. The breach compromised the data of 40,000 customers. Ticketmaster announced the data breach just one month after the coming of GDPR in full effect. The company, Inbenta Technologies, responsible for chatbot on the Ticketmaster site, modified a line of JavaScript code for customization of their product.

Ticketmaster used this code on its payments page without bringing Inbenta in the loop. The hackers discovered the code and later on. The data theft wasn’t that big, but the impact was significant. Some customers claimed that their details were put up on sale on the dark web while some reported money stolen from their bank account. The culprit was the same credit-card skimming criminals, Magecart.

What is the scenario for cybersecurity in 2019?

Experts are of the view that after attacking British Airways and Ticketmaster, the Magecart would not rest. It would target more than credit card data in 2019. Klijnsma from RiskIQ says that Magecart groups have carried out a full-fledged assault on e-commerce and show zero signs of stopping in the future (2019). The attacks will get more powerful. He said that Magecart groups would expand to skimming more than payment data and it will include login credentials as well as other sensitive information.

A cybersecurity expert at ESET, Jake Moor predicts that 2019 would see a new type of attack called the GDPR bounty hunting. These work quite effectively when the attacker after stealing the information provides the firm with the copy of their data to prove that it has been breached.

The victim is then given two options. First, pay the ICO fine up to €20m or 4% of their annual global turnover or pay the fee the hacker chooses himself. Hackers take advantage of the fact that some companies would rather choose the second option to avoid defamation which follows after a data breach.

Cyber-attacks are going to be more tactical than before. Therefore, companies should remain prepared and invest in effective and necessary data protection procedures.

 

Views: 36

Comment

You need to be a member of Small Business Bonfire to add comments!

Join Small Business Bonfire

About the Small Business Bonfire

The Small Business Bonfire is a social, educational and collaborative community founded in 2011 for entrepreneurs that provides actionable tips and tools through a small business blog, a weekly newsletter and a free online community.

Subscribe to Our Newsletter

Members

© 2019   Created by Alyssa Gregory.   Powered by

Badges  |  Report an Issue  |  Terms of Service