According to The Hiscox Cyber Readiness Report 2019, almost 55% of UK firms have reported a cyber-attack in 2019 – up 40% compared to last year.

With more than half of UK firms reporting a cyber-attack, and most businesses admitting that they were unprepared for breaches, it’s important to ask the question: are you doing enough to prevent a cyber-attack?

Every week we get news of another massive data breach. While some commentators are suggesting that this is the new normal, and that data leaks and hacks are an inevitable part of our connected world, it’s worth looking at the largest data breaches to see what they have in common – and what they can teach us about data security for 2019.

1: Aadhaar (1.1 billion)

Who?

India’s national personal identity card system contains information on Indian residents, including biometric data, names and information on connected services, such as bank accounts.

How?

A state-owned utility company called Indane was tapping into the Aadhaar database using an unsecured API. Hackers cracked the API and gained access to more than a billion records.

2: Marriott Starwood (500 million)

Who?

Marriott is the world’s largest hotel chain. Their Starwood brand operates a rewards scheme, and this database was accessed by hackers. While the breach was reported in 2018, it is believed to be a long-running data leak, stretching back to 2014.

How?

While details of the hack have not been released, the US government has laid the blame at the door of Chinese state hackers.

3: Exactis (340 million)

Who?

Exactis is a marketing and data aggregation firm. They hold comprehensive data on most US citizens, including information about preferences, interests and family connections.

How?

Exactis was storing more than 2 terabytes of personal data on a publicly accessible server. The exposed data was detected by a security researcher, who notified the FBI and Exactis; the company has since secured the database. The researcher found the open database by using a scanning tool to find unshielded Elasticsearch instances.

4: MyFitnessPal (150 million)

Who?

MyFitnessPal is a fitness and diet-tracking app owned by Under Armour, the athletic clothing company.

How?

Details are lacking. The company has only said that an unauthorised person accessed data. While some user passwords were stolen in the hack, they had been hashed with a password-hashing function called bcrypt, which means the passwords themselves were not exposed in readable form.

5: Quora (100 million)

Who?

Quora is a hugely popular question-and-answer site, with millions of active users.

How?

The company has not released details yet, and has only stated that an unauthorised person accessed user records. Quora also stated that it is engaging a forensic technologist to help trace the cause of the breach and prevent future hacks.

6: MyHeritage (92 million)

Who?

MyHeritage is an online genealogy and DNA testing service.

How?

They don’t know. One of the firm’s security team found a trove of MyHeritage data on an external server. The database includes 92 million records, including names, email addresses and hashed passwords. MyHeritage has engaged an external security consultant to identify the source of the breach.

7: Cambridge Analytica (87 million)

Who?

A Facebook game called ThisIsYourDigitalLife passed user data to several third parties, including Cambridge Analytica, a data analytics company that worked with the Trump presidential campaign to target ads to swing voters.

How?

Because of Facebook permission settings at the time, the game allowed the developer to harvest information on its users, and on those users’ friends and contacts. This meant that although only 270,000 people installed the app, the developer was able to pass data on millions of people to Cambridge Analytica.

8: Google+ (52 million)

Who?

Google+ is a social network. In March, Google announced that some Google+ app developers had accidentally been given access to user data. In December, Google announced that a second data breach, which they may have tried to hide, affected 52.5 million users.

How?

The Google+ hack seems to have been caused by a glitch that made user profile information available to app developers. Google is now planning to close their social network.

9: Chegg (40 million)

Who?

Chegg is an online store offering textbooks, tutors and online study support.

How?

An unauthorised third party was able to access a company database that included customer data for Chegg and some of their other brands.

10: Facebook (29 million)

Who?

The world’s largest social network was hacked, exposing sensitive user data including contact information, searches and usage history.

How?

Hackers exploited vulnerabilities in Facebook’s code to get access tokens, which then gave them full access to users’ details.

How can you avoid a data breach?

There are a few patterns in the top 10 data breaches of 2018:

  • Weak software. Many of these breaches were caused by vulnerabilities or weaknesses in the systems used.
  • Glitches. Hackers have a keen eye for software glitches with unintended consequences, and exploit them ruthlessly to reach data that is normally hidden.
  • Mystery losses. A worrying trend from the top 10 is the number of ‘unknowns’: at the time of reporting, several companies had been unable to confirm how the hack was perpetrated.

The main lesson to learn from these examples is that hackers are creative and flexible, and that data leaks from organisations in many different ways.

Internal agents, external criminals, weak software, outdated software connections and APIs, weak passwords, clumsy security practices, social engineering – these are all common components of data breaches.

This suggests that organisations have a lot of work to do to protect every corner of their castle. Hackers look for weak spots in many different areas, and so organisations must address every aspect of their security: software, hardware, people, processes and culture.

Last year was a bad time for data security, but a great time for digital criminals. In the midst of the thousands of hacks, leaks, exploits and phishing attempts, a group of Russian military hackers unleashed a virulent worm that would cause untold disruption and cost companies around the world billions in lost revenues and repair costs.

While nobody has claimed responsibility for the NotPetya virus, it has been traced back to a group of Russian military hackers who were trying to wreak havoc in Ukraine – and send a warning to companies that dare to do business with Russia’s enemy.

The virus originated in Ukraine, after Russian hackers gained access to the servers of Linkos Group, a company that produces a popular accounting program called MeDoc. Having gained access, the hacking group, known as Sandworm, was able to infect the MeDoc update server, which then gave them access to the thousands of PCs around the world that have MeDoc installed.

NotPetya spread rapidly. It relied on two tools working in partnership to sidestep defences, infect computers and spread to the next host. EternalBlue, an exploit created by the US National Security Agency but stolen during a breach earlier in the year, was combined with Mimikatz, a tool created by a French researcher to demonstrate that Windows was leaving users’ passwords in memory. Using these two tools, the virus could leapfrog from machine to machine in a matter of hours.

Maersk goes dark

On 27 June, computer screens at Maersk headquarters began to go black. Some displayed messages asking for a ransom to be paid in bitcoin; others simply stated that the machine was being repaired, and should not be turned off. Whatever the message, the machine was frozen and unusable.

Maersk, a global shipping company, was completely stricken by the virus: so many computers were infected, so rapidly, that the company was unable to take new orders or manage their vast shipping fleet. Even the IT security team was unable to work. Servers, computers, routers and desk phones were all brought down by the virus.

Around the world, 17 of Maersk’s 76 freight terminals were disrupted by the virus. Without computers, nobody could do anything. Freight could not be received, loaded or dispatched. The contents of containers were unknown and new bookings could not be taken. Ports in Los Angeles, Rotterdam and Mumbai were reduced to parking garages. It was a catastrophic failure of shipping IT – and the costs are estimated to be astronomical.

Billions in lost earnings

Ultimately, NotPetya would cause an estimated $10 billion in damage, crippling multinational companies including TNT Express, Mondelez, Reckitt Benckiser, Rosneft and Merck.

At Maersk, recovering from the attack involved a frantic effort to restore core machines and then gradually wipe and restore individual machines. In just 10 days the company managed to rebuild its network of 4,000 servers and 45,000 PCs – though a complete recovery took many months.

While NotPetya was a fiendishly clever virus, it did rely on Maersk (and other victims) having unpatched machines – something that could have been avoided. Maersk has since changed its approach to digital security and is investing widely in security systems and processes. Employees report that requests for spending on digital security are being approved without delay; a contrast to the company’s prior reluctance to invest in digital protection.

Why do so many companies have to learn digital security lessons the hard way?

Find out more about Cyber Security eLearning.

Currys PC World is the latest in a long line of corporations to suffer a large-scale data breach, but the positive news to take from the story is the swiftness and clarity of their response. One of our colleagues, as a Currys PC World customer, received an email explaining the loss of data, what was involved, and what he should do to protect himself from fraud.

The message was comprehensive and apologetic – and suggests that British businesses are finally learning how to respond to these kinds of cyber crimes.

The recent news from Currys PC World came in two waves; at first, they believed that 1.2 million customers were affected, although no payment card information was involved. Several weeks later the electronics giant had to report that the scale of the problem was far larger. After an internal investigation they put the number of customers affected at 10 million.

Currys PC World reports that none of their customers has been directly defrauded in the immediate aftermath of the data breach. But we know from previous hacks that customer data is rarely used in isolation; instead, this kind of information is used as bait in phishing attacks. With customer data in their hands, fraudsters can dupe people into handing over more information which then gives them access to bank accounts, payment cards and online stores.

So, the true impact of this kind of data breach is unlikely to be immediately obvious – and people who are defrauded six or nine months from now may never know that their loss originated with lax security at Currys PC World.

Alex Neill of Which? commented on the incident: “Dixons Carphone customers will be alarmed to hear about this massive data breach and will be asking why it has taken so long for the company to uncover the extent of its security failure. It is now critical that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.”

The letter from Currys PC World is commendably clear and direct: “Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.”

Currys PC World also laid out clear guidance for their customers on how to minimise the risk of fraud:

  • If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.
  • If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040*.
  • We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.

Although the value of Currys PC World shares fell after news of the initial data breach was revealed, markets reacted less extremely to the second wave of news, with shares actually rising slightly. This may reflect a degree of breach fatigue – or a belief that the high street’s last electronics retailer has already paid the price for its security failure.

Are data breaches an inevitable part of a society that lives and trades online? Or will businesses eventually find systems and processes to outfox the data bandits?

Worried about data breaches? Find out more about Data Protection eLearning from VinciWorks.

Data breaches are nothing new.

What has changed recently is the regulations surrounding personal data.

Under the General Data Protection Regulation (GDPR), companies must notify the Information Commissioner’s Office within 72 hours of becoming aware of a breach.

In the case of Ticketmaster’s recent breach, questions remain about whether they reported the loss of data affecting 40,000 customers quickly enough.

Ticketmaster lost the customer data because of a third-party application designed to help them manage customer support requests. The Inbenta software was infected with malware and was passing customer data to a third party, who then used the information to help them make fraudulent payments.

Ticketmaster claims that up to 40,000 UK customers may have had their data stolen. Customers in the US were not affected in the incident. Ticketmaster is offering customers a 12-month identity monitoring service to help prevent further frauds from occurring.

One of the problems with a data breach of this kind is the avalanche of follow-up crimes that typically occur – not always relying on the actual data lost. This is because criminals use the confusion and concern caused by a major data loss incident to dupe customers into changing passwords – on dummy websites that they control. Ticketmaster is urging customers to only visit genuine Ticketmaster websites on recognised addresses.

Brooks Wallace, from the cyber-security specialist Trusted Knight, commented: “After an incident like this, criminals from around the world will jump at the chance to try and catch a few unsuspecting people out. If you receive any emails purporting to be from Ticketmaster asking for any personal information, discard them. If you need to contact Ticketmaster, type the website address into your browser and log in that way.”

Questions about the timing of Ticketmaster’s notification surfaced after Monzo, the online bank, reported that it had uncovered evidence that Ticketmaster may have been breached in early April – something it passed on to the authorities and to Ticketmaster. Monzo’s discovery followed customer reports of fraudulent transactions. The security team at Monzo analysed the accounts of approximately 50 customers who had all been victims of fraud and found a pattern: 70% of the affected customers had recently bought tickets from Ticketmaster, while only 0.8% of Monzo’s entire customer base had used Ticketmaster.
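The pattern Monzo spotted (one merchant heavily over-represented among fraud victims compared with the customer base) is what fraud teams call common-point-of-purchase analysis. The following Python is an added illustration, not Monzo’s code: it runs the same comparison over constructed transactions with placeholder merchant names and flags any merchant whose share among victims far exceeds its share among all customers.

```python
from collections import defaultdict
from datetime import date

TOTAL_ACCOUNTS = 200  # size of the constructed customer base


def build_sample():
    """Constructed sample data (not real bank or merchant records).
    Returns (transactions, fraud_accounts); each transaction is
    (account_id, merchant, purchase_date)."""
    txns = []
    for acct in range(TOTAL_ACCOUNTS):
        txns.append((acct, "coffee-shop", date(2018, 4, 10)))     # everyone buys coffee
        if acct % 2 == 0:
            txns.append((acct, "grocer", date(2018, 4, 12)))      # half buy groceries
    for acct in (0, 1, 2, 3, 4, 5, 6, 50):                        # 8 of 200 = 4% base rate
        txns.append((acct, "ticket-vendor-A", date(2018, 4, 3)))
    fraud_accounts = set(range(10))  # ten accounts later reported fraudulent payments
    return txns, fraud_accounts


def merchant_lift(transactions, total_accounts, fraud_accounts,
                  window_start, window_end, min_victims=3):
    """For each merchant seen inside the date window, compare the share of
    fraud-victim accounts that shopped there with the share of all accounts
    that did. Returns (merchant, victim_share, base_share, lift) tuples
    sorted by lift, highest first. Merchants with fewer than min_victims
    victims are skipped to avoid flagging on one or two coincidences."""
    victims_at = defaultdict(set)
    customers_at = defaultdict(set)
    for acct, merchant, when in transactions:
        if not (window_start <= when <= window_end):
            continue
        customers_at[merchant].add(acct)
        if acct in fraud_accounts:
            victims_at[merchant].add(acct)

    results = []
    for merchant, victims in victims_at.items():
        if len(victims) < min_victims:
            continue
        victim_share = len(victims) / len(fraud_accounts)
        base_share = len(customers_at[merchant]) / total_accounts
        lift = victim_share / base_share
        results.append((merchant, round(victim_share, 3),
                        round(base_share, 3), round(lift, 2)))
    results.sort(key=lambda r: r[3], reverse=True)
    return results


def flag_suspects(results, min_lift=5.0):
    """Merchants whose victim share is at least min_lift times their base share.
    A merchant everyone uses (lift near 1.0) is never flagged."""
    return [merchant for merchant, _, _, lift in results if lift >= min_lift]


def run_example():
    txns, fraud_accounts = build_sample()
    return merchant_lift(txns, TOTAL_ACCOUNTS, fraud_accounts,
                         date(2018, 4, 1), date(2018, 4, 30))


if __name__ == "__main__":
    for merchant, victim_share, base_share, lift in run_example():
        print(f"{merchant:16s} victims {victim_share:.0%}  base {base_share:.1%}  lift {lift}")
    print("flagged:", flag_suspects(run_example()))
```

With this data the ticket vendor shows a 70% victim share against a 4% base rate (lift 17.5), while the coffee shop and grocer sit at lift 1.0 despite being used by every victim.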

The question that the ICO may want answered is why it took months for Ticketmaster to confirm that a breach had taken place. Was the breach carefully concealed by hackers? Or did Ticketmaster hope to limit the scope of the scandal?

Read more about Information Security eLearning from VinciWorks.

The payment card industry data security standard (PCI DSS) is designed to protect consumers by encouraging businesses to do more to protect payment card details. A recent survey by US Internet giant Verizon found that compliance with PCI DSS can be a powerful force in fighting cyber-crime – but many organisations struggle to maintain full compliance with the standard.

Speaking to Computer Weekly, Verizon’s head of advisory services Gabriel Leperlier commented: “Since 2010, not a single organisation that has been breached was 100% PCI DSS compliant at the time of the breach.” This is a remarkable finding. Why are so many organisations struggling to comply with the standard?

Firstly, it helps to examine the 12 requirements of PCI DSS:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Protect all systems against malware and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

In addition to these 12 requirements, digital security teams must contend with changing technology, workplaces that are riddled with web-connected devices, malicious employees and a host of determined hackers, criminals and foreign agents – who are all working day and night to access a company’s valuable data.

As Leperlier puts it: “Many organisations struggle to keep up with the continual cycle of scanning, testing and patching, which is why it is important to involve all employees, so they understand why certain security controls are in place and will be more likely to stick to them rather than finding ways around them.”

Achieving and maintaining PCI DSS compliance does not guarantee that you won’t be hacked – but failing to maintain compliance is a sure-fire way to attract the attention of hackers and criminals. After all, dropping the ball on PCI DSS compliance effectively means you’re making life easier for anyone who wants to steal your data.

There are many examples of companies that have paid a heavy price for data breaches that could have been prevented by complete compliance with PCI DSS. For example, US retail giant Home Depot agreed to pay at least $19.5 million to consumers harmed by a data breach in 2014. The breach occurred because Home Depot used inadequate security software and weak data protection policies. Under PCI DSS, companies are required to conduct vulnerability scans – something that was not carried out fully at Home Depot.

PCI DSS compliance may be difficult to achieve and maintain, but it seems the costs of dealing with a major data breach are likely to be far higher than the price of meeting the 12 requirements outlined above.

A new report by business broadband provider Beaming suggests that UK companies are being bombarded by cyber attacks.

Their survey found that attacks are up by a quarter (27%) in the first three months of 2018. On average, UK companies with an internet connection experienced 600 attempts per day to break their corporate firewalls, compared to 474 attempts in the same period in 2017.

Surprisingly, the majority of attacks are not aimed at servers and databases. Hackers are instead turning their attention to smart devices and internet-connected gadgets such as building control systems and cameras. Perhaps these are seen as softer targets where their intrusion can go undetected. It is believed that hackers want to control these devices so they can later use their processing power to launch distributed denial of service (DDoS) attacks – or spread malware.

Part of the dramatic rise in hacking attempts can be attributed to an increase in attacks coming from Europe. 44% of attacks originated on the continent, pushing Europe to overtake Asia as the most common source of attacks. Over a third of attacks were launched from the Czech Republic and 12% originated in Russia.

Sonia Blizzard, managing director of Beaming, comments: “2018 has been the worst start to a year we’ve seen for the volume of cyber attacks on UK businesses, in large part due to an unusual increase in activity originating from Europe since the start of March.”

“Company firewalls and IT security systems have been under constant pressure from malicious computer scripts and we’ve had to constantly update our network-level protections to keep up with new and evolving threats.

“It is important that businesses of all sizes regularly review their cyber security measures, monitor their IT systems and communication networks for unusual activity and take all the help they can get to stay ahead of the criminals.”

Raise awareness with regular staff training

Your employees are on the front line of the data wars. Hackers often target employees as a means of gaining access to your systems, whether in the form of phishing, invoice fraud, or taking advantage of weak passwords. Once hackers have a window into your systems, they can search for valuable data and copy as much as they like.

Regular training is the easiest way to remind employees of their important role in maintaining the integrity of your systems and shielding your valuable data from competitors and opportunists.

At VinciWorks, we offer cyber-security training that is delivered online, making it convenient and affordable to deliver to small teams or large populations, wherever they are based.

We’re very pleased to announce the arrival of our latest compliance course: The Using Social Media Challenge.

Written and directed by our talented development team, the course combines a refreshing mix of story-telling, gamification, and immersive eLearning to offer learners an interactive video experience that’s sure to wow!

Fresh, fun, and informative, The Using Social Media Challenge is designed to raise awareness about hacking threats on Social Media.

To take the challenge, users must take on self-confessed cyber-criminal, John (and his fiendish team of hacking experts), and prevent him from accessing their data and infecting their computer by making the right choices whilst using social media. Each time learners thwart John’s efforts successfully, they will be rewarded with a shield. Making the wrong choices, though, will result in a win for the cybercrime syndicate and a ‘virus’ for the unsuspecting victim.

How many shields will you collect?

View a trailer for The Using Social Media Challenge: