The recent past has witnessed cybersecurity professionals fighting for a way against information security breaches where victories have been hard to come by. In parallel, the exponential growth in terms of the number of interconnected devices, whether mobile devices or IoT, has pushed the demand for active software development.

The pace with which new versions of code is being pushed has increased the risk of allowing unknown vulnerabilities that are able to penetrate the code and allowing malicious users to gain access to a window of opportunity.

 

Most security attempts so far have been based on the establishment of a secure network, the encryption of data and the physical security of the device. Unfortunately, these measures still leave the device's core software vulnerable to attackers.

 

Almost every recent year has provided us with an increasing number of incidents that demonstrated how existing approaches to security are not up to the mark. Individuals, as well as organizations, are unable to safeguard themselves from an ever-increasing number of threats that are made even more complicated thanks to the unstructured layering of a variety of security tools.

 

Approaches like infrastructure and perimeter-based security that have often served users in the past are not sufficient any longer. Furthermore, the recent events have highlighted the lack of a proper SIEM system (Security Information and Event Management) that’s capable of limiting the surface of attack when it happens.This is especially true when it comes to an application-focused and cloud-based computing environment.

 

10 of the Biggest Information Security Breaches in 2018

Here are some of the significant information security breaches that made the news in 2018 -

 

Panera

• What - Panera's IT team failed to rectify a data leakage from their website for eight months after being informed of the leak. The site was finally taken down for maintenance.
• When – Disclosed April 2018
• Victims – Newegg online shoppers
• Audience – Every customer account on PaneraBread.com
• Data Exposed –

1. Names
2. Emails
3. Addresses
4. Birthdates
5. Last four digits of the customer's credit card numbers

 

Newegg

• What – The cybergang Magecart hacked into Newegg and inserted a credit card skimming code into the site. A customer's payment info was then transferred directly to Magecart's command and control server.
• When – August 14, 2018 – September 18, 2018
• Victims – 37 million
• Audience – Online shoppers on Newegg
• Data Exposed –

1. Credit card information

 

Elasticsearch

• What – 80+ million records of sensitive, personal data was accessed. The usage of the data is so far unknown. The source of the unguarded databases was tracked to a data management company no longer in business.
• When – Discovered November 14, 2018
• Victims – 82 million
• Audience – Online businesses and users on the internet
• Data Exposed –

1. Names
2. Emails
3. Addresses
4. Phone numbers
5. Company details
6. Employee count
7. Revenue details, etc.

 

Facebook

• What – The Cambridge Analytica scandal occurred where the data collection firm harvested user's information without their consent. The attack was politically motivated and was allegedly aimed to influence the 2016 presidential elections in the United States.
• When – Disclosed September 2018
• Victims – 87 million
• Audience – Every customer account on PaneraBread.com
• Data Exposed –

1. Profile information
2. Political beliefs
3. Friend networks
4. Private messages

 

 

 

MyHeritage

• What – The genealogy site was informed in June 2018 about an external server gaining access to personal MyHeritage info. The site confirmed the breach and asked users who had signed up before October 2017 to change their passwords.
• When – Informed June 2018
• Victims – 92 million
• Audience – MyHeritage users who had signed up before Oct 2017
• Data Exposed –

1. Email addresses
2. Hashed passwords

 

Quora

• What – Though the company did not disclose a large part of the breach, the question and answer site did confirm that a third party had breached access to one server of the company.
• When – Discovered December 3, 2018
• Victims – 100 million
• Audience – All Quora users
• Data Exposed –

1. Names
2. Email addresses
3. Hashed passwords
4. Profile data
5. Private and public actions

 

Under Armour

• What – In February 2018 Under Armour's food and nutrition app was hacked which exposed personal information to attackers. Fortunately, payment information was not disclosed since the company processed payment transactions through a separate interface.
• When – February 2018
• Victims – 150 million
• Audience – Users of MyFitnessPal
• Data Exposed –

1. Email addresses
2. Usernames
3. Hashed passwords

 

Exactis

• What –The data collection site was breached and had up to 2 TB of information leaked onto a public website for free access by anyone. The number of people that accessed the data before it was discovered is still unknown.
• When – June 2018
• Victims – 340 million
• Audience – Businesses and users across the internet.
• Data Exposed – 400+ categories of information including
• Phone numbers

1. Email addresses
2. Physical addresses
3. Interests
4. Religion
5. Age
6. Pet ownership, etc.

 

Starwood

• What – The hotel chain stated that one of its servers had been breached and was the victim of unauthorized access. Recent investigation has suggested that it may have been caused by the Chinese government for political purposes.
• When – Discovered in September 2018.
• Victims – 500 million
• Audience – Starwood guests
• Data Exposed –

1. Names
2. Email addresses
3. Physical addresses
4. Birthdates
5. Account information
6. Phone numbers
7. Gender
8. Travel information
9. Passport information
10. Accommodation information
11. Hashed credit card information

 

Aadhaar

• What – Unkown sellers used WhatsApp to offer a portal into India's Unique Identification Authority for INR 500 or less.
• When – August 2017 – January 2018
• Victims – 1.1 billion
• Audience – Indian citizens
• Data Exposed –
• Names

1. Aadhaar numbers
2. Email addresses
3. Physical Addresses
4. Phone numbers
5. ID photographs
6. Tips to Avoid Cybersecurity Disaster

There are some avoidable oversights on the part of organizations which the following suggestions can help overcome and reduce the risk of a potential information security breach.

 

Tighten the Existing Security System

 An organization's system and all relevant software come with guidelines on how to ensure maximum security during usage. Everyone inside the network should strictly adhere to these rules. Some of these guidelines include terminating unnecessary services or signing up for lower privilege settings.

 

Utilize Patches Effectively

Hackers are happy to use even the smallest lapse in your IT security to gain access. It is therefore of paramount importance to run frequently scan your security system and all related software while keeping them up to date with the latest available patches.

Secure Outbound Data

Similar to using a firewall to protect the organization's system from incoming bots or malware the company also needs to ensure that specific data is not allowed to exit your internal systems and infrastructure. This is process is known as egress filtering and is an essential aspect of cybersecurity. This prevents hackers, rogue employees, or just employees committing honest mistakes from leaking malicious software or sensitive data from the organization's network.

 

Increase Awareness

It is critical for all employees and contractors of an organization to be aware and alert when it comes to possible security issues. This can mean being alert to phishing scams being sent over email or messaging applications that may appear legitimate but are an attempt to extract sensitive information or credentials, or worse, expose the system to malware.

 

Be Astute When it Comes to Passwords

Many organizations have password related policies in place that address the strength and reuse of user passwords. However, one area that is often is neglected is the PC password of the local administrator. In many cases, this password is the same that is used on the company's servers. It would be relatively simple for hackers to gain access to the entire system and create external as well as internal damage once they gain access to this information.

 

Pay Close Attention to Physical Security

Organizations should inculcate the culture of not leaving credit cards, ID badges, financial and personnel files, tablets or cell phones unguarded within the organization. Employees should be trained to ensure that these items are kept on their person at all times or locked securely when not being used.

 

1. Encrypt Data - All personal computers as well as personal information that is stored on servers and in databases should be encrypted. This is perhaps the most foolproof way to ensure data is protected against hackers if they gain unauthorized access to sensitive data.
2. Purchase a Cyber Insurance Policy - In the chance that an organization does experience a cybersecurity breach, a robust cyber insurance policy will ensure that the organization is adequately covered for any losses and costs to mend the damage.

 

Conclusion

Understanding the organization's weaknesses and vulnerabilities when it comes to cybersecurity is the initial step in planning for proper cybersecurity. Preparing for a possible data breach or future attack by hackers is possibly the best way to counter such an event.