The lessons businesses must learn from the top 2018 cybersecurity breachesVenkatesh Sundar
Every organisation, big or small, must ensure that their programs and data are safe from attack, damage, or unauthorised access.
Across the world, the number of cyber attacks has consistently increased over the past 5 years, with the US emerging as the biggest victim. Small and medium businesses have been the main targets for data breaches and cyber attacks. In 2018 alone, there were a number of shocking cybersecurity breaches at major players, which compromised confidential information and voluminous data of the businesses and their users/customers. Let us take a closer look at these breaches and the lessons we can learn from them.
In September this year, Facebook unearthed the biggest breach it has ever faced since its inception. This Facebook breach was orchestrated by leveraging multiple bugs related to one of its features – View As. By using these vulnerabilities, the data of 50 million users was compromised. Hackers also gained access to a plethora of other platforms such as Instagram, Airbnb, Spotify, etc., which allow users to log in using their Facebook accounts.
Lesson learned: Even a big player like Facebook with superior engineering capability and security finds it challenging in the current digital environment to completely secure its large, global platform, which has over 2.2 billion users and connects several third-party service providers. So, smaller businesses do not stand a chance if they do not take preventive measures.
Exactis is a marketing and data aggregation company that compiles and aggregates consumer and business data through cookies collected from different websites. The company has compromised 340 million consumer and business records by leaving 2TB data on a publicly accessible cloud server. Over 400 variables of data about user characteristics were left exposed by this security lapse. Even though financial and social security numbers were not exposed, the breach could lead to large-scale identity theft.
Lesson learned: A lax attitude towards cyber security is unacceptable. The Exactis breach, which resulted from the lack of an account management system and authorisation policy to secure sensitive information, could have easily been avoided if the company was proactive towards cybersecurity.
The Guest Reservation Database of Marriott and its subsidiary, Starwood, was hacked into and sensitive information about 500 million customers of the international hotel chain was exposed including bank details, credit numbers and expiry dates, passport details, personal information, arrival-departure dates, etc. The breach which came into light on November 30, 2018, was orchestrated by leveraging the inadequate security solutions used. Even though data was encrypted, the hackers found ways to decrypt it by stealing the access keys. These affected users are vulnerable to identity theft, financial theft, opportunistic phishing and so on.
Lessons learned: This is not the first time the company has faced a data breach. So, it is appalling that adequate security measures were not installed despite the previous breach. Organisations like Marriott who invest plenty of dollars on getting the state-of-the-art digital infrastructure for seamless customer experience must also invest in cybersecurity.
A security researcher reported a security flaw in the food-ordering website of the chain of hotels that was leaking customer data including personal information, address, credit card’s last four digits, etc. of 37 million customers. The company did not take the necessary steps to fix this flaw for nearly 8 months until an expose was made by a security journalist on his blog.
Lesson learned: The importance of regular scanning and penetration testing cannot be stressed enough. If the organisation had done these on a regular basis, the breach could have been completely avoided. Organisations must be willing to work with external researchers who are responsibly disclosing security flaws in their web-based assets. This will show the organisation cares about its customers’ data and security.
Saks Fifth Avenue and Lord & Taylor
A cybercrime syndicate had stolen credit and debit card details of 5 million customers of the two luxury brands through a vulnerability/bug installed in the Point-of-Sale (POS) systems. An investigation by a research firm revealed that the actual breach happened in 2017 itself and that in March 2018, the syndicate had put out the data on sale. This security research firm had informed the brands about the breach; the brands and the company that owns them were not aware of the breach till then.
Lessons learned: This breach re-iterates the need for businesses that use POS systems to invest in stronger malware protection in these systems apart from regular scanning and penetration testing.
Delta Airline and Sears Holding Corporation
Both of these use a third-party AI solution, 24.ai, for online chat support. They announced in early 2018 that credit card information of nearly 100,000 of their customers could have been compromised due to a data breach in 24.ai.
Lesson learned: Your organisation’s cybersecurity is only as good as your partners’ security. It is crucial for organisations to scrutinise their vendors and third-party service providers before onboarding. Loopholes in their cybersecurity will directly impact your customers and your brand image.
It is the responsibility of every organisation, big or small, to ensure that customer/user data is secure. Bigger players may be able to recuperate from data breaches and cybersecurity lapses with ease owing to their financial, legal, and infrastructural strength. But smaller players may find it extremely difficult to build back customer trust and brand image as well as to fight class suits and litigations against them. It is always better to invest in strong proactive cybersecurity measures than regret later. A security specialist, with a team of certified security professionals combined with its own Application Security Product suite, will enable you to secure your organisation’s data and web assets, allowing you to focus on your core business.
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)