Big hacks and data leaks are nothing new, but this year has seen a surge in reported breaches. The reason for this might be simple: After the EU general update to data protection regulation (GDPR) came into place in May, firms are more likely to report attacks.
But it also demonstrates that the huge amounts of data collected by companies is not immune to hacking. And many firms aren’t doing enough to ensure they are secure. Let’s take a look back at five massive hacks of this year and examine what they mean for cybersecurity in 2019.
Facebook has suffered several breaches this year, with the worst seeing at least 50 billion users compromised. The biggest breach, in late September enabled hackers to exploit a weakness in Facebook’s code to access the ‘View As’ privacy tool that allows users to see how their profile looks to other people.
Three major security incidents affected user data in 2018, says Lewis Henderson, VP threat intelligence at Glasswall Solutions – and these are just the ones we know about. “Having been caught playing fast and loose with their users’ data, further major security incidents demonstrate Facebook’s infrastructure was probably never designed to cope with this many subscribers. It simply doesn’t have security built in, nor has Facebook taken those companies who exploit subscriber data through a robust third-party security process.”
Facebook has a large security budget and a team that’s known throughout the industry as top-notch, says Joan Pepin, CISO at Auth0. “They should know what they’re doing – but they have a complicated product. The latest hack combined several features in concert, which QA never thought to test. It was a failure of imagination and an outcome of the incredible complexity of their product.”
At the end of November, hotel group Marriott admitted it had suffered a massive data breach affecting the records of up to 500 million customers. The firm revealed its Starwood division’s guest reservation database had been compromised by an unauthorized party. Information accessed included payment information, names, mailing addresses, phone numbers, email addresses and passport numbers.
“Regardless of who the finger is being pointed at, it’s clear this stealthy attack meant the perpetrator had unrestricted access, across multiple IT systems for a very long time,” says Glasswall’s Henderson. “Presumably with many elevated privileged accounts compromised, the attackers were clear to traverse customer data held in different locations and likely cleared their tracks as they went.”
And when people trust firms with their data, even cybersecurity experts aren’t immune. “I am a Marriott Platinum for Life customer: My data was hacked alongside that of millions,” says José Hernandez author of Broken Business.
He points out that good crisis management requires full, timely, and complete disclosure – alongside an independent investigation. “Beyond trust and good governance, with Europe’s GDPR, waiting two months to report a significant hack is likely to be met with significant fines and penalties.”
It’s not the data breach that will be most impactful to the company; it’s the regulatory and class actions that follow, says Ian Thornton Trump, head of cyber security at Amtrust International. “But the big question is, why was this data not encrypted while at rest? Why are passport numbers and details not required by law to be encrypted at rest? The Marriott breach was not just about failing to protect the data they have; it’s a failure of governments to insist identity documents are treated with the same requirements as credit card data.”
In December, Quora suffered a massive breach of user data. The intrusion, discovered on November 30, included up to 100 million users’ names, email addresses, IP addresses, user IDs, encrypted passwords, user account settings, personalization data, public actions and content such as questions, answers, comments, blog posts and upvotes.
“The breadth and potential value of the data compromised, like encrypted passwords and social media data, was notable,” says Andrew Tsonchev, director of technology, Darktrace Industrial.
Edward Whittingham, a former law enforcement officer who is MD of The Defence Works, agrees. “Quora’s data breach was pretty punchy, mainly because it exposed the names, email address and encrypted passwords, as well as data from social networks like Facebook and Twitter, to which people had connected their accounts,” he says.
“Perhaps most interesting, is how the cybercriminals might then go on to use the data, such as questions and answers posed on the platform. I’d expect to see this information sold on the dark web and if there are any contentious questions or answers in there, the fraudsters will be sure to make use of this information and possibly look to hold some users to ransom.”
On 6 September, British Airways informed its customers that details from around 380,000 booking transactions had been stolen, including bank card numbers, expiry dates and cvv codes. It took the firm just one day to announce it had been hit by a cyber-attack between 21 August and 5 September.
Soon afterwards, it was discovered the details were taken via a script designed to steal financial information by ‘skimming’ the payment page before it was submitted. Security researchers now think the perpetrator is the same group that breached Ticketmaster, Magecart.
The impact to affected customers was still being felt in November when it was discovered the Russian hacker group behind Magecart was selling the details in the dark web for around $10 a card.
“In the immediate aftermath, many banks and credit card companies issued replacements or warnings to their customers who may have been affected, netting the Russian group a possible $12m from the hack,” says Martin Jartelius, CSO at Outpost24.
“Aside from BA’s parent company’s shares taking a hit in the immediate aftermath, it’s likely that the company will be penalized under the GDPR legislation, with some experts stating the impact could be in the region £500m or 4% of its turnover, or – if IAG is held accountable – an even larger sum: reportedly around £800m.”
Without Inbenta’s knowledge, Ticketmaster used this code on its payments page, where it was discovered by hackers and modified to extract payment information. The scale isn’t as massive as some other breaches – but the impact was huge. Some customers reported their money had been stolen and others claimed their details had turned up for sale on the dark web. The culprit was apparently credit-card skimming criminals Magecart.
“Just one month after GDPR came into full effect, Ticketmaster announced 40,000 customers’ data was accessed due to a malicious hack on a third party solution,” says Guy Bunker, SVP of Products, Clearswift.
He points out that many security incidents occur as a result of the actions of customers, suppliers and partners. “It’s important to ensure that security measures are up to date across the entire network of companies. Ticketmaster was only as secure as its weakest link.”
Cyber security in 2019
After hitting Ticketmaster and BA, experts predict that Magecart will target more than credit card data in 2019. “In 2018, credit-card skimming criminals grouped under the Magecart label have been carrying out a full-scale assault on e-commerce. They show zero signs of stopping as we head into 2019, with the attacks only getting more traction as various groups learn how to become more effective,” says RiskIQ’s Klijnsma.
He predicts: “As web skimming can skim all sorts of information entered into a website, Magecart groups will surely expand to skimming more than just payment data, such as login credentials and other sensitive information.”
As nation state actors ramp up their campaigns, critical infrastructure will also likely be a target. These attacks are already on the rise, says Andrew Tsonchev, director of technology, Darktrace Industrial. “This year, the ports of San Diego and Barcelona were attacked with ransomware: compromising industrial devices can now allow criminals to ransom access to operational systems as well as data.”
Jake Moore, cyber security expert at ESET, predicts 2019 will see a new form of attack: GDPR bounty hunting. “GDPR bounties work effectively when the attacker extorts an organization by providing them with a copy of their data to prove that it has been breached.
“They then give the victim two options: pay the possibly eye watering ICO fine of up to €20m or 4% of their annual global turnover – or pay the hackers’ chosen fee, which could be anything less than the maximum from the ICO. Hackers take advantage of the fact that some organizations will be tempted to choose the second option so they can avoid any reputational damage caused by a data breach.”