You could argue that all cyber-attacks and data breaches are disturbing, and you wouldn’t be wrong. But all too often a cyber-incident comes along that hits a whole new level of intrusion or includes an unsettling component of cyber security neglect that causes us to raise our eyebrows higher than usual.
I’ve compiled a list of data breaches that stand out to me as being particularly disturbing. Most occurred in 2018, while others came to light in 2018 but were well underway before the affected organization discovered them, or finally confessed to them.
1. Exactis
Before June 27th, 2018, most people were not familiar with the Florida-based firm Exactis. This is when we learned that the company had left its database open to the public, exposing nearly 340 million individual records, affecting about 230 million US consumers and 110 million businesses. Exactis compiles and aggregates business and consumer data it collects from people who browse websites that use cookies. At the time of writing the company had not yet confirmed the leak and the number of people affected is still an estimate, but the leaked data included an extraordinary depth of information that―in addition to phone numbers, home and email addresses, interests, and the number, age and gender of their children―may have included the victims’ personal habits, religions, and even pet ownership details. A first class-action lawsuit has been filed against Exactis.
Why is this breach disturbing?
The lack of responsibility demonstrated by the company: one of the largest collections of personal data was left unprotected by even the most basic cyber security measures.
The volume of people affected―we’re looking at pretty much every single US citizen.
The depth of information breached. It is alleged that up to 400 variables on victims’ characteristics were exposed, although financial information and social security numbers were not among them.
How do you protect yourself or reduce the risk from this sort of incident?
Individuals: Short of staying offline, there is no simple and convenient way to protect yourself from this type of data leak, especially if you browse from multiple devices. This article offers a list of ways to browse the web anonymously.
Organizations: Ensure that sensitive data follows a least privilege approach and that authorized access is always required to view such data. Further protect your sensitive data using a privileged account management solution that’s easy to use (to ensure adoption), and implement a least privilege policy to ensure individuals can access only the credentials they need to complete their task.
2. Under Armour / MyFitnessPal App
In February 2018 Under Armour’s MyFitnessPal App experienced one of the biggest data breaches in history when an unauthorized party accessed the company’s data stash. The user names, email addresses and scrambled passwords of over 150,000,000 app users were stolen. The breach was discovered on March 25th and users were notified to change their passwords four days after that. The type of data that was breached is considered moderate and the breach was discovered relatively fast. Under Armour gets credit for hashing the passwords and processing credit card information separately, two actions that prevented this breach from spiraling to a whole new level of disastrous. To date, the entity behind this breach has not been identified.
Why is this breach disturbing?
The volume of users affected. This was, at the time, a record-breaking breach.
The type of information at risk. MyFitnessPal can collect precise data regarding the user’s performance, personal fitness records, health and location. As more people adopt wearable or mobile apps that record their most private data, there is more to be gained by cyber criminals.
How do you protect yourself or reduce the risk from this sort of incident?
Individuals: Limit damage by using a unique password for every website or application you access and manage them with a password manager. When you have a choice, allow apps access to only the information they need in order to operate.
Organizations: The exact breach technique has not been confirmed by the company, so I can’t suggest a suitable means of protection.
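Under Armour’s decision to hash the stored passwords is why the MyFitnessPal leak exposed only “scrambled” values rather than usable credentials. The Python below is an added example, not code from the original post or from Under Armour: it shows what salted password hashing buys a breached organization (the stored table holds no plaintext, two users who chose the same password get different records, and logins still verify) and contrasts it with a bare unsalted hash. The PBKDF2 parameters and the sample user table are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed parameters for this example (not values from the post):
# PBKDF2-HMAC-SHA256 with a per-user random salt and a deliberately slow
# iteration count so that offline guessing against a stolen table is costly.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for storage."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # refuse records in an unknown or weaker format
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_user_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """Constructed stand-in for an app's user table: stores only salted hashes."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def records_match(table: Dict[str, str], user_a: str, user_b: str) -> bool:
    """True if two stored rows are identical, which would reveal shared passwords."""
    return table[user_a] == table[user_b]


def unsalted_digest(password: str) -> str:
    """Contrast case: a bare fast hash with no salt. Every reuse of a password
    yields the same string, so cracking one value unlocks every matching account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```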
3. Tesla
On June 14th a disgruntled Tesla employee admitted to hacking the company’s trade-secret information and sharing the data with unnamed third parties. A few days later Elon Musk sent an email to employees notifying them of the breach and requesting their cooperation and vigilance as Tesla moved forward with its investigation and subsequent lawsuit. As a groundbreaking tech company at the forefront of human innovation, Tesla is no doubt braced for cyber-attacks. A variety of non-malicious hacks have revealed several of Tesla’s security vulnerabilities, but it’s this insider attack that set the company on edge.
Why is this breach disturbing?
It came from the inside, a vicious attack from within the ranks of the ‘trusted few’. Operating like extended families, companies choose their team members with great care, and a devastating attack like this not only forces a company to review its vetting process but also throws the trustworthiness of remaining team members into question. It is also concerning in light of Tesla’s recent safety record, and the question of whether the two may be related.
The extent of the violation may remain forever unknown. This makes total damage control and repair almost impossible.
How do you protect yourself or reduce the risk from this sort of incident?
Organizations: The precise nature of the hack is unknown, but it’s possible that implementing a least privilege policy could have reduced the risk of this threat, and a privileged account system with email alerts for Event Subscriptions could have alerted IT Admins of the malicious activity in real time.
4. MyHeritage
On June 4th news broke that MyHeritage, a family-tree website that offers a genealogy and DNA testing service, had been breached, exposing the email addresses and hashed passwords of over 92 million registered users. The breach occurred in October 2017 but remained undiscovered until 9 months later, when a security researcher told the company about a file he had found on a private server outside of MyHeritage. No DNA data was compromised. This time.
Why is this breach disturbing?
The volume of users affected.
The duration of the breach: 8 months passed before victims were notified to change their passwords. (It is not unusual for breach victims to receive the first news of a breach so long after the event that it’s too late for them to react effectively.)
The type of company involved. A company that stores the DNA of millions of human beings should have maximum security protections in place and up to date.
How do you protect yourself or reduce the risk from this sort of incident?
Individuals: Use a different password for every account you have to prevent cyber criminals from easily accessing your other accounts.
DNA testing for future health predictions and ancestry reasons is a hot trend. Some websites even suggest you purchase DNA tests as gifts for frie