Every year, cybersecurity experts look at the previous year’s network security mistakes—the ones that resulted in massive data breaches and made headlines—to learn what went wrong and how those cybersecurity mistakes could be avoided in the future. So far, 2019 is showing no signs of breaking the tradition of each year getting increasingly devastating in terms of cybersecurity breaches.
Merely listing off the data breaches and the number of people who were affected by each provides a valuable lesson in vigilance. However, it’s important to look beyond the numbers to learn details about how each data breach occurred. With this information, it’s easier to glean lessons from these events that can be used to prevent future cybersecurity mistakes.
So, let’s study the events of the past so we aren’t doomed to repeat them:
So far in 2019, we've seen a wide variety of cybersecurity breaches—several of which could have easily been prevented with the proactive application of basic network security measures.
The Entertainment Software Association (ESA) is an organization that lobbies for the video game industry and organizes the Electronic Entertainment Expo (E3) event each year. As a part of their E3 work, the ESA collects contact information for journalists and YouTube content creators who hope to cover the event. However, earlier in 2019, it was discovered that the ESA's contact list database had been compromised, leading to doxing and harassment of people whose information was in the list.
According to a Yahoo! Finance article, "Rather than protect the information, the ESA left it available as an excel sheet that could be downloaded by anyone with the direct URL... No one broke into the ESA's website to steal this information. Rather, it was simply uploaded and laid bare for anyone to find and use."
While the ESA has issued an apology and stated that it has "removed the file from the website" and "disabled access to the site's exhibitor portal," these measures have been ridiculed as too little, too late by pundits.
Taking even the most basic security precautions to encrypt the data so it couldn't be used would have helped to protect thousands of journalists and content creators from harassment.
According to a report featured on Wired.com, in May of 2019, "A surveillance contractor for US Customs and Border Protection suffered a breach, and hackers stole photos of travelers and license plates related to about 100,000 people." The contractor in the story was identified as Perceptics, a Tennessee-based company and long-time CBP affiliate. Another issue brought up in the Wired article was that Perceptics, "Also lost detailed information about its surveillance hardware and how CBP implements it at multiple US ports of entry."
A statement from U.S. Customs and Border Protection cited in a TechCrunch article notes that: "Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract" and that, "Without CBP's authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network." While the CBP admonishment did not name Preceptics as the subcontractor, the TechCrunch article and the Wired article both link the company to the incident.
The apparent issue here is that sensitive data was moved from a secure system to a less-secure one, giving cybercriminals an opportunity to steal it. As the data has appeared on the "dark web" (according to the Wired article), it is possible that the data has already been sold to third parties for malicious use.
This incident highlights the importance of keeping sensitive data on closed systems, and avoiding moving such information to unsecured network endpoints.
Security mistakes are nothing new, as some of the biggest breaches of 2018 prove:
The data breach suffered by Marriott’s Starwood properties was not just one of the biggest data breaches of 2018, it ranks high on the list of the biggest data breaches of all time—though not at the top. As reported by Computer Weekly, the network security breach, “Exposed the data of half a billion customers of the Marriott hotel group’s Starwood properties, including the St Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points and W Hotel brands.”
The company’s booking system was the primary target of the cyberattack. According to Computer Weekly, the specific data stolen during the Starwood data breach included: “Customers’ names, addresses, phone numbers, card numbers, passport numbers and even information about where and who they were traveling with.” Yet, oddly, officials cited in the article stated that “this information wasn’t used for any known financial gains or identity thefts.”
So, why would attackers target this information, if not to use it for financial gain? The prevalent theory is that the attack was politically motivated and was sponsored by a foreign state. As an NPR.org article cites: “Preliminary indications show the breach was executed by hackers affiliated with the Chinese Ministry of State Security.” The stolen information could conceivably be used to track politicians and their associates, as well as to identify intelligence agents.
The most shocking part of this breach isn’t that the accounts of 500 million people were compromised—it’s that the breach took place over the course of four years before it was finally identified. The lesson here may be that no business’ cybersecurity architecture is absolute—and that actively checking for cyber threats and intrusions on the network is crucial.
Failing to routinely check for the presence of active intruders is one of the biggest network security mistakes that a company can make.
While the cybersecurity breach that hit Marriott/Starwood was major, it still wasn’t the largest data breach of 2018. That dubious distinction goes to Aadhaar, which had a data breach compromising the personal information of 1.1 billion of India’s citizens. As reported by Avast (a free antivirus company), the data exposed in the breach included “Aadhaar numbers, names, email and physical addresses, phone numbers, and photos.”
The attackers were selling a portal into India’s Unique Identification Authority for around ₹500 according to the Avast article—which, at an exchange rate of 1 rupee equaling about $0.014 (based on the exchange rate as of Feb. 3, 2019), is $7 in U.S. currency. For $7, it would be possible to buy instant access to the personal data of 1.1 billion people.
In fact, according to a Washington Post article about the Aadhaar data breach, reporters were able to get into contact with an unnamed individual to buy access to the portal and that, for an additional $5, “The individual offered reporters software to print out unique identification cards, called Aadhaar cards, that can be used to access various government services including fuel subsidies and free school meals.” This would create an enormous opportunity for unscrupulous individuals to commit fraud with the stolen information.
Unfortunately, information about the breach remains limited, and an official statement from the Unique Identification Authority cited in the Post article says that, “Claims of bypassing or duping the Aadhaar enrollment system are totally unfounded. Aadhaar data is fully safe and secure and has robust, uncompromised security.” Because of this assertion that no breach has occurred, there are no details known about what kind of cyber threat caused the alleged breach, who is behind the attack, and what, if any, network security measures could be taken to prevent future breaches.
So, what’s the lesson here? The primary takeaway is that no organization, regardless of size, is immune to cyber threats. Even the biggest government-sponsored programs can be targeted and successfully breached if they have any flaws in their network security architecture.
An alternative lesson could be to ensure that there are no unused or extraneous user accounts in your network, as these give attackers opportunities to access sensitive data. By deleting unused user accounts and restricting the access privileges of active accounts to the absolute minimum required, the effects of a cybersecurity breach can be minimized.
These two data breaches are far from the only ones that occurred in 2018. With 2019 poised to be yet another year full of major cybersecurity incidents, however, it is important to learn from the network security mistakes of others and take proactive measures to protect your own organization.
Need help securing your network against cyber threats? Talk to the team at Compuquip for help and advice today!