I’d love to say that data breaches come and go, but they only seem to become more prevalent. According to a recent report, the number of data breaches in the first half of 2019 increased by 54 percent.
The World Economic Forum has also pointed out that cyber-attacks and data theft are likely to be “higher than average” in 2019.
Cybercriminals are data hungry creatures and they are coming to a security flaw near you soon. So, let’s take a look at some of the mega-breaches and not so, mega-breaches, of the year so far.
We will also give you some tips to stop your company from becoming a data breach statistic.
Some of the Data Breaches of 2019
I’ve included some big breaches as well as some smaller ones from the UK. No matter what size a data breach is, someone, somewhere, is affected. The impacts are financial, lost reputation, and likely identity fraud and theft too.
Toyota – External attack
February and March of 2019 saw the exposure of 3.1 million customer records at Toyota. The cybercriminals took names, dates of birth, and employment details. The attack has been attributed to a Vietnam-based hacking group using an advanced persistent threat (APT) known as APT32. Word is that the attackers were specifically targeting car manufacturers.
Capital One – External attack due to misconfigured systems
Cybercriminal Paige Thompson was behind the major breach of personal data at Capital One. The stolen data was posted in a publicly accessible way to GitHub, a portal, used by companies across the globe. Data, including names, addresses, dates of birth, credit scores, Social Security numbers, and bank account numbers of 106 million U.S. and Canadian customers were exposed during the breach. Paige Thomson is an ex-employee of Amazon and it is thought the attack was due to an insecure database, coupled with poorly executed access control.
Suprema – Misconfigured and poorly secured database
Suprema provides biometric security for the Metropolitan Police and some UK banks. In August, Suprema announced that the biometric data of 27.8 million people had been breached. The breach is said to have exposed fingerprints, facial images, usernames, and passwords, as well as other data including employee records. What caused it? The Suprema database was unprotected and much of it left unencrypted.
First American Financial Corp. Poor website security
This is a U.S. only breach but it is such a big one it is worth mentioning. We are talking big data here, a total of 885 million personal and financial data records, associated with mortgages going back 16-years, exposed. There is now a class-action lawsuit against the company. The cause was, again, poor security configuration; customers who used a URL link to access a document on First American’s website could then access another customer’s documents. This was done by simply changing a single digit in the link.
Evite – poor security and misconfiguration
10 million Evite user accounts were breached in February 2019. Personal data exposed included names, usernames, email addresses, passwords, dates of birth, phone numbers, and mailing addresses. The incident occurred when an unauthorised access was made to an inactive data storage file associated with user accounts.
Mumsnet – Software glitch
Mumsnet, the beloved forum for parents across the UK, was the subject of a data breach in February 2019. Although smaller than some of our breaches here, it is noteworthy. The breach was apparently caused by a software upgrade. The bad upgrade allowed people logging in to see other user accounts, including data such as email addresses, account details, and personal messages. Only around 4000 accounts were affected, but the data, therein, was highly personal, especially the private messages.
Oyster Card – Credential stuffing
Although only 1200 Oyster cards were affected it is a useful breach to showcase. The cyber-attack is believed to have been a case of ‘credential stuffing’. That is an attack where cybercriminals use already stolen credentials from previous cyberattacks (like the ones we have mentioned above) to then access other accounts. People often use the same password for multiple accounts, so if one account is breached it can lead to others being breached too.
How to Prevent a Data Breach
It is all very well reading about data breaches, but you also need to know how to make sure your organization doesn’t enter the hall of cybersecurity shame.
Here are a few five tips to prevent a data breach in your organization.
- Security Awareness Training: Many cyber-incidents involving data can be prevented by a dose of security awareness training. As we have seen in our examples, many were caused by poor setup and configuration of security options. Others were exacerbated by poor security hygiene practises like using the same password across multiple accounts. Security awareness training covers the entire organization, including IT, making employees aware of the importance of security and how data breaches happen. We can all learn from the mistakes of others.
- Phishing Simulations: Data breaches, are also often initiated by spear phishing. This is a targeted form of phishing that goes after the login credentials of privileged persons such as system administrators. Offering simulated phishing as part of a security awareness training package is important in containing data breaches.
- Robust Authentication: Having two-factor authentication in place is good practise for any application that supports it.
- Regular Security Patching: Certain types of cyber-attacks, for example, malware-based attacks, rely on security flaws in software. Always ensure that security patches are installed and up to date.
- Pen testing: Penetration testing looks for vulnerabilities in IT systems, like networks, websites, and applications. A pen test of systems could have helped prevent some of the data breaches caused by configuration errors in setting up services.
Security Awareness is The Friend of Business and The Enemy of the Cybercriminal
A report by Juniper Research, which I am pleased to note mentions The Defence Works, states that
“gains that can be made by increasing human awareness of cybersecurity can make more efficient use of cybersecurity spending”
Security breaches cost a lot of money and time and cause reputational damage. I live in hope that one of these years, The Defence Works will be able to write a round-up of breaches report about how cyber-attacks are on the increase, but the success rate is decreasing. If we do get to that stage, it will be because of the use of a range of security measures, including security awareness training.
– Watch our hilarious security awareness training –
Want to learn more about empowering employees with security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.