The dog days of Summer have been a busy time for cybercrime, with attacks heating up across retail, banking, and higher education.
While others may have turned their attention to holidays, August has already seen data breaches at IKEA, Capital One, online retail marketplace StockX, and university textbooks publisher Pearson, cumulatively exposing the personal and/or financial data of millions of consumers.
Here is a roundup of the major events we’ve been watching:
Pearson, a major publisher of print and digital textbooks, revealed that more than 13,000 school and university customer accounts had been exposed, with some containing information on hundreds of thousands of students.
Data included first and last names, email addresses, and dates of birth. No social security numbers (equivalent to UK National Insurance numbers) or financial details were exposed. Exactly who carried out the attack hasn’t been revealed.
In one school district alone, the breach exposed data on 114,000 students. Pearson says none of the breached data has been misused to its knowledge. It is offering complimentary credit-monitoring services to affected victims as a just-in-case measure.
StockX, an online retail marketplace valued at $1 billion USD, announced a series of ‘system updates’ last week that turned out to be its response to a significant hack back in May. A data trader has been offering to sell the data of more than 6.8 million StockX customers on the darknet.
The company belatedly posted a message this week admitting that cybercriminals had accessed customer data, including ‘…customer name, email address, shipping address, username, hashed passwords, and purchase history.’ It claims that customer financial or payment data hasn’t been exposed.
In response to the hack, StockX noted that it had sent an email alerting customers to reset their passwords, describing it however as a “systems update” and failing to mention a data breach prompted it.
IKEA committed a pair of own-goals when it revealed it had inserted 410 individual email addresses in a promotional email to customers in Singapore – then flubbed the apology.
According to IKEA, the customers were eligible for a gift card promotion. No personal customer data was exposed beyond email addresses.
To its credit IKEA was quick to notify and apologise, its follow up email, however, contained an internal draft of the apology, and was only sent to half the recipients. IKEA had to apologise again for the oversight and said it was in a rush to notify customers of the exposed email addresses error.
IKEA says it also notified Singapore’s Personal Data Protection Commission (PDPC), which enforces the city state’s Personal Data Protection Act – similar to our GDPR in requiring organisations to have an individual’s knowledge and consent when collecting, using or disclosing personal data.
Capital One announced that a breach in March exposed the personal information of nearly 106 million of the bank’s customers and applicants. The hack included US and Canadian banking and credit card customers.
According to the bank, cybercriminals accessed servers holding personal information related to credit card applications by consumers and small businesses. Exposed data included names, addresses, dates of birth, credit scores, transaction data.
About 140,000 Social Security numbers and 80,000 linked bank account numbers were also exposed. The bank said no credit card account numbers or login credentials were revealed in the hack.
Capital One’s admission came just a week after the settlement reached between Equifax and the US Federal Trade Commission concerning the massive 2017 breach that affected 147 million customers.
Closer to home, UK challenger bank Monzo had to tell 480,000 of its mobile-app-only customers to change their pins after it revealed it had stored their PIN data in a text-only log file that was accessible by unauthorised staff.
The bank, valued at £2bn, said the numbers, usually tightly secured with minimal access, had accidentally been kept in a log file. The content of those logs was accessible to roughly 100 Monzo engineers who typically would not have been authorised or had any need to see customer PINs.
What a week
Not all of the breaches occurred in August, but these latest announcements are part of the escalation in frequency of breaches and vulnerabilities we’ve seen over the past few years.
Cybercriminals are clever, determined, and always on the lookout for exploits that enable them to access systems they shouldn’t. Persistence is paying off, and the threat of attack on organisations of all sizes just gets worse as a result.
The vectors of attack aren’t apparent in the Capital One, Pearson and StockX breaches, but it seems clear they were either hacked from outside or breached from within. The IKEA and Monzo announcements meanwhile are more about human error thanan technical vulnerabilities.
If there’s one common theme across all, it’s that cybersecurity continues to be about addressing a mix of challenges that technology alone can’t fix.
Against a threat landscape that includes poor management decisions, negligent employees, and a determined and well-organised external foe, even tech companies have shown they don’t have much of an edge when it comes to cyber.
Well-known brands like Amazon, Twitter, and Uber have all been breached recently. We’ve also written about the breach at networking giant Citrix, where hackers had camped out on the company’s network for months before being found out.
From technical vulnerabilities to inadequate processes and human error, every organisation has invisible weaknesses that can make it vulnerable to breach. Investing in the latest cyber technologies and making sure they are up-to-date is necessary, but technology alone can’t offer a 100 per cent guarantee.
People are the most effective line of defence
The best security systems in the world are both susceptible to human error and improvable with human agency. A programme of security awareness training can strengthen them by switching your people on to the risk of data breaches, whether from a phishing email, botnet infection, or discovering that sensitive information is exposed in an unprotected file or server.
With better training and education, staff can help spot the signs of a breach, and avoid enabling them through misadventure and error.
Businesses and cybercriminals are locked in a long-term struggle where the weapons and tactics change almost weekly. Unless someone invents a cyber magic bullet that finally makes devices and networks impenetrable, treating cyber risk as a daily management challenge – and enlisting your people to help – is the safest route to secure systems.
Want to learn more about empowering employees with security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.