8 Mega-Breaches and Advice for MSSPs, Other Providers
Facebook has logged 100 times more Instagram plaintext passwords than they originally disclosed last month.
The breach of about 500 million Marriott guests’ personal data, including some passport numbers and credit card details, was one of the largest-ever cybersecurity incidents of its kind, said Maxim Frolov, managing director of Kaspersky Lab North America. While the amount of information stolen is alarming, one of the most concerning aspects of this breach is that Marriott revealed attackers were able to access its system in 2014 and remained undetected until November 2018. Ultimately, this reveals that the security solutions Starwood Hotels and Marriott had in place were not sufficient, given that they allowed an unauthorized third party to get into the system and steal information over such a long period without alerting Marriott’s security team.
“This serves as a reminder for cybersecurity professionals that when it comes to cyberattacks, it’s not a matter of ‘if’ but ‘when’ one will occur,” Frolov said. “So, the crux of the issue really lies in whether a business can detect an attack fast enough and respond in a timely manner to minimize its impact. A prevention-only strategy is no longer sufficient. When it comes to targeted, highly elaborate attacks, detection and mitigation should instead be the priority for the organization.”
In breaches like this, it’s best to admit what you know, and be clear about what you don’t know, Ducklin said. Don’t try to paper over the “unknown unknowns,” he said.
Another newsworthy cybersecurity incident occurred in August 2018, when British Airways confirmed it suffered a massive data breach affecting an estimated 380,000 people, Frolov said. Customers who used the airline’s website and app between Aug. 21 and Sept. 5 reportedly had the details of their payment cards stolen.
“Not only did this breach cause substantial reputational damage, but recovery from this kind of incident can be extremely costly,” he said. “The average data breach now costs enterprises $1.23 million, which factors in costs such as damage to credit ratings and insurance premiums, extra PR to repair brand damage, additional staff wages and replacing IT infrastructure. Furthermore, with new regulations such as the General Data Protection Regulation (GDPR) taking hold, fines and lawsuits are also a big fear factor for business leaders, which could skyrocket the total cost of a breach into the billions.”
The British Airways breach underscored the need for businesses to take a holistic approach to IT security, Frolov said. It proved that businesses must supplement technical solutions with cybersecurity awareness training for employees, access to the latest threat intelligence, and specialized protection for the entire IT infrastructure — especially for industrial control systems and cloud-based services.
“Although this may seem like a significant investment, if security professionals and business leaders can align their strategies and budgets to ensure that their business is prioritizing advanced protection, it will help the organization avoid costs in the millions of dollars in the aftermath of a breach,” he said.
The web services provider was fined $35 million in 2018 by the Securities and Exchange Commission for waiting more than two years to tell investors about a breach it knew of as early as December 2014, Ducklin said. As the SEC said in its settlement order: “We do not second-guess good faith exercises of judgment about cyberincident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
“Don’t try to sweep data breaches under the carpet,” Ducklin said. “One day, someone will look under it.”
Facebook was at the center of a few of the biggest breaches of the year, including the breach it reported in August 2018 of 50 million user records which were exposed through vulnerabilities in Facebook developer APIs, said George Anderson, Webroot’s director of product marketing.
“That incident showed us that no matter how security conscious a user is, there are some things you can’t prevent,” he said. “Even with two-factor authentication on all logins, users are always subject to the buggy code that is securing your data. A developer’s oversight will always trump the most robust security posture. I suspect these attacks will only grow and become worse as social media platforms evolve to be even more integrated with various apps – especially with criminals rarely standing still and always experimenting with new tools, exploits and tactics.”
The outsourcing giant apparently suffered a breach recently in which crooks who had broken into its network used the company as a jumping-off point to attack customers. When approached by investigative journalist Brian Krebs, the company “ummed-and-ahhed about the issues, relying on platitudes that left it looking worse off in the long run,” Ducklin said.
“However you play it, a data breach is an admission that crooks got into your business,” he said. “Don’t try to buy time by responding that your cybersecurity is robust and not to worry — it just makes you sound smugly ill-informed.”
Corporations like Facebook now are being held more accountable for the way they handle sensitive customer information, regardless of where the vulnerability occurs, Anderson said.
“This all means that MSPs need to be updating their security portfolios regularly, and they need to ensure they’re not only delivering solutions that enable a multilayered defense, but also AI-powered security solutions to help organizations do the best they can to keep up with the changing threat landscape,” he said.
One of the biggest breaches of the past year is the collective breach of information from 76 universities across 21 countries as well as 47 U.S. and foreign private sector companies, including the U.S. Department of Labor and the United Nations. The Iran-linked APT known as Cobalt Dickens was responsible for the attacks, which it carried out through phishing emails.
“These attacks demonstrate that comprehensive security awareness training with emphasis on regular and relevant phishing education can never be underestimated,” Anderson said. “It’s one of the most cost-effective approaches to improving the security posture of any organization. Partners should be educating all their employees on the risks associated with phishing as well as the latest phishing techniques, on a frequent and continuous basis. Employees need to be continually tested and evaluated on their ability to identify and avoid phishing attempts via regular phishing simulations. These simulations should evolve over time to be more challenging and targeted to prepare employees for advanced phishing techniques such as whaling, spear-phishing or social engineering.”
Phishing susceptibility can be gauged through continuous, randomized but relevant phishing simulations (i.e. a fake invoice scam might work well with accounting but not necessarily with marketing, thus the scams served should be different), Anderson said.
“Partners can have experts create test-phishing emails to gauge how good employees are at spotting and appropriately dealing with them,” he said. “While the C-suite and finance department may be the golden eggs for attackers, it’s better to train and measure everyone’s susceptibility and understanding. The results will show ‘repeat offenders’ and specific individuals who might need a different training and education approach. As the saying goes, ‘it only takes one person to click.’”
Panera Bread’s website leaked millions of customer records, including names, email and physical addresses, birthdays and the last four digits of customers’ credit card numbers, for at least eight months before being taken down last April, according to Krebs on Security.
“Just like any investment portfolio, a diversified one has the least risk,” said Andy Norton, Lastline’s director of threat intelligence. “Organizations investing in cybersecurity need a diversified portfolio that spans many detection methodologies that can be grouped into three separate buckets: known threat analytics; behavioral analytics; and network traffic analytics.”
Data collection firm Exactis somehow ended up with 2 terabytes of data on a publicly accessible site, open to anyone. It’s unknown who or how many people accessed the information before it was discovered, according to Avast.
The number of victims included 110 million businesses and 230 million consumers. The leaked information included phone numbers, email and physical addresses, interests, ages and even pet ownership.
Dunkin’ Donuts suffered two credential-stuffing attacks in three months, as hackers gained access to the donut chain’s customer accounts. Attackers might have accessed users’ names, email addresses, DD Perks account numbers and a DD Perks QR code — which they could have cashed in for a free doughnut.
“Credential stuffing is like giving malicious cyberattackers a key to your front door,” said Terry Ray, Imperva senior vice president and fellow. “The personally identifiable information (PII) accessed can be used to log into other accounts, potentially ones that have access to sensitive data. For example, if a DD Perks member used a work email and uses the same password to access confidential information at work, that data could be accessed and exposed by malicious attackers. This is why it is critical that consumers not only do not reuse their passwords across different accounts they hold, but they also change these passwords consistently and set up dual factor authentication to better protect themselves.”
The last several months have seen the continued onslaught of massive data breaches, and each of these catastrophic events holds lessons for MSSPs and other cybersecurity providers.
When it comes to data breaches, Paul Ducklin, Sophos’ senior technologist, has a simple and uncompromising way of explaining why things end badly for everyone.
“Imagine that you just acquired the services of the world’s biggest, most creative, most influential marketing agency, ready to run a massive global campaign especially for you,” he said. “And you told them to focus on making your organization look really bad, really quickly. Well, that’s pretty much what a data breach does for your business. There’s simply no upside, nor should there be. When you collect data from your customers for your own benefit, you owe it to them to look after it properly — to walk the cybersecurity walk, not merely to talk it.”
From Facebook to Marriott to Yahoo, the companies involved are paying dearly for the mistakes/shortcomings that led to the data breaches. The City of Chicago is suing Marriott, seeking restitution to residents that were affected by the breach, in addition to a monetary fine of at least $2,000 per offense, an injunction ordering the company to implement safeguards to avoid future breaches, plus attorneys’ fees, costs and a jury trial, according to a Legal NewsLine report.
And Facebook CEO Mark Zuckerberg could be facing personal sanctions from U.S. authorities for his company’s privacy and data breaches, just when the company admitted that an Instagram password breach had impacted millions of its users. And it was revealed last week that Facebook actually has logged 100 times more Instagram plaintext passwords than they originally disclosed last month, according to Sophos.
In the slideshow above, we highlight a number of the massive data breaches that have occurred in the past several months, and what cybersecurity providers can learn from each of them.