The end of the year is a time for reflection. Some companies may be reflecting on how they could have better protected their data. 2019 was certainly the year for data breaches with the largest amount of data lost by companies of any year on record. As more data is being stored on cloud platforms, companies are becoming more prone to security breaches.
While there were many major breaches this year and the full impact of each breach can be difficult to determine, five of these breaches stick out as the biggest in terms of data lost and reputation damage.
Capital One
In July 2019, Capital One’s data on over 100 million people was exposed. This information included Personally Identifiable Information (PII), which is information that can be used to identify a specific individual, such as e-mail addresses, phone numbers, and Social Security numbers. The Social Security numbers of over 140,000 people were exposed in this breach.
Hacker Paige Thompson exploited a misconfigured Amazon web application firewall to access Capital One’s data. The company used Amazon Web Services (AWS) to host its information in the cloud, and Ms. Thompson was a former AWS employee who knew the techniques needed to exploit the poorly configured firewall.
Capital One offered free credit monitoring and identity protection for affected customers. Capital One estimates that the breach will cost the company between 100 and 150 million dollars. These costs include notification, monitoring, remediation, and legal fees. Capital One’s stock fell by 5% in the days following the attack. As with most breaches, it is unclear how this attack will affect the company’s reputation and customer base; only time will tell. It would certainly have been less expensive for the company to hire qualified security professionals to prevent an attack like this from taking place.
Facebook
Facebook, the social media giant that owns Instagram and WhatsApp, admitted to disclosing details of over 419 million user phone numbers. This is a completely separate breach from the Cambridge Analytica scandal that led to a Congressional investigation, and it is also unrelated to the Instagram breach earlier this year.
Two third-party application development companies were responsible for posting the data insecurely on Amazon cloud servers. The Mexico-based company Cultura Colectiva was responsible for the majority of the leaked information. Essentially, the data was stored without any form of protection: anyone could access the server and download it.
User phone numbers can be used for scam calls or by less scrupulous companies for marketing purposes. Many online accounts also rely on phone numbers for password resets. Attackers could conduct what is known as a SIM swapping attack, in which a phone carrier is tricked into transferring a person’s phone number to a new device. With control of the user’s phone number, the attacker can initiate a legitimate password reset and gain access to the user’s account. Facebook has not offered any form of compensation or identity protection for users affected by the disclosure.
First American Financial
First American Financial disclosed in May that it had left over 800 million sensitive documents exposed on its website. This Fortune 500 company provides mortgage and banking services. The information disclosed included bank account numbers, mortgage records, Social Security numbers, and other PII. Each of these documents, some dating all the way back to 2003, could be accessed directly through the website without a username or password.
This data disclosure was not the work of some mastermind hacker; it was a simple security misconfiguration. Links on the website pointed to these sensitive documents without any form of authentication. This class of flaw, known as Insecure Direct Object Reference (IDOR), meant that anyone who accessed the site could potentially reach any of these documents. A document could be retrieved simply by modifying the URL of an existing document, and the identifiers followed the most obvious format possible: a sequential list starting at 000000001 and going up to 885000000. Once attackers discover a vulnerability like this, it is easily exploited.
What’s worse is that it is impossible to know who accessed the data. Since there was no intrusion and therefore no attack to detect, this information could have been siphoned off for many months without First American Financial’s knowledge.
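To make the misconfiguration and its fix concrete, here is an added example (not First American’s code; the document store, account names and log lines are constructed): the first lookup is the IDOR pattern, the second ties each document to the logged-in owner and writes an audit record, and the last function addresses the "who accessed it?" question by flagging clients that walk many document ids in the web server log.

```python
import re
from collections import defaultdict

# Constructed sample document store: document id -> (owner account, content).
DOCUMENTS = {
    "000000001": ("alice", "mortgage record for alice"),
    "000000002": ("bob", "bank statement for bob"),
}
AUDIT_LOG = []  # the hardened lookup records every access decision here

class AccessDenied(Exception):
    pass

def fetch_document_insecure(doc_id):
    """The IDOR pattern: the id from the URL is the only key.
    No login, no ownership check, no record of who asked."""
    rec = DOCUMENTS.get(doc_id)
    return rec[1] if rec else None

def fetch_document_secure(doc_id, session_user):
    """Hardened lookup: require an authenticated user, then confirm
    the requested document belongs to that user before returning it."""
    if session_user is None:
        AUDIT_LOG.append((None, doc_id, "denied:unauthenticated"))
        raise AccessDenied("login required")
    rec = DOCUMENTS.get(doc_id)
    if rec is None or rec[0] != session_user:
        # Same outcome for "missing" and "not yours" so ids cannot be probed.
        AUDIT_LOG.append((session_user, doc_id, "denied:not-owner"))
        raise AccessDenied("document not found")
    AUDIT_LOG.append((session_user, doc_id, "allowed"))
    return rec[1]

LOG_RE = re.compile(r'^(\S+) .*"GET /documents/(\d{9}) ')

def find_enumerators(log_lines, max_distinct=5):
    """Flag clients that request more than max_distinct different document
    ids, the footprint of a client walking the sequential id space."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) > max_distinct}

# Constructed access-log lines in combined log format (not real traffic).
SAMPLE_LOG = [
    f'198.51.100.7 - - [24/May/2019:10:00:{i:02d} +0000] "GET /documents/{i:09d} HTTP/1.1" 200 512'
    for i in range(1, 8)
] + ['192.0.2.4 - - [24/May/2019:10:05:00 +0000] "GET /documents/000000002 HTTP/1.1" 200 512']
```

The threshold in find_enumerators is a starting point; a real deployment would tune it against the number of documents a legitimate customer views in a session.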
Because this disclosure was the result of a prolonged security misconfiguration, it is impossible to determine how many people were affected. The data was left exposed for an unknown amount of time (First American Financial refuses to disclose how long), and even after the security flaw was fixed, cached versions of the data were still found online. This means that the data could have been accessible for most of 2019. First American Financial was not punished at all for this breach and suffered no perceivable fallout from the disclosure: its stock price remained steady, and the company is not offering any form of identity theft protection to those potentially affected.
Macy’s
In October 2019, Macy’s website was breached by attackers who stole PII from online customers. The stolen data includes names, addresses, e-mail addresses, phone numbers, and credit card data.
An attacker succeeded in installing code on Macy’s checkout page. This code read customer data as it was entered and secretly reported it to the attacker. Macy’s did not disclose how long this code was running or how many people were affected. Online stores run web applications that are susceptible to attacks of this nature: attackers take advantage of flaws in the application code to reach “protected” data.
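As an added illustration of how a checkout-page skimmer can be caught (not code from Macy’s or any vendor; the allowlist, origins and sample page are constructed), here is a monitoring check that parses the checkout page and flags scripts from unexpected origins, scripts without a Subresource Integrity hash, and inline scripts, plus the SRI hash computation that lets a pinned script be compared against what is actually being served.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the only origins expected to serve script on checkout.
ALLOWED_ORIGINS = {"https://www.example-store.test", "https://pay.example-psp.test"}

class ScriptCollector(HTMLParser):
    """Collects every <script> tag: external src and integrity attr, or inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_inline = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": ""})
            self._in_inline = a.get("src") is None
    def handle_data(self, data):
        if self._in_inline:
            self.scripts[-1]["body"] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def sri_hash(script_body: bytes) -> str:
    """Subresource Integrity value (sha384-<base64>) as a browser computes it;
    a modified script no longer matches the value pinned in the page."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_body).digest()).decode()

def audit_checkout_page(html: str):
    """Findings a monitoring job should raise for a checkout page: scripts from
    unexpected origins, scripts without SRI, and inline scripts."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for s in p.scripts:
        if s["src"] is None:
            findings.append(("inline-script", s["body"].strip()))
            continue
        u = urlparse(s["src"])
        if f"{u.scheme}://{u.netloc}" not in ALLOWED_ORIGINS:
            findings.append(("unexpected-origin", s["src"]))
        if not s["integrity"]:
            findings.append(("missing-integrity", s["src"]))
    return findings

# Constructed checkout page: one expected script with SRI, one unknown script, one inline.
SAMPLE_PAGE = """<script src="https://www.example-store.test/js/checkout.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.unknown-third-party.test/a.js"></script>
<script>window.dataLayer = [];</script>"""
```

The browser enforces the integrity attribute on its own; sri_hash lets the monitoring job recompute the value for a freshly fetched copy of a first-party script and notice a modification before customers load it.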
Immediately after the attack was announced, Macy’s stock price fell by 11%. Macy’s had to hire a third-party computer forensics firm to investigate the breach. It also hired Experian to provide identity theft protection for one year for all affected customers. News of the breach broke in mid-November, just before the busiest holiday shopping period of the year. Who knows how many customers chose other retailers over Macy’s this holiday season because of this breach?
FEMA
The Federal Emergency Management Agency (FEMA) inadvertently disclosed the records of over two million people earlier this year. FEMA, part of the U.S. Department of Homeland Security, is responsible for assisting citizens with disaster preparedness and disaster recovery. These records included PII such as names, addresses, bank account details, and phone numbers. An estimated 1.8 million people had their bank information and addresses leaked in this disclosure.
This incident occurred when FEMA willingly shared the information with a third-party contractor, against its own regulations and federal guidelines. The contractor, which has not been named, was hired to assist with the Transitional Sheltering Assistance program, which provides temporary housing for disaster victims. Much of the sensitive data that was shared was not required to administer this program, so the scenario could have been entirely avoided if only the relevant data had been shared. Although no external breaches were detected and the sensitive data was scrubbed from the contractor’s database, the individuals affected are now at an increased risk of identity theft and fraud.
The Inspector General’s Office investigated the disclosure and required FEMA to alter its regulations to bolster data protection measures. FEMA is also offering identity theft protection services to those affected. As with most inadvertent data disclosures, the cost of correcting the disaster far outweighs the cost of implementing proper security in the first place. Not only has FEMA incurred an enormous financial cost, its reputation has been shaken.
With data breaches becoming ever more prevalent, the need for trained cybersecurity professionals is greater than ever. All of these breaches were the result of a failure in cloud security, which makes now the perfect time to pursue a Certified Cloud Security Professional certification. This certification shows companies like these that you understand the complexities of cloud security and can manage cloud systems. Take the CCSP prep course at cyberkrafttraining.com and start the new year with a new certification!