In the first half of 2017, more data breaches were reported than in the whole of 2016.
If news of a data breach immediately has you visualizing a hacker in a basement full of monitors launching cyber-attacks on unsuspecting companies in the dead of night, you’d be somewhat right.
Gemalto’s Breach Level Index (BLI) reports that 74 percent of data breaches are a result of cybercriminals working from the outside to infiltrate the storage of data for personal gain.
However, the BLI also shows that accidental loss and malicious insiders account for a staggering number of stolen personal records. Accidental loss makes up just 18 percent of all breaches, yet it is the source of 86 percent of all stolen records. Malicious insiders, meanwhile, obtained 2 million records in the first half of 2017, up from 500,000 in the previous six-month period.
Targets for data breaches vary across industries, with some sectors more favored than others. Healthcare was the hardest-hit industry in the first half of the year by number of breaches, although far fewer health records were stolen than in the public sector or the technology industry.
North America accounts for 88 percent of reported data breaches worldwide. At face value that suggests a particularly severe cybersecurity problem in the region, but a large part of the gap is transparency: the US has almost universally mandated the notification of security breaches, so far more of them become public.
New Mexico became the latest state to enact a breach notification law, leaving Alabama and South Dakota as the only two US states with no law requiring private or government entities to give notice of security breaches involving personally identifiable information.
The introduction of the United Kingdom’s data protection bill and the EU’s General Data Protection Regulation (GDPR) in 2018 will bring similar transparency, and will surely see the number of disclosed breaches across Europe swell from the 49 reported in the first half of this year.
New government regulation in Australia, which comes into effect in February next year, will also mandate the reporting of data breaches to the Office of the Australian Information Commissioner (OAIC). This should have a similar effect on the country’s reported figures, which closely track Europe’s at just 47 data breaches in the first half of this year.
Despite the commercial impact on the targeted companies and insurers, and the adverse effect on customers whose personal data is stolen or jeopardized, breaches remain a daily occurrence, with 10.4 million records exposed or stolen every day.
And whilst not every breach is on the scale of those widely reported at Yahoo, Target, Adobe and eBay, data breaches are not only here to stay; we are also likely to keep seeing reports of misconduct within the targeted companies.
From hiding knowledge from authorities and the persons whose data has been stolen, to paying off hackers, to selling shares before public announcements; the conduct of the breached companies leaves a lot to be desired.
The last three months have had their fair share of data breach revelations, with Uber, Equifax, the SEC, Deloitte and at least 12 Malaysian telcos making cybersecurity headlines.
Uber
Just when you thought the cultural and ethical compass of ride-sharing company Uber couldn’t be in more need of recalibration, it was revealed today that the company’s executives hid a monumental data breach from authorities and instead paid off the hackers to delete the data and keep quiet.
For over 12 months, Uber concealed the fact that two hackers had obtained 57 million customer and driver records, including names, email addresses, phone numbers and, for around 600,000 US drivers, driver’s license numbers.
Instead, Uber paid the pair $100k in exchange for their silence and the deletion of the data.
Whilst the company maintains the records were never used by the hackers, Uber was legally obligated to report the breach but failed to do so.
It was an external law firm commissioned by Uber’s board that discovered the undisclosed hack, which it says took place in October 2016.
Bloomberg revealed that the two hackers were able to access an archive of rider and driver information stored in an Amazon Web Services account. The login credentials for that account had been obtained from “a private GitHub coding site used by Uber software engineers”: in other words, cloud access keys had been committed to source control, and anyone who could read the repository could read the keys. A private repository is not a secrets store; keys checked in once remain in the commit history even after the file is deleted.
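The failure described above, credentials sitting in a code repository, is detectable. The following Python is an added example (it is not Uber’s tooling, nor code from the original article) that scans text such as `git log -p` output or a checked-in config file for AWS-style access keys: access key IDs by their fixed prefix and length, and secret access keys by a nearby “secret key” keyword plus a Shannon-entropy threshold so that dummy placeholders in sample configs are not reported. The sample diff is constructed and uses the placeholder key pair from the AWS documentation, not real secrets; the entropy threshold of 3.5 bits per character is an assumption.

```python
"""
Scan text (git diffs, config files, CI logs) for AWS-style credentials.
Added example with a constructed sample input; the key pair below is the
well-known placeholder from the AWS documentation, not a live credential.
"""
import math
import re
from collections import Counter

# Long-term user access key IDs start with AKIA, temporary STS ones with ASIA,
# followed by 16 upper-case alphanumerics. The ID alone grants nothing, but it
# is a reliable, low-false-positive marker that a key pair has leaked.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Secret access keys are 40 base64-ish characters. That shape also matches git
# SHAs and random tokens, so require a "secret ... key" keyword within a few
# characters, and apply an entropy check before reporting one.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; a placeholder like 'AAAA...' scores 0."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def mask(secret: str) -> str:
    """Keep enough of a secret to locate it in the repo without re-leaking it."""
    return secret[:4] + "..." + secret[-4:]


def find_aws_credentials(text: str, min_entropy: float = 3.5) -> list[dict]:
    """Return one finding per credential-looking token, with its 1-based line number.

    min_entropy (assumed threshold) filters out low-entropy dummy values.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            entropy = shannon_entropy(secret)
            if entropy < min_entropy:
                continue  # e.g. a dummy value in a sample config
            findings.append({
                "line": lineno,
                "kind": "secret_access_key",
                "value": mask(secret),
                "entropy": round(entropy, 2),
            })
    return findings


# Constructed sample: what a leaked commit might look like in `git log -p`.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+# placeholder in the sample config, should not be reported:
+aws_secret_access_key = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+LAST_DEPLOY_COMMIT=3f4b9e1c2d5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c
"""

if __name__ == "__main__":
    for finding in find_aws_credentials(SAMPLE_DIFF):
        print(finding)
```

Run against the sample, the scanner reports the access key ID on line 1 and a masked secret on line 2, and ignores both the all-`A` placeholder (entropy 0) and the 40-character commit hash (no keyword). In practice this would be run over every commit in the history, not just the working tree, and a hit should trigger key rotation rather than just file deletion, since the key remains recoverable from earlier commits.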
Unbelievably, the company was negotiating the terms with the hackers whilst it was also settling an unrelated lawsuit with the New York Attorney General over data security disclosures, and during the Federal Trade Commission’s investigation into Uber’s handling of consumer data.
The breach itself points to weak security practice, but Uber’s failure to report it promptly is by far its biggest failing. The company had already been fined $20,000 in January 2016 for failing to adequately notify authorities of a 2014 data breach.
The company’s co-founder and former CEO, Travis Kalanick, learned of the 2016 cyber-attack a month after it took place, and was in the top job when at least five criminal probes and dozens of civil lawsuits were filed against the company. Somehow Kalanick remains on Uber’s board, while the Chief Security Officer and one of his deputies were fired instead.
Equifax
In September 2017, one of the world’s leading credit reporting agencies, Equifax, revealed a data breach that ran over roughly three months (May to July 2017). Beyond the core consumer records, the attackers took around 209,000 credit card numbers and about 182,000 dispute documents containing personal information.
Equifax only went public six weeks after discovering the breach, revealing that records on 143 million consumers had been exposed through an unpatched web application vulnerability that was entirely avoidable.
The entry point was a known vulnerability in the Apache Struts web application framework. A patch had been available for months, and Equifax reportedly failed to follow advice to update its Struts platform; applying the patch would have prevented the breach altogether.
Some time after Equifax went public, it was revealed that customers in the UK and Canada were also affected.
Property Claim Services (PCS) has estimated an insured loss of $125 million, with overall economic losses of the cyber-attack expected to be even larger.
Dozens of lawsuits have already been filed by people who had their personal data exposed, which included social security numbers, birth dates, addresses and some driver’s license numbers.
Adding to the mounting public and legal pressure, there were calls for further investigations after it was revealed that three senior Equifax executives sold stock after the breach was discovered but before the public was informed.
To rub further salt into the wounds, customers trying to find out whether they were personally affected were originally required to accept terms that waived their right to join any class-action lawsuit. Mounting complaints led the company to remove the clause.
With the damage done, Equifax’s CEO retired but not before defending the company’s actions:
“We acted immediately to stop the intrusion. We [reported] the event to law enforcement, and we continue to work with authorities,” said Equifax Chief Executive, Rick Smith.
Equifax’s Chief Information Officer and Chief Security Officer also stepped down following the hacking revelations.
US Securities and Exchange Commission (SEC)
Also in September this year, the US SEC publicly revealed that a software vulnerability in the Commission’s corporate filing system resulted in hackers gaining access to non-public trading information.
Whilst personal data was not accessed, it’s believed the corporate filing system known as “EDGAR” housed critical commercial and trading data such as information on mergers and acquisitions, and quarterly earnings figures, all in advance of public announcements.
The SEC, the US financial markets regulator, said the system was accessed in 2016 and that the information may have been used for illicit trading gains; the public acknowledgement came well over a year later.
The SEC says it patched the unspecified vulnerability as soon as it was discovered in 2016. Reports, however, indicated that five further critical patches were applied as late as January this year, raising questions about the adequacy of the Commission’s follow-up, even after a breach of this significance had occurred months earlier.
Deloitte
The usernames, passwords, IP addresses and sensitive business information of an undisclosed number of US-based Deloitte customers were exposed in a cyberattack that took place in November last year.
The Big Four accounting firm confirmed that it had notified government authorities immediately after becoming aware of the breach, as were the “very few clients” who were impacted.
It was reported that the hackers gained access to Deloitte’s email server, exposing sensitive emails and attachments. The email system was hosted on Microsoft’s Azure cloud service, and the administrator account that was compromised is believed to have been protected by a password alone, with no two-factor authentication. For an account with administrative reach over an entire mail platform, a single password is a single point of failure; a second factor would have stopped a stolen or guessed password from being enough.
Deloitte released very little information to the public, but made it clear that it had initiated “an intensive and thorough review, which included mobilizing a team of cyber-security and confidentiality experts inside and outside of Deloitte.” The company also confirmed that the review of their email platform was complete.
Malaysian telcos and Jobstreet
A 2014 data breach was uncovered just last month by Malaysian technology news site Lowyat.net. The site revealed that more than 46.2 million mobile numbers from Malaysian telcos and mobile virtual network operators (MVNOs) were being traded online.
The millions of records being sold via bitcoin and on Lowyat Forums included at least 12 telcos: Altel, Celcom, DiGi, Enabling Asia, Friendimobile, Maxis, MerchantTradeAsia, PLDT, RedTone, TuneTalk, Umobile and XOX.
There were also 17 million records from Malaysia’s #1 careers website, Jobstreet, up for sale, which included names, login details, nationalities, phone numbers and home addresses.
Even more concerning was a large-scale breach of medical records from the Malaysian Medical Council (61,000 records), the Malaysian Medical Association (20,000 records) and the Malaysian Dental Association (4,200 records). All of the data is believed to have been originally stolen between 2014 and 2015.
The Malaysian authorities have said very little to date on the matter given investigations are ongoing, instead calling for the public to avoid speculation at this time.