Did you know that 4.8 billion records were lost or stolen in breaches during 2018, per Gemalto’s Breach Level Index?
A number that high hints at the damage these breaches did to the data’s owners, whether individuals or institutions.
So, what should you learn from these data breaches? You must understand that data security is very important. It’s not just jargon but an important security concept that helps a person or company safeguard critical data. Let’s visualize its importance by learning about a few data breaches of this year.
First American [885 M Records]
First American Financial Corporation — the title insurance giant in the U.S. — leaked hundreds of millions of records in May 2019. The digitized documents — going back to 2003 (shockingly!) — were related to mortgage or title deals with a goldmine of personal information about property buyers and sellers.
“The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser,” wrote KrebsOnSecurity while reporting the leak publicly.
What was the issue? Its site (firstam.com) was leaking its customer records. Anyone who knew a valid link for one document could view other documents just by changing the document number in the link. It means anyone who received a record link from the company could access all documents.
How could it have been prevented? Though the company did not disclose the specifics of the issue, the available information hints at unauthorized access to the company’s data. It could have been blocked by installing an access management system and/or testing for vulnerabilities in the app or site.
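The kind of access check described above, as an added example that is not First American's code or part of the original post: the weak handler treats knowing a document number as permission, while the hardened one checks ownership on every request and issues share links as random, expiring tokens bound to one document. All names, the sample records and the share-link design are assumptions for illustration.

```python
import secrets
import time

# Constructed sample data: document number -> (owner, content).
DOCUMENTS = {
    1001: ("alice", "Alice's wire transaction receipt"),
    1002: ("bob", "Bob's mortgage record"),
}
SHARE_LINKS = {}  # token -> (document number, expiry timestamp)


class AccessDenied(Exception):
    """The caller may not read the requested document."""


def get_document_vulnerable(doc_number):
    # Weak form: knowing a document number is treated as permission, so
    # changing the number in a link returns another customer's record.
    return DOCUMENTS[doc_number][1]


def get_document(session_user, doc_number):
    # Hardened form: require a signed-in user and check ownership each time.
    if session_user is None:
        raise AccessDenied("authentication required")
    record = DOCUMENTS.get(doc_number)
    # Same error for "missing" and "not yours" so numbers cannot be probed.
    if record is None or record[0] != session_user:
        raise AccessDenied("document not available")
    return record[1]


def create_share_link(owner, doc_number, ttl_seconds=3600, now=None):
    # Only the owner can share; the token is random, not derived from the
    # document number, and is bound to exactly one document.
    get_document(owner, doc_number)
    issued = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SHARE_LINKS[token] = (doc_number, issued + ttl_seconds)
    return token


def get_shared_document(token, now=None):
    current = time.time() if now is None else now
    entry = SHARE_LINKS.get(token)
    if entry is None or current >= entry[1]:
        raise AccessDenied("link invalid or expired")
    return DOCUMENTS[entry[0]][1]
```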
16 Websites [617 M Accounts]
The data of hundreds of millions of user accounts from 16 hacked services were leaked in February 2019. The list of hacked sites included popular names such as Dubsmash (a well-known video dubbing app), ShareThis (an all-in-one widget to share content), and 500px (a popular online photography community).
The data was listed for sale on the dark web for less than $20,000 in BTC. “they consist mainly of account holder names, email addresses, and passwords… There are a few other bits of information, depending on the site, such as location, personal details, and social media authentication tokens,” reported The Register.
What was the issue? Since many websites were hacked, the vulnerabilities of each website can’t be discussed. The hacker exploited security vulnerabilities, got remote-code execution, then extracted user data, as per The Register. Also, some of these sites stored passwords using a weak hash function (like MD5).
How could it have been prevented? First of all, every company should follow the industry standard for storing passwords: a secure hash like bcrypt. Then, for the vulnerabilities, they should have done regular vulnerability tests, installed a web application firewall, and applied standard data security techniques.
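The move from MD5 to a slow, salted password hash, as an added example that is not code from any of the affected sites or from the original post: it verifies a legacy unsalted MD5 record at login and re-hashes it on success, so a site can upgrade its stored hashes without forcing a password reset. It uses scrypt from the Python standard library as a stand-in for bcrypt so that it runs without third-party packages; the record format and function names are assumptions.

```python
import hashlib
import hmac
import os

# scrypt cost parameters; a stand-in for bcrypt (assumption, see lead-in).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_md5(password):
    # Weak scheme: fast and unsalted, so equal passwords give equal hashes.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password):
    # A fresh random salt per user makes equal passwords hash differently.
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    if stored.startswith("scrypt$"):
        _, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
        return hmac.compare_digest(candidate.hex(), digest_hex)
    # Legacy record: plain MD5 hex digest, compared in constant time.
    return hmac.compare_digest(legacy_md5(password), stored)


def login(users, name, password):
    """Check a login and upgrade a legacy MD5 record when it succeeds."""
    stored = users.get(name)
    if stored is None or not verify_password(password, stored):
        return False
    if not stored.startswith("scrypt$"):
        users[name] = hash_password(password)  # replace the MD5 record
    return True
```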
Canva [139 M Accounts]
Canva, a Sydney-based tech unicorn popular for building logos, websites, and more, was hacked by a hacker or group of hackers known as GnosticPlayers, the same hacker(s) responsible for listing the data of 617 M user accounts (as mentioned above), per a post by ZDNet.
“Stolen data included details such as customer usernames, real names, email addresses, and city & country information… password hashes were also present… The passwords were hashed with the bcrypt algorithm, currently considered one of the most secure password-hashing algorithms around,” reports ZDNet.
What was the issue? The hacker used an undisclosed flaw in the company’s database server to download the data saved up to 17 May. Fortunately, its security team detected the data breach and closed their servers. To its credit, it also stored user passwords using bcrypt hashing with salting.
How could it have been prevented? The company detected the breach, but not before millions of users’ data was stolen. It needs to act on its security products to detect and stop attacks quickly. Also, it could have installed a web application firewall and access management system for better security.
8 Websites [127 M Accounts]
The hacker(s) responsible for the above two data breaches hacked more services later in February 2019. The list of newly hacked sites included ixigo (a popular hotel and travel booking service), YouNow (a famous live video-casting service), and Houzz (a community site about architecture and interior decoration).
“Ixigo and PetFlow used the old and outdated MD5 hashing algorithm to scramble passwords, which these days is easy to unscramble. Ariel Ainhoren, research team leader at Israeli security firm IntSights, said that the hacker may have used the same security flaw to target vulnerable sites,” per a post by TechCrunch.
What was the issue? The issue is not yet known, but it could have been in PostgreSQL, since six of the 16 sites used it in their backend. However, the team behind the database system denied these claims. Also, the issue could have been in their applications, their backend systems, or their backend networks.
How could it have been prevented? Those sites should have integrated a web application firewall, access management tool, and vulnerability scanner. The first tool would have helped in analyzing and blocking an attack, the second in blocking unauthorized access, and the last in scanning for vulnerabilities.
Chtrbox [49 M Records]
Chtrbox is an influencer marketing company that leaked a database in May 2019, exposing 49 million records. The database, hosted by Amazon Web Services, was openly available on the web, allowing anyone to access the Instagram account data it held without a password.
“each record contained public data scraped from influencer Instagram accounts, including their bio, profile picture, the number of followers they have, if they’re verified and their location by city and country, but also contained their personal contact information… email address and phone number,” wrote TechCrunch.
What was the issue? The company hosted a database filled with influencers’ personal information on the web without any security, not even a password. As a result, it was almost destined to get hacked or leaked. Don’t you agree?
How could it have been prevented? First and foremost, the database should have been password-protected, then its content should have been encrypted. Then, it should have been secured behind a firewall, and a proper data access management system should have been kept in place to safeguard its data.
That’s all about the biggest data breaches in the first half of 2019. The above list gives a clear idea of the damage data breaches can do to your company. It also shows what you can do to protect your own or your company’s critical data.
Of course, it’s much easier to opt for a security product providing 360-degree protection like Imperva’s FlexProtect Plans. They provide a mix of features and tools for securing apps as well as data. For example, they offer API Security, Bot Protection, Data Monitoring and Protection, Web Application Firewall, etc.
So, what did you learn about data security through this post? Please leave your feedback by writing a comment below or reaching out via the contact page.