2017 Data Breaches: Here's What We Learned

Another year has passed and along with it another set of massive data breaches to look back upon.  In a digital age when we are providing more and more personal data to businesses and conducting most of our financial transactions online, we would expect companies to keep up with the threat landscape. 

But the headlines continue to pile up, one after another, leaving a fairly long “What Not to Do” list in their wake - as well as damaged reputations, monetary fines, and lost customers.
So today we’re taking the time to review some of the largest breaches of 2017 and what we can learn from each of them.


Uber

When? 2016

How Many People Were Affected? 57 million users and drivers

What Did They Get? Cell phone numbers, names, addresses, and additional personal information.

What Happened? The breach happened in 2016, but it wasn’t made public until November 2017.  Two attackers accessed a GitHub coding site used by Uber software engineers, found a set of login credentials, and used those credentials to access an infrastructure account that handled computing tasks for the company. Within that infrastructure, the attackers discovered an archive of rider and driver information.  Uber has admitted to failing to disclose the cyber attack, and it even paid the hackers not to release the stolen data and to keep the breach quiet.

Could It Have Been Prevented? Yes. This could have been prevented if Uber had used a more stringent, zero-trust approach to its perimeter security that would have required access to services to be authenticated, authorized and encrypted.

What Did We Learn? An attack doesn’t have to be sophisticated to be successful.  Had Uber simply been more diligent about its cybersecurity practices, this breach could have been prevented.  But what added further damage was Uber’s failure to report the breach.  If the company had remediated the problem and laid out a plan for avoiding future attacks, the impact would have been much less.



Yahoo

When? 2013 (But clearer facts were released in 2016 and 2017)

How Many People Were Affected? 3 billion (every single Yahoo account)

What Did They Get? Usernames, passwords, birthdays, phone numbers, and in some cases, security questions and answers.

What Happened? Talk about a blunder! While the data breach happened in 2013, Yahoo didn’t announce it until 2016. And if that wasn’t bad enough, they had to make a second statement in 2017 acknowledging all 3 billion users had been affected - not just the 500 million that they originally reported. The data breach was likely conducted through a cookie-based attack that let the cyber criminals authenticate as any other user without supplying the password.

Could It Have Been Prevented? Yes, the largest security breach in the history of the internet could have been prevented. According to a former employee on the security team, Yahoo’s executive team did not see security as a top priority.

What Did We Learn? Cybersecurity is a problem that every level in a company faces. Leadership and all members of the executive management team must be committed, and that commitment must radiate throughout every level of every department in order to maintain truly effective security.


Hyatt Hotels

When? Occurred in mid-2017

How Many People Were Affected? The company would not say how many people were potentially affected nor does it know exactly who may have been compromised.   

What Did They Get? Payment card details (credit card numbers, names, expiration dates, and verification codes).

What Happened? A total of 41 properties in 11 countries were affected in this breach. Hackers gained unauthorized access to payment card information from cards manually entered or swiped at the front desk of certain Hyatt-managed locations between March 18, 2017 and July 2, 2017.

Could It Have Been Prevented? The most important takeaway with this attack is that the breach could have been detected much earlier with the right security monitoring tools and policies in place.  This breach went undiscovered for nearly four months and was also Hyatt’s second breach in two years.  Clearly not enough lessons were learned in the first go-around.

What Did We Learn? One way to identify potential threats or suspicious events is with a Security Information and Event Management (SIEM) platform. A SIEM system correlates data across multiple systems in order to identify issues and patterns. With a SIEM platform in place and monitoring by a 24/7 Security Operations Center (SOC), it is possible Hyatt could have caught this breach much sooner.



Equifax

When? Discovered in July 2017

How Many People Were Affected? More than 143 million Americans and Canadians

What Did They Get? Personal information including social security numbers, dates of birth, addresses, and driver license numbers.

What Happened? Given the very sensitive personal information Equifax deals with, this breach was particularly alarming.  The breach was reported to have been caused by a single employee’s error.  What was that error?  Not installing an updated software patch.

Could It Have Been Prevented? Yes. Patching is one of the most fundamental aspects of a security program, especially for a company that deals with this level of personal information.  All patches should be installed immediately as they are released. 

What Did We Learn? Patch. Patch. Patch.  Also, when the risks are this high, employee security training is a no-brainer.  Every employee should have a thorough understanding of potential threats, how their actions can create or prevent vulnerabilities, and how to be proactive and effective as a company’s first line of defense.


No business is too small to be targeted by cyber criminals or to suffer a major security breach.  Learn from the mistakes of the big guys and implement a fully comprehensive security strategy to protect your company's most valuable asset: your data.  Know your network and know what’s happening on your network. Contact SLPowers today… As a SOC 2 certified Managed Security Services Provider (MSSP), we’ll get you there.