This year’s state of cybersecurity has had ups and downs.
Although research undertaken by the Identity Fraud Resource Center showed that there was a 33 percent decrease in the number of publicly recorded data breaches in the first half of 2020 relative to the number reported in the first half of 2019, the number of exposed records has risen significantly.
Cyber criminals continue to steal information from the world’s biggest organizations, finding new ways to compromise classified information.
Let’s examine some of this year’s top data breaches so far, reflecting on why they occurred and how they could have been avoided.
Slickwraps, 21st February 2020
Slickwraps, an electronics accessories company, has a breach story that starts with a self-proclaimed “white hat” hacker who tried to alert the company to its “abysmal cybersecurity.” When the company chose to ignore the alert, the hacker decided to write a post about the experience. That post was found by a second hacker, who not only exploited these vulnerabilities but also emailed all customers to let them know that their data had been compromised.
The exploit was possible because of a remote code execution flaw in the phone customization tool. The tool allowed end users to upload custom images, and the hacker could abuse this by uploading a file that eventually enabled them to execute shell commands. Customer images, billing and shipping addresses, administrator account information, and employee resumes were exposed through this vulnerability.
Antheus Tecnologia, 11th of March 2020
Antheus Tecnologia, a Brazilian biometric solutions firm, had left sensitive data, including details on 76,000 fingerprints, exposed on an unsecured log server. This information was left exposed on the internet and was discovered by the SafetyDetectives security analysis team. In addition to the fingerprint data, other confidential information was found, such as facial recognition data, employee addresses, phone numbers, and administrator login information.
The exposure of these forms of biometric data is especially troubling because the value of this data does not decrease over time. Once it is stolen, the intruder holds data that potentially never goes stale and can be used for malicious purposes now or at some point in the future.
ExecuPharm, 13th of March 2020
The ransomware attack on this major US pharmaceutical company actually took place in March, but it was not disclosed to the public until one month later. Through a phishing campaign aimed at ExecuPharm employees, the attackers gained access to servers and, once inside, encrypted the data and demanded a ransom to decrypt it. When the attackers did not obtain the ransom they had asked for, they released the stolen data on the dark web, including thousands of employee addresses, financial records, user information, and database backups. Personal information ranging from social security numbers to bank and credit card numbers could potentially be included in these records.
Marriott, 31st of March, 2020
Five-two million visitors
Just 2 years after the huge data breach resulting from their purchase of Starwood Hotels, Marriott revealed that guest details had been obtained through two compromised employee credentials. The credentials allowed the attackers to access an application that the hotel franchise used to help provide guests with services. Although it is uncertain how the hackers gained access to the employee passwords, they were able to slowly collect data for a month before being detected. The exposed information includes contact information, loyalty account information, personal information (gender, birthday), related loyalty programmes and numbers, and preferences.
EasyJet, 19th of May, 2020
Five-two million visitors
Although the company discovered the attack on this European airline in January, knowledge about the attack was not revealed to all the affected customers until May. This failure to protect data and the delay in contacting customers have landed them under strong scrutiny and facing a class-action lawsuit under the GDPR, which could cost them up to £18 billion. Email addresses, names, travel histories, and credit card information, including the three-digit CVV, have been exposed, although the company has yet to reveal how the attack was possible.