An unsecured database holding the personal information of 49 million Instagram users was recently discovered exposed on the internet. The exposure affected numerous celebrities, influencers, and brands, because the database belonged to a social media marketing firm that specializes in sponsored content for the platform. For Facebook, the parent company of Instagram, the episode is just the latest in a series of data security lapses.
Breaches such as this one appear in the news regularly, and although the results are usually similar, the causes vary. Businesses should study recent data breaches to protect themselves against the same kinds of attacks.
Lessons learned from recent data breaches
Plenty of articles rank the biggest data breaches by how many records were exposed, but weight must also be given to what type of data was exposed and how the exposure happened.
In terms of sheer size, the Yahoo breach of 2013 still stands as the largest single data breach, with the company eventually admitting that all 3 billion of its user accounts were compromised. However, the initial intrusion method has never been publicly established, so there is little to learn from it.
The following is a list of five recent data breaches, each with a unique root cause that can inform and improve IT security practices.
Target – December 2013
In December 2013, Target Corp. disclosed a breach affecting 110 million customer accounts. Its initial report that 40 million payment card accounts were compromised grew weeks later when it announced that contact information for an additional 70 million customers had also been taken.
In the fall of 2013, attackers quietly installed malware on Target’s point-of-sale network. Instead of breaking into Target’s systems directly, they used credentials stolen from a third-party HVAC and refrigeration contractor.
The contractor had been given access to a Target vendor portal to submit invoices and manage projects related to fresh food refrigeration systems. Those vendor-facing systems were not sufficiently segregated from the networks that carried customer data and payment transactions.
Root cause: Lack of multifactor authentication
Target itself was compromised only in the sense that, once the attackers held the contractor’s credentials, they used the vendor portal as a foothold and pivoted into the payment network. It is convenient to blame the contractor for losing its credentials, but the reason 110 million records were exposed was Target’s failure to require multifactor authentication for that remote access, which the PCI DSS requires for third-party access to systems handling cardholder data. Something as simple as a one-time code sent to the contractor’s phone would have made the stolen password useless on its own, and tighter segmentation between the vendor portal and the payment network would have limited the damage even if the login had succeeded.
Takeaway: Multifactor authentication is often key to preventing data breaches.
Equifax – September 2017
In 2017, Equifax suffered a cyberattack that exposed the records of roughly 143 million U.S. consumers (a figure later revised to more than 147 million), nearly half the adult population of the United States. Compromised information included names, Social Security numbers, birthdates, addresses, and driver’s license numbers.
Equifax, along with TransUnion and Experian, is one of the three major credit bureaus. Considering its role in measuring how well the public maintains its credit records, Equifax was disturbingly lax in protecting its own.
Root cause: Failure to patch a known vulnerability
Equifax did not patch its systems in a timely manner despite being notified about the Apache Struts web application vulnerability (CVE-2017-5638) roughly two months before attackers began exfiltrating the personally identifiable information of millions. There were other contributing failures, including a flat network that let the attackers move freely between systems and an expired certificate on a traffic-inspection device that left the encrypted exfiltration unnoticed for more than two months. However, the fault ultimately lies with the delayed patch.
Delayed patching is often the result of management not wanting to disrupt production or dedicate the time and resources needed to test and deploy a patch, despite the attendant risks. Another cause is poor communication. Reports indicate that Equifax knew the patch was needed, but the notice never reached the administrators responsible for the vulnerable system.
Takeaway: Installing patches in a timely manner is a critical data breach prevention measure.
Heartland Payment Systems – March 2008
OK, so maybe this data breach isn’t so recent, but it’s definitely relevant. Back in 2008, Heartland Payment Systems suffered a breach of roughly 134 million debit and credit card records, a record at the time. As a processor handling tens of millions of transactions each month, Heartland was an attractive target for hackers seeking payment card data, including the track data stored on cards’ magnetic stripes.
Root cause: SQL injection attack
Heartland Payment Systems’ network was penetrated through an SQL injection attack nearly a year before the breach was discovered in January 2009. By submitting crafted input that a vulnerable web application concatenated directly into its database queries, the attackers were able to run SQL of their own choosing and gained a foothold inside Heartland’s corporate network.
From behind the firewall they worked their way into the payment processing network and captured card data as it passed through. SQL injection has evolved and remains an effective attack more than a decade later.
The use of parameterized statements, which send the query structure and the data values to the database separately so that user input is never interpreted as SQL, together with tightly scoped database permissions for the application’s account, reduces both the likelihood of a successful injection and the damage one can do.
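To make those two mitigations concrete, here is an added example written for this article, not Heartland’s code, using Python’s built-in sqlite3 module and a constructed two-row users table. The vulnerable login builds its query by string formatting; the hardened one binds its parameters. A SQLite authorizer callback stands in for a database account that has been granted SELECT only, which a real database server would express with GRANT statements rather than a callback.

```python
import sqlite3

# Constructed sample data for the demo. Real systems store password hashes,
# never plaintext; plaintext is used here only to keep the query simple.
SAMPLE_USERS = [
    ("alice", "correct horse", "admin"),
    ("bob", "battery staple", "clerk"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Injectable login: untrusted input is spliced into the SQL text, so a
    quote in the input changes the structure of the query itself."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username: str, password: str):
    """Hardened login: the query shape is fixed and the values are bound
    separately, so the database never parses user input as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def restrict_to_reads(conn) -> None:
    """Least privilege for the application's database identity: allow SELECT
    and column reads, refuse every write. On a server DBMS this is GRANT SELECT
    to the application role; the SQLite authorizer models the same effect."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)


def escalate_attempt(conn) -> bool:
    """What an attacker who can run arbitrary SQL tries next: a write.
    Returns True if the write succeeded, False if the database refused it."""
    try:
        conn.execute("UPDATE users SET role = 'admin' WHERE username = 'bob'")
        conn.commit()
        return True
    except sqlite3.DatabaseError:  # "not authorized" once writes are denied
        return False


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"  # closes the quote and comments out the password check
    print("vulnerable:    ", login_vulnerable(db, payload, "wrong"))      # ('alice', 'admin')
    print("parameterized: ", login_parameterized(db, payload, "wrong"))  # None
    restrict_to_reads(db)
    print("write allowed: ", escalate_attempt(db))                       # False
```

The payload `alice' --` is enough to log in as the administrator through the vulnerable function, while the parameterized version treats the same string as a literal username that does not exist. The privilege restriction matters for the case Heartland actually faced: even if an attacker finds a way to run their own SQL, an account that can only read the tables the application needs cannot be used to alter records or pivot through the database server.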
Security software can also help. A web application firewall can block requests that carry recognizable injection patterns, and the same products typically defend against unrelated threats such as DDoS attacks that flood servers with meaningless requests. Such filtering is a backstop, though, not a substitute for fixing the queries themselves.
Threat scan results in IT security software Imperva Incapsula (Source)
Takeaway: Parameterized queries, restricted database privileges, and security software can all mitigate the risk of SQL injection attacks.
SunTrust – April 2018
SunTrust is a bank holding company with more than 1,400 branches throughout the southeastern United States. In April 2018, SunTrust announced that 1.5 million clients had their names, phone numbers, addresses, and account balances exposed. Social Security numbers and bank account numbers were reportedly not compromised.
Root cause: Insider attack
Rather than an outside hacker breaking into a database, a former SunTrust employee accessed banking systems from the inside and attempted to sell the stolen data to a criminal third party.
Facebook’s recent admission that it had stored hundreds of millions of user passwords in plaintext (neither hashed nor encrypted) was made worse by the fact that the data was searchable by thousands of employees. While the passwords do not appear to have been abused, Facebook’s failure to restrict access and apply basic precautions could easily have produced another massive data breach.
One strategy for mitigating insider threats is to assign access permissions according to a data classification policy, so that employees cannot reach data that is irrelevant to their role. Another is to make sure that when an employee leaves the company, every credential is deprovisioned: business applications, email, social media, and physical facility access alike.
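Both controls lend themselves to a periodic audit that compares what people can access with what HR says they should. The following is an added example, not SunTrust’s or Facebook’s tooling: a small Python script with a constructed HR roster, a constructed application grant export, and a hypothetical classification policy (all names, systems, roles, and the clearance table are made up) that flags accounts belonging to departed or unknown employees and grants that exceed the clearance of the holder’s role.

```python
from dataclasses import dataclass

# Hypothetical data classification policy: higher rank means more sensitive.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Highest classification each role may read (hypothetical). A role missing from
# this table is treated as cleared for public data only, so unknown roles fail closed.
ROLE_CLEARANCE = {"teller": "confidential", "marketing": "internal", "dba": "restricted"}


@dataclass(frozen=True)
class Employee:
    role: str
    active: bool  # False once HR has processed the departure


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    classification: str  # classification of the data this grant exposes


# Constructed HR roster and application grant export, as the audit job would see them.
HR_ROSTER = {
    "alice": Employee("teller", True),
    "bob": Employee("marketing", True),
    "carol": Employee("dba", False),  # resigned; HR marked her inactive
}

APP_GRANTS = [
    Grant("alice", "core-banking", "confidential"),
    Grant("bob", "crm", "internal"),
    Grant("bob", "account-balances", "confidential"),  # beyond marketing's clearance
    Grant("carol", "core-banking", "restricted"),      # survived her departure
    Grant("dave", "vpn", "internal"),                  # nobody by that name in HR
]


def audit_access(roster, grants):
    """Return (finding, grant) pairs. 'deprovision' marks grants whose owner is
    inactive or unknown to HR; 'over-privileged' marks grants whose data is
    classified above the ceiling for the owner's role."""
    findings = []
    for g in grants:
        emp = roster.get(g.user)
        if emp is None or not emp.active:
            findings.append(("deprovision", g))
            continue
        ceiling = CLASSIFICATION_RANK[ROLE_CLEARANCE.get(emp.role, "public")]
        if CLASSIFICATION_RANK[g.classification] > ceiling:
            findings.append(("over-privileged", g))
    return findings


if __name__ == "__main__":
    for kind, grant in audit_access(HR_ROSTER, APP_GRANTS):
        print(f"{kind:16} {grant.user:6} {grant.system:18} {grant.classification}")
```

In practice the roster comes from the HR system and the grants from each application’s access export or an identity provider, and the job runs on a schedule; the point is that the join between the two is the control. A departed employee whose accounts are still live and a marketing user who can read account balances both surface in the same report.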
Takeaway: Companies must guard against both malicious outsiders and trusted insiders.
Marriott – September 2018
Marriott’s data breach, disclosed in the fall of 2018, is one of the most consequential on record. The reason is both the number of guest records compromised, initially estimated at approximately 500 million and later revised to roughly 383 million, and the type of data involved, including payment cards, passport numbers, and other highly sensitive personally identifiable information.
Root cause: Advanced persistent threat
The intrusion actually began back in 2014 in a Starwood Hotels reservation database. Two years later, in 2016, Marriott acquired Starwood, and with it the already compromised booking system, for roughly $13 billion. The breach was not uncovered until late 2018.
The intrusion was an advanced persistent threat (APT), in which attackers gain access to a network and then work methodically over an extended period. Such campaigns are often run by nation-states for reconnaissance and intelligence gathering. In the Starwood case, the APT is widely attributed to Chinese state-sponsored actors, possibly seeking the passport details of people of interest.
That attackers could root around undetected in Starwood’s booking systems for four years suggests a lack of meaningful penetration testing and monitoring, both of which the PCI DSS requires for systems that carry cardholder data. Marriott should also have performed a more thorough risk assessment and review of Starwood’s security practices before the acquisition, and certainly before connecting the inherited systems to its own.
Takeaway: Businesses must exercise caution and conduct testing not only when merging companies, but whenever they integrate systems that may carry sensitive or regulated data.
In recent years, data breaches have increased in volume, variety, and severity. They cost companies millions in financial losses, remediation, and reputational damage. Every business can strengthen its defenses and avoid becoming the next headline by learning how recent breaches happened, even when the lesson is as simple as putting a password on your database.
This article is part of an ongoing series about the business value of IT
Note: The information contained in this article has been obtained from sources believed to be reliable. The applications selected are examples to show a feature in context and are not intended as endorsements or recommendations.