December every year, TechTalks publishes a roundup of the biggest cybersecurity incidents of that year and 2018 is no exception. Although there hasn’t been much of (at least publicized) government leaks and global ransomware attacks like last year, the online community of major brands from virtually every sector made sure to compensate for their public counterparts’ unhackability.
Marriott International: Massive data breach
Late in November Marriott revealed that a hack that began four years ago had exposed the records of about 500 million customers of its Starwood hotels reservation system.
Marriott is the world’s largest hotel operator and its Starwood system includes famous brands like Sheraton, Westin, Le Meridien, and Tribute among others.
While investigations are ongoing, the main suspect in this case is China and it seems that the motives behind the attack are more of the intelligence gathering nature and less financial.
The hack that began in 2014, looks similar to hacks that the Chinese government was conducting in 2014 as part of its intelligence operations, according to Robert Anderson, former senior FBI official.
“Think of the depth of knowledge they could now have about travel habits or who happened to be in a certain city at the same time as another person,” said Anderson, who served as FBI executive assistant director until 2015.
According to Michael Sussman, a former senior DoJ official for its computer crimes section, the long duration of the campaign was an indicator that the hackers were seeking data for intelligence and not information to use in cyber crime plots.
“One clue pointing to a government attacker is the amount of time the intruders were working quietly inside the network,” he said. “Patience is a virtue for spies, but not for criminals trying to steal credit card numbers.”
Data exposures by Exactis and Twitter
Data exposures occur when data is stored improperly on the open internet where anyone can access it with no or minimal authentication. It can happen through a misconfigured database or other storage mechanism or be due to software bugs that lead to data storage in unintended places or wrong formats.
The former was the case with Exactis, a marketing and data aggregation firm, which left two terabytes of personal information of more than 300 million of U.S. adults exposed—more than the Equifax data breach. Although the data didn’t include social security numbers or credit card information, it was a trove that hackers of different ideology and motivation can put to nefarious use.
One alarming fact about this data breach is that the company hasn’t been known to anyone but insiders before the breach. Its page on English wikipedia has been created right after the breach in June 2018, doesn’t contain anything about the company but the data breach and ridiculously starts by saying that, “Exactis became notable in June 2018,” after Vinny Troja, a cybersecurity researcher revealed that the records were on a publicly accessible server.
The scary takeaway is that our data are so much scattered all over the internet and shared among companies, including previously unknown data brokers, that finding a weak link isn’t that difficult anymore.
Exactis is currently facing a class action suit by the targeted individuals over the incident.
A prominent example for software bugs that lead to data storage in unwanted formats is Twitter. Earlier in May the microblog sharing service revealed that it had unintentionally stored some user passwords unprotected and in plaintext in an internal log.
Twitter didn’t disclose how many users were affected and was fast to offer the classic reassurances that there was no evidence that any misuse of the unencrypted passwords occurred, nonetheless the company urged all its 330 million users to change their passwords as soon as possible.
And here’s the thing with data exposures in general: While companies, by reviewing access logs and other cyber forensic evidence, can genuinely come to the conclusion that nothing improper happened with a high degree of confidence, at the end of the day there is no way to know for sure what happened while everyone was asleep.
Russian power grid hacking
This particular incident actually happened in 2017 and it was widely believed to have been initiated from Russia, but it wasn’t until this year that the U.S. government publicly blamed Russia for the incident.
Late In 2017, security researchers at Symantec found out that hackers had gained access to hundreds of power grid sites across the U.S., Turkey, and Switzerland.
The U.S. administration also blamed the NotPetya malware, the ransomware that wasn’t a ransomware, on Russia.
This marks the first time Washington publicly accused Moscow of hacking U.S. infrastructure and shows how serious the perils of state sponsored cyber-terrorism has become.
Iranian cyber attacks on (mainly) U.S. institutions
In March, the Trump administration indicted nine Iranian individuals and an Iranian company for hacking into hundreds of universities, dozens of firms and parts of the U.S. government. According to the Department of Justice indictment, the Iranian hackers worked for a state sponsored company called the Mabna Institute and stole a whopping 31 terabytes of data worth $3 billion in intellectual property.
The attacks started in 2013 and targeted a multitude of institutions, including 144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, and the Federal Energy Regulatory Commission, among others.
Like most Iranian attacks, the used techniques were not advanced, but spear phishing in combination with devious social engineering tactics were used to gain access to accounts and networks.
Let’s admit it: Facebook had a really bad year. As if the Cambridge Analytica scandal wasn’t enough, Mark Zuckerberg’s empire of social media services and messaging apps suffered a streak of serious privacy and cybersecurity blows over the past 12 months that also spilled over to other services that use Facebook as an authentication mechanism like Tinder.
Here is a run down of Facebook’s privacy and cybersecurity blowups in 2018:
- Facebook bug accidentally changes post status to public
- Facebook bug exposes user sessions to developers
- Facebook bug lets websites read visitors’ likes and interests
- The infamous Cambridge Analytica scandal
- Facebook bug reveals previously never shared user photos
Ben Dickson has written a detailed account of Facebook’s breaches over the past year.
Under Armour’s not-so-armored online presence
In February, hackers breached Under Armour’s MyFitnessPal app, compromising about 150 million user records, including usernames, email addresses, and passwords. The company discovered the breach in late March and, to its credit, was swift in disclosing it in just under a week.
Under Armour’s security precautions made sure that hackers couldn’t get their hands on high-value information like credit card numbers, location, or birth dates. The company had all the passwords hashed with one important caveat: Only some of the passwords were hashed with the solid bcrypt function. The rest were encrypted by an SHA-1 algorithm, which is known to have a variety of flaws.
The Under Armour hack, while not the worst both in terms of the quantity of leaked records and the quality of data and company response, was a stark reminder on how vulnerable corporate networks are.
A myriad of retailers and consumer centered services that gave our most-valuable data away
While each of the cybersecurity incidents in the following list can’t be compared in terms of quantity with this years major breaches, they cover so diverse and popular stores and services that I imagine most of use is impacted in one way or another. Here comes the list in no special order:
Cheddar’s Scratch Kitchen menu: Data breach, credit card information
Darden Restaurants, the mother company of Cheddar’s among others, announced in August that a week earlier, officials notified them of a cyberattack. The attack vertical was a legacy point-of-sale system in restaurants that encompassed 23 states.
According to Darden’s press release, diners who visited affected Cheddar’s restaurants between November 3, 2017 and January 2, 2018 may have been affected. An estimated 567 thousand payment card numbers were exposed.
Macy’s unusually costly wear
On July 9, DataBreaches.net revealed that Macy’s is sending letters of warning to its customers stating that individuals who shopped online at Macys.com and Bloomingdales.com between April and June could have had their personal information and credit card details stolen.
Adidas data breach
In late June Adidas announced that an unauthorized party has gained access to its customers data, including email addresses, physical addresses, contact information, and login credentials.
Adidas believes that only customers who shopped at the U.S. version of adidas.com are affected by the breach which according to a spokeswoman are “a few million” users.
One hack to rule them all
Early in April, it was revealed that all of Best Buy, Sears, Kmart and Delta Air Lines suffered a data breach through a common customer support service they all used: [24]7.ai.
The intrusion had already occured in late 2017 and the late and insufficient notification raised concerns among lawmakers and consumer rights groups.
While the quantity of the stolen data was relatively small (hundreds of thousands), it included sensitive information like payment card numbers, expiration dates, and CVV security codes.
Another worrying aspect of the hack was that some users’ who didn’t even use the online chat were impacted by the breach, according to Best Buy. Reminding us on how necessary comprehensive security solutions are that reach over company or service boundaries.
Saks Fifth Avenue and Lord & Taylor data breach
Also early in April, a cyber security firm revealed that millions of credit cards have been hacked and are being sold on the dark web. JokerStash, the criminal hacking group behind the breach, has a long record of online fraud and criminal hacking.
One concerning aspect of the hack was that offline customers of the aforementioned stores who used their physical card in-store have been affected.
And the list of hacked stores goes on
Panera Bread, the bakery-café chain restaurant, Forever 21, the fashion retailer, Sonic, a drive-in fast food restaurant, and Whole Foods are also among the consumer-centric business that suffered a data breach in 2018.