The Summer 2018 Data Breach Report:
Industry Reaction to the Biggest Breaches
Summer 2018 has seen companies report a host of high-profile breaches. We hear from industry experts about the causes and implications of some of the biggest data breaches over the last few months
Air Canada App Data Breach: Passport Data Exposed
At the end of August Air Canada announced that its mobile app had been hit by a significant data breach affecting up to 20,000 customers. This breach was particularly severe because it potentially included passport numbers of many of the users. In addition to informing affected customers, Air Canada opted to lock out all 1.7 million customers until they had changed their passwords.
Praise for choice to lock accounts
“Although this is a massive breach in customer data and confidence, Air Canada are locking people out of their accounts until they update their passwords. This is a great way to encourage people to think about their passwords should they require access back into it.
“In fact, this is now an opportunity to think about using a password manager or at least a password generator to help customers with their general cyber awareness and security.
“Attacks like this are becoming far too common but we need to learn from them so making it compulsory to gain access back into the accounts is not only a positive security measure on their behalf, it also offers a moment for customers to think twice about their passwords. Let’s just hope it’s not an incremental ‘yourcatsname.2’.”
Jake Moore, security specialist, ESET
Highlights cybersecurity challenges
“The Air Canada breach once again sheds light on the difficulty companies have protecting the proprietary information of their customers that is their backbone. Collectively, this is a blow to our privacy and Air Canada joins a growing list of organidations that have faced a knock down punch.
“For the consumer, they should be working under the assumption that their personal information has been compromised many times over. As an industry until we can start making cybercrime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive payouts.”
Israel Barak, chief information security officer, Cybereason
Password breaches are a criminals’ paradise
“Passports are the strongest form of globally consistent government-issued identification in use today – especially in the US.
“Passports, and their information, are used to deny people entry to a country, they represent a combination of digital and physical history for a traveller. Bad actors that are using their own name could be detected denied entry, and sometimes exit, from countries.
“A bad actor with victim Joan Q Public’s clean passport information is a ghost. Combine that with appalling password settings and other insecure and identifiable information for frequent travelers and it’s a criminals paradise. Criminals will continue to focus on personal data, versus financial information like in the past, as personal data is now worth more.”
Aaron Zander, IT Engineer, HackerOne
Airline apps struggle to keep up with security
“Airline apps are a lot smarter than they used to be, with boarding pass, video playback and payment functionality being added to the usual frequent flyer points display.
"And all of those advanced features have to work on a plane - the ultimate offline environment, where network-based security tools won't help.
“Our investigations lead us to believe that the security models for many airline apps haven't evolved along with the user features.
"We would expect to see the strong level of app protection that gets applied to mobile wallet apps and commercial video playback apps, but airline apps are still not being obfuscated and they still store all the offline data in unencrypted databases. It isn't hard for an attacker to reverse engineer these apps and work out how to extract all the user data.”
Winston Bond, Senior Technical Director EMEA, Arxan Technologies
T-Mobile Data Breach: Two Million US Subscribers Hit
In August T-Mobile US announced that it had identified a breach affecting up to two million customers – around 3% of its users in the US. However, while the breach included names, contact information and basic account details, it did not include payment data. It was also mitigated within a day, minimising the amount of access hackers could gain.
Stolen data could be used in targeted attacks
“Hackers stole customer names, ZIP codes, phone numbers, e-mail addresses, account numbers and account types. This information can potentially be used in targeted attacks where attackers can impersonate customers to T-Mobile’s customer service representatives.
“Attackers may also be able to impersonate the customers to other wireless carriers and attempt to port the numbers in order to hijack the phone numbers. People who are impacted should ensure that they have set up a PIN with T-Mobile that they use to authenticate to customer service representatives, and that is required to port their phone numbers to another carrier.”
Amit Sethi, principal consultant, Synopsys
Detection and response efforts praised
“This security incident favourably stands out among many others by prompt detection and transparent disclosure.
"Many of the recent data breaches, including the most disastrous ones, were discovered weeks ago but then announced months after the occurrence.
“T-Mobile serves as a laudable example of prompt incident response. This, however, does not absolve them from accountability for the breach and further cybersecurity enhancement to prevent similar incidents in the future.”
Ilia Kolochenko, CEO, High-Tech Bridge
Abundance of caution by T-Mobile
“It looks like T-Mobile are following industry best practice of ‘abundance of caution’ when handling personal information and possible breaches.
“If only more organisations had a culture of being abundantly cautious with their cybersecurity implementations. Telco service credentials form the foundation of our digital identities. Keeping them secure is paramount to the integrity of many other online portals.”
Andy Norton, director of threat intelligence, Lastline
Systemic societal malaise over data privacy
“Billions of these kinds of records are being leaked to the Internet at a growing rate with all the implications for privacy, digital security and person safety that that brings.
“What interests me about this incident is that it illuminates a systemic malaise that is starting to impact society at a fundamental level, as the recent Facebook / Cambridge Analytics incident illustrates. It’s not clear what can still be done about this at this late stage. Pandora’s box has been opened, the evil is out, and there’s not much we can do to put it back.
“Addressing the problem of personal data leaks will take years or decades even and will require political will and deep commitment from business, government, and the security industry.”
Charl van der Walt, chief security strategy officer, SecureData
Reddit Data Breach: Legacy Logins Taken
Reddit, the self-styled “front page of the internet” announced at the start of August that it had been the subject of a limited data breach. Current email addresses were obtained, as was a 2007 database containing usernames and salted and hashed and passwords. The hackers got access via an SMS-based two-factor authentication system.
Exposing the flaws in two-factor authentication
“The hack at Reddit is a reminder that when protecting sensitive data by choosing 2FA in addition to a password, it is important to know that not all 2FA offers the same security; for example, the difference between using SMS-based authentication and token based authentication.
“It looks like Reddit needs to raise the priority on implementing the model of least privilege and privileged access security controls, as this breach shows that the accounts compromised had ‘read’ access to storage systems including source code, logs and configurations. I am concerned that Reddit seems to be playing down the data breach as it was ‘only read access to sensitive data and not write’; this is positive news, however, it does not reduce the severity of the breach when it relates to sensitive data.”
Joseph Carson, chief security scientist, Thycotic
Changing use of SMS interception in hacks
“This breach is particularly interesting because it is an example of SMS based 2-factor authentication being used to compromise a major service provider. While SMS interception has been a common trick in opportunistic financial fraud, it is far less common to hear about this method being used in this type of targeted attack of a public service.
“Although any form of multi-factor authentication is a considerable improvement on simple password models, SMS based verification tokens can be stolen with a variety of well-known techniques, including social engineering, mobile malware, or by directly intercepting and decrypting signals from cell towers.”
Craig Young, security researcher, Tripwire
Low-friction multi-factor authentication needed
“It is time we found a balance. The future of secure authentication is certainly multi-factor, but it should also aim for low friction. To improve customer experience without reducing security, authentication strategies should be both integrated and simple.
“An example of this would be an ‘adaptive’ authentication mechanism that reviews a combination of factors such as geographic location, source IP address, device fingerprint as well as a password before allowing the user access. Most of this information can be obtained from the device being used, while the consumer only has to provide their password. This gives multi-factor authentication where the user is only aware of one factor.”
Andy Cory, Identity Management Services lead, KCOM
Basic information can still be used for fraud
“Fortunately, this Reddit breach doesn’t include credit card information. However, we all know bad actors are very talented at preparing fraud schemes with the kind of user information that was leaked. From phishing scams and dictionary attacks – where fraudsters try certain common passwords based on the user’s information – to synthetic identities; as little as an email address can go a long way in the hands of a bad actor.
“Reddit is doing the right thing by immediately informing its global community of the extent of the damage, advising of the steps Reddit is taking and letting its community know what they should watch for and do.”
Robert Capps, vice president, NuData Security, a Mastercard company
SingHealth Data Breach: Singapore’s Prime Minister Among Victims
Singapore’s largest healthcare institution SingHealth saw a devastating breach when the personal profiles of up to 1.5 million patients were accessed by hackers. This included sensitive health data, with victims including Lee Hsien Loong, Prime Minister of the country.
Data security overhaul needed
“Yet another breach, let alone one on a government body, should tell us that something in our security approach is broken. Governments hold data sensitive in their databases, such as protected health information [and] personally identifiable information, meaning they become viable attack targets. This is what happened to SingHealth. To mitigate this growing threat, there must be a new approach to data security.
“We must focus our security efforts on the data itself, both at rest and in transport. This includes protecting it at foundation level.
“Given that a business will easily spend millions to protect access to data, it would only make sense to secure the data itself as it comes through and sits in your database. Many believe this happens with encryption, but there is a flaw – current database systems can encrypt stored data, but methodologies such as Data Masking, Homomorphic Encryption, TDE and others using keystores are leaving gaps in access. This means that anyone (human or machine) that has access to the system at any administration level generally also has access to the plain unencrypted data and leaves a come get me sign.
“By putting the security focus on the data itself, not just where it comes from, but where it is stored or being transacted to, it enables better protection for both external and internal threats that organisations desperately need to keep sensitive information protected.”
Simon Bain, CEO, BOHH Labs
Networks cannot be trusted
“This is a very serious breach given the sensitivity of the data accessed, and the sheer volume of records. It appears the initial infection came through a single user endpoint being infected with malware, which then worked its way through the network. This once again highlights how today’s cybersecurity is a house of cards – it just takes one person to click on the wrong thing for the whole thing to come crashing down.
"Only when we admit that we cannot detect and stop threats, and instead start focusing on minimising harm, can we ever hope to disrupt hackers. The simple fact is that if the endpoint was isolated, then the hacker would have had nowhere to go and nothing to steal.
“Yet it also highlights the fact that we can no longer trust our networks or most of our endpoints. Hackers will inevitably find a way in. Air-gapping can be an effective solution, but it is impractical when you have multiple employees trying to access a business critical application. Instead, we need to shrink protection to application level.
"By protecting applications that store our most sensitive and critical data, even if the device or network is compromised, that application cannot be touched as it will be invisible to the device and network.”
Fraser Kyne, EMEA CTO, Bromium
Healthcare data has surged in value
“The healthcare data breach outlines a new reality. Today, we are beginning to see a new and scary fact – healthcare data has grown its value such that hackers are now willing to go the extra mile to obtain it.
“This has been a growing trend over the past few years, such that healthcare data has outgrown the value of credit card or social security numbers. Are healthcare providers aware of the value of the data they are storing?”
Olli Jarva, Managing Consultant, Synopsys' Software Integrity Group
Telefonica Data Breach: Millons of Spanish users affected
Telefonica suffered an embarrassing breach in July when a user of its Spain-based landline, broadband and television service Movistar reported than anyone with an account could view others’ personal data. This included financial details, and was the result of improper design of the Movistar online customer portal. It is thought tens of millions of users are affected.
Highlights why layered security solutions are favoured
“This sort of data exposure is why so many organisations who transact with customers online – from the banking and finance sector to eCom and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioural analytics.
"In doing so, they’re shifting from ‘let's make our company a bunker for everyone’ to ‘let's leave the bunker for risky users only’. They do so by using technology that doesn't rely on data that could have been exposed in a breach, thus preventing post-breach damage.
“For years now, many top merchants and financial institutions have incorporated passive and active biometrics and behavioural analytics to verify customer identities online.
"By analysing hundreds of indicators derived from the user’s online behaviour, companies don’t have to rely on passwords, payment data, and other leaked information to make an authentication decision. Removing the organisation’s reliance on ‘things users know’, companies are far less vulnerable to the data exposed by leaks and breaches.”
Ryan Wilk, vice president, NuData Security, a Mastercard company
Potential GDPR implications
“Telefonica will need to assess the scope of the breach in order to understand how it impacts GDPR. Has the breach been exploited and the information stolen by hackers? If so, they will certainly need to inform the GDPR supervisory authority, and very likely each of the affected customers. They could then be liable to fines of up to €20m or 4% of their global turnover (their turnover is $53bn, so potentially over €2bn in fines though that is highly unlikely).
“Flaws like this are quite common in websites. It does imply that the website has not been tested against industry best practice as the flaw that was exploited should be easily discovered during penetration testing. It could also be that Telefonica made changes to the system without running additional checks, which then introduced the vulnerability.”
Rob Shapland, principle cyber security consultant, the Falanx Group
Unclear if data stolen
“So far, there is no certain evidence that the improper access control, discovered on the customer portal, was maliciously exploited and led to any personal identifying information theft. Moreover, such vulnerabilities are pretty common, and similar vulnerabilities can be found virtually on every large website with sophisticated functionality such as customer portal.
"They are hardly detectable with automated web vulnerability scanning solutions widely used by companies as a principal mean to assess security of their web applications.
“In light of the currently known circumstances, I don’t see any compelling reasons to impose a financial penalty upon Telefonica under GDPR.
"Otherwise, 99% of companies that face the same insurmountable difficulties in running their daily business will just stop operations. However, some additional attention to web application security will definitely be an appropriate measure for Telefonica to detect other vulnerabilities that may exist.”