It’s a sobering reality that within the last ten years, data breaches have become commonplace in society, and for major companies it’s not a case of if a breach will happen but when.
Hackers are becoming more aggressive than ever and, with regulation struggling to keep up, businesses are re-evaluating their approach to data security and looking to embed robust data protection frameworks within their business to tackle the rising issue.
With 2019 being pegged as the “worst year on record”, according to research done by Risk Based Security, we look back at some of the major data breaches that rocked 2019.
1. T-Mobile
In November the mobile giant confirmed that hackers had managed to access the personal data of over 1 million customers, with information such as names, billing addresses, phone numbers and wireless plan information being compromised.
As news of the breach hit the press, T-Mobile issued an apology to customers. However, they failed to mention when the breach took place, how it happened, who was affected and what they were planning to do to fix it, other than its plan to “improve security”, leaving their customers in the dark.
This is coming off the back of an unlucky two years for the company, as hackers managed to breach their systems in August 2018, gaining access to the personal information of over 2 million customers. Luckily no financial data, social security numbers or passwords were compromised.
2. Facebook
Quite often, the root of a major data leak can stem from poor security measures, rather than malevolent hackers attempting to crack a database.
Facebook came under fire in September, after millions of phone numbers linked to their social media accounts were found on a server online. As the database was not password protected, users’ Facebook IDs, gender identity and phone numbers became easily accessible.
Up until a year ago, people could find others using just their phone numbers, and a Facebook spokesperson announced that “the data set is old and appears to have information obtained before we made changes last year”.
Nevertheless, this is a worrying situation for a company that is still sore from the Cambridge Analytica scandal, when over 80 million Facebook profiles were scraped in order to affect votes in the 2016 U.S. presidential election.
3. Capital One
Described as one of the biggest data breaches of all time, over 100 million Capital One accounts and credit card applications were compromised by a single hacker by the name of Paige Thompson in March of this year.
Having previously worked as a software engineer for a cloud hosting company that Capital One was using, Thompson managed to hack the system by exploiting a misconfigured web application firewall and gaining access to credit applications as far back as 2005.
Capital One CEO Richard Fairbank came out to reassure customers that they have fixed the liability, stating that “no credit card account numbers or log-in credentials were compromised”.
However, the cost of this breach won’t come cheap, with the company expected to face charges of over $100 million.
4. Adobe
In October, software company Adobe faced the exposure of over 7.5 million users on the internet. This was due to an Elasticsearch database that was left connected online without a password.
Security researchers Bob Diachenko and Paul Bischoff discovered user details including email addresses, member IDs, country of origin and what products they were using. Luckily, both alerted Adobe’s security team, who quickly secured the server that same day.
Adobe’s quick response was met with praise. However, this isn’t the first time the software giant has landed themselves in hot water. In 2013, hackers managed to gain access to full records and payment information of over 38 million users.
5. Disney+
Last but not least, on the 12th November Disney launched its highly-anticipated streaming platform Disney+. However, within a day social media was awash with complaints from users facing technical problems and claims of users being locked out of their accounts.
A subsequent investigation by ZDNet found “thousands” of user accounts on sale online, with hackers selling Disney+ accounts for just $3.
Furthermore, the BBC, with the help of a cyber-security researcher, found “several hacked customer accounts for sale on the dark web”. However, this could have happened due to users using the same passwords across multiple sites.
Since then, Disney has released a statement mentioning that “Disney takes the privacy and security of our users’ data very seriously and there is no indication of a security breach on Disney+”.
If these stories teach us anything, it’s that it is not only vital that companies have an effective, preventative plan in place to avoid a data breach, but we must also have a proactive response plan for when these events happen.
Businesses must not only work to prevent data breaches, but also deal with the reality that given the current climate, a data breach can seem inevitable.
How does your company minimise the risk of a data breach?