2018 has been a big year for data breaches. With the GDPR now in force, businesses found not to be protecting their data face enormous fines and significant reputational damage. Add to this our increasing reliance on external systems, a lack of visibility into third and fourth parties, and the difficulty of finding experienced DevOps personnel to configure cloud environments securely.
Regardless of how and why a breach occurs, or whether it discloses PII, payment card information or business files, the targeted organisation is penalised by the public, the press and the ICO. There is no escaping the scrutiny, reputational damage and costs that come with being breached, so we’d like to share our 2018 findings and analysis to help your organisation prevent unwanted surprises.
This year’s most affected industries shouldn’t come as a surprise, with healthcare, accommodation and the public sector making up the top three;
- Healthcare – 536 reported breaches | 750 incidents
- Accommodation – 338 reported breaches | 368 incidents
- Public – 304 reported breaches | 22,788 incidents
- Retail – 169 reported breaches | 317 incidents
- Financial – 146 reported breaches | 598 incidents
76% of reported breaches were financially motivated, 73% were conducted by outsiders and 17% were due to human error. Additionally, ransomware accounted for 39% of malware incidents*.
In more detail, here are what we believe to be the most significant breaches of 2018;
Quora.com – December 2018 (discovered November 2018)
- 100 million users affected.
- Data accessed: names, email addresses and encrypted passwords.
- Compromised by a third party who gained unauthorised access to systems.
Marriott – November 2018
- 500 million users affected.
- Data accessed: names, addresses, phone numbers, email addresses, passport numbers, account information, date of birth, gender and arrival/departure information. It has been reported that some records also included encrypted payment card information, and Marriott could not rule out the possibility that the encryption keys had also been stolen.
- Compromised by an unauthorised party who had been accessing the network since 2014.
- The unauthorised party copied and encrypted the stolen data before exfiltrating it.
Cathay Pacific – October 2018
- 4 million passengers affected.
- Data accessed: passport numbers, email addresses and credit card details.
- The breach was spotted during an ongoing IT operation that showed unauthorised access to systems holding customer data.
- Cathay Pacific’s Chief Executive, Rupert Hogg, revealed that the company provided details of the breach to 27 different authorities spanning 15 jurisdictions. This alone would have kept the IT security department extremely busy.
Facebook – September 2018
- Over 30 million compromised accounts.
- Data accessed: name, relationship status, religion, birthdate, workplaces, search activity and recent location check-ins.
- Attackers exploited a vulnerability in the code of Facebook’s “View As” tool, a feature that allows users to see what their profile looks like to others. The attackers began with a set of seed accounts and moved on to the accounts of friends, then friends of friends, and so on, eventually amassing a group of 400,000 compromised accounts. Using some of these accounts, they managed to steal access tokens for a further 30 million accounts before they were stopped.
- Facebook’s share price fell sharply, and a fine of up to £1.25 billion could be enforced.
Ticketmaster – June 2018
- 40,000 customers affected.
- Data accessed: personal information, including payment details.
- An external third-party supplier of Ticketmaster was found to be exporting Ticketmaster customers’ data to an unknown third party.
- It has been reported that the Ticketmaster breach was not a one-off, and that the hacking group Magecart targeted Ticketmaster as part of a massive credit card skimming campaign affecting more than 800 ecommerce sites.
Each incident would have brought about a range of publicised and undisclosed consequences, but the real question is: what can you do to ensure your own organisation doesn’t suffer the same fate? Unfortunately, there is no single “fix-all” solution, but rather a variety of processes, exercises and programmes that can put your organisation in the best possible position to prevent such incidents. For your 2019 risk and compliance strategy, we strongly suggest your organisation considers the following;
Penetration Testing as a Service (PTaaS)
Ditch manual and disjointed penetration testing processes and build an automated, scheduled and fully tracked programme that manages and encourages the remediation of risks and vulnerabilities. Stay one step ahead by treating penetration testing as an ongoing programme of testing, remediation and task management that protects your organisation from external and internal threats.
Bring all of your risk and compliance elements into a single view to encourage continuity and standardisation. Over time this provides complete visibility of your programme’s maturity and informs the focus areas for development and remediation. Sleep easy at night knowing you have implemented a successful and strategic risk management programme that covers not only regulatory and industry requirements, but also internal and third-party risk management.
Overcome resource shortages and progress your risk management programme with experienced consultants to ensure a successful and results-focused strategy. Allow 3GRC Consultants to help interpret your data and provide support when gathering, organising and remediating risks across any Platform use case.
An automated and centralised third party risk programme
Overcome assessment fatigue by using a risk management platform to automate, streamline and centralise your third-party risk management programme. Explore your options for 2019 to ensure your organisation avoids falling victim to a third-party breach.
Employee cyber security training
According to the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses in the US since October 2013. With the barriers to entry for these scams continuing to fall, and attackers able to take advantage of accounting and finance email credentials exposed in public data breaches and leaked data, it is important for organisations to understand and reduce their own external digital footprint. Employee training that covers downloading and executing unknown applications on company assets in accordance with corporate policies and relevant regulations, and that explains how to report suspicious emails and attachments, could save your organisation thousands.
The list of solutions available for building a successful risk management programme is endless; what matters is that we work together to ensure 2019 is the year we outsmart the hackers.
For more information on any of the solutions outlined above, please contact us to book your free, personalised demonstration and discuss your organisation’s options and current risk management programme.
*Source: 2018 Data Breach Investigations Report