Tag Archive for Data breach

8,200,000,000 Data Breaches

2019 is on pace to be the worst year ever for data breaches. If things continue at the same pace, 8.2 billion records will be exposed by the end of 2019. The threat intelligence firm Risk Based Security reports that during the first half of 2019 over 4.19 billion records were exposed in 3,813 reported breaches between January and July 2019.

Those numbers work out to more than 20 data breaches a day. Eight mega-breaches that exposed more than 100 million records each were reported. These web-based breaches were primarily the result of leaving databases accessible to third parties and failing to protect them. Forbes reports that these misconfigured databases and services accounted for 149 of the 3,813 incidents reported this year. According to Forbes, the mega-breaches exposed over 3.2 billion records and accounted for 78.6% of the total records exposed in the first half of 2019.

Largest data breaches

The 10 largest data breaches for the first half of 2019 are:

  1. Verifications.io (982 million),
  2. First American Financial (885 million),
  3. Cultura Colectiva (540 million),
  4. unknown organization in India (275 million),
  5. unknown organization in China (202 million),
  6. Dubsmash (161 million),
  7. Canva (138 million),
  8. Justdial (100 million),
  9. Mobile Drip (80 million), and
  10. unknown U.S. firm (80 million).

The Verifications.io, First American Financial, and Cultura Colectiva breaches are ranked among the top 10 breaches of all time based on the number of records exposed.

Consumer Affairs says Verifications.io, an email marketing company, had a misconfigured database that exposed 982,864,972 names, addresses, and Facebook, LinkedIn, and Instagram accounts. The information associated with the breach includes email addresses, dates of birth, phone numbers, fax numbers, genders, IP addresses, and personal mortgage amounts. As a result of the incident, Verifications.io has ceased operations.

If you’ve bought a house, particularly in California, another breach may impact you. First American Financial Corporation exposed 885,000,000 records. Consumer Affairs writes that exposed data included real estate closing transaction records that contained names, Social Security numbers, phone numbers, email and physical addresses, driver’s license images, banking details, and mortgage lender names and loan numbers.

Other interesting data breach infobits

  • The number of breaches also reached a new high during the first half of 2019.
  • The average number of records lost per leak was just 230.
  • The majority of breaches had a moderate to low severity score and exposed 10,000 records or less.

Thankfully RBS says more critical data was less commonly stolen during attacks.

  • Social Security numbers were stolen in 11% of attacks,
  • Addresses were stolen in 11% of attacks,
  • Account numbers were stolen in 10% of attacks, and
  • Birth dates were stolen in 6% of attacks.

The sectors impacted

  • Healthcare 224 breaches,
  • Retail 199 breaches,
  • Finance and insurance 183 breaches,
  • Government and information 160 breaches each, and
  • Education 99 breaches.

Inga Goddijn, executive vice-president at Risk Based Security, told ComputerWeekly.com:

It is hard to be optimistic about the outlook for the year … The number of breaches is up and the number of records exposed remains stubbornly high. Despite best efforts and awareness among business leaders and defenders, data breaches continue to take place at an alarming rate.

Phishing

Phishing is a tried and tested first step for gaining access to systems and services, the report said. The phished data can be used to perpetrate further attacks. The most frequently stolen data are email addresses and passwords. These credentials are valuable to attackers because they can be used across multiple domains (because we know users don’t use unique IDs for each account) for credential stuffing. These credentials can also be changed by the attacker (or the owner). The report points out that 70% of the known breaches included email addresses and 65% included passwords.

Phishing can also lead to other critical but less monetized data. The report said phishing can lead to the exposure of unusual or unexpected types of data, including electronic signatures, calendars, marriage certificates, and company-issued employee ID numbers, all valuable for social engineering or spear-phishing attacks.
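One defender-side check that the reuse problem calls for, as an added example that is not from the report or the original post: flag a source address that tries many distinct accounts in a short window with mostly failures, which is what a replayed breach list looks like in a login log. The log format and the sample lines are constructed for the example.

```python
"""Credential-stuffing detector over web-server login logs.

Flags a source IP that attempts logins for many distinct usernames with a
high failure rate inside a short window: the signature of an attacker
replaying a breached email/password list, not of one user mistyping.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format: "<ISO time> <ip> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2019-07-01T10:00:01 203.0.113.7 alice@example.com FAIL
2019-07-01T10:00:02 203.0.113.7 bob@example.com FAIL
2019-07-01T10:00:02 203.0.113.7 carol@example.com OK
2019-07-01T10:00:03 203.0.113.7 dave@example.com FAIL
2019-07-01T10:00:03 203.0.113.7 erin@example.com FAIL
2019-07-01T10:00:04 203.0.113.7 frank@example.com FAIL
2019-07-01T10:00:05 203.0.113.7 grace@example.com FAIL
2019-07-01T10:01:00 198.51.100.4 heidi@example.com FAIL
2019-07-01T10:01:09 198.51.100.4 heidi@example.com FAIL
2019-07-01T10:01:20 198.51.100.4 heidi@example.com OK
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, normalised user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), result == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, min_fail_rate=0.6):
    """Return {ip: (distinct_users, attempts, successes)} for every IP whose
    attempts inside some `window` touch >= min_users accounts with a failure
    rate >= min_fail_rate. Successes are the important part: each one is a
    reused password confirmed against this site."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding window over time
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_rate:
                flagged[ip] = (len(users), len(win), len(win) - fails)
    return flagged

if __name__ == "__main__":
    for ip, (users, tries, hits) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {users} accounts in {tries} attempts, {hits} succeeded")
```

The second address in the sample (one user failing twice, then succeeding) is the ordinary forgotten-password pattern and is not flagged, which is the distinction a lockout-per-account rule alone would miss.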

rb-

Businesses need to get their security act together: according to RBS, they were responsible for over two-thirds of the breaches. The garden-variety cyber-criminal is a script kiddie who runs automated scripts looking for unsecured databases in order to scrape up any data they can. The big breaches make the headlines, but the everyday incidents make the money for most attackers.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Data Privacy Day

Data Privacy Day is January 28, 2019. Data Privacy Day began in 2008 as a celebration of the signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. The National Cyber Security Alliance (NCSA) leads the Data Privacy Day campaign. Here are some tips from the NCSA to own your online presence.

The first step is to STOP. THINK. CONNECT.™: take safety measures, think about the consequences of your actions, and connect knowing you have taken steps to safeguard yourself and your family when online.

Share with care. What you post can last a lifetime: any information shared online can easily be copied and is almost impossible to take back. Consider who might see a post and how it might be perceived in the future.

Protect your info. Information about the games you play and what you search for online has value, just like money. How else does Zuck make $6 million a day? Be selective with the information you give to apps and websites.

Own your online presence. Learn how to use the privacy and security settings on your favorite online games, apps and platforms.

Stay current. Keep pace with new ways to stay safe online: Keep up with new technology and ways to manage privacy. Visit staysafeonline.org or other trusted websites for the latest information about ways to stay safe online.

Personal information is like money. Value it. Protect it. If you don’t, you will be the victim of a data breach.


Marriott Data Breach One Of Biggest Ever

Updated July 17, 2019 – The Brits slapped Marriott with a £99m ($124m) fine for “infringements of the GDPR.” The Information Commissioner’s Office said that Marriott failed to undertake sufficient due diligence when it bought Starwood, and should also have done more to secure its systems prior to the data breach.

___

The internet is a dangerous place for data. Hotel chain Marriott (MAR) proved that once again. Marriott revealed that hackers stole personal information from 500 million Starwood Preferred Guest program participants. The data stolen in the data breach included sensitive personally identifiable information (PII).

Marriott

Marriott said it got an alert on September 8, 2018, about an attempt to access the Starwood database and enlisted security experts to assess the situation. During the investigation, Marriott claims to have discovered that the unauthorized access to the Starwood network started in 2014.

Investigators found that an unauthorized party had copied and encrypted information from the database and had taken steps toward removing it. The company was able to decrypt the information on November 19, 2018, and found that the contents were from the Starwood guest reservation database. The hotel chain then waited until November 30, 2018, to tell its customers of the data theft.

What was lost in the data breach

For about 327 million Marriott customers, the compromised information includes some combination of name, address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Marriott added that the data breach included payment card information. About 170 million impacted Marriott customers only had their names and basic information like address or email address stolen.

Marriott says that about 20.3 million encrypted passport numbers and approximately 8.6 million encrypted payment cards were compromised in the breach.

Several sources report that state-sponsored Chinese hackers working for the intelligence services and the military were behind the attack. The stolen data would be an espionage bonanza for government hackers. Sources point out that the Starwood attacks began in 2014, shortly after the attack on the U.S. government’s Office of Personnel Management (OPM) compromised sensitive data on tens of millions of employees, including application forms for security clearances.

Sadly, the 500 million record Marriott hack only ranks as the third-largest known data breach to date. This list of fails illustrates that, no matter what you’re doing online, every time you put your information on the internet you risk it being stolen.

Rank  Company                    Accounts hacked  Date of hack
1     Yahoo                      3 Billion        August 2013
2     River City Media           1.3 Billion      May 2017
3     Aadhaar                    1.1 Billion      January 2018
4     Marriott                   500 Million      2014 - 2018
5     Yahoo                      500 Million      Late 2014
6     Adult Friend Finder        412 Million      October 2016
7     MySpace                    360 Million      May 2016
8     Exactis                    340 Million      June 2018
9     Twitter                    330 Million      May 2018
10    Experian                   200 Million      March 2012
11    Deep Root Analytics        198 Million      June 2017
12    Adobe                      152 Million      October 2013
13    Under Armour               150 Million      February 2018
14    Equifax                    145.5 Million    July 2017
15    eBay                       145 Million      May 2014
16    Heartland Payment Systems  134 Million      May 2008
17    Alteryx                    123 Million      December 2017
18    Nametests                  120 Million      June 2018
19    LinkedIn                   117 Million      June 2012
20    Target                     110 Million      November 2013
21    Quora                      100 Million      November 2018
22    VK                         100 Million      December 2018
23    Firebase                   100 Million      June 2018

rb-

There is something else fishy here. Reports claim that the data was encrypted using AES-128, but not all of the stolen data was. Attackers were able to steal nearly 20 million passport numbers and 8.6 million encrypted payment cards.

Marriott says that the attackers were able to gain access to 5.25 million unencrypted passport numbers and 2,000 unencrypted payment card numbers.

I’m sure that regulators (GDPR) and lawyers will ask why unencrypted sensitive info like passport and credit card numbers was lying around waiting to be stolen.


Protect Yourself from Facebook

Just in case you have been sleeping under a rock the past couple of weeks, social media giant Facebook (FB) was hacked again. In a presser on 10/12/2018, the social networker admitted that nearly 30 million Facebook users were hacked. This is on top of the 50 million user accounts that Mark Zuckerberg’s company allowed Cambridge Analytica to steal.

During the presser, Facebook did not apologize for exposing its users’ information but noted that it was cooperating with the FBI, the US Federal Trade Commission, the Irish Data Protection Commission, and other authorities on the data breach.

The attack involved the capture of Facebook “access tokens,” or digital keys that allow websites to recognize who someone is and keep them logged in. Using accounts they already controlled, the attackers used an “automated technique” to exploit Facebook’s “View As” functionality and steal access tokens for some 400,000 people. Hackers then used friend lists from those 400,000 accounts to obtain access tokens for another 30 million people (Here’s how to find out if you were hacked). Facebook tracked this hack to a change it made to its video uploading feature over a year ago in July 2017, and how that change affected View As.

Facebook confirmed on Friday that the hack compromised the personal and contact information of 30 million users. The compromised personal data includes:

  • Name,
  • Phone number,
  • Email address,
  • Username,
  • Gender,
  • Locale/language,
  • Relationship status,
  • Religion,
  • Hometown,
  • Self-reported current city,
  • Birthdate,
  • Device types used to access Facebook,
  • Education,
  • Work,
  • The last 10 places they checked into or were tagged in,
  • Website,
  • People or Pages they follow, and
  • The 15 most recent searches.

rb-

I have been warning about the dangers of Facebook since 2011. I use the Facebook Container extension for Firefox to help prevent Facebook from tracking me around the web. The Facebook Container is an extension for desktop Firefox 57 and higher (it does not work on Firefox for mobile).

The Facebook Container is a tool to limit what data others can obtain from you. It works by isolating your Facebook identity into a separate container that makes it harder for Facebook to track your visits to other websites with third-party cookies.

When you install the extension it deletes the Facebook cookies on the computer and logs you out of Facebook. The next time you navigate to Facebook it will load in a new blue-colored browser tab (the “Container”).

You can log in and use Facebook normally when in the Facebook Container. If you click on a non-Facebook link or navigate to a non-Facebook website in the URL bar, these pages will load outside of the container.

Clicking Facebook Share buttons on other browser tabs will load them within the Facebook Container. You should know that using these buttons passes information to Facebook about the website that you shared from.

Because you will be logged into Facebook only in the Container, embedded Facebook comments and Like buttons in tabs outside the Facebook Container will not work. This prevents Facebook from associating information about your activity on websites outside of Facebook to your Facebook identity.

In addition, websites that allow you to create an account or log in using your Facebook credentials will generally not work properly. Because this extension is designed to separate Facebook use from use of other websites, this behavior is expected.

It is important to know that this extension doesn’t prevent Facebook from mishandling the data that it already has, or permitted others to obtain, about you. Facebook still will have access to everything that you do while you are on facebook.com, including your Facebook comments, photo uploads, likes, any data you share with Facebook connected apps, etc.

It is important to remember that other ad networks will try to correlate your Facebook activities with your regular browsing.

In addition to using the Facebook Container extension, you can further protect yourself from Facebook by changing your Facebook settings, using Private Browsing, enabling Tracking Protection, and blocking third-party cookies.


300 Billion Passwords

The death of the password has been predicted for years. Bill Gates predicted the death of the password at an RSA Security conference in 2004. In 2011, IBM (IBM) predicted that biometrics would replace passwords by 2016. In case you haven’t noticed, it is 2017 and passwords are still with us, and they suck. “It’s now years after those statements were made, and passwords are still in heavy use,” Joseph Carson, head of global strategic alliances at Thycotic Software, told CSO.

A new report (Reg. Req.) from cyber-security research firm Cybersecurity Ventures says that the number of passwords in use will grow from about 75 billion today to around 100 billion in 2020. And the number of passwords used by machines, such as IoT devices, will grow even faster, from around 15 billion in 2015 to around 200 billion in 2020, the report said. That is 300 billion passwords by 2020.

And these numbers don’t include one-time passwords, SSL encryption keys, and other short-term credentials said Thycotic’s Carson. Thycotic Software sponsored the report.

Mr. Carson told CSO the estimates come from worldwide statistics about the total number of computers, operating systems, servers, routers, and other technologies and applications that come with passwords or need users to create passwords to use them. He added, “Then there are the social media accounts, which have been growing significantly.”

The average user has over 25 passwords, he said. There is no decline in the number of passwords; in fact, the opposite is the case. “We find that the growth is accelerating at a massive pace.” CSO observed that the use, and reuse, of all these passwords is creating an ever-growing attack surface of both human and machine-to-machine passwords. A record number of credential breaches were disclosed in 2016, Mr. Carson added: 3 billion, with 43% of people having had at least one password or credential stolen.

A report released by the Pew Research Center said that for U.S. adults, the number was even higher. According to a 2016 survey, 64% said that they had personally noticed or been notified of a data breach that affected their accounts or personal data.

According to Mr. Carson, the financial damages of the breaches will continue to increase as well. Thycotic and Cybersecurity Ventures predict potential damages from cyber-crime to reach $6 trillion by 2021.

rb-

Looks like passwords are here to stay. Followers of the Bach Seat know that passwords suck. I have covered a number of options to replace passwords. None of the biometric options have taken off as IBM had predicted.

Where biometric authentication is deployed, it’s been as an adjunct to passwords, not a replacement. Passwords are used to set up the initial trusted relationship, and as a fallback when the biometrics fail. Mr. Carson concludes, “The biometrics are used for ease of access to systems … Biometrics will never replace passwords.”
