It seems like it was just yesterday that cyber attacks were rarely in the headlines and only involved 'obvious' targets. Today, anybody can become a victim, with hundreds of millions of private records having been compromised in the past year alone through data breaches and vulnerabilities.
The Privacy Rights Clearinghouse lists 700 disclosed breaches for the year, including several at influential enterprises. Experts predict that cybercrime will only become more rampant as time goes on, so it's critical to keep an eye on what's been happening.
Here are three key lessons we can learn from 2018's biggest data breaches.
1. Remain vigilant, even with trusted partners
We need to remain cognizant that third-party service integrations could inadvertently introduce vulnerabilities that could compromise user and customer data.
Flying under most radars is the vulnerability linked to mobile engagement platform Branch.io, which is used by hugely popular apps like Tinder and Reddit. A cross-site scripting (XSS) flaw found in the platform's endpoint is believed to have exposed data of over 685 million users.
While there has been no word yet on whether a malicious actor successfully exploited the vulnerability, the incident shows how third-party web-based services can be the weak link in a system's security. "Consumers' data is being exposed from applications at an alarming rate," said Rusty Carter, VP of products at Arxan, "and the rise in visibility of browser-app vulnerabilities underscores the need for businesses to focus their attention on securing the browser-applications as they run on end-consumer devices."
2. Human fallibility continues to open back doors
Records of 1.4 million patients were compromised in May when UnityPoint Health fell victim to a breach. Attackers sent employees phishing emails that looked like they came from the recipients' bosses, successfully tricking people into sharing their email passwords. The attackers were then able to access health information found in attachments.
This type of breach is especially unfortunate given that phishing and other social engineering attacks are preventable - if good training programs are in place. "Changing behavior starts with creating positivity around cybersecurity," says HoxHunt CEO Mika Aalto, whose platform helps companies gamify phishing attack detection.
"People should feel that it is okay to tell if they think something is off - in fact, they should even be encouraged to tell. By creating a cybersecurity culture, the visibility of possible security hazards can be increased, and these sorts of scenarios can be prevented from happening."
3. Organization size doesn't matter
The recent breach of Marriott's database showed that being an industry giant doesn't spare a company from leaking its customers' data. Half a billion records were reported stolen in the breach, including credit card and passport information belonging to the hotel chain's guests.
Terry Ray, Imperva CTO stresses that "one of the most interesting things about this breach is the speculation that it was part of a Chinese intelligence-gathering effort that also hacked health insurers. That's why cybersecurity is so critical; there needs to be an awareness that in addition to monetary gain, somebody might be stealing your data for political gain too, and protecting that data is just as critical, regardless of who's taking it." Ray added, "What's more, the trickledown effect of nation-state hacking is particularly concerning, as sophisticated methods used by various governments eventually find their way into the hands of resourceful cybercriminals, typically interested in attacking businesses and individuals."
Social networking giant Facebook also exposed the data of 50 million users. A flaw in Facebook's code allowed attackers to abuse the 'View As' feature to obtain access tokens for affected accounts and read their information. Given these companies' resources, one would expect them to be able to implement the most stringent cybersecurity measures.
Unfortunately, this wasn't the case.
Avoiding vulnerabilities in 2019
Ultimately, what we should all accept is that security is now a shared responsibility. As users of the global resource that is the internet, we all contribute to each other's security and risk. Business leaders must do what they can to stay vigilant about threats and be proactive (not reactive) in securing the data they control.