It seems almost inevitable these days that data breaches will happen, even to governments and companies with seemingly more than enough money for strong cybersecurity. Still, there are lessons to be learned from every breach, and it is far better to learn from the mistakes of others than from your own. Instead of just ranking the largest breaches of last year by size, this review takes a quick look at some noteworthy trends and lessons learned as we start 2019.
#1: The Data Mines
Infographic figures: 50 million accounts exposed (Facebook); nearly 53 million users affected (Google+).
The abundance of personal information stored by social media companies makes them among the richest targets for hackers on the Internet. These data mines know they are aggressively targeted and therefore have well-established cybersecurity teams and practices. The biggest takeaway from the data exposures at Facebook and Google+ is the privacy conversation they sparked about data retention and management policies, especially now that the EU's GDPR is in force.
#2: Health Without Safety
Infographic figures: 150 million records breached; 6 million records breached; sensitive military locations revealed; 113.5 million records breached; 92 million records breached (MyHeritage).
2018 saw breaches of multiple fitness-tracking apps and services, from mobile applications to tracking software for gyms and wellness scheduling. With the rise of smart watches, Fitbits and other wearables that track or evaluate physical health, a large amount of data about people's health is now held by these companies. Although MyHeritage, a DNA testing company, is in an entirely different industry, there is an important connection between all of them: all sit outside the health care industry, potentially holding sensitive information about your health, without the legislative oversight (such as HIPAA in the U.S.) that applies to health care providers.
#3: Security? Why Bother?
Infographic figures: 340 million records breached (Exactis); 48 million records breached; 445 million records breached; 11 million records breached.
The common thread between these data breaches is that not a single one of these companies was hacked. All four exposed the information themselves through misconfigured cloud-based storage that let anyone on the Internet download the contents, instead of restricting that access to their own employees. In the particularly egregious case of Exactis, the database sat on a server reachable from the Internet with no firewall or authentication in front of it at all.
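The misconfiguration pattern behind these four incidents is a storage bucket or server whose access policy grants read to everyone. The checker below is an added example, not code from the original article or from any of the companies it names: it evaluates an S3-style bucket policy and ACL offline and reports any grant to an anonymous or global principal. The policy and ACL documents are constructed for this example, and the bucket name, account ID and role ARN are placeholders.

```python
"""Offline check for object-store configurations that let anyone download the contents.

Added example, not code from the original article or from any of the companies it
names. The bucket policy and ACL documents below are constructed for illustration;
the bucket name and account/role ARNs are placeholders.
"""
import json

# Grantee groups in an S3 ACL that mean "everyone" or "anyone with any AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let a caller enumerate or fetch objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both grant anonymous access.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def public_policy_statements(policy):
    """Return (Sid, has_condition) for every Allow statement granting read to everyone.

    A Condition may or may not narrow the grant (aws:SourceIp does, aws:SecureTransport
    does not), so conditional statements are reported for review rather than dropped.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append((stmt.get("Sid", f"statement[{i}]"), "Condition" in stmt))
    return findings


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant to a global group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def audit(policy, acl):
    """Combine both checks into a list of human-readable findings (empty when clean)."""
    findings = [f"policy statement '{sid}' grants read to everyone"
                + (" (conditional, review the Condition)" if cond else "")
                for sid, cond in public_policy_statements(policy)]
    findings += [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    return findings


# Constructed "before": the misconfiguration pattern, a wildcard Allow plus a public-read ACL.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-customer-export",
                 "arn:aws:s3:::example-customer-export/*"]
  }]
}""")
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

# Constructed "after": read limited to one role, an explicit Deny for plaintext transport
# (a Deny with Principal "*" is not a public grant), and an owner-only ACL.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ExportReaderOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-customer-export",
                  "arn:aws:s3:::example-customer-export/*"]},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-customer-export/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")
HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    for label, pol, acl in (("open", OPEN_POLICY, OPEN_ACL),
                            ("hardened", HARDENED_POLICY, HARDENED_ACL)):
        print(label, audit(pol, acl) or ["no public access found"])
```

The same two checks apply to any cloud object store with a policy document and an ACL; the hardened policy shows the shape of the fix, which is naming the one principal that needs read access rather than the whole Internet. Note that the Deny statement uses `Principal: "*"` and is correctly not reported, because only an Allow to a wildcard principal opens the bucket.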
#4: Still In It For The Money
Infographic figures: 37 million records breached; 5 million records breached; unknown number of records breached; 880,000 records breached; 380,000 records breached.
Only a few years ago, cybercrime revolved primarily around financial data, with attackers mostly interested in unearthing credit card numbers to use or sell. Now it seems to revolve around phishing, with personal information as the main currency. This hardly means financial malware is no longer a threat, just that criminals always look for the easiest target, and as these breaches illustrate, compromising payment information remains a focus for many of them. Older breaches of retailers tended to target point-of-sale systems, using malware that quietly collected card data as people shopped (think of the Target breach). More recent breaches frequently start with phishing, seeking to compromise an employee with access to the financial systems rather than attacking the systems directly.
#5: Good Enough for Government Work
Infographic: 300+ universities and other targets hacked; Marriott breach of 500 million records; infiltration of US power companies.
If the past few years have proven anything about hacking to the governments of the world, it is that the return on investment is remarkable. An outsized political and financial impact can be gained for a comparatively modest outlay, compared with flexing political or military muscle. Think of Russia, which no longer has the budget to posture militarily as it once did but has had considerable foreign policy impact through underhanded means like disinformation campaigns and carefully targeted phishing. Iran, for its part, has made clear that it has learned hacking is considerably cheaper than research and development, stealing billions of U.S. dollars' worth of intellectual property. China's alleged breach of Marriott, which began back in 2014 but only came to light recently, illustrates how financial and personal data are all too frequently held by the same targets. Marriott, the top hotel lodging provider to the U.S. Government, was likely targeted for its clientele's personal information, including that of U.S. Government travelers, but the attackers also took a large amount of guest payment card data in the process.