Just in time for Halloween, we look at the haunting reality of data breaches and highlight five tales that spooked not only the cyber-world.
Halloween, the scariest day of the year, is upon us! However, traditional observations of the popular holiday may be hindered by the pandemic raging outside. Instead of children roaming the streets sporting scary costumes trick-or-treating or adults attending costume parties, All Hallows’ Eve will have to be celebrated in other ways. Most of us will probably be bundled up in blankets in the comfort of our homes with mugs of pumpkin-flavored hot drinks watching eerie and horrifying stories, or better yet, telling them.
The cyber-world has many a scary story of its own as well. Unfortunately, contrary to those told on Halloween, these stories are very real.
In 2017, Equifax, one of the largest credit reporting agencies in the United States, was the victim of an astounding data breach. The breach, which lasted for approximately 78 days, was caused by a vulnerability in the Apache Struts web application framework for which a patch had been issued but which Equifax had failed to apply in time. The threat actors behind the incident were able to siphon the personal data of nearly 148 million Americans, 15.2 million Brits, and almost 19,000 Canadians. The data trove included a wide range of Personally Identifiable Information (PII), including social security numbers, birth dates, and addresses, all of which could be used to conduct identity fraud. As for the monetary damage incurred by Equifax, the company estimates that the current tally is about US$1.7 billion in costs emanating from the cybersecurity incident.
In 2018, Marriott International, one of the largest hotel chains in the world, suffered a major data breach involving its reservations database. Marriott initially estimated that as many as 500 million of its customers might have been affected by the cyber-incident, but then went on to amend its estimate to 383 million. The guest information compromised in the incident included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. In some cases, payment card numbers and their expiration dates were compromised as well. The compromised data could be used in a wide range of attacks, including phishing, social engineering attacks, credit card fraud, and identity fraud. So far, the company has incurred costs of around US$72 million for the breach, but US$71 million has been reimbursed by insurance. However, Marriott might still be looking at a hefty sum in penalties, since the UK data protection authority is looking to serve the hotel chain with a £99 million (US$123 million) fine.
As one of the world’s largest online marketplaces, most famous for its auction-style sales, eBay probably needs little in the way of introduction. In 2014, the company disclosed that it had been the victim of an attack in which as many as 145 million of its active users were affected. According to the company, the origin of the attack was traced back to the compromise of a small number of employee login credentials. The data compromised in the breach included customers’ PII, such as names, email and physical addresses, phone numbers, and dates of birth, as well as encrypted passwords, all of which could be used in various forms of cyberattacks and attempts to defraud potential victims.
In 2013, Target, one of the largest retailers in the United States, suffered a major data breach that affected more than 41 million customer payment card accounts as well as the contact information of over 60 million customers. The cybercriminals behind the attack were able to access customer names, phone numbers, email addresses, credit and debit card numbers and expiration dates, and encrypted PINs and credit card verification codes. According to Target, the PIN codes were encrypted with the Triple Data Encryption Standard, which would make them difficult to crack. However, using the information gathered from the breach, the cybercriminals could commit credit card fraud and identity fraud. In the aftermath of the incident, Target offered credit monitoring services and settled a US$10 million class-action lawsuit in which it promised to pay up to US$10,000 to any customers who could prove they suffered losses due to the data breach. It also had to pay a multistate settlement of US$18.5 million.
Adult Friend Finder
In 2016, the adult dating and entertainment company FriendFinder Network was breached, exposing over 412 million user accounts. The enormous data breach included 339 million accounts from the AdultFriendFinder.com website as well as 15 million deleted accounts that hadn’t been eliminated from its databases. The data trove consisted of 20 years’ worth of records from the company’s largest websites and included usernames, email addresses, passwords, site membership data, browser information, the IP address last used to log in, and even whether the user had paid for any items. It’s worth noting that the passwords, which had apparently been converted to all lowercase, were stored either in the clear or scrambled as a SHA-1 hash, which isn’t a sufficient security measure, and most passwords were easily and quickly cracked. While people are more liberal in this day and age, they probably wouldn’t like to advertise their visits or activities on such websites, and most would prefer to keep them secret. Unfortunately, the leaked data would allow black hats to easily target these individuals and use the data to ruin their reputations, blackmail them under the threat of revealing sensitive information they would like to keep hidden, or use the cracked passwords in further credential-stuffing attacks.
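To make the password-storage point concrete, here is an added illustration (not code from ESET or from FriendFinder) that contrasts the scheme described above, lowercasing followed by unsalted SHA-1, with per-user salted scrypt. The user names and passwords are constructed sample data; the point it shows is that the legacy scheme collapses different passwords and different users onto one identical stored value, which is exactly what makes bulk cracking fast, while the salted scheme does not.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration; not real breach data.
USERS = {
    "alice": "Summer2016!",
    "bob":   "summer2016!",   # same password as alice, different case
    "carol": "Summer2016!",   # identical to alice's
}


def legacy_hash(password: str) -> str:
    """Scheme the article describes: lowercase the password, then unsalted SHA-1.
    Deterministic and case-insensitive, so every user with the same (or a
    differently-cased) password gets the same 40-hex-character value."""
    return hashlib.sha1(password.lower().encode()).hexdigest()


def modern_hash(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus scrypt, a memory-hard KDF; stored as salt$hash.
    Case is preserved and each user gets a different stored value even when
    the underlying password is identical."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + dk.hex()


def verify_modern(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = modern_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def distinct_stored_values(scheme) -> int:
    """Number of distinct stored values a scheme yields for USERS.
    1 means one lookup cracks every account in the sample at once."""
    return len({scheme(pw) for pw in USERS.values()})


if __name__ == "__main__":
    print("legacy distinct values:", distinct_stored_values(legacy_hash))   # 1
    print("scrypt distinct values:", distinct_stored_values(modern_hash))   # 3
```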
To be sure, these are just some of the scary stories the cyber-world has to offer. While they may be uncomfortable to read, these cyber-incidents should serve as cautionary tales for both consumers and companies – that cybersecurity should never be taken lightly.
written by Amer Owaida, ESET We Live Security