Data breaches not receiving full disclosure – it affects you


Many companies are hiding the extent of data breaches in clever and deceitful ways.

Data breaches are when a cybercriminal gains access to data – it could be from a loyalty card, airline, bank, social media, business you deal with and many more. As we move to an increasingly online world data is the new gold. Cybercriminals then use it against you to steal your identity, empty your bank account and ruin your life.


Data breaches are on the up as cybercriminals are smarter than programmers

Did you know that in March Facebook buried a major Instagram breach? Instead of issuing a new warning it updated an old blog and did nothing to publicise it. Millions of Instagram users are affected and don’t even know. Change your password now. Better still #deleteFacebook.

UpGuard caught two Facebook developers storing hundreds of millions of Facebook users’ records in plain text on Amazon cloud servers, including their names, passwords, comments, interests, and likes. A Mexican company called Cultura Colectiva used insecure Amazon cloud servers to store 146 gigabytes of data, including 540 million Facebook users’ records. Facebook did not report the breach, as it was the developer’s responsibility to do so and breach laws are lax in Mexico. Another reason to #deleteFacebook.


Facebook also exposed 600 million users’ passwords stored in plain text, making them freely available to over 20,000 employees. Facebook says it has no evidence of misuse, so it did not report the matter. Read my lips: #deleteFacebook before there are more tears.


No wonder the company is expecting a record-breaking US$3-5 billion fine by the US FTC and similar amounts (€1.63 billion) over GDPR breaches. Australia is even looking at fines – when you are on a good thing stick to it!

CEO Zuckerberg has changed tack from his staunch self-regulation quest to calling for globally consistent rules for all social media – which he knows has a snowflake’s chance in hell of ever happening. He even admitted as much, saying, “Regulation typically isn’t global, it’s national.”

Other major data breaches in March and April

Citrix has admitted that unknown hackers freely roamed its internal network for six months. It advised the California Attorney General on 29 April that cybercriminals had access to the network from 13 October 2018 to 8 March 2019. Hackers ‘stole business information’ that may have included names, social security numbers, financial information and more. OK, it mainly affects Citrix, its employees and customers, but we expect more from a company that sells secure remote access products.

Toyota had a breach that affects up to 3.1 million customers mainly in Asia. But it also had a breach in Australia in February and is yet to publish what information was compromised.

Around 200,000 Docker developers are at risk via a breach of its database. While that is a small number of developers, Docker containers are becoming a significant part of delivering internet services, and using tainted container ‘images’ could compromise this convenient way of shipping software.

Chinese head-hunting (HR) companies have had 590 million CVs (job applications) stolen. Sloppy programming left poorly secured databases online without a password. The worst part about this breach is that China has no mandatory data breach notification, and the information allows cybercriminals to build a very complete profile of the applicants.

In India, JustDial had a breach affecting 100 million users due to sloppy programming that left its user database on an insecure cloud service. This was a shocking breach, exposing email, mobile number, address, gender, date of birth, photo, occupation and employer – basically whatever profile-related information a customer ever provided to the company.

The breaches are mostly due to sloppy, quick and dirty programming to get a start-up idea online as fast as possible.

Some are due to humans succumbing to spear phishing, and some were caused by subverting (bribing) trusted staff to hand over keys to the castle.

These are the tip of the iceberg and by no means the largest breaches – these were the worst handled.

What is worse is that criminals are mining the data from breaches and then selling it on to other criminals.

The latest dark web sale is for US$20,000 for 620 million user names and passwords from 16 recently hacked websites including Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

IT Governance tries to keep up with the breach disclosures (March disclosures here and April disclosures here).

The bottom line is that cybercriminals are way ahead of sloppy developers who have no independent certification of their programs to minimise risk.

It is horrifying that millions of apps on the Apple App Store and Google Play are written by sloppy developers who can access everything we do on the phone. Don’t let Apple reassure you that its iPhone is safe either.

A poorly written mSpy iOS app (based in a country where there is no data breach reporting legislation) revealed masses of personally identifiable information from millions of users who had installed it. While Apple is not guilty of revealing the data, it cannot control what its developers do with the data they collect from an iPhone.

Security expert Brian Krebs said, “mSpy has a history of failing to protect data about its customers and — just as critically — data secretly collected from mobile devices being spied upon by its software. In May 2015, KrebsOnSecurity broke the news that mSpy had been hacked and its customer data posted to the Dark Web.”

GadgetGuy’s take: Data breaches are increasing. The bad guys are winning.

I originally started to write this article in a brief ITy Bytes style covering the three Facebook breaches. I guess I was intending to reinforce the message that a college-grown project written in the highly insecure PHP language by a bunch of opportunistic, money-focused amateurs was not a solid base to build a secure system. Sloppy programming at the core of more sloppy programming and an obvious sell-out of ethics to make money.


But as I researched more on “Data breaches March and April” I came across so many that I turned this into a full article.

I wish I had an answer as to how to protect yourself from data breaches – it has happened to me too with the Starwood breach which made my online life hell for a while.

OK, here are the plain-talking things you need to do to be a little safer online and minimise being a victim of data breaches:

  • #DeleteFacebook, although the damage there has probably been done, with your details already in your dark web profile just waiting to be used against you in a spear phishing campaign.
  • If you don’t delete Facebook, there is a good article on 11 things you can do to keep your Facebook profile from revealing too much.
  • Passwords are a major issue and like gold to cybercriminals. With the average user now having 40+ passwords (and many having closer to double that), using a password manager is the only way. Read about the free and easy-to-use LastPass here.
  • Avoid putting too much extra information in your contacts list – as Facebook sees it all. Use LastPass secure notes instead.
  • It is time to work out where your data is and, if possible, remove it. FlyBuys, Woolworths Rewards and the major loyalty cards are probably OK, but set up a ‘junk’ email address, e.g. rayjunk@gmail.com, for all these types of cards, online purchases and competitions. You can forward these junk emails to your normal email account. Also, consider taking ten years off your birthdate and only give as much information as you are comfortable with.
  • Start using a paid VPN when online. Private Internet Access and NordVPN are two that are good in Australia.
  • Start using paid antivirus/malware/phishing/surfing software on all devices, e.g. Norton, Kaspersky, Trend, McAfee, ESET or CheckPoint.
  • Read our ten tips to protect you from identity theft – it is a good overview of everything else you need to do.