Many companies are hiding the extent of data breaches in clever and deceitful ways.
Data breaches are when a cybercriminal gains access to data – it could be held by a loyalty card scheme, an airline, a bank, a social media network, a business you deal with and many more. As we move to an increasingly online world, data is the new gold. Cybercriminals then use it against you to steal your identity, empty your bank account and ruin your life.
Data breaches are on the up as cybercriminals are smarter than programmers
Did you know that in March Facebook buried a major Instagram breach? Instead of issuing a new warning, it updated an old blog post and did nothing to publicise it. Millions of Instagram users are affected and don’t even know. Change your password now. Better still, #deleteFacebook.
UpGuard caught two Facebook developers storing hundreds of millions of Facebook users’ records in plain text on Amazon cloud servers, including their names, passwords, comments, interests and likes. A Mexican company called Cultura Colectiva used insecure Amazon cloud servers to store 146 gigabytes of data, including 540 million Facebook users’ records. Facebook did not report the breach, as it was the developer’s responsibility to do so and breach laws are lax in Mexico. Another reason to #deleteFacebook.
Facebook also exposed 600 million users’ passwords stored in plain text, making them freely available to over 20,000 employees. Facebook says it has no evidence of misuse, so it did not report the matter. Read my lips: #deleteFacebook before there are more tears.
No wonder the company is expecting a record-breaking US$3-5 billion fine from the US FTC and similar amounts (€1.63 billion) over GDPR breaches. Australia is even looking at fines – when you are on a good thing, stick to it!
CEO Zuckerberg has changed tack from his staunch self-regulation quest to calling for globally consistent rules for all social media – which he knows has a snowflake’s chance in hell of ever happening. He even admitted as much, saying, “Regulation typically isn’t global, it’s national.”
Other major data breaches in March and April
Citrix has admitted that unknown hackers freely roamed its internal network for six months. It advised the California Attorney General on 29 April that cybercriminals had access to the network from 13 October 2018 to 8 March 2019. Hackers ‘stole business information’ that may have included names, social security numbers, financial information and more. OK, it mainly affects Citrix, its employees and its customers, but we expect more from a company that sells secure remote access products.
Toyota had a breach that affects up to 3.1 million customers mainly in Asia. But it also had a breach in Australia in February and is yet to publish what information was compromised.
Around 200,000 Docker developers are at risk via a breach of its database. While that is a small number of developers, Docker containers are becoming a significant part of delivering internet services, and using tainted container ‘images’ could compromise this convenient way of shipping software.
Chinese head hunter (HR) companies have had 590 million CVs (job applications) stolen. Sloppy programming left poorly secured databases online without a password. The worst part about this breach is that China has no mandatory data breach notification, and the information allows cybercriminals to build a very complete profile of the applicants.
In India, JustDial had a breach affecting 100 million users due to sloppy programming that left its user database on an insecure cloud service. This was a shocking breach exposing email, mobile number, address, gender, date of birth, photo, occupation and employer – basically whatever profile-related information a customer ever provided to the company.
The breaches are mostly due to sloppy, quick and dirty programming to get a start-up idea online as fast as possible.
Some are due to humans succumbing to spear phishing, and some were caused by subverting (bribing) trusted staff to hand over the keys to the castle.
These are the tip of the iceberg and by no means the largest breaches – these were the worst handled.
What is worse is that criminals are mining the data from these breaches and then selling it to other criminals.
The latest dark web sale is asking US$20,000 for 620 million user names and passwords from 16 recently hacked websites, including Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million) and DataCamp (700,000).