The 6 Most Disturbing Data Breaches of 2018
It’s reasonable to qualify all data breaches as disturbing. However, there have been a number of specific cyber incidents this year that have reached especially troublesome levels of intrusion, neglect or magnitude.
Here is a list of the six most disturbing data breaches so far in 2018, including attacks that were previously executed but were not announced or discovered until this year.
1. Exactis
Before this past summer, most people were not familiar with Exactis, a company that compiles and aggregates business and consumer data collected from people who browse websites that use cookies. On June 27, the world learned that Exactis left its database open to the public, exposing nearly 340 million individual records, affecting approximately 230 million US consumers and 110 million businesses.
So far, the company has yet to confirm the breach and the number of people affected is still an estimate, but the leaked data included victims’ phone numbers, home and email addresses, interests, and the number, age and gender of their children. Additionally, victims’ personal habits, religions and even pet ownership details may also have been exposed. Exactis now faces a first class-action lawsuit.
Why is this breach disturbing?
- The lack of responsibility demonstrated by the company: One of the largest collections of personal data was left unprotected by even the most basic cyber security measures.
- The volume of individuals affected: Nearly every US citizen could be a victim of this breach.
- The depth of information breached: It is alleged that up to 400 variables of victims’ characteristics were exposed, although financial information and social security numbers were not leaked.
How do you protect yourself or reduce the risk from this sort of incident?
Individuals: There is no convenient and easy way to protect yourself from this type of data leak without staying offline. You are especially at risk if you browse from multiple devices. This article offers a list of ways to browse the web anonymously.
Organizations: Ensure that sensitive data is managed with a least-privilege approach and that authorized access is required to view this data. The implementation of a least-privilege policy will only allow access to the individuals who need the credentials to complete necessary tasks. Privileged account management solutions can further secure this sensitive data.
2. Under Armour / MyFitnessPal App
In February 2018, Under Armour’s MyFitnessPal App fell victim to one of the largest data breaches in history when an unauthorized party accessed the company’s data stash. The user names, email addresses and scrambled passwords of over 150,000,000 app users were stolen.
The breach was discovered on March 25 and users were notified to change their passwords four days later. Fortunately, the breached data is considered moderate and the attack was discovered relatively quickly. Under Armour earned credit for hashing the passwords and processing credit card information separately—two actions that significantly limited the potential damage of the breach. So far, the attacker responsible has yet to be identified.
Why is this breach disturbing?
- The volume of victims: This was, at the time, a record-breaking breach of user data.
- The type of information at risk: MyFitnessPal can collect precise data on the user’s activity, personal fitness records, health and location. As more people adopt mobile apps and wearable devices that record their private data, cyber criminals have more to expose and exploit.
How do you protect yourself or reduce the risk from this sort of incident?
Individuals: Limit vulnerability by using a unique password for each website or application you access and use a password manager. When you have the option, restrict the access of apps to only the information they need to operate.
Organizations: The exact breach technique and source of the attack have yet to be released by Under Armour, so prevention strategies specific to this breach are unavailable.
3. Tesla
On June 14, a disgruntled Tesla employee admitted to hacking the company’s secret trade information and sharing the data with unnamed third parties. Three days later, CEO Elon Musk notified employees of the breach, citing released information and code sabotage conducted by the culprit. As a revolutionary company known for its innovation, Tesla is certainly expected to be wary of cyber-attacks. A variety of non-malicious hacks have revealed several of the company’s security vulnerabilities, but this insider attack severely exposed Tesla.
Why is this breach disturbing?
- It came from the inside: An attack from within the ranks is especially jarring. Successful companies choose their team members meticulously and a devastating attack such as this forces a company to review its vetting process and negatively affects the trust built within the organization.
- The unknown extent of the violation: Total damage control and repair are almost impossible without knowing the full scope of the attack.
How do you protect yourself or reduce the risk from this sort of incident?
Organizations: The exact details of the attack are unknown, but the implementation of a least-privilege policy can significantly hinder these insider threats, and a privileged account system with email alerts could have notified IT administrators of the malicious activity in real time.
4. MyHeritage
News broke on June 4 that MyHeritage, a family history website that offers genealogy and DNA testing services, was breached, exposing the email addresses and hashed passwords of over 92 million registered users. The breach occurred in October 2017 but remained undiscovered until eight months later. A security researcher told the company about a file he had found on a private server outside of MyHeritage. Fortunately, no DNA data was compromised.
Why is this breach disturbing?
- The duration of the breach: Eight months passed before victims were notified to change their passwords. Unfortunately, it is common for victims to receive the news of a breach so long after the event that it is too late for them to respond effectively.
- The type of company involved: A company that stores the DNA information of millions of people should have maximum and current security protections in place.
How do you protect yourself or reduce the risk from this sort of incident?
Individuals: DNA testing has become a hot trend for health predictions and ancestry details, but there are downsides. While no DNA data was accessed during this breach, users need to recognize that having their DNA stored in an organization’s database carries significant risk of damaging exposure. While there are benefits to using these services, users are potentially risking some of their most unique data.
As in most cases, individuals can help protect themselves by using a different password for every account, which can prevent cyber criminals from easily accessing their other credentials.
Organizations: It is still unknown how this data was placed on a third-party server but a comprehensive privileged account management system could have prevented data from being copied anonymously and covertly from MyHeritage.
5. Facebook/Cambridge Analytica
The Facebook/Cambridge Analytica data incident was dominant in the global news stream earlier this year. In March, it was revealed that the personally identifiable information—or PII—of over 87 million Facebook users had been used to influence voter opinion. Cambridge Analytica, a British political consulting firm, obtained the PII in a controversial manner. Facebook users believed they were taking part in a survey for academic purposes, but the social media outlet’s design enabled an app to not only collect the personal information of the survey takers, but also that of all these users’ ‘friends.’
Why is this breach disturbing?
- The deception: Facebook users were not informed that their PII was being collected during the survey.
- The collateral damage: Friends of the survey-takers were also unknowing victims and had their data collected without their knowledge or permission.
- The breach of trust: Facebook is no stranger to privacy violations, but it was believed that the company had moved past its questionable past. However, it seems Facebook just lulled users into a false sense of security.
How do you protect yourself or reduce the risk from this sort of incident?
Individuals: Limiting social media use is the only way for users to properly secure themselves from this kind of data collection. There are some strategies such as setting security options to maximize privacy. Users should avoid taking surveys on Facebook, clicking on Facebook links and purchasing products directly through Facebook. Rather, users can often shop more securely through the seller’s website directly.
Organizations: It is important to recognize that many employees have addictive tendencies toward using social media on their devices, so limiting this usage should be practiced by all organizations. It is also crucial, in all cases, to protect your network endpoints, such as users’ devices, as if a breach were inevitable. With a huge overlap between personal and business devices, phones and laptops, it’s only a matter of time before an endpoint breach enables an intruder to access your company’s sensitive data.
6. Health South East RHF, Aetna, BJC Healthcare and other healthcare organizations
Health South East RHF, a healthcare organization in Norway, announced that the confidential health information of 56% of Norway’s overall population had been accessed by professional cyber criminals.
This organization is one of many that have been hit with major cyber incidents. Several have suffered data breaches or cyber-attacks in 2018. Here is a list and the number of individuals affected by the incidents.
- Aetna – about 12,000 members
- BJC Healthcare – 33,420 patients
- CarePlus – about 11,200 members
- Partners HealthCare – possibly 2,600 patients
- St. Peter’s Surgery & Endoscopy Center – possibly 134,512 patients
- ATI Physical Therapy – up to 35,136 patients
- Nuance Communications – 45,000 patients
- LifeBridge Health – 500,000 patients
- Aultman Health Foundation – 42,600 patients
- Dignity Health, Med Associates – 55,947 patients
- Med Associates – 270,000 patients
When added together, there have been millions of victims affected by these data breaches. Since healthcare is such a massive industry with so many employees and users, it has become a central target for attackers. From wrongly configured servers and unsecured privileged accounts to phishing scams and messaging errors, healthcare organizations seem especially vulnerable.
Why are healthcare breaches so disturbing?
- The nature of the data breached: Medical records contain some of individuals’ most private information. This data can be extremely damaging when exploited by attackers.
- How easily healthcare organizations are breached: With so many non-technical employees open to attack, cyber criminals can often successfully intrude with little more than one phishing email.
How do you protect yourself or reduce the risk from this sort of incident?
Individuals: There is very little patients can do to prevent their medical records (scans, test results, diagnoses, etc.) or PII from being compromised in a healthcare breach. However, they can try to limit the information contained in their records. Patients can avoid providing their social security numbers whenever they are not required to do so and they can comb their medical records for unnecessary information.
Organizations: In an industry where such a large portion of employees have access to private information, it is crucial to only allow the appropriate individuals privileged access to this sensitive data. Adopting a privileged account management system with an emphasis on least privilege would prevent unsavvy employees from mishandling information that they should not be allowed to access.
Also, organizations can implement a cyber security education program to teach employees how to identify phishing emails or suspicious hyperlinks, and ensure they understand why they are vulnerable, what the cost of a breach is, and that cyber security is everyone’s responsibility.
Everyone should feel disturbed.
These breaches are unnerving in many ways. Two especially disturbing aspects of recent cyber breaches include:
- Breaches have been discovered by outside individuals or organizations, meaning the exposed companies not only could not block the attacks, but also failed to even detect them.
- The attacked companies confess to the breaches too late for anyone to react in time to properly limit the damage.
Fortunately, the exposed data of these breaches has usually only resulted in the theft of less sensitive information or credentials. Victims can still say, “Well, all they got was my username—my password was hashed.” or “So they got my password, I’ll just change it.”
But what happens one day when cyber attackers collaborate, and all this exposed data gets collated into a comprehensive database? Identity theft would be rampant. Malicious actors could know victims’ names, addresses, contact information, job and family location, credit card numbers and more.
Be cyber-aware and learn to protect yourself or your organization from the most disturbing of crimes.