A report from Risk Based Security found that 36 billion records were exposed globally in 2020. Let’s separate the wheat from the chaff and highlight five data breaches from this very strange year. A few themes recur throughout: poor security practices on the part of both companies and their customers, and the same handful of attack techniques, above all phishing and credential stuffing.
Twitter experienced its most severe hack in July, when several employees were duped by a phishing attack. Prominent accounts, including those of Barack Obama and Elon Musk, were compromised, and the attackers used them to post tweets promoting a bitcoin scam dressed up as a COVID-19 relief effort. Social engineering was the decisive factor: the attackers gained access to Twitter’s internal network and to specific employees’ credentials, which in turn gave them access to the internal support tools used to administer accounts.
One former senior Twitter employee criticised the company for its lack of preparation, stating that “The issue isn’t that someone got phished; it’s that once they got phished, the company should have had the right systems in place.”
Twitter’s share price fell by nearly 4% after the attack, highlighting the financial uncertainty and damage a breach can cause. In response, Twitter amended its internal practices and now requires all employees to use physical security keys for two-factor authentication. Hardware keys defeat the credential-phishing step, but the former employee’s point still stands: access to internal support tools should be tightly scoped and monitored, so that one phished account cannot act on any user. Large social media companies will remain particularly attractive targets because of the number of high-profile individuals on their platforms. In a volatile political climate where Twitter serves as a vessel for world leaders, it is important that its employees are well protected from outside threats.
The hotel chain Marriott International has been plagued by problems since it was breached in 2018, when up to 500 million guest records were exposed. A new breach, beginning in January 2020, affected around 5.2 million customers. The data was accessed by an unknown third party using the login credentials of two employees at a franchised hotel, a reminder that a single compromised staff account with access to a central guest database is all an attacker needs.
The way a company reacts to a data breach is just as important as trying to prevent one, and Marriott’s response to these two breaches is an interesting case study. Suffering two massive data breaches within a couple of years is negligent and careless. An investigation by Which? found that Marriott’s websites not only had the most vulnerabilities among the hotel chains surveyed but also the most critical issues, and this was after their most recent breach!
One interesting aspect is the reduction in the fines proposed by the ICO. In July 2019 the ICO announced an intention to fine Marriott £99m, but the final penalty was reduced to £18.4m. The same happened with British Airways, suggesting the COVID-19 pandemic played a role in the reductions. Perhaps the GDPR maximum of 4% of a company’s annual turnover is too severe a punishment in practice, and the ICO is finding it hard to make large fines for businesses a reality.
Zoom’s security procedures came under scrutiny because a large portion of the world’s workforce began using it from home during the pandemic. Hackers got hold of over 500,000 Zoom account credentials in 2020. This was not a break-in at Zoom itself: the credentials had been recycled from breaches of other services dating back to 2013, traded on the dark web, and then tested against Zoom logins (credential stuffing). That so many still worked suggests Zoom was not checking registered usernames and passwords against lists of known breached credentials, a control that NIST SP 800-63B recommends for any password-based login. The onus is on the company’s lack of preventative systems, but also on individual users and their habit of reusing the same passwords.
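As an added illustration, not part of the original article and not Zoom’s code, here is the kind of check a registration or password-change flow can run against a breached-password corpus. It follows the k-anonymity scheme used by the Pwned Passwords range API: the password is hashed with SHA-1, only the first five hex characters are sent to the service, and the returned bucket of hash suffixes is compared locally. The `lookup_range` function below is an offline stand-in that serves a small constructed corpus instead of calling the real endpoint, and the breach counts are invented for the example.

```python
import hashlib

def sha1_hex(password):
    """Upper-case hex SHA-1, the key format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breached-password corpus. The counts are made up
# for this example, not real Pwned Passwords figures.
BREACH_CORPUS = {
    sha1_hex("password"): 3730471,
    sha1_hex("123456"): 23597311,
    sha1_hex("Password1234"): 5,
}

def build_range_index(corpus):
    """The range API partitions the corpus by the first 5 hex chars of the hash;
    this index mirrors that partitioning so lookups can be served offline."""
    index = {}
    for digest, count in corpus.items():
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index

RANGE_INDEX = build_range_index(BREACH_CORPUS)

def lookup_range(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns the same text format the real API uses, one 'SUFFIX:COUNT' line per
    hash in the bucket, so only the 5-char prefix ever leaves this host."""
    rows = sorted(RANGE_INDEX.get(prefix.upper(), []))
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)

def breach_count(password):
    """How many times the password appears in the corpus (0 if never seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:  # the actual comparison happens locally
            return int(count)
    return 0

def check_new_password(password, min_length=12):
    """Policy for a registration / password-change form: reject short
    passwords, then anything previously breached. Returns (ok, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password)
    if seen:
        return False, f"found in {seen} known breaches"
    return True, "accepted"

if __name__ == "__main__":
    for candidate in ["password", "Password1234", "correct-horse-battery-staple-2020"]:
        print(candidate, "->", check_new_password(candidate))
```

The same check belongs at login time as well as at registration, because the corpus grows after an account is created: a password that was clean in 2015 may be in a 2019 dump, which is exactly how the recycled Zoom credentials came to work.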
As many as 300,000 Nintendo accounts were breached in 2020. Nintendo released a statement saying that login IDs and passwords had been “obtained illegally from other than our service by some other means”. The general consensus is that credential stuffing and phishing were used to take over accounts protected only by reused or weak passwords.
The lesson Nintendo’s customers learnt from the breach was the need for multi-factor authentication and for not reusing the same password across different accounts and services. There is only so much a company can do if its users don’t take the right precautions, although screening passwords against breach lists and spotting credential-stuffing traffic at the login endpoint are controls the company can apply regardless of user behaviour.
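As an added example, not from the article and not Nintendo’s code, the following is a minimal detector for the credential-stuffing pattern, run over a handful of constructed login log lines (the format `timestamp ip username result` and the addresses are invented for this illustration). The signal it keys on is what distinguishes stuffing from a user mistyping their own password: one source trying many distinct usernames in a short window with a low success rate. The thresholds are assumptions to be tuned per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of application login events, not real traffic.
# One source cycles through six usernames in seconds and lands one hit;
# a second source is a single user fumbling their own password.
SAMPLE_LOG = """\
2020-04-01T10:00:01Z 203.0.113.7 alice FAIL
2020-04-01T10:00:02Z 203.0.113.7 bob FAIL
2020-04-01T10:00:02Z 203.0.113.7 carol FAIL
2020-04-01T10:00:03Z 203.0.113.7 dave FAIL
2020-04-01T10:00:04Z 203.0.113.7 erin OK
2020-04-01T10:00:05Z 203.0.113.7 frank FAIL
2020-04-01T10:03:10Z 198.51.100.23 alice FAIL
2020-04-01T10:03:25Z 198.51.100.23 alice FAIL
2020-04-01T10:03:41Z 198.51.100.23 alice FAIL
2020-04-01T10:04:02Z 198.51.100.23 alice OK
"""

def parse_line(line):
    """'<ISO timestamp> <ip> <username> <OK|FAIL>' -> (datetime, ip, user, ok)."""
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user.lower(), result == "OK"

def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_rate=0.25):
    """Flag source IPs that, within any sliding window, attempted logins for
    at least min_distinct_users different accounts with a success rate at or
    below max_success_rate. Returns {ip: stats} for the worst window per IP."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, ip, user, ok = parse_line(line)
            by_ip[ip].append((when, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            rate = successes / len(span)
            if len(users) >= min_distinct_users and rate <= max_success_rate:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "successes": successes,
                        # Accounts that need a forced reset and a session revoke.
                        "compromised": sorted(u for _, u, ok in span if ok),
                    }
    return flagged

if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

Per-IP counting is the cheapest version of this check and stuffing campaigns spread across proxy networks will stay under any per-IP threshold, so the same windowed logic is normally also run per account (one username failing from many addresses) and fleet-wide (a spike in failures from networks no account has previously used). Whatever triggers, the accounts in `compromised` are the ones that need a password reset and session revocation, not just a blocked IP.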
In a year that was already tough for the airline industry, the cherry on top for EasyJet was the theft of the personal data of 9 million customers. EasyJet complied with GDPR and notified the ICO of the breach in January, but it failed to notify its customers for months. This lack of transparency was attributed to the highly sophisticated nature of the attack, which meant it “took time to understand the scope” of the breach. It invites comparison with Marriott’s lack of urgency in dealing with its 2018 breach. Such delay will be viewed as a lack of respect for customers.
The exposed customer email addresses may leave EasyJet customers vulnerable to phishing attacks in the future. This is especially true at a time when customers are cancelling flights and seeking refunds because of COVID-19: a fake “your refund is ready” message sent to a known EasyJet customer is exactly the pretext a phishing campaign would use.
What can be gleaned from these breaches is how successful credential stuffing and phishing continue to be. The reuse of weak passwords across multiple sites is still one of the biggest issues facing cybersecurity today. A culture of online security still isn’t taken seriously by businesses or the wider public, even though we are spending more time online than ever.