Data security is a pressing concern for customers and companies alike. Many people access services and share their data through public cloud providers. While companies try to protect vital data in private cloud deployments, they still find themselves targeted by DDoS attacks and other methods used to bring down their networks.
Despite businesses around the world spending more than $114 billion on cybersecurity in 2018 (up 12.4% from the previous year), security breaches remain an ongoing risk. Data centers play a major role in this effort, providing multiple layers of digital and physical security to protect valuable information. For the most part, companies do a good job of safeguarding customer data, but when major breaches do occur, they usually make correspondingly big headlines.
When Marriott International acquired the Starwood hotel brands in 2016, they didn’t realize they were getting a lot more than they bargained for. It turns out that a Chinese intelligence group looking to gather data on US citizens had breached Starwood’s systems as far back as 2014. By the time the breach was exposed in November of 2018, approximately 500 million guests may have been affected. For most of those guests, the attackers likely obtained some combination of contact and passport information, Starwood Guest numbers, and other personal data. Marriott estimates that the credit card information of more than 100 million customers may have been exposed, but they were unsure if the attackers could decrypt the data.
2018 was a bad year for Facebook’s public image. In March, news broke that a political data firm called Cambridge Analytica had collected personal data on 50 million Facebook users without their knowledge or consent, which it then used to target voters with political ads. A month later, Facebook announced that the number of users affected was closer to 87 million, most of them in the US. The controversy forced CEO Mark Zuckerberg to testify before Congress to explain what happened.
But that was just the beginning. In September, news broke that a security issue could have allowed attackers to view every aspect of a user’s profile, potentially even private messages. Facebook responded by logging out 90 million users as part of the vulnerability patch. Of those 90 million, about 50 million were known to be affected and another 40 million might have been. Coming on the heels of the Cambridge Analytica scandal, the breach left Facebook facing the potential of further government investigation both in the US and the EU (where the new GDPR privacy law imposes an extra level of scrutiny on tech companies).
From December 2014 to January 2015, a cyberattack on the health insurance company Anthem exposed the personal information of some 80 million patients and employees. The compromised information included names, Social Security numbers, email addresses, employment data, and income data. The breach constituted a violation of HIPAA law, which protects patient health information. Anthem paid a $16 million fine to the Office of Civil Rights in October of 2018, the largest health data breach settlement in US history.
In July of 2017, Equifax, one of the largest credit bureaus in the US, detected unauthorized access into their systems through a website application vulnerability. The breach exposed information on more than 147 million customers. According to Equifax’s investigation, the breach began in May of that year, allowing access to Social Security numbers, birth dates, driver’s license numbers, and, in about 200,000 cases, credit card data. The company launched a new (hopefully secure) website to provide information to anyone affected and offered to monitor credit usage to guard against fraud. Costs related to the breach are believed to have totaled $275 million.
Equifax also promised to contact customers by USPS mail to offer additional services and compensation. This probably seemed like a good idea at the time…
In 2017, an anonymous researcher contacted the USPS to inform them of a security weakness that would have allowed anyone with a usps.com account to view and possibly modify account details for 60 million other users.
The government agency promptly addressed the issue…one year later.
Unlike many security flaws that would have required some hacking skills, the USPS vulnerability could be exploited by anyone who knew how to view and modify data elements within a regular web browser. Not only could people view real-time data about deliveries, they could also query the system to find email addresses, usernames, account numbers, and street addresses of any other users. While a validation step prevented unauthorized changes to user data, the vulnerability could have been invaluable for spammers and spear phishers. Although the USPS did address the issue, it remains unclear how many users may have been affected or why the earlier warning about the vulnerability went unheeded for over a year.
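The class of flaw described above, a record lookup that never checks whether the requesting user owns the record, shown beside a hardened version and a simple log check that flags sessions sweeping through account numbers. This is an added example, not code from the article or from USPS; the account records, log records and function names are constructed for illustration.

```python
# Added example (not from the original article): object-level authorization
# for an account lookup, plus a detector for account-id enumeration.
# All accounts and log records below are constructed sample data.
from collections import defaultdict

# Constructed "database": account id -> owner username and details.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.com", "street": "1 Main St"},
    1002: {"owner": "bob",   "email": "bob@example.com",   "street": "2 Oak Ave"},
    1003: {"owner": "carol", "email": "carol@example.com", "street": "3 Elm Rd"},
}


def lookup_vulnerable(session_user, account_id):
    """The flaw pattern: any logged-in user receives any account's details,
    because the requester's identity is never compared to the record owner."""
    return ACCOUNTS.get(account_id)


def lookup_hardened(session_user, account_id):
    """Return the record only if the session user owns it, otherwise None.
    Using the same response for 'does not exist' and 'not yours' also avoids
    confirming which account ids are valid."""
    rec = ACCOUNTS.get(account_id)
    if rec is None or rec["owner"] != session_user:
        return None
    return rec


def enumeration_suspects(log_records, threshold=3):
    """Flag sessions that queried more than `threshold` distinct account ids.
    log_records: iterable of (session_user, account_id, allowed) tuples, the
    kind of record an access log for the lookup endpoint would hold."""
    ids_by_user = defaultdict(set)
    for user, account_id, _allowed in log_records:
        ids_by_user[user].add(account_id)
    return sorted(u for u, ids in ids_by_user.items() if len(ids) > threshold)


# Constructed access log: alice views her own account, bob sweeps four ids.
SAMPLE_LOG = [
    ("alice", 1001, True),
    ("bob", 1001, False),
    ("bob", 1002, True),
    ("bob", 1003, False),
    ("bob", 1004, False),
]
```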
As more personal data is shared over online services, the potential for data breaches will undoubtedly increase in the coming years. Companies must learn from the mistakes that led to previous breaches in order to formulate new cybersecurity strategies that will better protect their customers and their business.