There are many things that no business wants to be famous for and the list of biggest IT security breaches is one of them. Yet, when you look at the companies that have been worst affected in the last five years, most are well-known businesses: Facebook, Microsoft, Marriott and Yahoo, to name a few.
Are there lessons to be learned from those breaches? There certainly are.
In many instances, however, it’s not about learning something completely new. It’s about making sure you haven’t overlooked or neglected something that you should have already done.
So let’s go through a few major data breaches and see what we can learn from them.
The breach: In 2019 it was revealed that more than 540 million Facebook user records had been exposed. The data had been collected through Facebook's platform by a third-party media company, Cultura Colectiva, and stored in cloud storage that was configured to allow anyone on the internet to download the files.
Once collected, the data sets were no longer under Facebook's control, and the third party responsible for securing them failed to store them safely.
Lesson: If you share data with an outside organisation, make sure its security practices meet your own standards, and verify that rather than assume it. For example, any copy of your data held in cloud storage should carry the same access restrictions your own policies require, and a bucket that grants anonymous read access is a misconfiguration you can detect automatically.
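The check that would have caught the exposure above can be scripted. The following is an added example, not code from Facebook, Cultura Colectiva or any cloud provider: it inspects an S3-style bucket policy document and an ACL grant list (both constructed inline for the demo; the bucket name, account ID and role name are invented) and reports any statement or grant that lets an anonymous principal list or download objects.

```python
"""Flag cloud storage buckets that grant anonymous read access.

Added example. Inputs are S3-style bucket policy documents and ACL grant
lists constructed inline; nothing here talks to a real cloud account.
"""
import json

# A policy statement whose Principal is either of these applies to everyone.
PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})
# ACL grantee URIs for "everyone" and "any authenticated account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let a principal discover or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_findings(policy_doc):
    """Return one finding per Allow statement that grants anonymous read."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        # A Condition (source IP, VPC endpoint, ...) narrows the statement;
        # flag those for manual review instead of calling them public.
        if stmt.get("Condition"):
            findings.append(f"review: public statement {stmt.get('Sid', '<no Sid>')} has a Condition")
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        public = sorted(actions & READ_ACTIONS)
        if public:
            findings.append(
                f"policy {stmt.get('Sid', '<no Sid>')}: anonymous "
                f"{', '.join(public)} on {_as_list(stmt.get('Resource'))}"
            )
    return findings


def acl_findings(grants):
    """Return one finding per ACL grant to the AllUsers/AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"acl: {group} has {grant.get('Permission')}")
    return findings


def is_public(policy_doc, grants):
    """True if either the policy or the ACL opens the bucket to the world."""
    return bool(policy_findings(policy_doc) or acl_findings(grants))


# Constructed sample inputs (invented bucket name, account ID and role).
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-analytics-export",
                     "arn:aws:s3:::example-analytics-export/*"],
    }],
}
LOCKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalyticsRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-analytics-export/*",
    }],
}
PUBLIC_ACL = [{"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]
PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    for name, policy, acl in (("exposed", EXPOSED_POLICY, PUBLIC_ACL),
                              ("locked", LOCKED_POLICY, PRIVATE_ACL)):
        print(name, "public" if is_public(policy, acl) else "private",
              policy_findings(policy) + acl_findings(acl))
```

Run it against every bucket you own, not just the ones you think hold sensitive data; the bucket in the Cultura Colectiva case belonged to a partner, which is exactly why the contract with an outside organisation should oblige them to run the same check and show you the result.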
The breach: A security breach in 2016 affected over 400 million users on the Friend Finder network, which included a number of adult-oriented social media sites.
The breach was attributed to a local file inclusion (LFI) vulnerability. An LFI flaw lets an attacker make the application read a file from elsewhere on the server and include it in the page it returns. That alone exposes configuration files and credentials, and if the attacker can get content of their own onto the server (an uploaded file, or text written into a log) and include that, it can be used to perform serious actions, including code execution.
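The shape of an LFI bug, and the fix, is easier to see in code than in prose. The following is an added example and is not code from the Friend Finder sites: it models a page that selects a template by a name taken from the request, shows the vulnerable version reading a file outside the template directory, and shows a hardened version that accepts only a bare identifier, adds the directory and extension itself, and confirms the resolved path still lies under the template root. The directory tree and the secret it contains are constructed in a temporary directory for the demo.

```python
"""Local file inclusion: the vulnerable pattern beside a hardened version.

Added example. make_fixture() builds <tmp>/templates/home.tpl and a
<tmp>/secret.txt one level up (constructed content) so both handlers can
be exercised offline.
"""
import os
import re
import tempfile

# The request may supply an identifier, never a path: letters, digits, _ and -.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def render_vulnerable(template_dir, name):
    # VULNERABLE: the request-controlled name is joined straight onto the
    # directory. "../secret.txt" walks out of it, and an absolute name makes
    # os.path.join discard template_dir entirely.
    with open(os.path.join(template_dir, name)) as fh:
        return fh.read()


def render_hardened(template_dir, name):
    # 1. Accept only a short identifier; anything with '.', '/' or '\' is out.
    if not SAFE_NAME.match(name):
        raise ValueError(f"rejected template name: {name!r}")
    # 2. The server, not the client, supplies the directory and extension.
    candidate = os.path.realpath(os.path.join(template_dir, name + ".tpl"))
    # 3. Resolve symlinks on both sides and confirm containment; this catches
    #    a symlink inside the directory that points somewhere else.
    root = os.path.realpath(template_dir)
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("template resolved outside the template directory")
    with open(candidate) as fh:
        return fh.read()


def make_fixture():
    """Create a throwaway tree and return the template directory path."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    template_dir = os.path.join(root, "templates")
    os.mkdir(template_dir)
    with open(os.path.join(template_dir, "home.tpl"), "w") as fh:
        fh.write("<h1>Welcome</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("DB_PASSWORD=constructed-example-secret")  # constructed value
    return template_dir


def demo():
    """Run both handlers against a legitimate name and a traversal attempt."""
    template_dir = make_fixture()
    results = {
        "vuln_legit": render_vulnerable(template_dir, "home.tpl"),
        "vuln_traversal": render_vulnerable(template_dir, "../secret.txt"),
        "hard_legit": render_hardened(template_dir, "home"),
    }
    try:
        results["hard_traversal"] = render_hardened(template_dir, "../secret")
    except ValueError as exc:
        results["hard_traversal"] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

The allowlist in step 1 does most of the work; the containment check in step 3 is defence in depth for the case where a later change lets richer names through, or where someone plants a symlink in the template directory.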
The breach: 885 million documents from insurance giant First American Financial were left exposed on publicly accessible web pages for years. They included bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, social security numbers and photos of driver's licences.
The company was the victim of an insecure direct object reference (IDOR). An IDOR exists when an application refers to stored data by an identifier the user can see and alter, such as a sequential number in a URL, and serves whatever that identifier points to without checking that the requester is entitled to it. Once a hacker has guessed the pattern, walking through everyone else's records is a matter of counting.
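The following is an added example, not code from First American's system. It uses a constructed in-memory document store with sequential identifiers, a vulnerable handler that trusts the identifier in the request, and a hardened handler that checks ownership and returns the same "not found" response for missing and foreign documents so that enumeration learns nothing. An enumeration routine runs against both to show the difference; the usernames and document titles are invented.

```python
"""IDOR: a guessable document identifier with no ownership check, and the fix.

Added example. DOCUMENTS is a constructed store standing in for a database of
customer records keyed by sequential ID.
"""

DOCUMENTS = {
    1001: {"owner": "alice", "title": "Mortgage application"},
    1002: {"owner": "bob", "title": "Wire transfer receipt"},
    1003: {"owner": "bob", "title": "Tax document"},
}


class NotFound(Exception):
    """Raised for a document the requester may not see or that does not exist."""


def get_document_vulnerable(doc_id, requesting_user):
    # VULNERABLE: the identifier in the URL is treated as proof of entitlement;
    # requesting_user is never consulted.
    try:
        return DOCUMENTS[doc_id]
    except KeyError:
        raise NotFound(doc_id) from None


def get_document_hardened(doc_id, requesting_user):
    doc = DOCUMENTS.get(doc_id)
    # Authorise on every request. Missing and foreign documents get the same
    # response so the error channel cannot be used to map which IDs exist.
    if doc is None or doc["owner"] != requesting_user:
        raise NotFound(doc_id)
    return doc


def enumerate_documents(handler, requesting_user, start, count):
    """What an attacker logged in as requesting_user learns by counting IDs."""
    found = {}
    for doc_id in range(start, start + count):
        try:
            found[doc_id] = handler(doc_id, requesting_user)["title"]
        except NotFound:
            continue
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_documents(get_document_vulnerable, "alice", 1000, 10))
    print("hardened:  ", enumerate_documents(get_document_hardened, "alice", 1000, 10))
```

Replacing sequential IDs with random tokens makes guessing impractical and is worth doing, but it is not a substitute for the ownership check: a token that leaks in a log or a referrer header still has to be refused when the wrong user presents it.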
The breach: In 2018, Marriott International revealed hackers had breached its Starwood reservation system and stolen the personal data of up to 500 million guests. Starwood had been acquired by Marriott two years prior, but the company continued to use the reservation system, unaware it had been breached by hackers before the takeover and infected with malware.
IT and security staff at Starwood were laid off following the acquisition, so Marriott was unaware of previous security concerns over the reservation system.
Lesson: Apply your security policies consistently across all systems, including those acquired through takeovers. An inherited system should be inventoried and assessed for existing compromise before it is connected to your network, and the people who know its history are worth keeping around long enough to tell you about it. Failure to do so leaves gaps an attacker may already be sitting in.