There are many things that no business wants to be famous for and the list of biggest IT security breaches is one of them. Yet, when you look at the companies that have been worst affected in the last five years, most are well-known businesses: Facebook, Microsoft, Marriott and Yahoo, to name a few.
Are there lessons to be learned from those breaches? There certainly are.
In many instances, however, it’s not about learning something completely new. It’s about making sure you haven’t overlooked or neglected something that you should have already done.
So let’s go through a few major data breaches and see what we can learn from them.
The breach: In 2019, it was revealed that more than 540 million Facebook user records had been exposed when data collected by a third-party media company called Cultura Colectiva was stored in a configuration that allowed public download of the files.
The data sets collected using Facebook’s platform were no longer under Facebook’s control, and the third party responsible for the security of that data failed to store it securely.
Lesson: If you’re sharing data with an outside organisation, make sure its security policies conform to your own standards. For example, data being stored in the cloud should meet your security policies and rules.
The breach: A security breach in 2016 affected over 400 million users on the Friend Finder network, which included a number of adult-oriented social media sites.
The breach occurred due to a local file inclusion (LFI) vulnerability, which allows an attacker to include files located elsewhere on the server in the output of a given application. Such vulnerabilities can be used to perform serious actions, including code execution.
LFI is listed in the Open Web Application Security Project (OWASP) top 10 list of most critical web application vulnerabilities.
Lesson: Eliminate file inclusion vulnerabilities by never passing user-submitted input to any filesystem or framework API. Your security policy should prioritise where files are stored.
The breach: 885 million documents from insurance giant First American Financial were left exposed on publicly accessible web pages for years. They included bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, social security numbers and photos of driver's licences.
The company was the victim of an insecure direct object reference (IDOR), which occurs when a hacker can simply guess the pattern an application uses to refer to its stored data.
Most recently, in January 2021, controversial social media platform Parler fell victim to the same vulnerability when 99% of its public contents were archived by a hacker.
This is essentially an access control vulnerability.
Because it’s a design flaw, the best ways to find IDOR are code reviews and testing. Automated tools do not look for such flaws.
Lesson: To prevent IDOR, enforce access control policies so users cannot act outside their intended permissions, and use hash functions and hashed values in place of plain numbers or strings as references.
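To make the IDOR lesson concrete, here is an added example (not code from the original article or from any of the companies named) of a document lookup in the guessable-ID style beside a hardened version that checks ownership and exposes unguessable references. The document store, owner names and IDs are constructed for the example; the hashed references are produced with a keyed HMAC rather than a bare hash, because a plain hash of a small sequential number can itself be enumerated.

```python
import hmac
import hashlib
import secrets

# Constructed sample store: a document served by a guessable numeric key,
# the shape of the First American case described above. Values are made up.
DOCUMENTS = {
    1001: {"owner": "alice", "name": "mortgage-2019.pdf"},
    1002: {"owner": "bob", "name": "wire-receipt.pdf"},
}

class Forbidden(Exception):
    pass

def fetch_vulnerable(doc_id):
    # The IDOR flaw: the only input is a sequential ID and nothing ties the
    # request to the requesting user, so anyone can walk 1001, 1002, ...
    return DOCUMENTS[doc_id]

# Hardened lookup: (1) the caller's identity is checked against the record's
# owner before anything is returned; (2) externally visible references are
# keyed HMACs of the internal ID, so they cannot be enumerated by counting.
REFERENCE_KEY = secrets.token_bytes(32)  # per-deployment secret, generated at startup

def public_reference(doc_id):
    # HMAC, not a bare hash: sha256("1001") is guessable by anyone who can count.
    return hmac.new(REFERENCE_KEY, str(doc_id).encode(), hashlib.sha256).hexdigest()

def _resolve(reference):
    # Constant-time comparison per candidate; a real store would index this.
    for doc_id in DOCUMENTS:
        if hmac.compare_digest(public_reference(doc_id), reference):
            return doc_id
    return None

def fetch(user, reference):
    doc_id = _resolve(reference)
    # Unknown and not-owned look identical to the caller: no existence oracle.
    if doc_id is None or DOCUMENTS[doc_id]["owner"] != user:
        raise Forbidden("no such document for this user")
    return DOCUMENTS[doc_id]
```

The ownership check is the part that actually closes the hole; the opaque reference only removes the easy enumeration path and is not a substitute for it.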
The breach: In 2017, sensitive information on 143 million US consumers was exposed in a data breach at Equifax, one of the country’s three major credit reporting agencies.
Hackers accessed people’s names, social security numbers, birth dates, addresses and, in some instances, driver’s licence numbers. They also stole the credit card numbers of more than 200,000 people.
The cause of the breach was Equifax’s failure to apply a key security patch for a vulnerability in third-party software running on its servers.
Lesson: Your security policy should include automatic updates and patches across all systems, servers and devices.
The breach: In 2018, Marriott International revealed that hackers had breached its Starwood reservation system and stolen the personal data of up to 500 million guests. Starwood had been acquired by Marriott two years earlier, but the company continued to use the reservation system, unaware that it had been breached and infected with malware before the takeover.
IT and security staff at Starwood were laid off following the acquisition, so Marriott was unaware of previous security concerns over the reservation system.
Lesson: Ensure your security policies are applied consistently across all systems, including those acquired through takeovers. Failure to do so will create new vulnerabilities.