5 Significant Data Breaches of 2017 & How They Happened
In the last few years, data breaches have grown in frequency and complexity, emphasizing the role that information security and technology specialists play in helping companies protect their classified data as well as their customers’ personal information. When an organization suffers a critical data breach, the consequences can range from damage to the company’s financial stability to the ruin of its reputation in the marketplace. For those practicing or studying information security and assurance, examining the following massive data breaches of 2017 can help with understanding the vulnerabilities of hosting data collections on digital networks and improve one’s ability to develop effective cybersecurity solutions.
Association of British Travel Agents
The Association of British Travel Agents (ABTA) is the largest travel association in the United Kingdom, representing travel agents and tour operators for more than 65 years. The ABTA sees approximately €32 billion in business revenue each year, or the equivalent of nearly $36 billion U.S. dollars. With such high amounts of money flowing throughout the organization, cyber criminals have recently set their sights on the organization, working to discover any exploitable flaws in the ABTA’s information security network.
In late February 2017, hackers discovered a security flaw in ABTA’s web server. This gap in the company’s security defenses allowed unauthorized users access to the personal data of up to 43,000 people — most of whom were members and customers of the association. An estimated 1,000 of the files accessed included customers’ personal information submitted when filing a complaint about an ABTA member; another 650 files included the personal identification information of ABTA members, many of whom had registered through the association’s website.
As ABTA leadership became aware of the situation, the association notified the third-party vendor that manages the company’s website; the error was immediately fixed. ABTA also reported the incident to the police and the UK’s Information Commissioner, and hired risk consultants to assess the extent of the damage. Information technology professionals determined that the risk of fraud following the attack was low, as the majority of information acquired by hackers was only email addresses and names. Upon review by an information assurance solutions firm, it was determined that the breach could have been prevented with a stronger security foundation of the third-party database that maintained the web server which stored customer information.
CloudPets
In February 2017 a large leak of private customer information was discovered at CloudPets, a maker of smart toys that allow family and friends to record personal messages that can be transmitted to and replayed through network-enabled stuffed toys. The party that held the most responsibility for this breach was CloudPets itself, as they hadn’t properly secured their information assets and used only an unsecured MongoDB database to store customer login information.
Usually, the threat of customer login data being leaked can be restricted by effective password parameters and routinely audited data networks, but the database used by CloudPets required no authentication to access. This allowed hackers to easily obtain customer information (including email addresses, usernames, and birth dates) for more than 800,000 CloudPets user accounts. Upon further investigation of the incident by forensic information assurance teams, it was found that hackers also managed to steal thousands of private voice recordings between parents and their children, with plans to ransom the extremely sensitive information. Overall, this breach was possible due to the low emphasis Spiral Toys — CloudPets’ parent company — placed on password strength. As a result of this practice, hackers were able to easily hack a number of accounts by checking passwords against common terms like “abc”, “123”, and “cloudpets.”
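The weak-password point above, as an added example that is not part of the original article: a sign-up check that rejects passwords built from the common terms the article quotes, including padded or character-substituted variants. The denylist entries beyond those three terms, the two thresholds and the function name are assumptions made for illustration.

```python
# Constructed denylist: the first three terms are the ones quoted in the
# article; a production list would be far larger (e.g. breached passwords).
COMMON_TERMS = {"abc", "123", "cloudpets", "password", "qwerty", "letmein"}
MIN_LENGTH = 12    # assumed policy value, not taken from the article
MIN_RESIDUAL = 8   # assumed: characters that must remain once common terms are removed

# Undo common character substitutions so "Cl0udP3ts" is treated like "cloudpets".
LEET = str.maketrans("01$@3", "olsae")


def password_problems(password: str, username: str = "") -> list[str]:
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")

    terms = set(COMMON_TERMS)
    if len(username) >= 3:
        terms.add(username.lower())

    lowered = password.lower()
    for variant in (lowered, lowered.translate(LEET)):
        residual = variant
        # Remove longest terms first so "cloudpets123" reduces to nothing.
        for term in sorted(terms, key=len, reverse=True):
            residual = residual.replace(term, "")
        # Flag only when a common term was present and little else remains.
        if residual != variant and len(residual) < MIN_RESIDUAL:
            problems.append("built from common terms")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("abc", "cloudpets123", "Cl0udP3ts!2017",
                      "correct horse battery staple"):
        print(repr(candidate), password_problems(candidate) or "accepted")
```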
UNC Health Care
Nonprofit health care system UNC Health Care, which comprises hospitals and other healthcare affiliates throughout North Carolina, had to alert patients receiving prenatal care services of a potential breach in March 2017. The breach impacted up to 1,300 patients who had filled out pregnancy home risk screening forms during prenatal visits at the Women’s Clinic at the North Carolina Women’s Hospital and UNC Maternal-Fetal Medicine at Rex Hospital between April 2014 and February 2017. These forms are used to collect personal data from patients eligible for Medicaid and are shared with local health departments in the region to connect patients to support services. It was discovered that patients who were not Medicaid-eligible had their forms sent directly to their local county health departments in error. These forms contained sensitive information such as Social Security numbers and patients’ health history, including HIV status and any history of sexually transmitted diseases.
To fix the breach, UNC Health Care worked with county health departments and information technology specialists to purge any information from the county health departments’ computer systems and to collect and dispose of any paper forms that may have contained sensitive medical information. They also set up a call center with a toll-free number for patients who had questions or wanted more information about how they could best defend themselves from identity theft or fraud as a result of this incident. UNC Health Care also worked with IA specialists to offer free fraud resolution services for anyone whose identity was compromised or stolen as a result of the breach.
Verifone
In January 2017, Verifone, which manufactures credit and debit card terminals used in retail, taxis and gas stations, experienced a breach of its internal computer networks, the impact of which was felt by companies running Verifone’s point-of-sale terminal. Verifone said the breach was limited to just 24 gas stations and occurred over a short time period, thus they did not believe any other merchants’ payment terminals were affected.
Senior Vice President and Chief Information Officer of Verifone, Steve Horan, offered an excellent example of how information assurance professionals should react to large breaches, as his response was quick and helped limit the potential for the cyber criminals to exploit the information they had gotten access to. Horan sent an internal memo to all staff members and contractors alerting them of the breach and the subsequent steps that would be taken to alert customers, including a password change within 24 hours. In the event that a client failed to update his or her password, Horan triggered an additional email, forcing the password change. In addition, all new desktops and laptops were configured with limitations on end-user capabilities, meaning staff and contractors could no longer download additional software onto any company device without the permission of the IT Service Desk. Luckily, this breach was resolved before any of the data could be misused, though it did force Verifone to reassess the capacity of their information security standards.
Saks Fifth Avenue
In March 2017, the upscale department store Saks Fifth Avenue experienced a security breach in which tens of thousands of shoppers had their personal information made public online, including email addresses, IP addresses, phone numbers and codes of products they had expressed interest in purchasing. All of this stolen information was posted on unencrypted, plain text web pages and was visible via open WiFi networks.
Additional research conducted by IT professionals and analysts determined that the Saks website also had pages served on unencrypted connections, which increased the company’s vulnerability to hacking or data breaches and could have also exposed customers’ information. Once notified of the data breach, the management of Saks Fifth Avenue quickly shut down the pages that were vulnerable.
The above noted breaches of 2017 have collectively resulted in millions of users’ personal information being leaked online, bringing attention to the threats associated with the increased use of online platforms for payments, purchases, and delivery of services. In order to protect an organization’s data, as well as its customers’ information, information security and assurance experts need to keep abreast of industry trends and continually audit their systems to find any potential weaknesses in the technological infrastructure.