Thursday 2 July 2015

Lessons Learned: June 2015 Data Breaches

data breach, OPM, IRS, Zomato, Japan Pension Service, Houston Astros, LastPass, Kaspersky
Governments, restaurants, cybersecurity firms and even baseball teams made the cyberattack headlines this past June. The 10 data breaches below are recent examples of what to do (take any and all security precautions), what not to do (open phishy email attachments or recycle passwords) and just how bad a breach can be (OPM). Know of a data breach we missed? Add it in the comments below.
  • Employees who opened a phishing email attachment at the Japan Pension Service unleashed malware that exposed the personal data of 1.25 million people. Pension IDs and names were stolen for all of them; addresses and birth dates were also compromised for some.
  • Anand Prakash hacked into India-based restaurant search engine Zomato, accessing personal data such as private Instagram photos, to prove it could be done. Zomato fixed the flaw upon learning about it from Prakash, preventing any (known) wrongdoing.
  • IRS Commissioner John Koskinen testified after attackers accessed the tax information of 104,000 Americans. He attributed the breach largely to a lack of multifactor authentication, system updates and security upgrades, all of which had been recommended before the attack.
  • The (most likely) Chinese breach of the Office of Personnel Management has already been labeled one of the worst in United States history. The personnel files and background check information of up to 18 million current and former federal government employees and contractors were compromised, revealing a nearly endless supply of personal information: Social Security numbers, addresses, arrest and financial records, mental illness history, drug and alcohol use and more. If you’re hoping for a silver lining, here it is: the US has finally committed to serving all federal websites over HTTPS by default by the end of 2016.
  • Hackers used malware to steal credit card information from customers at Manhattan’s Eataly over a four-month period. Breaches of small retailers have become common, since their security tends to be relatively easy to penetrate, and they sometimes serve as a testing ground before attackers move on to larger targets. Point-of-sale breaches have become a growing problem in North America, where EMV chip-card technology has yet to catch up with the rest of the world.
  • Kaspersky Lab, the cybersecurity powerhouse, was breached by attackers seeking to learn how to infiltrate systems more surreptitiously. The attack showed that even Kaspersky is penetrable, but also that the company has a plan for such an event. A detailed report addressed user concerns: “Kaspersky Lab is confident that its clients and partners are safe and that there is no impact on the company’s products, technologies and services.”
  • Personal details in UK-based Brabantia’s customer database were compromised; the company assured customers that financial data such as bank account and credit card numbers were held by an external company and were therefore not exposed.
  • Data belonging to users of the password manager LastPass was compromised, even if the company stopped short of calling it a breach, in a much-needed reminder that proper precautions limit the damage when an intrusion does happen. In the words of LastPass: “Our security and processes worked as designed, and customer data was, and is, protected.”
  • Missing Link Networks Inc., a credit card processor and point-of-sale vendor most closely associated with California wineries, revealed that customer names, credit and debit card numbers, billing addresses and dates of birth were compromised for all transactions processed in April 2015. The breach prompted Missing Link Networks to move to tokenization so that it no longer stores card numbers itself.
  • Major League Baseball’s Houston Astros were breached by the St. Louis Cardinals, compromising internal database information on trades, statistics and scouting reports. The key to the success of this unsophisticated breach? General Manager Jeff Luhnow and other staff who had moved from the Cardinals to the Astros had used the same passwords in both offices.
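The tokenization mentioned in the Missing Link Networks item is worth seeing in code. The example below is added here and is not code from Missing Link Networks or any other company named above; it uses an in-memory dictionary as a stand-in for a vault service and a constructed test card number (the well-known 4111 1111 1111 1111 test PAN). The merchant side only ever stores the random token and the last four digits; the full card number lives in the vault, which is the only component left in scope for card-data protection.

```python
"""Illustrative card tokenization (added example, not vendor code).

The merchant database keeps an opaque token plus the last four digits.
The full PAN is held only by the vault, modelled here as an in-memory
dict; in production this is a separate, tightly access-controlled service.
"""
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12-19 digits")
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")
    return digits


def mask(pan: str) -> str:
    """Display form: everything but the last four digits replaced by '*'."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Maps random tokens to PANs. Tokens carry no information about the
    card: they are generated with secrets, not derived from the PAN."""

    def __init__(self):
        self._by_token = {}     # token -> PAN (assumed stand-in for the vault store)
        self._by_pan = {}       # PAN -> token, so a repeat card reuses its token

    def tokenize(self, pan: str) -> str:
        pan = normalize_pan(pan)
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            token = "tok_" + secrets.token_urlsafe(16)
            if token not in self._by_token:   # collision is practically impossible, but check anyway
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the component that actually settles the payment calls this."""
        return self._by_token[token]


def record_transaction(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant system stores per sale: no PAN, only token + last four."""
    digits = normalize_pan(pan)
    return {"token": vault.tokenize(digits), "last4": digits[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample input: the standard Visa test PAN, not a real card.
    sale = record_transaction(vault, "4111 1111 1111 1111", 42.00)
    print(sale)                       # contains tok_... and '1111', never the PAN
    print(mask("4111111111111111"))   # ************1111
```

A breach of the merchant database now yields tokens that are useless outside the vault; the attacker's target shifts to the vault and its detokenize path, which is why access to that call must be restricted to the settlement component and logged.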
