How Data is Under Siege like Never Before
This Info Note provides insights on the latest incidents with exposure of personal data reported during the first quarter of 2018.
Published: April 05, 2018
Introduction
There has never been a moment in history with so many reports of personal data exposure as the one experienced lately. The number of incidents and the volume of data stolen recently reported reached unprecedented figures, causing serious concern to users and governments around the world. According to security researchers, the number of U.S. data breaches tracked in 2017 hit an all-time high of 1,579 (up ca. 45% compared with 2016), with an average of half a million records compromised every day. With the recently reported incidents at Equifax, Expedia (Orbitz data), Cambridge Analytica (Facebook data), Grindr, Under Armour (MyFitnessPal data) and Hudson's Bay brands (Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor), a new record could be set in 2018. The financial and reputational impact of these incidents is yet to be quantified: lawsuits and state and regulator penalties are still being filed, while share prices continue to drop for some of these organizations. This Info Note provides insights on the latest incidents with exposure of personal data reported during the first quarter of 2018.
Contextual Information
Figure 1 - Number of Data Breach Incidents Reported (2005-2017) - Data from idtheftcenter.org
During the first three months of 2018, the news media reported major incidents with the exposure of personal data from well-known companies, reaching ca. 390 million user accounts exposed. Many of the affected companies, whose business relies on the massive collection and processing of customers' personal data, are now under scrutiny for poor data protection practices and privacy policies. An independent organization qualified the Facebook and Grindr incidents as questionable data monetization practices rather than data breaches. However, the transfer of data to Cambridge Analytica[1], done without prior authorization from Facebook and users, constitutes a serious violation of data protection regulation.
Security researchers[2] estimate that ca. 60% of 2017 data breach incidents are attributed to external actors, mainly using phishing, ransomware and skimming methods. Of the remaining ca. 40%, unauthorized access and employee error (negligence, improper disposal and loss) account for the majority of incidents.
Major Incidents with Data Exposure in Q1, 2018
The following table draws a comparison between major incidents involving data exposure during the first quarter of 2018.
| | SAKS | Cambridge Analytica | EQUIFAX | UNDER ARMOUR |
|---|---|---|---|---|
| Sector | Retail | Services (political consulting) | Services (credit scoring) | Retail and Industry |
| Number of accounts | 5 million | 87 million | 148 million | 150 million |
| Data guardian | Own systems | | Own systems | MyFitnessPal app |
| Type of data | Credit card information | PII | Credit card information and PII | Passwords and PII |
| Type of breach | Cyberattack (PoS system) | Privacy policy abuse and illegal appropriation of data | Cyberattack exploiting a software vulnerability (Apache Struts) | Under investigation, no details revealed |
| Duration of the breach | May 2017 to March 2018 | March 2013 | May 2017 | From 2015 until disclosure |
| Incident disclosure | Security researcher (identified the CC info for sale on the dark web) | Whistle-blower (Facebook was aware of the incident but did not disclose) | Late disclosure by the company (reaction two months after identification) | Immediate, by the company |
| Disclosure date | March 2018 | March 2018 | First disclosure Sep 2017, last in Feb 2018 | March 2018 |
| User notification | Late (the company is taking long to notify customers) | Late (by Facebook) | Late | Immediate |
| Mitigation for users | Review CC statement for fraudulent transactions; introduce two-factor authentication in CC payments | Review privacy settings and access to personal data | Review CC statement for fraudulent transactions; introduce two-factor authentication in CC payments | Change password and review account for suspicious activity |
| Mitigation for the company | Demand vulnerability fix from PoS vendor | Adjust policies and introduce new privacy controls | Change system architecture, and introduce new security policies and practices | Fix the vulnerability and introduce new security policies |

Table 1 - Major incidents compromising personal data reported in Q1, 2018
Other data breach incidents reported in Q1, 2018
Public administration continues to be an attractive target for data thieves harvesting personally identifiable information (PII) such as national ID and social security numbers, similar to what is happening with personal health information (PHI) in the healthcare industry. Data breaches identified in the retail sector are on the rise, with Hudson's Bay (owner of the Saks brands), Sears Group (owner of the Sears and Kmart companies), Limoges Jewellery and Under Armour (MyFitnessPal app) targeted by cyber criminals for credit card information.
| Organization | Incident description | Type of data | # records |
|---|---|---|---|
| UTILITIES | | | |
| Haryana Power (India) | Ransomware attack | PII | 2,600,000 |
| GOVERNMENT | | | |
| Oregon Tax Agency (USA) | Inside threat | PII | 36,000 |
| Hawaii County (USA) | System failure | PII | 65,000 |
| Aadhaar System (India) | Software vulnerability | PII | Unknown |
| EDUCATION | | | |
| Pennsylvania PA (USA) | User error/software vulnerability | PII | 360,000 |
| | Data threat | PII | 1,200 |
| TELECOMMUNICATIONS | | | |
| Swisscom (Switzerland) | Data theft attack | PII | 800,000 |
| Bell Canada (Canada) | Data leak | PII, PFI | Unknown |
| DIGITAL SERVICES | | | |
| Orbitz (USA) | Security breach in legacy system | PII, PFI | 888,000 |
| Helsingin Uusyrityskeskus (Finland) | Web site vulnerability | PII | 130,000 |
| RETAIL | | | |
| Limoges Jewellery (USA) | Cloud misconfiguration | PII, PFI | 1,300,000 |
| Delta, Sears and Kmart (USA) | Software vulnerability | PII, PFI | Unknown |
| FOOD SERVICES | | | |
| Panera Bread (USA) | Outdated server | PII, PFI | Unknown |
| Sodexo (UK) | Software vulnerability (POS) | PII, PFI | Unknown |
| RMH Franchise (USA) | Malware | PII, PFI | Unknown |
| MEDICAL AND HEALTHCARE | | | |
| Telstra Health's Argus (Australia) | Software vulnerability | PHI | 40,000 |
| UnityPoint Health (USA) | Phishing attack | PHI | 16,000 |
| Inogen (USA) | Phishing attack | PHI | 30,000 |
| | Software vulnerability/user error | PHI | 280,00 |
| FINANCIAL | | | |
| Frost Bank (USA) | Software vulnerability | PII | Unknown |
| SunTrust Banks Inc (USA) | Inside threat | PII, PFI | 1,500,000 |
| OTHER | | | |
| Bongo (FedEx) (USA) | Cloud misconfiguration | PII | 119,000 |

Table 2 - Incidents compromising personal data reported in Q1, 2018
Type of Data Exposed
Figure 2- Number of accounts exposed per type of data, in incidents reported during Q1, 2018 (million users)
During the first quarter of 2018, PII and PHI accounted for the majority (ca. 62%) of the data exposed in the incidents reported. The long-lasting and high value of PII and PHI makes their exposure more serious, and more attractive to data thieves, than that of any other type of information. A single PHI file, for example, can yield a profit of up to $20,000. This is mainly because it can take weeks or months for a healthcare data breach to be discovered, enabling cybercriminals to extract much more valuable data. Moreover, because healthcare data can contain dates of birth and Social Security numbers, it is much more difficult or even impossible to change, so data thieves can take advantage of it for a longer period of time. Financial data can be easily monetized by cyber criminals despite its limited life span, and so represents lesser value on the black market: once notified, users can quickly cancel and replace the information.
Incident Disclosure and User Notification
Figure 3 - Number of accounts exposed per type of incident disclosure during Q1 2018 (million users)
During the first quarter of 2018, the number of incidents disclosed by the affected organizations matched the number disclosed by external entities. This reveals that many organizations still deliberately hide this information or unintentionally operate deficient systems. A noteworthy fact is that incidents involving payment information resulted in immediate disclosure and notification of affected users. Nevertheless, the majority of users (ca. 57%) were still not notified immediately, which is considered a serious violation of data protection policies. Under the upcoming General Data Protection Regulation (GDPR), data controllers should immediately notify personal data breaches to the competent authorities (Data Protection Authorities) and to the affected individuals.
Recommendations
In June 2016, ENISA produced an info note reviewing massive data breaches and providing recommendations to respond and limit the impact of such data breaches. These recommendations are still valid and applicable to the incidents reported today.
Summary of recommendations for users:
- Register with online services such as haveibeenpwned.com to look for evidence that personal data has been compromised by a data breach.
- Users with personal data exposed, when notified by data keepers or alerted by the media, should immediately change passwords and monitor accounts for fraudulent activity.
- In the event of a financial data breach, contact the financial institution and if necessary immediately cancel debit or credit cards.
- Regularly review the data privacy policy and user settings of subscribed online services.
- Do not re-use passwords.
- Use two-factor authentication.
Summary of recommendations for organizations (in line with EU GDPR):
- Adopt security and privacy by design in system, network architecture and software development.
- Maintain processes, controls and policies up-to-date.
- Promote internal awareness and change management.
- Implement data protection systems and processes such as access control, hashing and encryption.
- Assure immediate notification of data breaches to authorities, regulators and affected users.
- Review the requirements for personal data processing and transfer within and outside the organization.
- Define and establish an incident response process for data breaches.
Closing Remarks
The growing number of reported data breaches and the volume of data stolen do not necessarily mean that systems are becoming more insecure: affected organizations are operating more transparently and in a more timely manner, so consumers can be better informed about the immediate and long-term impacts of any given data breach on their personal information. Furthermore, the recent Cambridge Analytica/Facebook incident, with direct repercussions in U.S. and UK politics, and the forthcoming introduction of GDPR are drawing substantial public attention to the data protection topic. However, it is still uncertain whether all this awareness and regulation will produce tangible results in building a safe and trustworthy digital environment for the economy and society.
[1] ENISA - The Value of Personal Online Data - https://www.enisa.europa.eu/publications/info-notes/the-value-of-personal-online-data
[2] ITRC - Identity Theft Resource Center - https://www.idtheftcenter.org/Data-Breaches/data-breaches