How Data is Under Siege like Never Before

This Info Note provides insights on the latest incidents with exposure of personal data reported during the first quarter of 2018.

Published
April 05, 2018

Introduction

There has never been a moment in history with so many reports of personal data exposure as the one experienced lately. The number of incidents and the volume of stolen data recently reported have reached unprecedented figures, causing serious concern to users and governments around the world. According to security researchers, the number of U.S. data breaches tracked in 2017 hit an all-time high of 1,579 (up ca. 45% compared with 2016), with an average of half a million records compromised every day. With the recently reported incidents of Equifax, Expedia (Orbitz data), Cambridge Analytica (Facebook data), Grindr, Under Armour (MyFitnessPal data) and Hudson's Bay brands (Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor), a new record could be set in 2018. The financial and reputational impact of these incidents is yet to be quantified: lawsuits and state and regulator penalties are still being filed, while share prices continue to drop for some of these organizations. This Info Note provides insights on the latest incidents with exposure of personal data reported during the first quarter of 2018.

Contextual Information

Figure 1 - Number of Data Breach Incidents Reported (2005-2017) - Data from idtheftcenter.org

During the first three months of 2018, the news media reported major incidents with the exposure of personal data from well-known companies, reaching ca. 390 million user accounts exposed. Many of the affected companies, which operate on massive collection and processing of customers' personal data, are now under scrutiny for poor data protection practices and privacy policies. An independent organization qualified the Facebook and Grindr incidents as questionable data monetization practices rather than data breaches. However, the transfer of data to Cambridge Analytica[1], done without prior authorization from Facebook and users, constitutes a serious violation of data protection regulation.

Security researchers[2] estimate that ca. 60% of 2017 data breach incidents are attributed to external authors mainly using phishing, ransomware and skimming methods. Of the remaining ca. 40%, unauthorized access and employee error (negligence, improper disposal and loss) account for the majority of incidents.

Major Incidents with Data Exposure in Q1, 2018

The following table draws a comparison between major incidents involving data exposure during the first quarter of 2018.

 

|  | SAKS | Cambridge Analytica | EQUIFAX | UNDER ARMOUR |
| --- | --- | --- | --- | --- |
| Sector: | Retail | Services (political consulting) | Services (credit scoring) | Retail and Industry |
| Number of accounts: | 5 million | 87 million | 148 million | 150 million |
| Data guardian: | Own systems | Facebook | Own systems | MyFitnessPal app |
| Type of data: | Credit card information | PII | Credit card information and PII | Passwords and PII |
| Type of breach: | Cyberattack (PoS system) | Privacy policy abuse and illegal appropriation of data | Cyberattack exploiting a software vulnerability (Apache Struts) | Under investigation, no details revealed |
| Duration of the breach: | May 2017 to March 2018 | March 2013 | May 2017 | From 2015 until disclosure |
| Incident disclosure: | Security researcher (identified the CC info for sale on the dark web) | Whistle-blower (Facebook was aware of the incident but did not disclose) | Late disclosure by the company (reaction two months after identification) | Immediate by the company |
| Disclosure date: | March 2018 | March 2018 | First disclosure Sep 2017, last in Feb 2018 | March 2018 |
| User notification: | Late (the company is taking long to notify customers) | Late (by Facebook) | Late | Immediate |
| Mitigation for users: | Review CC statement for fraudulent transactions. Introduce two-factor authentication in CC payments | Review privacy settings and access to personal data | Review CC statement for fraudulent transactions. Introduce two-factor authentication in CC payments | Change password and review account suspicious activity |
| Mitigation for the company: | Demand vulnerability fix from PoS vendor | Adjust policies and introduce new privacy controls | Change system architecture, and introduce new security policies and practices | Fix the vulnerability and introduce new security policies |

Table 1 - Major incidents compromising personal data reported in Q1, 2018

Other data breach incidents reported in Q1, 2018

Public administration continues to be an attractive target for data thieves seeking to harvest personally identifiable information (PII) such as national ID and social security numbers, similar to what is happening with personal health information (PHI) in the healthcare industry. Data breaches identified in the retail sector are on the rise, with Hudson's Bay (owner of Saks brands), Sears Group (owner of Sears and Kmart companies), Limoges Jewellery and Under Armour (MyFitnessPal app) targeted by cyber criminals for credit card information.

 

| Organization (country) | Incident description | Type of data | # records |
| --- | --- | --- | --- |
| UTILITIES |  |  |  |
| Haryana power (India) | Ransomware attack | PII | 2,600,000 |
| GOVERNMENT |  |  |  |
| Oregon Tax Agency (USA) | Inside threat | PII | 36,000 |
| Hawaii County (USA) | System failure | PII | 65,000 |
| Aadhaar System (India) | Software vulnerability | PII | Unknown |
| EDUCATION |  |  |  |
| Pennsylvania PA (USA) | User error/software vulnerability | PII | 360,000 |
| Irvington School District (USA) | Data threat | PII | 1,200 |
| TELECOMMUNICATIONS |  |  |  |
| Swisscom (Switzerland) | Data theft attack | PII | 800,000 |
| Bell Canada (Canada) | Data leak | PII, PFI | Unknown |
| DIGITAL SERVICES |  |  |  |
| Orbitz (USA) | Security breach in legacy system | PII, PFI | 888,000 |
| Helsingin Uusyrityskeskus (Finland) | Web site vulnerability | PII | 130,000 |
| RETAIL |  |  |  |
| Limoges Jewellery (USA) | Cloud misconfiguration | PII, PFI | 1,300,000 |
| Delta, Sears and Kmart (USA) | Software vulnerability | PII, PFI | Unknown |
| FOOD SERVICES |  |  |  |
| Panera Bread (USA) | Outdated server | PII, PFI | Unknown |
| Sodexo (UK) | Software vulnerability (POS) | PII, PFI | Unknown |
| RMH Franchise (USA) | Malware | PII, PFI | Unknown |
| MEDICAL AND HEALTHCARE |  |  |  |
| Telstra Health's Argus (Australia) | Software vulnerability | PHI | 40,000 |
| UnityPoint Health (USA) | Phishing attack | PHI | 16,000 |
| Inogen (USA) | Phishing attack | PHI | 30,000 |
| Oklahoma State University Center for Health Sciences (USA) | Software vulnerability/user error | PHI | 280,00 |
| FINANCIAL |  |  |  |
| Frost Bank (USA) | Software vulnerability | PII | Unknown |
| SunTrust Banks Inc (USA) | Inside threat | PII, PFI | 1,500,000 |
| OTHER |  |  |  |
| Bongo - FedEx (USA) | Cloud misconfiguration | PII | 119,000 |

Table 2 - Incidents compromising personal data reported in Q1, 2018

Type of Data Exposed

Figure 2 - Number of accounts exposed per type of data, in incidents reported during Q1, 2018 (million users)

During the first quarter of 2018, PII and PHI accounted for the majority (ca. 62%) of data exposed from the incidents reported. The long-lasting and high value of PII and PHI makes their exposure more serious, and more attractive for data thieves, than that of any other type of information. A single PHI file, for example, can yield a profit of up to $20,000. This is mainly because it can take weeks or months for a healthcare data breach to be discovered, enabling cybercriminals to extract much more valuable data. Moreover, because healthcare data can contain dates of birth and Social Security numbers, it is much more difficult or even impossible to change, so data thieves can take advantage of it for a longer period of time. Financial data can be easily monetized by cyber criminals despite its limited life span, which gives it lesser value in the black market: users, once notified, can quickly cancel and replace the information.

Incident Disclosure and User Notification

Figure 3 - Number of accounts exposed per type of incident disclosure during Q1 2018 (million users)

During the first quarter of 2018, the number of incidents disclosed by affected organizations matched the number disclosed by external entities. This reveals that many organizations still deliberately hide this information or unintentionally operate deficient systems. A noteworthy fact is that incidents involving payment information resulted in immediate disclosure and notification of affected users. Moreover, the majority of users (ca. 57%) were still not immediately notified, which is considered a serious violation of data protection policies. Under the upcoming General Data Protection Regulation (GDPR), data controllers should immediately notify personal data breaches to competent authorities (Data Protection Authorities) and affected individuals.

Recommendations

In June 2016, ENISA produced an info note reviewing massive data breaches and providing recommendations to respond and limit the impact of such data breaches. These recommendations are still valid and applicable to the incidents reported today.

Summary of recommendations for users:

  • Register with online services such as haveibeenpwned.com to look for evidence that personal data has been compromised by a data breach.
  • Users with personal data exposed, when notified by data keepers or alerted by the media, should immediately change passwords and monitor accounts for fraudulent activity.
  • In the event of a financial data breach, contact the financial institution and, if necessary, immediately cancel debit or credit cards.
  • Regularly review the data privacy policy and user settings of subscribed online services.
  • Do not re-use passwords.
  • Use two-factor authentication.

Summary of recommendations for organizations (in line with EU GDPR):

  • Adopt security and privacy by design in system, network architecture and software development.
  • Keep processes, controls and policies up to date.
  • Promote internal awareness and change management.
  • Implement data protection systems and processes such as access control, hashing and encryption.
  • Assure immediate notification of data breaches to authorities, regulators and affected users.
  • Review the requirements for personal data processing and transfer within and outside the organization.
  • Define and establish an incident response process for data breaches.

Closing Remarks

The growing number of reported data breaches and volume of data stolen does not necessarily mean that systems are becoming more insecure: affected organizations are operating in a more transparent and timely manner, so consumers can be better informed about the immediate and long-term impacts of any given data breach on their personal information. Furthermore, the recent Cambridge Analytica/Facebook incident, with direct repercussions in U.S. and UK politics, and the future introduction of GDPR are drawing substantial public attention to the data protection topic. However, it is still uncertain whether all the awareness and regulation will produce tangible results in building a safe and trustworthy digital environment for the economy and society.

[1] https://www.enisa.europa.eu/publications/info-notes/the-value-of-personal-online-data

[2] ITRC – Identity Theft Resource Center - https://www.idtheftcenter.org/Data-Breaches/data-breaches
