Happy Halloween - The Spooky Thirteen: The Scariest Breaches, Exploits, and Hacks in 2018.

Don’t be afraid of cyber security! The number of breaches and hacks in 2018 might seem scary, but security tools are advancing almost as quickly as threats, and maintaining a solid security posture is easier than ever. The following thirteen spooky hacks show what happens when security is ignored or not taken seriously enough, and how they could have been avoided.

March 2018 - Facebook - 87 Million Records Breached

When it became public that the political data firm Cambridge Analytica was collecting everyone’s Facebook information and then sharing it, a lot of people deleted their Facebook accounts. Facebook lost over $70 billion in the 10 days immediately following disclosure.

How could it have been avoided? Ironically, it has been pointed out that adhering to three clauses found in the GDPR regulations would have stopped the leak: Contractual Necessity, Consent, and Legitimate Interests. With the GDPR compliance baseline policies available in Microsoft Compliance Center, perhaps Facebook could have done a better job.

April 2018 - Panera Bread - 37 Million Records Breached

A bug or glitch was causing customer records to be transmitted in plain text, unencrypted and available to anyone with a decent script. Panera was told about this glitch by security researcher Dylan Houlihan in August 2017, but did nothing about it until the breach was publicized by Brian Krebs (Krebs on Security) nearly 8 months later.

How could it have been avoided? Obviously, nothing should ever be sent in plain text, but more importantly, respect bug reports. If a white hat tells you that you have a bug, you may want to listen and fix the bug right away rather than waiting until it is made public.

April 2018 - Saks Fifth Avenue - 5 Million Records Breached

Malware got into Saks’ servers and copied credit card transaction information as part of the hacks in 2018. This is one of the most common data breaches. In this case, while it wasn’t confirmed, it seems likely that employees of the chain were phished.

How could it have been avoided? Train all employees on how to detect and avoid phishing attacks, whether they’re broad-based or so-called “spear phishing” attacks aimed at a specific company or individual. Additionally, the Phishing Attack Simulator in Cloud App Security can be used to understand how your users will react to phishing attacks.

May 2018 - PumpUp - 6 Million Records Breached

Sometimes, stupidity is scary. Somebody left one of PumpUp’s backend servers completely unprotected. There was no password protection at all, meaning that anyone who stumbled on the URL could access users’ health information, Facebook access tokens and, in some cases, even credit cards.

How could it have been avoided? All the security tools in the world don’t mean a thing if you don’t even try. Don’t leave a server (or anything else for that matter) unprotected thinking people will never find it.

May 2018 - Coca-Cola - 8,000 Records Breached

Although this was a small one, it contains a frightening lesson. A former employee at one of their subsidiaries apparently filled up his personal external hard drive with information on his way out, violating the privacy of thousands of his co-workers.

How could it have been avoided? Let’s start with limited access: only give people access to the data they need. Use the security and compliance manager to identify unusual access to sensitive information, and to gain the ability to invalidate information even once it leaves your environment.

May 2018 - Ticketfly - 27 Million Records Breached

A hacker found a vulnerability on the Ticketfly website and tried to sell them a fix for one Bitcoin. When they refused to pay they got something scary - an image of V from V for Vendetta instead of their home page, along with the theft of thousands of user records and the need to shut down the service for over a day, causing tons of issues for venues that use the service to sell tickets.

How could it have been avoided? Patch your vulnerabilities quickly - had Ticketfly been more on the ball they could have closed the vulnerability before “V” was able to do anything. Even better, having a bug bounty policy would have had V on their team from the start, with clear explanations of how to report bugs and collect bounties. However, never pay ransoms. There is no guarantee that the hacker will return your data.

June 2018 - Exactis - 340 Million Records Breached

Oops. In June, Exactis, a market research firm, left one of their databases sitting on a server that was completely open to public access and discoverable via ElasticSearch. While the information did not include credit cards or social security info, it did contain marketing minutiae that would make it highly valuable for social engineering and spear phishing attacks. Over 400 variables are tracked in the database including: “whether the person smokes, their religion, whether they have dogs or cats, and interests such as scuba diving and plus-size apparel.”

How could it have been avoided? There is NO good reason to have personally identifiable information saved on an open server. Saying that strong password enforcement policies would have helped is setting the bar a bit high for this one.

July 2018 - NHS - 150,000 Records Breached

A coding error caused 150,000 patients who had opted out of national data sharing to be opted in. The issue occurred during the transfer of information between two systems: the first saved the opt-out information and sent it to the second, but the second system failed to register the setting.

How could it have been avoided? Pre-deployment testing and compliance policies would have identified the issue, and made it easy to fix. Instead, the NHS has now had to identify where the information was sent and individually ask each agency or organization to destroy the improperly shared data.
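The pre-deployment test the paragraph above calls for, as an added example that is not part of the original post. The record shape, the field names and the cause of the lost setting (an importer reading the wrong key and falling back to “sharing allowed”) are assumptions; the incident itself only tells us the receiving system failed to register the opt-out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Patient:
    nhs_id: str       # constructed identifier, not a real NHS number
    opted_out: bool   # True = patient refused national data sharing

def export_record(p: Patient) -> dict:
    """Sending system: serialise the consent setting for transfer."""
    return {"id": p.nhs_id, "national_opt_out": p.opted_out}

def import_record_buggy(msg: dict) -> Patient:
    """Receiving system as the incident describes it: the setting is never
    registered. Assumed cause for the demo: the flag is read under the wrong
    key, so the lookup silently falls back to 'sharing allowed'."""
    return Patient(msg["id"], bool(msg.get("opt_out", False)))

def import_record_fixed(msg: dict) -> Patient:
    """Fail closed: the key must match the export, and an absent flag means
    NOT shared rather than shared."""
    if "national_opt_out" not in msg:
        return Patient(msg["id"], True)
    return Patient(msg["id"], bool(msg["national_opt_out"]))

def transfer(source: list, importer) -> list:
    """Run the transfer end to end with the given receiving-side importer."""
    return [importer(export_record(p)) for p in source]

def consent_regressions(source: list, target: list) -> list:
    """Release gate: IDs of patients who opted out at the source but are
    marked as sharing at the target. The list must be empty before deploying."""
    target_by_id = {p.nhs_id: p for p in target}
    return [p.nhs_id for p in source
            if p.opted_out and not target_by_id[p.nhs_id].opted_out]

# Constructed sample: two patients opted out, one did not.
SAMPLE = [Patient("P001", True), Patient("P002", False), Patient("P003", True)]

if __name__ == "__main__":
    print(consent_regressions(SAMPLE, transfer(SAMPLE, import_record_buggy)))  # ['P001', 'P003']
    print(consent_regressions(SAMPLE, transfer(SAMPLE, import_record_fixed)))  # []
```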

July 2018 - UnityPoint Health - 1.4 Million Records Breached

Staff at UnityPoint Health fell for phishing attacks twice in 2018. In April, a phishing attack breached the data of 16,000 patients, and in July another phishing attack led to the breach of 1.4 million records. The hacker did not seem to be after health information, but was trying to steal vendor or payroll payments.

How could it have been avoided? The same way it was responded to: “UnityPoint reset the passwords on the compromised accounts, conducted mandatory phishing education for employees, added security tools to identify suspicious emails and implemented multi-factor authentication, officials said.” The lesson here is easy: don’t wait until you are attacked to make sure you have functional cyber security policies. At the very least, put them in place after the first attack, not the second.

August 2018 - Comcast - Potentially 26.5 Million Records Breached

Comcast isn’t always a popular company. But a pair of security issues took their customer trust to new lows. First, it was possible to gain access to Comcast’s customer portal by spoofing an IP address, then refreshing the login page that required the customer to select their home address. Since there was no limit set on attempts, a hacker could refresh the page a few times and correctly identify the home address that was present on each attempt. The second flaw was a sign-up page for Authorized Dealers (that’s Comcast agents at, say, Best Buy or another retail unit) that used the last four digits of somebody’s social security number as an access number. A hacker with the person’s billing address could brute force the page to find those digits of the customer’s social security number.

How could it have been avoided? First of all, don’t use people’s social security numbers for anything except those few things for which they are required. Second of all, always limit login attempts to prevent “brute force” attacks wherein a hacker just keeps trying until they get the right combination.
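Attempt limiting of the kind the paragraph above calls for, as an added example that is not part of the original post. The class, its thresholds (five failures per 15 minutes) and the injectable clock are assumptions for the demo; it guards a 4-digit code like the last-four-of-SSN field described above, and the last function shows how few guesses an unlimited page would otherwise have allowed before lockout.

```python
import hmac
import time
from collections import defaultdict

class AttemptLimiter:
    """Locks an account after MAX_FAILURES wrong answers inside WINDOW seconds.
    A 4-digit code has 10,000 possibilities; at 5 guesses per 15 minutes an
    exhaustive search needs about 2,000 windows (roughly three weeks), and
    every lockout is an alertable event for the defenders."""
    MAX_FAILURES = 5
    WINDOW = 15 * 60

    def __init__(self, clock=time.monotonic):
        self._clock = clock                  # injectable for tests
        self._failures = defaultdict(list)   # account -> failure timestamps

    def _recent_failures(self, account: str) -> list:
        cutoff = self._clock() - self.WINDOW
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]
        return self._failures[account]

    def is_locked(self, account: str) -> bool:
        return len(self._recent_failures(account)) >= self.MAX_FAILURES

    def verify(self, account: str, submitted: str, expected: str) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked account is refused
        before comparing, so a correct guess during lockout learns nothing."""
        if self.is_locked(account):
            return "locked"
        # constant-time comparison: no early exit that leaks matching prefixes
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._failures[account].clear()
            return "ok"
        self._failures[account].append(self._clock())
        return "denied"

def guesses_before_lockout(limiter: AttemptLimiter, account: str, expected: str):
    """Constructed demo: submit sequential 4-digit codes the way an unlimited
    page would accept them and report how many were actually checked."""
    checked, result = 0, "denied"
    for guess in range(10000):
        result = limiter.verify(account, f"{guess:04d}", expected)
        if result == "locked":
            break
        checked += 1
        if result == "ok":
            break
    return checked, result

if __name__ == "__main__":
    print(guesses_before_lockout(AttemptLimiter(), "cust-001", "4821"))  # (5, 'locked')
```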

September 2018 - Facebook - 50 Million Records Breached

Yes, Facebook again had hacks in 2018. Hackers managed to combine three vulnerabilities in the code, all of which had existed since July 2017, to allow them to gain unfettered access to 50 million (at least) accounts for what may have been an extended period of time. The hackers were able to log in as the users and access all of their histories on the platform.

How could it have been avoided? There is no real excuse for any company to leave known code vulnerabilities in place for over a year. Patch your vulnerabilities as soon as you discover them!

September 2018 - United Nations - Unknown Number of Records Breached

Just to prove absolutely anyone can screw up their cybersecurity: somebody at the United Nations managed to misconfigure their Trello and Google Docs accounts to set some very personal stuff viewable by “anyone with the link”. We’re talking file server credentials and language school video conferencing. The UN’s not alone: the UK and Canadian governments have also left their Trello boards “hanging out” in 2018.

How could it have been avoided? Proper user education is one step, but enforcing information privacy protections with Azure Security Center or Cloud App Security would have easily identified the publicly shared data.

September 2018 - NewEgg - 45 Million Credit Cards Stolen

The Magecart form-jacking malware has had a great year. In 2018, Magecart has been used to successfully steal information from British Airways, Ticketmaster, Feedify, ABS-CBN, Title Nine, Groopdealz, and Newegg. The credit card skimming attack is built to send payment information to unauthorized servers, and has been shrunk down to just 8 lines of code on compromised sites. Newegg’s website was compromised for over a month, from August 14 to September 18, and caused customers’ browsers to send the stolen card data to a spoofed server with a similar name.

How could it have been avoided? Magecart requires write access to a target site. Using Zero Trust Security policies such as conditional access and multi-factor authentication on accounts that have privileged access makes it harder to breach the site, but known vulnerabilities can also be used to gain access, meaning patching is imperative. Supply chain hacks are also a known attack vector. Once the skimming code is in place, traditional tools like Web Application Firewalls and data loss prevention systems are useless, as the visitor’s browser is executing the code and sending the data. Use of layered security and code tampering protection can also help minimize and identify attacks prior to customer impact.
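One form of the “code tampering protection” the paragraph above mentions, as an added example that is not part of the original post: pin each checkout script by its Subresource Integrity digest, and compare the live scripts against the approved digests from a monitor outside the site. The file paths and script contents are constructed for the demo.

```python
import base64
import hashlib

def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value, '<algo>-<base64 digest>': the format a
    browser accepts in <script integrity="..."> and uses to refuse a script
    whose bytes no longer match."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, content).digest()).decode()

def script_tag(src: str, content: bytes) -> str:
    """Emit a <script> tag whose integrity attribute pins the approved content."""
    return f'<script src="{src}" integrity="{sri_digest(content)}" crossorigin="anonymous"></script>'

def tamper_report(pinned: dict, deployed: dict) -> dict:
    """Compare live scripts with their approved digests. Returns a map of
    path -> 'modified' | 'missing' | 'unexpected'; an empty map means clean.
    Run it from a monitor that fetches the live pages: a WAF or DLP system
    never sees what the visitor's browser ends up executing."""
    findings = {}
    for path, digest in pinned.items():
        if path not in deployed:
            findings[path] = "missing"
        elif sri_digest(deployed[path]) != digest:
            findings[path] = "modified"
    for path in deployed.keys() - pinned.keys():
        findings[path] = "unexpected"
    return findings

# Constructed sample: the approved checkout script, then the same file with a
# line appended, standing in for an unauthorised change tacked onto a library.
CHECKOUT_JS = b"function pay(form){ return submitPayment(form); }\n"
TAMPERED_JS = CHECKOUT_JS + b"/* appended by an unauthorised change */\n"
PINNED = {"/static/checkout.js": sri_digest(CHECKOUT_JS)}

if __name__ == "__main__":
    print(script_tag("/static/checkout.js", CHECKOUT_JS))
    print(tamper_report(PINNED, {"/static/checkout.js": TAMPERED_JS}))  # {'/static/checkout.js': 'modified'}
```

SRI only protects scripts that the HTML pins, so an attacker who can edit the HTML itself can drop the attribute; the out-of-band `tamper_report` check is the part that still works in that case.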

Learn More About Hacks in 2018 and Avoiding them in 2019

And that’s only 13 of the numerous breaches this year. In a recent Tech Talk, Kevin Martins, Microsoft Security Architect, disclosed the following statistics while discussing phishing protection:

  • 300,000 phishing campaigns in first half of 2018
  • 8,000,000 Business Email Compromise attacks so far in 2018
  • 650,000 leaked accounts WITH credentials in 2018
  • 5 billion phishing emails blocked by Microsoft in 2018.
  • 44 million risk events (clicking on malicious links) in 2018.

Don’t wait until an attack puts you in the spotlight, or out of business. Make sure your cyber-security policies are prepared to deal with modern threats. Agile IT offers full Managed Security Services; for assistance, contact Agile IT today.
