With 5 billion records exposed in 6,515 data breaches, 2018 was the second most active year for publicly reported breaches after 2017, according to Risk Based Security (RBS) in its Year End 2018 Data Breach QuickView Report.
Among those breaches, 12 exposed 100+ million records each. The web took the top spot for breach type, accounting for 39.3% of the breaches, and 65.8% of the exposed records came from the business sector.
Two questions arise from these facts:
- What can one learn from these breaches?
- What data security measures could have been practised to avoid them?
In this post, you’ll find answers to these and more such questions. You’ll learn about the mistakes that led to the top two breaches and how to avoid them.
India’s National ID [1.1 Billion Records]
Aadhaar — India’s national ID database — contains identity information, including biometric data, of 1.1 billion registered Indians. Any organization registered with Aadhaar — Amazon and Uber, for example — can tap its records to verify customers.
In March 2018, Karan Saini — a security researcher from New Delhi — found a vulnerability in Aadhaar that allowed anyone to access all data in its database.
What was the problem?
- Indane — a state-owned utility provider — accessed and verified customers via an unsecured endpoint. It was leaking the data of every person with an Aadhaar, exposing their names, bank details, and more personal information.
The only required input was an Aadhaar ID, which is just a 12-digit number. So, one can easily enumerate the identity numbers by picking them at random or cycling through combinations like 1234-5678-9001 to 1234-5678-9999 and calling the endpoint with each one; if the endpoint responds, it returns that person’s data.
- The target endpoint didn’t just supply data about the utility provider’s customers, but about anyone with an Aadhaar. “it seems that everyone’s information is available, with no authentication — no rate limit, nothing,” posted ZDNet.
- “the Indian authorities did nothing for weeks to fix the flaw. ZDNet spent more than a month trying to contact Indane, and the Indian authorities — including … National Informatics Centre. Nobody responded to … emails,” wrote ZDNet.
They even reached out to the Indian Consulate in New York, but after 2-3 weeks of explanation and follow-up emails, the vulnerability was still not fixed.
What could’ve been done?
- First of all, a production endpoint must be secured by following the data security measures and practices that the relevant industry standards require. Then, there must be an authentication scheme, such as OAuth (Open Authorization) for REST APIs and Web Services Security (WS-Security) for SOAP APIs.
If the endpoint is exposed to the public Internet, it must have additional measures such as transport encryption (TLS) and message signatures, as well as quotas and throttling. An API gateway is also helpful for analyzing and controlling incoming traffic.
- Then, an endpoint must return compartmentalized data. For example, an endpoint for students’ data from a school database must supply only student data; if it can supply teachers’ data as well, the endpoint is not compartmentalized.
In this breach, an endpoint for a specific utility provider returned data about other utility providers’ customers too. So, it allowed a malicious person to access far more data than would have been possible if the endpoint had been compartmentalized.
- An organization must publicly provide the contact details of its security team or the responsible department for reporting a vulnerability or an active data leak or breach. Also, that team or department must be prompt at finding the actual problem and fixing the vulnerability once informed of it.
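To make the three fixes above concrete, here is an added example (not code from the original post or from any of the systems it describes) that models the unauthenticated lookup pattern next to a hardened gateway which authenticates the calling provider, throttles it, and returns only that provider’s own customers. The record set, provider names, and API keys are constructed for the demonstration, and the lookup is modelled as a plain Python function rather than an HTTP handler.

```python
import hmac
import time
from dataclasses import dataclass, field

# Constructed sample data: a national-ID style directory plus the utility
# provider each person is a customer of. IDs, names and providers are made up.
RECORDS = {
    "123456789001": {"name": "A. Person", "provider": "indane"},
    "123456789002": {"name": "B. Person", "provider": "othergas"},
}
# Constructed client credentials: provider -> shared API key (assumption: bearer-style key).
API_KEYS = {"indane": "key-indane-demo", "othergas": "key-other-demo"}


def lookup_unauthenticated(national_id):
    """The pattern the post describes: any caller, any ID, no authentication, no limit."""
    return RECORDS.get(national_id)


@dataclass
class Gateway:
    """Hardened lookup: authenticate the caller, throttle it, and compartmentalize the data."""
    limit_per_window: int = 5
    window_seconds: float = 60.0
    _hits: dict = field(default_factory=dict)  # provider -> timestamps of recent requests

    def _allowed(self, provider, now):
        # Sliding-window quota: drop timestamps older than the window, then count.
        hits = [t for t in self._hits.get(provider, []) if now - t < self.window_seconds]
        hits.append(now)
        self._hits[provider] = hits
        return len(hits) <= self.limit_per_window

    def lookup(self, provider, api_key, national_id, now=None):
        now = time.monotonic() if now is None else now
        expected = API_KEYS.get(provider)
        # Constant-time key comparison; unknown provider or wrong key -> 401.
        if expected is None or not hmac.compare_digest(expected, api_key):
            return 401, None
        if not self._allowed(provider, now):
            return 429, None  # quota exceeded: cycling through IDs gets throttled
        record = RECORDS.get(national_id)
        # Compartmentalization: a provider may only see its own customers. Both
        # "no such ID" and "not your customer" answer 404, so the endpoint does not
        # become an oracle for which 12-digit numbers are valid IDs.
        if record is None or record["provider"] != provider:
            return 404, None
        return 200, {"name": record["name"]}
```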
Marriott Starwood [416.9 Million Records]
Marriott International is a multinational hospitality company that franchises and manages more than 6,500 hotels and lodging facilities worldwide.
In 2014, hackers gained access to the guest reservation system of Starwood. Marriott International purchased Starwood Hotels and Resorts in September 2016, but it was not until 10th September 2018 that the breach was noticed.
What was the problem?
- IBM Guardium — a database security solution — detected an anomaly in the Starwood reservation database, indicating that someone was tampering with it. So, Marriott called in third-party experts to review the database in question.
“Soon afterwards, malware on the Starwood IT systems was found: A Remote Access Trojan (RAT), which allows hackers to covertly access, surveil and gain control over a computer,” posted Kate O’Flaherty on her blog on Forbes.
Subsequent investigation made it clear that customer data had been breached. Two databases were leaked: one containing passport information and the other holding guest data, including names, addresses, and credit card information.
- The Guardian reported: “The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Elizabeth Denham, the information commissioner. “… include carrying out proper due diligence when making a corporate acquisition, and … proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”
- “Marriott took a long time to reveal this breach: Despite the fact it was found in September, disclosure did not occur until nearly three months later. It also failed to protect valuable customer information and the firm is already the subject of class action lawsuits that could cost it hugely,” summarized Kate O’Flaherty.
What could’ve been done?
- Marriott should have exercised due diligence during the acquisition of Starwood by verifying the sensitive data and its security after the purchase. It could have migrated Starwood’s data into its own data warehouse, or at least protected it with the security system that was already protecting Marriott’s data.
Then, they should have utilized encryption, tokenization, and other security measures as they planned it after the breach. “CEO Arne discussed Marriott’s strategy moving forward. … Marriott will now rely on encryption and tokenization tools to secure all data they currently keep …,” wrote Security Boulevard.
- An organization must inform stakeholders about a security incident as soon as possible, and that includes informing customers if their data has been leaked. It serves two purposes. First, if customers learn of it quickly, they can secure their other accounts or related data; the longer disclosure is delayed, the more time an attacker has to use the leaked or stolen customer data for profit.
For example, if an attacker obtains email IDs and passwords, they can use them to gain access to the victims’ other online accounts. Second, prompt disclosure builds customers’ trust in the company, since it was open and transparent about the data breach.
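The tokenization strategy mentioned for Marriott’s guest data above, as an added example (not code from the original post or from Marriott): a reservation database stores only a random token and the last four digits of a card, while the full card number lives in a separate vault that only a payments role may query. The vault, its role check, and the sample guest records are constructed for this demonstration; a production vault would also encrypt its store at rest.

```python
import hashlib
import hmac
import secrets


class CardVault:
    """Constructed tokenization vault: the only component that ever holds a full PAN.
    Assumption: it runs as a separate service with its own access control, modelled
    here as a check on the caller's role."""

    def __init__(self):
        self._by_token = {}           # token -> PAN (production: encrypted at rest, key in an HSM)
        self._by_fingerprint = {}     # keyed HMAC of PAN -> token, so the same card maps to one token
        self._mac_key = secrets.token_bytes(32)

    def _fingerprint(self, pan):
        # Keyed hash: without the key, a leaked fingerprint cannot be brute-forced back to a PAN.
        return hmac.new(self._mac_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13 to 19 digits")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        token = "tok_" + secrets.token_hex(16)  # random: carries no information about the PAN
        self._by_token[token] = pan
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token, caller_role):
        # Only the payment-processing role may recover a PAN; the reservation app never can.
        if caller_role != "payments":
            raise PermissionError("role %r may not detokenize" % caller_role)
        return self._by_token[token]


def store_reservation(vault, guest_db, guest_name, pan):
    """What the reservation database keeps: a token and last four digits, never the PAN."""
    token = vault.tokenize(pan)
    guest_db[guest_name] = {"card_token": token, "card_last4": pan[-4:]}
    return token


def full_pans_in(guest_db):
    """Simulate an attacker dumping the guest database: list any full card numbers it contains."""
    return [v for rec in guest_db.values() for v in rec.values() if v.isdigit() and len(v) >= 13]
```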