What Can You Learn from 2018's Two Worst and Biggest Data Breaches?

Aarzu Khan
A full-time data scientist and a part-time industry analyst; still learning the power of effective presentation and a firm believer in the thought "Numbers are always magical". Loves to be in the network of people who 'know' how to respect their time and keep others engaged in meaningful activities.

With 5 billion records exposed in 6,515 data breaches in 2018, it was the second most active year for publicly reported breaches after 2017, reports Risk Based Security (RBS) in its Year End 2018 Data Breach QuickView Report.

Twelve of those breaches exposed more than 100 million records each. The web was the most common breach type, accounting for 39.3% of breaches, and the business sector accounted for 65.8% of the exposed records.

Two questions naturally follow from these facts:

  • What can one learn from these breaches?
  • What data security measures could have been practised to avoid them?

In this post, you’ll find answers to these and more such questions. You’ll learn about the mistakes that led to the top two breaches and how to avoid them.

India’s National ID [1.1 Billion Records]

Aadhaar — India's national ID database — contains identity information, including biometric data, for 1.1 billion registered Indians. Any organization registered with Aadhaar — Amazon and Uber, for example — can query its records to verify customers.

In March 2018, Karan Saini — a security researcher from New Delhi — found a vulnerability in Aadhaar that allowed anyone to access all the data in its database.

What was the problem?

  1. Indane — a state-owned utility provider — accessed and verified customers via an unsecured endpoint. That endpoint was leaking the data of every person with an Aadhaar, exposing their names, bank details, and more personal information.

    The only required input was an Aadhaar ID, which is just a 12-digit number. So the identity numbers could easily be enumerated, by guessing or by cycling through ranges such as 1234-5678-9001 to 1234-5678-9999, and each number that returned a response yielded a person's data.
  2. The endpoint did not just supply data about the utility provider's own customers, but about anyone with an Aadhaar. "It seems that everyone's information is available, with no authentication — no rate limit, nothing," posted ZDNet.
  3. "The Indian authorities did nothing for weeks to fix the flaw. ZDNet spent more than a month trying to contact Indane, and the Indian authorities — including … National Informatics Centre. Nobody responded to … emails," wrote ZDNet.

ZDNet even reached out to the Indian Consulate in New York, but after 2-3 weeks of explanation and follow-up emails, the vulnerability was still not fixed.


What could’ve been done?

  1. First of all, a production endpoint must be secured according to the data security measures and practices that industry standards prescribe. It must sit behind an authentication scheme, such as OAuth (Open Authorization) for REST APIs or Web Services Security (WS-Security) for SOAP APIs.

    If the endpoint is openly reachable from the Internet, it needs additional measures: transport encryption (such as TLS) and message signatures, as well as quotas and throttling so that a single caller cannot issue an unlimited number of requests. An API gateway is also helpful for analyzing and controlling incoming traffic.
  2. Then, an endpoint must return compartmentalized data. For example, an endpoint that serves student data from a school database must supply only student data; if it can supply teacher data as well, the endpoint is not compartmentalized.

    In this breach, an endpoint meant for one specific utility provider returned data about other providers' customers too. That allowed a malicious person to access far more data than would have been possible had the endpoint been compartmentalized.
  3. An organization must publicly provide the contact details of its security team or responsible department so that a vulnerability, or an active data leak or breach, can be reported. The responsible team must then be prompt at locating the actual problem and fixing the vulnerability once it knows about it.
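As an added illustration (not code from the article, from Indane or from UIDAI), the sketch below puts the leaky lookup pattern beside a hardened one that applies the three measures just listed: token authentication, a per-caller quota, and responses scoped to the calling provider's own customers. The record IDs, token values and provider names are constructed placeholders.

```python
import hmac
from collections import deque
# Constructed sample data (placeholder IDs, not real Aadhaar numbers): every
# customer record carries the utility provider ("tenant") it belongs to.
RECORDS = {
    "123456789001": {"name": "A. Example", "provider": "indane"},
    "123456789002": {"name": "B. Example", "provider": "other-utility"},
}
# Assumed per-provider API tokens; a real deployment issues these through an
# identity provider or API gateway rather than a dict in the code.
API_TOKENS = {"indane-token": "indane", "other-token": "other-utility"}

def lookup_insecure(customer_id):
    """The leaky pattern: no authentication, no quota, no tenant scoping."""
    return RECORDS.get(customer_id)

class RateLimiter:
    """Sliding-window quota: at most max_requests per caller per window."""
    def __init__(self, max_requests, window_seconds):
        self.max_requests, self.window, self.hits = max_requests, window_seconds, {}

    def allow(self, caller, now):
        q = self.hits.setdefault(caller, deque())
        while q and now - q[0] >= self.window:  # forget hits outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

def authenticate(token):
    """Constant-time token check; returns the caller's tenant or None."""
    for known, tenant in API_TOKENS.items():
        if hmac.compare_digest(known, token):
            return tenant
    return None

def lookup_secure(token, customer_id, limiter, now):
    """Hardened lookup: returns (http_status, body)."""
    tenant = authenticate(token)
    if tenant is None:
        return 401, {"error": "unauthorized"}
    if not limiter.allow(tenant, now):
        return 429, {"error": "rate limited"}
    record = RECORDS.get(customer_id)
    # Same 404 for "no such ID" and "another tenant's customer": no existence oracle.
    if record is None or record["provider"] != tenant:
        return 404, {"error": "not found"}
    return 200, {"name": record["name"]}
```

The quota here is keyed on the authenticated tenant; a gateway in front would additionally throttle unauthenticated callers by source address.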

Marriott Starwood [416.9 Million Records]

Marriott International is a multinational hospitality company that franchises and manages more than 6,500 hotels and lodging facilities worldwide.

In 2014, hackers gained access to the guest reservation system of Starwood. Marriott International purchased Starwood Hotels and Resorts in September 2016, but it was not until 10th September 2018 that the breach was noticed.

What was the problem?

  1. IBM Guardium — a database security solution — detected an anomaly in Starwood's reservation database, indicating that someone was tampering with it. So Marriott called in third-party experts to review the database in question.

    "Soon afterwards, malware on the Starwood IT systems was found: a Remote Access Trojan (RAT), which allows hackers to covertly access, surveil and gain control over a computer," posted Kate O'Flaherty on her blog on Forbes.

    Subsequent investigation made it clear that customer data had been breached and that two databases had been leaked — one containing passport information and the other holding guest data, including names, addresses, and credit card information.
  2. The Guardian reported: "The GDPR makes it clear that organisations must be accountable for the personal data they hold," said Elizabeth Denham, the information commissioner. "… include carrying out proper due diligence when making a corporate acquisition, and … proper accountability measures to assess not only what personal data has been acquired, but how it is protected."
  3. Marriott took a long time to reveal this breach: "Despite the fact it was found in September, disclosure did not occur until nearly three months later. It also failed to protect valuable customer information and the firm is already the subject of class action lawsuits that could cost it hugely," summarized Kate O'Flaherty.

What could’ve been done?

  1. Marriott should have exercised due diligence during the acquisition of Starwood by verifying the sensitive data and its security after the purchase. It could have migrated Starwood's data into its own data warehouse, or at least placed it under the security system that was already protecting Marriott's data.

    Then, it should have used encryption, tokenization, and other security measures, as it planned to do after the breach. "CEO Arne discussed Marriott's strategy moving forward. … Marriott will now rely on encryption and tokenization tools to secure all data they currently keep …," wrote Security Boulevard.
  2. An organization must inform its stakeholders about a security incident as soon as possible, and that includes informing customers if their data has been leaked. This serves two purposes. First, if customers learn about it quickly, they can secure their other accounts and related data; the longer disclosure is delayed, the more time an attacker has to exploit the leaked or stolen customer data for profit. For example, an attacker who obtains email IDs and passwords can use them to get into the victims' other online accounts. Second, prompt disclosure builds customers' trust in the company, because it was open and transparent about the breach.
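As an added illustration (not Marriott's or Starwood's code, and not from the article), the sketch below shows what tokenization buys a reservation database: the full card number lives only in a separate vault, and the reservation record keeps a random token plus the last four digits, so a dump of the reservation database exposes no card numbers. The vault design, the role name and the sample card number are assumptions.

```python
import secrets

# Constructed sample: a guest reservation the way a breached system might have
# stored it, with the full card number (PAN) inline. The PAN is a placeholder.
RESERVATION_RAW = {"guest": "C. Example", "pan": "4111111111111111", "expiry": "12/29"}

class TokenVault:
    """Maps opaque random tokens to card numbers. Only the vault holds PANs; in a
    real deployment it is a separately secured service (encrypted at rest, its
    own access controls and audit log), so tokens copied out of the reservation
    database are worthless without access to the vault."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}  # one token per card, so repeat guests match

    def tokenize(self, pan):
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token, caller_role):
        # Only the payment-processing path may recover a PAN (assumed role name).
        if caller_role != "payments":
            raise PermissionError("detokenization not permitted for " + caller_role)
        return self._pan_by_token[token]

def store_reservation(raw, vault):
    """Build the record the reservation DB keeps: token and last four digits, no PAN."""
    return {"guest": raw["guest"], "card_token": vault.tokenize(raw["pan"]),
            "card_last4": raw["pan"][-4:], "expiry": raw["expiry"]}

def exposes_pan(record, pan):
    """Would a dump of this record reveal the full card number?"""
    return any(pan in str(value) for value in record.values())
```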

