What Can You Learn from 2018’s Two Worst and Biggest Data Breaches?


With 5 billion records exposed in 6,515 data breaches in 2018, it was the second most active year for publicly reported breaches after 2017, according to Risk Based Security (RBS) in its Year End 2018 Data Breach QuickView Report.

Twelve of those breaches exposed 100 million or more records. The web was the top breach type, accounting for 39.3% of the breaches, and 65.8% of the exposed records came from the business sector.

So, after looking at these facts, two questions arise:

  • What can one learn from these breaches?
  • What data security measures could have been practised to avoid them?

In this post, you’ll find answers to these and more such questions. You’ll learn about the mistakes that led to the top two breaches and how to avoid them.

India’s National ID [1.1 Billion Records]

Aadhaar, India’s national ID database, contains identity information, including biometric data, for 1.1 billion registered Indians. Any organization registered with Aadhaar, such as Amazon or Uber, can tap its records to verify customers.

In March 2018, Karan Saini, a security researcher from New Delhi, found a vulnerability in Aadhaar that allowed anyone to access all the data in its database.

What was the problem?

  1. Indane, a state-owned utility provider, accessed and verified customers through an unsecured endpoint. It was leaking data on every person with an Aadhaar, exposing their names, bank details, and more personal information.

    The only required input was an Aadhaar ID, which is just a 12-digit number. So one can easily enumerate identity numbers by picking them at random or cycling through combinations like 1234-5678-9001 to 1234-5678-9999, then calling the endpoint with each one; if a response comes back, one gets that person’s data.
  2. The endpoint didn’t just supply data about the utility provider’s customers, but about anyone with an Aadhaar. “It seems that everyone’s information is available, with no authentication — no rate limit, nothing,” posted ZDNet.
  3. “The Indian authorities did nothing for weeks to fix the flaw. ZDNet spent more than a month trying to contact Indane, and the Indian authorities — including … National Informatics Centre. Nobody responded to … emails,” wrote ZDNet.

They even reached out to the Indian Consulate in New York, but after 2-3 weeks of explanation and follow-up emails, the vulnerability was still not fixed.


What could’ve been done?

  1. First of all, a production endpoint must be secured by following the data security measures and practices that industry standards prescribe. Then there must be an authentication scheme, such as OAuth (Open Authorization) for REST APIs and Web Services Security (WS-Security) for SOAP APIs.

    If it is openly connected to the Internet, it must have additional measures such as encryption in transit (TLS) and message signatures, as well as quotas and throttling. An API gateway is also helpful for analyzing and controlling incoming traffic.
  2. Then, an endpoint must return compartmentalized data; for example, an endpoint for student data from a school database must supply student data only. If it can supply teacher data as well, the endpoint is not compartmentalized.

    In this breach, an endpoint for one specific utility provider returned data belonging to other utility providers too. So it allowed a malicious person to access far more data than would have been possible if the endpoint had been compartmentalized.
  3. An organization must publicly provide the contact details of its security team or the responsible department so that a vulnerability or an active data leak or breach can be reported. Also, that team must be prompt at finding the actual problem and fixing the vulnerability once it knows about it.
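As an added illustration (not code from the original post or from any of the organizations named), the following Python sketch contrasts an open lookup like the one described above with one that applies the controls from this list: authentication, throttling, and compartmentalization by provider. Record, token and provider names are constructed sample values.

```python
"""Toy lookup endpoint modelled on the Indane/Aadhaar case: the open version returns any
record to any caller; the hardened version requires a token, throttles per caller and only
returns records that belong to the caller's own provider (compartmentalization).
All data below is constructed sample data, not real identity records."""
import time
from collections import defaultdict, deque

# Constructed sample records; each carries the provider entitled to see it.
RECORDS = {
    "123456789001": {"name": "A. Sample", "provider": "indane"},
    "123456789002": {"name": "B. Sample", "provider": "other-utility"},
}
# Constructed API tokens: token -> provider the caller belongs to.
TOKENS = {"tok-indane": "indane", "tok-other": "other-utility"}

RATE_LIMIT = 5          # requests allowed per caller ...
WINDOW_SECONDS = 60.0   # ... within this sliding window
_calls = defaultdict(deque)   # per-token timestamps of recent requests


def lookup_open(id_number):
    """The original flaw: no authentication, no rate limit, no scoping."""
    return RECORDS.get(id_number)


def lookup_hardened(token, id_number, now=None):
    """Returns (status, payload). Every failure is a distinct, loggable status."""
    now = time.monotonic() if now is None else now
    provider = TOKENS.get(token)
    if provider is None:
        return 401, None                      # unauthenticated caller
    window = _calls[token]
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()                      # drop requests outside the window
    if len(window) >= RATE_LIMIT:
        return 429, None                      # throttled: bulk enumeration becomes slow and visible
    window.append(now)                        # failed lookups count toward the limit too
    record = RECORDS.get(id_number)
    if record is None or record["provider"] != provider:
        return 404, None                      # same answer for "no record" and "not yours"
    return 200, {"name": record["name"]}      # minimal fields, never the whole record
```

Because a request for someone else's record is indistinguishable from a request for a nonexistent one, the response itself no longer confirms whether an ID is valid.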

Marriott Starwood [416.9 Million Records]

Marriott International is a multinational hospitality company that franchises and manages more than 6,500 hotels and lodging facilities worldwide.

In 2014, hackers gained access to the guest reservation system of Starwood. Marriott International purchased Starwood Hotels and Resorts in September 2016, but it was not until 10th September 2018 that the breach was noticed.

What was the problem?

  1. IBM Guardium, a database security solution, detected an anomaly in Starwood’s reservation database, indicating that someone was tampering with it. So Marriott called in third-party experts to review the database in question.

    “Soon afterwards, malware on the Starwood IT systems was found: a Remote Access Trojan (RAT), which allows hackers to covertly access, surveil and gain control over a computer,” posted Kate O’Flaherty on her Forbes blog.

    The subsequent investigation made it clear that customer data had been breached and that two databases had been leaked: one containing passport information and the other holding guest data, including names, addresses, and credit card information.
  2. The Guardian reported: “The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Elizabeth Denham, the information commissioner. “… include carrying out proper due diligence when making a corporate acquisition, and … proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”
  3. Marriott took a long time to reveal this breach: “Despite the fact it was found in September, disclosure did not occur until nearly three months later. It also failed to protect valuable customer information and the firm is already the subject of class action lawsuits that could cost it hugely,” summarized Kate O’Flaherty.

What could’ve been done?

  1. Marriott should have performed due diligence during the acquisition of Starwood by verifying the sensitive data and its security after the purchase. Perhaps it could have migrated Starwood’s data to its own data warehouse, or at least secured it with the security system that was protecting Marriott’s own data.

    Then, it should have used encryption, tokenization, and other security measures, as it planned to do after the breach. “CEO Arne discussed Marriott’s strategy moving forward. … Marriott will now rely on encryption and tokenization tools to secure all data they currently keep …,” wrote Security Boulevard.
  2. An organization must inform its stakeholders about a security incident as soon as possible, including the customers whose data was leaked. This serves two purposes. First, if customers learn about it quickly, they can secure their other accounts and related data; the longer disclosure is delayed, the more time an attacker has to use the leaked or stolen customer data for profit. For example, if an attacker obtains email IDs and passwords, he can use them to gain access to the victims’ other online accounts. Second, it builds customers’ trust in the company, because it was open and transparent about the data breach.
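To make the “encryption and tokenization” point above concrete, here is an added example (not Marriott’s or Security Boulevard’s code) of a minimal tokenization vault in Python: the reservation record stores only a random token and the last four digits, and only a caller named payment-service (a hypothetical service name) can map a token back to the card number. The card numbers used in testing are constructed Luhn-valid test values.

```python
"""Card tokenization as a data-at-rest control: the reservation database keeps only a
random token plus the last four digits, while the mapping to the real card number lives
in a separate vault that only the payment service may query. Any card numbers fed to
this code in examples are constructed test values that belong to no one."""
import secrets


def luhn_ok(pan):
    """Reject malformed input before it ever reaches the vault (Luhn mod-10 check)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                        # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    def __init__(self):
        self._pan_by_token = {}   # lives in the vault, never in the reservation DB
        self._token_by_pan = {}   # so the same card always maps to the same token

    def tokenize(self, pan):
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_hex(12)   # random; derives nothing from the PAN
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return self._token_by_pan[pan]

    def detokenize(self, token, caller):
        """Only the (hypothetical) payment-service may recover the PAN."""
        if caller != "payment-service":
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]


def make_reservation(vault, guest, pan):
    """What the reservation database actually stores: no full card number anywhere."""
    return {"guest": guest, "card_token": vault.tokenize(pan), "card_last4": pan[-4:]}
```

A leak of the reservation database then yields tokens that are useless without the separately guarded vault, which is the property Marriott was aiming for.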
