What Can You Learn from 2018’s Two Biggest and Worst Data Breaches?


With 5 billion records exposed in 6,515 data breaches in 2018, it was the second most active year for publicly reported breaches after 2017, reports Risk Based Security (RBS) in its Year End 2018 Data Breach QuickView Report.

Among these, 12 breaches exposed more than 100 million records each. The web was the top breach type, accounting for 39.3% of the breaches, and 65.8% of the exposed records came from the business sector.

Given these facts, two questions arise:

  • What can one learn from these breaches?
  • What data security measures could have been practised to avoid them?

In this post, you’ll find answers to these and more such questions. You’ll learn about the mistakes that led to the top two breaches and how to avoid them.

India’s National ID [1.1 Billion Records]

Aadhaar — India’s national ID database — contains identity information, including biometric data, for 1.1 billion registered Indians. Any organization registered with Aadhaar — Amazon and Uber, for example — can tap its records to verify customers.

In March 2018, Karan Saini — a security researcher from New Delhi — found a vulnerability in Aadhaar that allowed anyone to access all data in its database.

What was the problem?

  1. Indane — a state-owned utility provider — accessed and verified customers via an unsecured endpoint. It leaked the data of everyone with an Aadhaar, exposing names, bank details and other personal information.

    The only required input was an Aadhaar ID, which is just a 12-digit number. So the identity numbers could easily be enumerated, either by picking them at random or by cycling through combinations such as 1234-5678-9001 to 1234-5678-9999, and the endpoint called with each one — whenever it responded, the caller received a person’s data.
  2. The endpoint did not supply data only about the utility provider’s own customers but about anyone with an Aadhaar. “It seems that everyone’s information is available, with no authentication — no rate limit, nothing,” ZDNet reported.
  3. “The Indian authorities did nothing for weeks to fix the flaw. ZDNet spent more than a month trying to contact Indane, and the Indian authorities — including … National Informatics Centre. Nobody responded to … emails,” wrote ZDNet.

ZDNet even reached out to the Indian Consulate in New York, but after two to three weeks of explanation and follow-up emails, the vulnerability was still not fixed.


What could’ve been done?

  1. First of all, a production endpoint must be secured according to the data security measures and practices that are standard for its industry. It must also sit behind an authentication scheme, such as OAuth (Open Authorization) for REST APIs or Web Services Security (WS-Security) for SOAP APIs.

    If the endpoint is exposed to the Internet, it needs additional measures such as encryption (for example TLS) and signatures, as well as quotas and throttling. An API gateway also helps to analyze and control incoming traffic.
  2. An endpoint must return only compartmentalized data. For example, an endpoint meant to serve student records from a school database must supply only student data; if it can also return teachers’ data, it is not compartmentalized.

    In this breach, an endpoint belonging to one utility provider returned data belonging to other utility providers too, so a malicious person could access far more data than a compartmentalized endpoint would have allowed.
  3. An organization must publicly provide the contact details of its security team or the department concerned, so that a vulnerability, an active data leak or a breach can be reported. The responsible team must also be prompt at finding the root cause and fixing the vulnerability once it has been informed.
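As an added illustration (not code from the article or from any of the organizations it names), the following Python sketch applies the three controls listed above to a customer-verification endpoint: token authentication, per-token throttling, and scoping each provider to its own customers. Record values, tokens and limits are constructed for the example.

```python
import time
from typing import Callable, Dict, List, Tuple

# Constructed sample records (all values made up). Each record carries the
# utility provider allowed to see it, which is what makes scoping possible.
RECORDS: Dict[str, Dict[str, str]] = {
    "123456789001": {"name": "A. Kumar", "provider": "indane"},
    "123456789002": {"name": "B. Singh", "provider": "other-utility"},
}

# Constructed API tokens, each bound to exactly one provider (assumption).
TOKENS: Dict[str, str] = {"tok-indane": "indane", "tok-other": "other-utility"}

MAX_REQUESTS = 5        # requests allowed per token per window
WINDOW_SECONDS = 60.0   # sliding window length


class Gateway:
    """Stand-in for the checks an API gateway would apply in front of the
    verification endpoint: authenticate, throttle, then scope the lookup."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock                 # injectable for deterministic tests
        self._hits: Dict[str, List[float]] = {}

    def lookup(self, token: str, aadhaar_id: str) -> Tuple[int, object]:
        # 1. Authentication: a request without a known token gets nothing.
        provider = TOKENS.get(token)
        if provider is None:
            return 401, "authentication required"

        # 2. Throttling: count this token's requests inside the current window.
        now = self._clock()
        recent = [t for t in self._hits.get(token, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS:
            self._hits[token] = recent
            return 429, "rate limit exceeded"
        recent.append(now)
        self._hits[token] = recent

        # 3. Compartmentalization: only this provider's own customers are
        #    visible. "Not ours" and "does not exist" share one response, so the
        #    endpoint cannot be used to confirm which IDs are valid.
        record = RECORDS.get(aadhaar_id)
        if record is None or record["provider"] != provider:
            return 404, "no record"
        return 200, {"name": record["name"]}
```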

Marriott Starwood [416.9 Million Records]

Marriott International is a multinational hospitality company that franchises and manages more than 6,500 hotels and lodging facilities worldwide.

In 2014, hackers gained access to Starwood’s guest reservation system. Marriott International purchased Starwood Hotels and Resorts in September 2016, but it was not until 10 September 2018 that the breach was noticed.

What was the problem?

  1. IBM Guardium — a database security solution — detected an anomaly in Starwood’s reservation database, indicating that someone was tampering with it. Marriott brought in third-party experts to review the database in question.

    “Soon afterwards, malware on the Starwood IT systems was found: a Remote Access Trojan (RAT), which allows hackers to covertly access, surveil and gain control over a computer,” wrote Kate O’Flaherty on Forbes.

    Subsequent investigation confirmed that customer data had been breached: two databases were leaked, one containing passport information and the other guest data, including names, addresses and credit card information.
  2. The Guardian reported: “The GDPR makes it clear that organisations must be accountable for the personal data they hold,” said Elizabeth Denham, the information commissioner. “… include carrying out proper due diligence when making a corporate acquisition, and … proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”
  3. “Marriott took a long time to reveal this breach: despite the fact it was found in September, disclosure did not occur until nearly three months later. It also failed to protect valuable customer information and the firm is already the subject of class action lawsuits that could cost it hugely,” summarized Kate O’Flaherty.

What could’ve been done?

  1. Marriott should have exercised due diligence during the acquisition of Starwood by auditing the sensitive data it was acquiring and how that data was secured. It could have migrated Starwood’s data into its own data warehouse, or at least brought it under the same security controls that protected Marriott’s existing data.

    It should also have used encryption, tokenization and other security measures, as it planned to do after the breach. “CEO Arne discussed Marriott’s strategy moving forward. … Marriott will now rely on encryption and tokenization tools to secure all data they currently keep …,” wrote Security Boulevard.
  2. An organization must inform its stakeholders about a security incident as soon as possible, including the customers whose data has leaked. This serves two purposes. First, customers who learn of the breach quickly can secure their other accounts and related data; the longer disclosure takes, the more time an attacker has to exploit the leaked or stolen customer data for profit.

    For example, an attacker who obtains email addresses and passwords can try them against the victims’ other online accounts. Second, prompt disclosure builds customers’ trust in the company, because it was open and transparent about the breach.
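Tokenization, named above as Marriott’s post-breach plan, is illustrated by this added Python example (not Marriott’s or Starwood’s code): the reservation record keeps only a token, while the mapping back to the card number lives in a separate vault. The card numbers and the in-memory vault are constructed for the example; a production vault would be an encrypted, access-controlled store.

```python
import secrets


class TokenVault:
    """Constructed tokenization vault: maps card tokens to real card numbers.

    The guest-facing database never stores the PAN (primary account number),
    only the token, so a copy of that database yields no usable card data.
    Assumption: this in-memory dict stands in for a separately protected,
    encrypted store with its own access controls.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict = {}
        self._pan_to_token: dict = {}   # lets repeat bookings reuse one token

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 12 <= len(digits) <= 19:
            raise ValueError("not a card number")
        if digits in self._pan_to_token:
            return self._pan_to_token[digits]
        # Keep the last four digits for receipts; everything else is random,
        # so the token carries no information about the real PAN.
        while True:
            prefix = "".join(secrets.choice("0123456789")
                             for _ in range(len(digits) - 4))
            token = prefix + digits[-4:]
            if token != digits and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment process, which has vault access, resolves a token."""
        return self._token_to_pan[token]


def store_reservation(vault: TokenVault, guest: str, pan: str) -> dict:
    """What the reservation database holds for a booking: a token, never the PAN."""
    return {"guest": guest, "card_token": vault.tokenize(pan)}
```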

