In 2017, the world experienced more data breaches than in any prior year. The numbers show 45% more breaches than in 2016. We’re already more than halfway through 2018 and the number of data breaches is ramping up. In a disturbing trend, this year has seen more third-party services being breached and customer data stolen from multiple companies in one go than ever before. Many of today’s data breaches occurred at the hands of cybercriminals who leveraged security issues with data storage, misconfigured security settings, and/or the overall lack of any security solution in place to protect data. This shows that attackers don’t even need to seek sophisticated and sneaky ways to steal data; often the data is simply left without protection. But if we look beyond the headlines and the resulting fines, the disturbing fact is that most of these breaches would have been preventable if companies had been diligent and prepared adequately. Let’s look at a few high-profile examples:
• January 8, 2018: Electronic toymaker VTech Technologies has reached a settlement with the FTC following a two-year investigation. The company will pay $650,000 as a result of a cyberattack that exposed the personal data of an estimated 6.4 million children worldwide. VTech had clearly failed to get verifiable parental consent before collecting children’s information including their name, gender, birth date and more.
Conclusion: In addition to not requiring parental consent, they failed to protect the data with reasonable security safeguards.
• February 15, 2018: Researchers from a security firm discovered the personal information of 119,000 FedEx customers sitting on an unsecured Amazon Web Services (AWS) cloud storage server. This information included passports, drivers’ licenses, names, home addresses, phone numbers and ZIP codes. This server came into FedEx’s possession as a result of their 2014 acquisition of Bongo International, and apparently got lost in the shuffle. It has since been secured.
Conclusion: This example goes to show the importance of tight security measures in the merger and acquisition process to prevent similar data breaches from occurring.
• March 29, 2018: In one of the largest cyberattacks on record, Under Armour announced that 150 million users of its fitness app, MyFitnessPal, had their information acquired by an unauthorized party. The data compromised in this breach included usernames, email addresses, and hashed passwords – the kind of information that can lead to identity theft. After making their announcement, shares of the company dropped 3.8 percent as investors reacted to the news.
Conclusion: Under Armour can expect a large fine for its failure to secure these records.
• April 20, 2018: SunTrust has experienced a data breach impacting 1.5 million clients. The Atlanta bank said a former employee is responsible for the data theft, which exposed customers’ names, addresses, phone numbers, and account balances. Because of the breach, SunTrust is offering identity protection for all of its customers at no cost.
Conclusion: Many companies usually ignore the possibility of internal employees being responsible for the loss of private information. It can be hard to scrutinize the people working daily to build up your organization, but data breaches coming from inside the business aren’t something to be taken lightly.
• May 12, 2018: The restaurant chain Chili’s has announced a data breach exposing customers’ credit and debit cards. Brinker International, which owns Chili’s, said that it believes hackers used malware to access guests’ payment card information. The company also stated that the incident occurred between March and April 2018. The number of customers affected is not yet known, but we will update this post as more details emerge.
Conclusion: Customers’ card details were used and stolen.
• June 3, 2018: Concert ticketing service Ticketfly announced a data breach impacting more than 26 million customer accounts. The company’s website is currently offline as a result of the cybersecurity incident. The stolen information included customer names, addresses, email addresses, and telephone numbers.
Conclusion: Their business was effectively taken offline instantly.
• June 11, 2018: In a hack of South Korean cryptocurrency firm Coinrail, hackers stole up to 30 percent of the coins from its storage – valued at approximately $37.2 million. News of this hack prompted the value of more popular cryptocurrencies, Bitcoin and Ethereum, to plummet. This brings the total to $1.1 billion worth of cryptocurrency that has been stolen so far this year.
Conclusion: Crypto hacks have become more frequent and have destabilized the market by creating panic. Investors do not have the safety cushion they were promised.
• July 10, 2018: If you shopped online at Macy’s between April 26 and June 12 of this year, expect a letter in the mail. The giant retailer is informing customers that a third party accessed their accounts, gaining access to names, phone numbers, email addresses, birth dates, and credit and debit card numbers with the expiration dates. This marks the latest in a string of massive retail data breaches, with no signs of slowing down.
Conclusion: Macy’s must provide protection services to consumers at no cost to them.
In all these examples, firms have failed to carry out an adequate security review that looks not just at the obvious areas, but also at the unseen risk areas that are created in the course of their business. Data breaches are on the rise for both retailers and other businesses. They are a real danger for both brands and customers, and they can affect a customer’s trust in brands. Despite the promise of advancements in fields like AI and machine learning, and despite the hope that we would learn from our mistakes and adhere to better practices in the future, it isn’t yet clear that those technologies, or our own marginally improved habits, will adequately defend us against increasingly sophisticated attacks. So, before any further hacking incidents can happen, it is always better to detect early signs of anomalies and threats within the system. Think Security. Think Ahead.