A royal wedding, the UK’s joint hottest summer on record and England reaching the semi-finals of the World Cup, what a year we have had… and let us not forget, the all-important implementation of the GDPR in May.
As the new year draws nearer, we take this time to reflect on the past twelve months, in particular, the cyber security industry and it’s headline-hitting news stories. As cyber security continues to grow mainstream, more and more organisations become targeted on a daily basis. Take a read to find out more about twelve of the most significant cyber security stories of 2018.
Facebook has become a household name across the globe, however, this September they hit the headlines for the wrong reasons when they suffered a data breach where 50 million of its users were left exposed by a security flaw.
The attackers used a vulnerability in the ‘View As’ feature to gain control of users accounts. The breach could have been worse than what Facebook originally said, in that the attackers may have been able to access other people’s accounts that are integrated with Facebook’s system such as Airbnb and Tinder.
Founder of Facebook Mark Zuckerberg said, “People’s privacy and security is incredibly important, and we’re sorry this happened.”
Find out more here.
With a customer base serving more than 230 million people a year, Ticketmaster confirmed that around 5% of their customers could have been affected in a data breach for anyone who purchased tickets using their website between February and June 2018.
The breach involved malicious software being used to steal people’s names, addresses, email addresses, phone numbers, payment details and Ticketmaster login details. Customers of two other UK websites owned by Ticketmaster, TicketWeb and Get Me In!, we’re also affected.
3. British Airways
British Airways hit rough turbulence when payment details for over 380,000 of its customers were stolen in September. There’s never a good time to be the victim of a cyber attack, but what made matters worse for BA was that they were only just recovering from an IT issue in June which cost them an estimated £58 million. Ouch!
We covered the full story here.
4. Under Armour
On the 25th March, sportswear manufacturers, Under Armour, found out that hackers had gained unauthorised access to MyFitnessPal, an application that tracks users’ diet and exercise activity. Up to 150 million MyFitnessPal users’ details were compromised including names, emails and passwords.
Payment details were not exposed as Under Armour process this information separately. Under Armour bought the MyFitnessPal fitness application in 2015 for an estimated $475 million.
Cybercriminals were able to steal data from over 2.7 million UK Uber customers, including names, addresses and phone numbers from 2016.
Details of both the customers and drivers details were not told about the breach until a year later, with Uber paying the attackers $100,000 to destroy the data in an attempt to cover up the violation.
Two years on from there breach, and Uber were fined £385,000 by the Information Commissioner’s Office, along with £532,000 by data regulators in Holland, where customers were also affected.
Take a read of our blog to find out what we can learn from the Uber hack.
In March, FIFA experienced their second breach in just two years. Reports show that the breach occurred through a phishing email which a FIFA employee fell victim to – allowing the hackers to gain access to their system.
Hackers are believed to have used the phishing email to gain access to confidential data, which they then leaked to Football Leaks, a website that became well known back in 2015 after it started publishing internal FIFA documents revealing the ‘dodgy deals’ of the football player market.
The Marriott hotel said that an unauthorised party had compromised their guest reservation database of its Starwood division and that they discovered the breach because they were notified by an internal security tool that had detected somebody trying to access their Starwood database. After investigating this, they found that an “unauthorised party had copied and encrypted information.”
An internal investigation found that the attacker had been able to access the network since 2014. This data breach affected up to 500 million victims and included name, address, phone number, email, gender, date of birth, arrival/departure information and passport numbers. Some records included encrypted car information, but it is possible that the encryption keys had also been stolen.
Between the 15th and 19th of October, Eurostar experienced an ‘unauthorised automated attempt to access customer accounts’. They said that no card details were stolen as they ‘deliberately’ never store card information. Emails were sent to customers saying:
“We’ve since carried out an investigation which shows that your account was logged into between the 15th and 19th October. If you didn’t log in during this period, there’s a possibility your account was accessed by this unauthorised attempt.”
9. Dixons Carphone
One of the most significant cyber stories of 2018 was Dixon Carphone announcing a breach from July 2017 that affected 5.9 million payment cards and 10 million personal data records, nearly 9 million more than the first estimated figure of 1.2 million.
Luckily for Dixons, the breach happened before the implementation of the GDPR in May meaning they avoided much larger fines, but reputational damage was still heavily impacted.
Dixons Carphone Chief Executive Alex Baldock said, “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right.”That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.”
On the 20th August, T-Mobile US systems were hacked with the organisation confirming that around two million of its customers had been affected.
“You should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid),” the carrier told its subscribers.
According to the company, additional sensitive information such as financial data, social security numbers and passwords were not compromised. T-Mobile notified all of its customers about the breach via a text message.
Global delivery firm FedEx delivered bad news to its customers when they found that they had left customer records on an unsecured Amazon S3 server.
The server contained around 100,000 files including numerous scanned documents from people scattered across the globe, including citizens of the US, Mexico, Saudi Arabia and many other countries.
On the 28th of June, Adidas announced that their US website had suffered a data breach exposing customers’ data, such as contact information, usernames and encrypted passwords.
The German sportswear suppliers said, “Adidas became aware that an unauthorised party claims to have acquired limited data associated with certain Adidas consumers. Adidas is committed to the privacy and security of its consumers’ data. Adidas immediately began taking steps to determine the scope of the issue and to alert relevant consumers.”
They complied with the new GDPR requirements and reported the incident within the 72-hour time frame, notifying affected customers, telling them to change their passwords and check their bank statements.
The list goes on and on, but one of the most significant learning points from all these stories is that organisations are now targeted irrelevant of industry, size or location and that it is now definitely a matter of WHEN not IF!
Here at Bob’s Business, we are the experts when it comes to educating your staff on how to become more cyber aware and ensure you have robust cyber security policies in place. Get in touch today to find out more about how we can help you.