2018 Cybersecurity Roundup: What Went Wrong and What We Learned

Throughout 2018 we got so used to stolen passwords and personal information that sometimes we don't even blink anymore when a cyber attack happens. Only the most significant cases make the news nowadays, and quite a lot of breaches go unnoticed by the general public. If we were to believe the cybersecurity trends security researchers at Revision Legal, we could say that at least 100 cyber attacks against business entities are carried out every month on average. This amounts to a whole lot of data that security blogs and data banks have to process at the end of the year.

Although our blog is not there to provide you with extensive reports on cybersecurity trends, we can at least give you an insight into what caused the biggest uproar in the cybersecurity world in 2018. In this entry, we will cover seven of the biggest security issues in 2018, and then we will go through a list of things individual users and businesses can do to protect themselves from such attacks. No one wants to deal with stolen passwords and personal information, so it is always a good idea to take all the precaution measures to avoid the most obvious threats.

Marriott Data Breach

Arguably the largest security breach that shook the cybersecurity trends for 2018 was reported by Marriott International last November. The biggest hotel group experienced an extensive data breach that affected at least 500 million customers. The reservation database of one of the hotel chain's subsidiaries got hacked by an unauthorized party. As a result, names, addresses, phone numbers, payment information, and even passport numbers of millions of customers got leaked.

While some researchers suggested that the hack has been carried out by Chinese state hackers, the point of this breach lies elsewhere. It is not about pointing fingers trying to figure out a whodunit mystery (although that is also important). Right now, for us, it is the implications that this hack can have on the cybersecurity trends, and what companies and business can do to improve the safety of the personal data entrusted onto them by their customers.

Perhaps the biggest question that arises looking at Marriott's data breach is why such sensitive information as passport number does not get encrypted automatically. When it comes to credit card data, the requirement to encrypt it is clear, but it is interesting as to why the identity documents do not get the same treatment as the financial information. If companies were required to encrypt such personal information in their databases, it would be harder for unauthorized third parties to steal that data or to make use of it.

Twitter Security Breach

We could say that the security breaches that occurred in 2018 showed us the main cybersecurity trends. The first one is that these hacks expose the biggest vulnerabilities in corporate data storage systems. And the second one is that some companies rush to fix the vulnerabilities that had led to data leaks.

Take Twitter, for example. Last May, Twitter experienced a data leak within the company that effectively exposed user passwords in plain text. More than 330 million users were affected by this bug, but Twitter scrambled to strengthen the personal data security, making sure that it gets harder to hack and steal sensitive information. Consequently, now Twitter has improved the sign-up process, and the users are also encouraged to use multi-factor authentication to secure their login process, too.

As a matter of fact, multi-factor authentication must've been one of the biggest cybersecurity trends in 2018 because we could see a lot of popular service providers switching their login system to two-factor or multi-factor authentication. For example, if you use such websites as Booking.com or PayPal, you will have noticed that these services encourage you to enable multi-factor authentication whenever you try to access your account. It is actually a good idea to enable this type of authentication because it certainly might help you avoid multiple security breaches.

Facebook Security Breach

If we're talking about multiple security breaches and stolen passwords and personal information, we certainly cannot forget Facebook. The social media giant went through at least three security breaches in 2018. As a result, it affected at least 147 million user accounts.

The first breach occurred last March when it was revealed that a political consulting firm Cambridge Analytica could use more than 50 million Facebook profiles for research purposes. However, rather than using the data for actual research, the firm used the collected information to create profiles that would eventually influence the US presidential campaign in 2016. As a result, Facebook got sued over the Cambridge Analytica scandal, but the entire story unearthed a worrying cybersecurity trend: users can trust no one. In other words, even if one was to take all the measures to protect their data, it will not be enough if the data is shared with a third party by the entity that manages that sensitive information.

A few months later, more than 90 million users were affected by Facebook's "View As" feature. It was discovered that the feature had a bug that could allow hackers to steal usernames and location information from numerous accounts. Finally, last December, Facebook got in trouble again because of third-party apps. Whenever users use a third-party app on Facebook, they give that app certain permissions. Unfortunately, a lot of those apps got unauthorized access to personal photos. Although it was not possible to tell whether anyone used the photos in any way, it clearly proved that Facebook does not have much control over the data it collects. And it happens to collect extreme amounts of information.

British Airways Security Breach

When it comes to stolen passwords and personal information, the biggest companies might be the most common targets, but sometimes even a smaller breach can cause a lot of harm. The British Airways security breach last September saw details stolen from around 380,000 booking transactions. However, these details included extremely sensitive data, such as credit card numbers, expiry dates, and CVV codes. If you often book your flights and hotels online, you definitely know that sometimes it is impossible to place a booking without the CVV code. So if hackers get the hold of this information, they can easily perform unauthorized financial operations.

This attack revealed another cybersecurity trend. Perhaps, it would be more appropriate to call it a cyber attack trend, because the hack showcased a type of attack technique that was clearly used several times in the biggest security breaches last year. The method used is called a credit card skimming. The cyber criminals were able to steal credit card information the moment it was being typed into the entry form. The fact that hackers used this technique to target British Airways shows that the company does not implement strong cybersecurity measures. The hackers didn't even need to infiltrate the British Airways servers. They just injected a malicious code into the booking website and then collected the sensitive data over a certain timeframe. Unfortunately, British Airways isn't the only company that suffered from similar cyber attack techniques in 2018. The same happened to Ticketmaster.

Ticketmaster Data Breach

Last June, more than 40,000 Ticketmaster users experienced personal data theft. This breach exposed a security vulnerability that comes with using third-party suppliers. A certain website provides a chat-bot for their customers if they want to check something immediately instead of resolving to emails. The thing is that the chat-bot on the Ticketmaster website is operated by Inbenta Technologies that uses a modified line in its JavaScript code.

Ticketmaster happened to use the same code for their payment page without Inbenta's knowledge, and this code was exploited by hackers to steal passwords and personal information. Although the breach itself wasn't as massive as other hacks in 2018, some users have reported heavy financial losses. The security breach also shed light onto another worrying cybersecurity trend: negligence.

As we have mentioned before, users cannot do anything alone. Cybersecurity is a joint venture, where customers, suppliers, and partners have to work hand-in-hand in order to ensure that the sensitive information remains safe. It requires a certain level of transparency and trust. Otherwise, using someone else's code behind their backs can backfire as it happened to Ticketmaster. In other words, we can say that everyone has to be more responsible for their obligations. After all, negligence can always result in a lawsuit, as it happened to Uber.

Uber's Cover-up

Although the Uber data breach we're talking about here occurred back in 2016, it resonated throughout 2018 because of the fines that the company had to pay for withholding the information about the hack. So here's another cybersecurity trend for you: It is possible that a business entity will cover up their mishap in order to retain their image and reputation.

In the Uber's case, the company had to pay $148m for the data breach cover-up in the United States. The data breach had then affected more than 600,000 drivers and 57 million user accounts. What's more, aside from the financial settlements, Uber also committed to improving their personal data security. So hopefully, the company has learned from its past mistakes, and it is turning a new leaf.

Healthcare Data Breaches

Another worrying cybersecurity trend of the 2018 was the healthcare data breaches. Judging from what we know about such attacks, it is hardly unlikely they will stop in 2019, too. Large security breaches at such companies as Accudoc Solutions, Unitypoint Health, CNO Financial Group, Health Management Concepts, and others affected millions of customers in the United States. With such high data breach tendencies, it is not even surprising that up to 30% of Healthcare databases are thought to be exposed online.

The problem is that healthcare organizations often operate on a very tight budget, and they cannot afford to invest a lot into cybersecurity. It makes them a perfect target for personal data thefts. The information that hackers manage to steal from healthcare organizations can be later on sold on the dark web, and it can result in someone else getting the healthcare benefits they didn't even pay for. So perhaps the main point here is that healthcare organizations need to step up their cybersecurity game if they want to avoid getting targeted by hackers every single day.

What to Expect in 2019

Overall, the year 2018 did not see a cybersecurity breach as significant as the Equifax breach in 2017. However, the overall cyber attack numbers have increased. According to Positive Technologies, the first quarter of 2018 saw a 32% increase in cyber attacks compared to the same period in 2017. The second quarter of 2018 saw an even bigger 47% increase in the cyber attacks as compared to the same period in 2017. While the security breaches may not seem massive, the sheer amount of them is clearly growing, and we can expect this cybersecurity trend to continue well into 2019.

What's more, security specialists suggest that the year 2019 will see a new type of attack on big firms called the GDPR bounty hunting. The criminals are well aware of the General Data Protection Regulation, and they make it work in their own favor. To put it simply, hackers may fool companies into believing that their personal data has been breached in order to extort money. The point is that companies are more likely to pay the hacker a fee for their "loss,” rather than address the Information Commissioners Office (ICO) and pay their fines. So it is clearly an interesting cybersecurity trend that might take off in 2019 beyond our expectations.

Cybersecurity: What Can You Do?

As you already know, cybersecurity depends on several factors. You need to work together with the service supplier and their partners to ensure that the sensitive information is safe. However, if you are wondering what you can do on your end to mitigate a data breach threat, here is a list of things you could consider:

  • Strong passwords. Reusing passwords for years is a big no-no when it comes to cyber security. You want your passwords to be strong and unique. So each account needs to have a long and complex password, and you cannot use it for any other account. Coming up with new strong passwords can be too much of a task for you, so you can always make use of Cyclonis Password Manager to help you with that. This password manager will generate strong passwords, and it will even store them for you in its vault! So you won't have to work hard on memorizing them.
  • Suspicious emails. Phishing emails are probably the main cyber attack contributors because people are still clicking those links and downloading those attachments without giving it a second thought. Even if an email looks innocent, you should always ask yourself whether you know why you received it, whether you really know why you're opening the attached file or clicking the outgoing link. Don't do everything automatically.
  • Software update. Quite a few users turn off software updates because they find them too bothersome. They also hate it how certain programs prompt them to download an update in medias res. However, updates are there to patch up the bugs and vulnerabilities the software might have, so if you turn off the update feature, you eventually risk a potential data breach, provided the hackers find and exploit a vulnerability in a certain program.
  • Credit freeze. This is the last resort that you can employ if your personal information and passwords were stolen. If you freeze your credit, the hackers who have your personal data cannot do much with it. You basically tie their hands.

There are definitely more ways to improve your cybersecurity, but the most important thing is to remember that you have to be responsible for what you do online. Just because a cyber attack doesn't hit you square in the face (physically), it doesn't mean it cannot affect your life directly.

January 9, 2019

Leave a Reply