Thursday, November 21, 2024
HomeCyber AttackGreatest Data Protection Fails By Massive Cyber Attack in 2019

Greatest Data Protection Fails By Massive Cyber Attack in 2019

Published on

Most of us should start to think more carefully about the data that we put online. It is becoming clear that no data we put online can ever be 100% safe, and 2019 had some of the worst data protection breaches yet.

WhatsApp Hack Used to Install Spyware

Any corporate cybersecurity breach is embarrassing for the business affected, but even more so when that business is one that trades so heavily on their focus on privacy and, in order to keep their customers safe, takes various security precautions (such as using VPNs or proxy networks).  When news broke back in May that WhatsApp had been used by hackers to install Israeli spyware on users’ phones, it seemed like very bad news for WhatsApp.

All the attackers had to do was call their targets through WhatsApp; it didn’t matter whether the targets answered or not. WhatsApp has been unable or unwilling to reveal just how many users might have been victims of vulnerability. But with a userbase of 1.5 billion, even 1% of their users would be 15 million people.

- Advertisement - SIEM as a Service

Israel has a history of working with domestic cybersecurity businesses to produce spyware, and malware, in this case, bore all the hallmarks of being built by a state actor or someone with experience of working with them. Among the users confirmed to have been targeted was a prominent human rights lawyer from the UK who has represented Palestinians throughout her career.

US Customs and Border Protection Hack

Crossing the US border has been a very different experience since 9/11. Customs and border agents now routinely copy data from travelers’ digital devices and have begun to request passwords and access to any computers they bring with them. This in itself has caused a lot of consternation among travelers but most had assumed that at the very least, the data that was taken from them would be kept safe.

That illusion was shattered when the Washington Post reported that images of up to 100,000 travelers’ faces and license plates had been taken. CBP has laid the blame at the feet of an anonymous subcontractor. This breach highlights that our data is increasingly being passed through multiple processors and it only takes one of them to drop the ball for our data to be compromised.

Fortnite

With more than 200 million users worldwide across all age groups and backgrounds, Fortnite is one of the most popular and profitable games in the world right now. However, even the best of us make mistakes sometimes. Fortnite developer Epic’s mistake was using an old, unsecured web page that was vulnerable to a basic XSS attack. All the attackers had to do was get their victims to click a link.

Compromising someone’s account for an online game might not sound very serious, but attackers were able to record audio of players without their knowledge, take over their accounts, and spend any virtual currency they held. Unlike most data breaches, this one impacted a lot of children, who make up a significant portion of the userbase. For a major tech business like Epic Games to publish such a vulnerable web page in 2019 is a huge embarrassment for the company.

Quest Diagnostics Data Breach

Aside from our financial data, our medical data is the most personal and sensitive information that other people hold on us. The importance of maintaining doctor-patient confidentiality in the digital age is reflected in HIPAA – the set of regulations that any business handling personal medical data has to adhere to. Breaches of HIPAA are taken very seriously, and lapses can lead to some very serious consequences.

In June, Quest Diagnostics announced that almost 12 million peoples’ data had been accessed by an unauthorized party. Not only did this include medical data but also credit card information and social security numbers. The hacker had access to the data for more than seven months before Quest Diagnostics discovered the breach.

This is another case where it transpired that a third-party contractor was responsible for the security lapse. The contractor in question ultimately lost four major clients following the revelations and filed for bankruptcy soon after.

Facebook’s Big Whoops

Poor Facebook seems to have no luck when it comes to granting third-parties access to its massive ocean of data. The Cambridge Analytics scandal highlighted Facebook’s generally lax attitude when it came to regulating how app developers handled user data. However, two incidents in 2019 demonstrate that nothing has changed since then.

First of all, an app developer based in Mexico left data for 540 million users on a publicly accessible server. This included user IDs, account names, likes, comments, and basically everything a hacker could want if they wanted to highjack a Facebook account.

Around the same time, Facebook was forced to admit that they themselves had “unintentionally” uploaded the email addresses of 1.5 million users without their permission. Security researchers also noted that Facebook wasn’t just asking new users for their email addresses, but also for the passwords to their email accounts, a widely-condemned practice.

These data protection fails to highlight that no data you put online is truly safe. Even if you are handing it over to someone who can be trusted with it, you never know exactly who else will be involved in the processing and storing of it. All it takes is one weak link in the chain to ruin your data security entirely.

Latest articles

Halo Security Launches Slack Integration for Real-Time Alerts on New Assets and Vulnerabilities

Halo Security, a leader in external attack surface management and penetration testing, has announced...

Researchers Detailed FrostyGoop Malware Attacking ICS Devices

FrostyGoop, a newly discovered OT-centric malware that exploited Modbus TCP to disrupt critical infrastructure...

5 Hackers Charged for Attacking Companies via Phishing Text Messages

Federal authorities have unsealed charges against five individuals accused of orchestrating sophisticated phishing schemes...

Two PyPi Malicious Package Mimic ChatGPT & Claude Steals Developers Data

Two malicious Python packages masquerading as tools for interacting with popular AI models ChatGPT...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

ANY.RUN Sandbox Automates Interactive Analysis of Complex Cyber Attack Chains

ANY.RUN, a well-known interactive malware analysis platform, has announced Smart Content Analysis, an enhancement...

Hackers Hijacked Misconfigured Servers For Live Streaming Sports

Recent threat hunting activities focused on analyzing outbound network traffic and binaries within containerized...

Volt Typhoon Attacking U.S. Critical Infra To Maintain Persistent Access

Volt Typhoon, a Chinese state-sponsored threat actor, targets critical infrastructure sectors like communications, energy,...