Thursday, March 28, 2024

Greatest Data Protection Fails By Massive Cyber Attack in 2019

Most of us should start to think more carefully about the data that we put online. It is becoming clear that no data we put online can ever be 100% safe, and 2019 had some of the worst data protection breaches yet.

WhatsApp Hack Used to Install Spyware

Any corporate cybersecurity breach is embarrassing for the business affected, but even more so when that business is one that trades so heavily on its focus on privacy and takes various security precautions (such as using VPNs or proxy networks) to keep its customers safe. When news broke back in May that WhatsApp had been used by hackers to install Israeli spyware on users’ phones, it seemed like very bad news for WhatsApp.

All the attackers had to do was call their targets through WhatsApp; it didn’t matter whether the targets answered or not. WhatsApp has been unable or unwilling to reveal just how many users might have been victims of the vulnerability. But with a userbase of 1.5 billion, even 1% of their users would be 15 million people.

Israel has a history of working with domestic cybersecurity businesses to produce spyware, and the malware in this case bore all the hallmarks of being built by a state actor or someone with experience of working with them. Among the users confirmed to have been targeted was a prominent human rights lawyer from the UK who has represented Palestinians throughout her career.

US Customs and Border Protection Hack

Crossing the US border has been a very different experience since 9/11. Customs and border agents now routinely copy data from travelers’ digital devices and have begun to request passwords and access to any computers they bring with them. This in itself has caused a lot of consternation among travelers, but most had assumed that, at the very least, the data that was taken from them would be kept safe.

That illusion was shattered when the Washington Post reported that images of up to 100,000 travelers’ faces and license plates had been taken. CBP has laid the blame at the feet of an anonymous subcontractor. This breach highlights that our data is increasingly being passed through multiple processors and it only takes one of them to drop the ball for our data to be compromised.

Fortnite

With more than 200 million users worldwide across all age groups and backgrounds, Fortnite is one of the most popular and profitable games in the world right now. However, even the best of us make mistakes sometimes. Fortnite developer Epic’s mistake was using an old, unsecured web page that was vulnerable to a basic XSS attack. All the attackers had to do was get their victims to click a link.

Compromising someone’s account for an online game might not sound very serious, but attackers were able to record audio of players without their knowledge, take over their accounts, and spend any virtual currency they held. Unlike most data breaches, this one impacted a lot of children, who make up a significant portion of the userbase. For a major tech business like Epic Games to publish such a vulnerable web page in 2019 is a huge embarrassment for the company.

Quest Diagnostics Data Breach

Aside from our financial data, our medical data is the most personal and sensitive information that other people hold on us. The importance of maintaining doctor-patient confidentiality in the digital age is reflected in HIPAA – the set of regulations that any business handling personal medical data has to adhere to. Breaches of HIPAA are taken very seriously, and lapses can lead to some very serious consequences.

In June, Quest Diagnostics announced that almost 12 million people’s data had been accessed by an unauthorized party. Not only did this include medical data but also credit card information and social security numbers. The hacker had access to the data for more than seven months before Quest Diagnostics discovered the breach.

This is another case where it transpired that a third-party contractor was responsible for the security lapse. The contractor in question ultimately lost four major clients following the revelations and filed for bankruptcy soon after.

Facebook’s Big Whoops

Poor Facebook seems to have no luck when it comes to granting third parties access to its massive ocean of data. The Cambridge Analytica scandal highlighted Facebook’s generally lax attitude when it came to regulating how app developers handled user data. However, two incidents in 2019 demonstrate that nothing has changed since then.

First of all, an app developer based in Mexico left data for 540 million users on a publicly accessible server. This included user IDs, account names, likes, comments, and basically everything a hacker could want if they wanted to hijack a Facebook account.

Around the same time, Facebook was forced to admit that they themselves had “unintentionally” uploaded the email addresses of 1.5 million users without their permission. Security researchers also noted that Facebook wasn’t just asking new users for their email addresses, but also for the passwords to their email accounts, a widely condemned practice.

These data protection fails highlight that no data you put online is truly safe. Even if you are handing it over to someone who can be trusted with it, you never know exactly who else will be involved in the processing and storing of it. All it takes is one weak link in the chain to ruin your data security entirely.
