From a Republican National Committee contractor exposing voting data on nearly 200 million people to Equifax revealing a breach impacting over 143 million people – it’s safe to say that when it comes to data breaches, 2017 has kept us on our toes. So much so that more data was lost or stolen in the first half of 2017 (1.9 billion records) than in the entire of 2016 (1.37 billion) according to research released earlier this year.
Many of 2017’s data breaches occurred at the hands of cybercriminals who leveraged security issues with data storage, misconfigured security settings, and/or the overall lack of security solution in place to protect data. This shows that attackers don’t even need to seek sophisticated and sneaky ways to steal data and that often the data is simply left without protection.
Furthermore, according to Ponemon’s Cost of Data Breach 2017, the cost of a data breach dropped 10% this year – however, the global average cost of a data breach is still a whopping $3.62 million. We hope that statistics like this one, plus the awareness that should come from a recap of 2017’s biggest breaches will make organizations aware of the risk – aware enough to move forward and take the necessary measures to keep data secure.
Looking to 2018, the year of GDPR, data protection is officially getting the spotlight. However, how many major breaches are we in for? Let’s wait and see. But for now, here’s a recap of the biggest and baddest breaches of 2017.
Arguably the most buzzed about breach of 2017, Equifax really managed to shake a nation. In September, the American credit monitoring company disclosed a massive data breach that impacted over 143 million customers. The breach is said to have occurred due to a vulnerability found in an open source software used by Equifax which allowed attackers to access the sensitive files.
The breached information included full names, birth dates, Social Security numbers, addresses, and more. Furthermore, the stolen data included around 200,000 credit card numbers and almost 200,000 additional documents containing personal-identifying information.
As the breach was disclosed, the Equifax’s then CEO, Richard Smith, released an apology video (which later was placed at #1 on a list of Worst Apologies of 2017). Yet overall, how this breach was handled was widely criticized and shows a real need for proper breach notification procedures.
In July, the personal data of more than 14 million Verizon customers was exposed. The data was found on an unprotected Amazon S3 storage server controlled by Nice Systems, a technology supplier. The data contained names, PINs, phone numbers – all information that could be used to access a user’s Verizon account.
While ZDNet’s report didn’t indicate whether or not a malicious criminal accessed or stole the information, that the data was left exposed and easily discovered by something as simple as guessing a URL. The lesson learned here is that it’s incredibly important to validate that drives are properly configured. Plus, this highlights how critical it is to move data protection practices to the cloud.
Nope, 2017 was not Uber’s year. In November, Uber disclosed that hackers previously stole the personal information of approximately 57 million riders and drivers in a mega data breach that occurred in October 2016. Back when it actually happened, Uber paid the criminal $100,000 to keep quiet about the breach and keep the data safe.
The stolen data included email addresses, phone numbers, and names belonging to riders and drivers. Some of the drivers also had their drivers license numbers stolen as well. According to Uber’s new CEO, Dara Khosrowshani, the deal Uber struck with the thieves was arranged by the company’s former CSO and CEO.
4. RNC Contractor
In June, the voting data of nearly 200 million people was exposed in a massive leak on an Amazon Web Services server. The data itself belonged to a marketing firm called Deep Root Analytics which was contracted by the Republican National Convention, and the breach occurred due to a misconfigured database stored on a publicly-accessible cloud server hosted by AWS’s Simple Storage Service (S3).
The breach affected American voters and the data included full names, dates of birth, addresses, phone numbers and voter registration details. According to the UpGuard report on the breach, anyone with an internet connection could easily download the contents of this data trove.
According to a report by The Guardian, Deloitte’s global email server was hacked which allowed the attackers to access customer information on some of Deloitte’s top clients in addition to internal emails sent to and from company staff.
Furthermore, attackers gained information including usernames, passwords, and IP addresses. The report also states that Deloitte discovered this hack in March, though the hackers have been lurking in the company’s systems since late 2016.
The email server was hosted on the Azure cloud service and Deloitte is said to not have been using two-factor authentication. The server was ultimately compromised through an accessed admin account.
6. Dun & Bradstreet
In March, news broke of a data breach in which a 52-gig database including 33.7 million email addresses and additional contact information was exposed. The data belonged to Dun & Bradstreet, a company that provides commercial data, analytics and insights for business.
Among the information breached were names, job titles, work email addresses, phone numbers, as well as general corporate information belonging to employees of AT&T, Dell, IBM, WalMart, and many more major organizations. Adding to that, around 100,000 of the stolen records belonged to employees of the Department of Defense. It was never quite discovered how the data was exfiltrated.