7 notable hacks or breaches in 2018 so far...
It is fair to say that 2018 has seen a huge amount of cases where both well-known and not so well known brands have seen data breaches that have raised serious questions. With the introduction of GDPR back in May this trend will only continue to rise. This is why you should ensure you don’t miss Kevin Mitnick's session on Wednesday 17 October at Cyber Security Atlanta 2018 .
Kevin knows better than most what motivates those on the other side of the ethical hacking fence and equipped with his white hacker hat, he will illustrate the latest threats and risks most people don’t even know exist.
These 7 examples will further emphasize just why this session is not to be missed.
Tribune News Service in January, paid 500 rupees for login details from unnamed sellers over WhatsApp. The reporters were able to enter any Aadhaar number within the platform (a 12-digit unique identifier assigned to every Indian citizen). This enabled them to access a variety of information stored by UIDAI (Unique Identification Authority of India) for an individual. The data they were able to access consisted of email, name, address, and contact numbers. For a further 300 rupees, the sellers provided software access allowing the reporters to print ID cards associated to the Aadhaar number. The breach is believed to have contained data for 1.1 billion registered citizens in India, making this a serious data breach indeed.
2. Walmart Jewellery Partner
In February, 1.3 million customer details were breached as identified by researchers at Kromtech security, when they came across another publicly accessible Amazon s3 bucket. This example involved an MSSQL database backup, which held personal information, including names, addresses, zip codes, phone numbers, e-mail addresses, IP addresses, and, plain text passwords, for shopping accounts throughout the US and Canada.
It was first thought that the data was owned by Walmart as the storage bucket was called ‘walmartsql’ although, it was later confirmed to belong to MBM Company Inc, a jewellery company from Chicago Illinois, which also operates under the name Limogés Jewellery.
3. Under Armour
Back in March, Under Armour realized their fitness platform ‘MyFitnessPal’ had been accessed by an unauthorized person. The platform tracks diet and exercise information for its customers. They feared upwards of 150 million user’s data has been compromised. The information which the hackers were able to access consisted of usernames, email addresses, and hashed passwords. Fortunately, payment information, social security numbers, and driver’s license details were not breached, however, Under Armour did not announce the discrepancy until the end of May.
The travel comparison site Orbitz advised us in March that 880,000 customers who made a purchase in 2016 or 2017 may have been involved in a data breach. They advised that they had fallen victim to a hacker, who was able to access names, addresses, payment details, and dates of birth. Unfortunately, Orbitz have not been able to identify exactly what has been accessed by the cybercriminal.
5. Atlanta City Government
The city of Atlanta Government also fell victim to a ransomware attack this year. The city made the announcement via Twitter, stating that its customers were experiencing problems making payments and accessing court sensitive information. The hackers left a message on the system demanding $6,800 to unlock each computer or $51,000 to provide the keys for all affected systems. A spokesperson advised that they were working with Microsoft and the FBI to resolve the issue.
The ransomware used resembled a variant of the Samsam ransomware that affected a number of hospitals in the past. These previous attacks exploited a Java de-serialization vulnerability in Java-based application servers. But it's not clear that the Atlanta outbreak started in the same way.
Adidas was another high profile brand to announce in June that it had fallen foul to an unauthorized third party. They advised that customer data had been accessed via their US website. They were able to identify that only those who purchased items from Adidas.com had been affected. The information most likely affected by the third party was email, home addresses, and login details, however, passwords were hashed. Although the exact number of records accessed illegally were not confirmed, it was announced to be in the region of “a few million”.
7. Facebook Security Breach
The latest breach to have affected Facebook is the biggest so far in its 14-year history, as another 50 million users were believed to have had their personal details exposed. The social media giant would go on to force 90 million users to log out of their accounts. The hackers took advantage of a feature in Facebook’s code to access user accounts, which would potentially allow them to take control.
The tool which allowed this breach was meant to allow users to upload birthday videos, the error in the code has been rectified, however, the extent of the attack is not clear. Essentially the flaw allowed attackers to take “access tokens” which act as a key to allow access to accounts.
The attackers attempted to capture information such as name, gender and hometown. Facebook have been unable to confirm the full extent of the breach and this case highlights the complexities of looking after such a large amount of data. Current users for Facebook stand at upwards of 2.2 billion users worldwide.