Every convenience comes at a cost, and in the case of an Internet-connected and data-dependent business world, one significant cost is the risk of a major data breach.
Recent data breaches have come from many directions and sources. They range from the quiet theft of a list of email addresses from a database, to “spoofing” or “phishing” techniques that trick users, to bold ransomware attacks in which the data itself is held hostage. Often the target of a data breach is personally identifiable data such as phone numbers, email addresses, mailing addresses, Social Security Numbers, credit card information, and birthdates. That information might belong to employees, customers, vendors, and other professional contacts. The scope of every breach is different, but usually by the time it has been discovered, the damage has been done.
Every business should be taking all possible steps to prevent a data breach throughout the lifecycle of its equipment and systems. Here are five of the most recent data breaches and what can be learned from them:
Quest (Medical testing lab)
The breach: The origin of the attack that compromised nearly 12 million patients’ records was a third party, the American Medical Collection Agency (AMCA), a vendor that provided debt collection services on behalf of Quest’s billing vendor. While Quest’s own systems were not touched directly, any patients whose information had been shared with AMCA for billing purposes were affected by this breach.
The attack itself is understood to have taken place sometime between August 2018 and March 2019, carried out by an “unauthorized user” who accessed AMCA’s system through its web payment page. AMCA reported the breach to Quest in May of 2019, and customers were informed in June. The compromised information may have included personally identifiable data (including Social Security Numbers), information related to providers and services, credit card information and bank account numbers, insurance information, and diagnosis codes. This data breach also hit another AMCA client, LabCorp, affecting 7.7 million customers.
The fallout: Quest immediately ceased using AMCA for collection, and by June, AMCA had filed for bankruptcy. You might think that the email addresses and credit card numbers were the prize data that attackers were after, but the inclusion of personal medical information introduces other ways for attackers to target the victims – through fraudulent emails that promise products related to someone’s medical conditions or are made to look like they come from a medical provider, for instance. The implications are chilling.
The lesson: The more third- and fourth-party vendors you use to execute various parts of your business, the more exposure you have to data security vulnerabilities that are out of your control. Do not assume that your vendors have you protected or will assume liability if something goes wrong: it was Quest, not AMCA, making headlines when this news broke.
Houzz (Home improvement website)
The breach: Houzz has published little about the details of the attack, so it’s unclear just how many users were affected, or which ones. The site had about 40 million users at the time, though according to the company, not all were affected. It is also not clear when the data breach took place, or whether it came from an external source or an internal leak, but it was discovered in December 2018 and communicated to affected users in January 2019.
The types of information potentially compromised in this data breach include public profile information (whatever a user chose to fill out, including name and location), metadata related to users’ browsing habits, and most importantly, internal account information including usernames and passwords. While the potentially stolen passwords were encrypted, depending on the encryption protocol used, hackers could plausibly recover them. And because users tend to re-use log-in names and passwords across many platforms, this kind of information is exactly what cybercriminals hope for.
The fallout: Houzz urged its users to change their passwords immediately (though, see above – doing that on Houzz alone would not protect a user who recycles the same password on other sites). As of this writing, no fines have been levied against the company by any disciplinary agency.
The lesson: Enforce stricter password policies for employees and users alike. Without knowing more about the origins of the breach, it’s hard to say what could have been done to protect against it, but discouraging (or even prohibiting) the use of the same or similar passwords across multiple portals could limit the damage. This is particularly true if your staff use common online services that require log-ins, such as Dropbox or Google Drive, that are not centrally managed or monitored.
Capital One (Bank)
The breach: This one is unusual. The data breach itself appears to have happened in stages between March and April of 2019, and Capital One was tipped off in July. Rather than turning up through the usual channels, the tip came in when someone found suspiciously private-looking data posted on GitHub, a popular online archive and sharing platform for programmers. Within a month, an arrest was made, thanks to a trail of clues that the alleged hacker left.
The data breach was made possible because of a misconfigured Amazon server that communicated with Capital One’s own systems; the alleged hacker was a previous employee of Amazon Web Services, potentially enabling her to exploit this security flaw.
The personal data of over 100 million people was stored on and obtained from that server, including 140,000 Social Security Numbers (and an additional one million of Canada’s equivalent ID number), 80,000 bank account numbers, and tens of millions of credit card applications dating back to 2005. Between 20 and 30 terabytes of data were stolen.
The fallout: Capital One is now the subject of many lawsuits and expects the incident to cost it $100 to $150 million in 2019 alone. Authorities are still investigating the breach. Paige Thompson was released from custody in November 2019 while her trial proceeds. She is charged with computer fraud and abuse and wire fraud, and has pleaded not guilty.
The lesson: The alleged hacker developed a program that automatically scanned Amazon web servers for misconfiguration vulnerabilities. Imagine if Capital One had had a similar tool in place and caught the error before she did.
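The article does not say which setting was misconfigured, so the following is an added example, not Capital One's, Amazon's, or the author's code, of the general idea in the lesson: a small self-audit that a defender can run on a schedule over their own cloud configuration. It takes a list of security-group descriptions (the sample below is constructed and only resembles the shape of EC2 security-group data; the group ids and the port list are assumptions for the example) and flags ingress rules that expose administrative or database ports, or all traffic, to the whole internet.

```python
import ipaddress

# Constructed sample resembling the structure of cloud security-group
# descriptions. The group ids and rules are invented for this example.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-example-web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {
        "GroupId": "sg-example-db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]

# Ports that should never be reachable from the whole internet (assumed list).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
               6379: "redis", 27017: "mongodb"}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a range covering every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_risky_rules(groups):
    """Return (group id, port, description) for every internet-exposed sensitive rule."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_world_open(c) for c in ranges):
                continue  # only reachable from specific networks: fine here
            if perm.get("IpProtocol") == "-1":
                findings.append((group["GroupId"], "all",
                                 "all traffic open to the internet"))
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None or hi is None:
                continue
            for port, name in ADMIN_PORTS.items():
                if lo <= port <= hi:
                    findings.append((group["GroupId"], port,
                                     f"{name} open to the internet"))
    return findings


if __name__ == "__main__":
    for group_id, port, note in find_risky_rules(SAMPLE_GROUPS):
        print(f"{group_id}: port {port}: {note}")
```

The same check works unchanged on the output of a real describe-security-groups call, and the point of scheduling it is that a rule opened "temporarily" gets reported the next morning rather than found by someone else first.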
UnderArmour (MyFitnessPal mobile app)
The breach: Approximately 150 million accounts for users of the MyFitnessPal mobile app were compromised. UnderArmour learned about the breach in March 2018, and it’s estimated that the breach itself took place in February. The exposed data potentially included usernames, email addresses, and encrypted passwords, but not payment information or official ID.
The fallout: UnderArmour informed its users of the breach within four days of its discovery in March and issued the standard advice: change your passwords, don’t click on any suspicious links, etc. UnderArmour’s stock dropped following the news. The company was also subject to a class action lawsuit that was eventually dismissed in March 2019.
The lesson: At least some of the passwords that were stolen in this data breach (a minority, UnderArmour says) were protected by a weak encryption protocol that hackers could fairly easily decrypt. Stronger encryption protocols were available and in use in some parts of the system, but not all, so not all passwords were equally protected. The warning from the tech community following this breach was that the more secure encryption protocol, while not preventing the breach, could have protected the data even after it was stolen.
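Both the Houzz and the MyFitnessPal lessons come down to how stored passwords hold up after a copy of the database has been stolen. The following added example (not code from the article or from either company) contrasts a fast, unsalted scheme with a salted, deliberately slow key derivation, and includes the audit a defender would run on a mixed store like the one described above: listing the accounts still on the weak scheme so they can be migrated at next login. The store contents, the record format, and the scrypt cost settings are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Assumed cost settings for this example; production values are a tuning decision.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_hash(password: str) -> str:
    """Fast, unsalted hash: identical passwords give identical records, and one
    precomputed table of common passwords covers every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def kdf_record(password: str, salt: bytes | None = None) -> str:
    """Salted, memory-hard derivation; the record carries its own salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def kdf_verify(password: str, record: str) -> bool:
    """Check a password against a 'scrypt$salt$digest' record in constant time."""
    parts = record.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False  # legacy or malformed record: never verifies under this scheme
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(parts[1]),
                            **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), parts[2])


def find_legacy_records(store: dict[str, str]) -> list[str]:
    """Audit: which accounts are still protected only by the fast unsalted scheme?"""
    return sorted(user for user, rec in store.items() if not rec.startswith("scrypt$"))


def guesses_per_second(fn, seconds: float = 0.2) -> float:
    """Rough cost of one guess under a scheme, measured on this machine."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn(f"guess-{count}")
        count += 1
    return count / seconds


# Constructed sample store mixing both schemes (format assumed for the example).
SAMPLE_STORE = {
    "alice": legacy_hash("hunter2"),
    "bob": legacy_hash("hunter2"),    # same password -> identical record
    "carol": kdf_record("hunter2"),
    "dave": kdf_record("hunter2"),    # same password -> different record, thanks to the salt
}

if __name__ == "__main__":
    print("accounts still on the legacy scheme:", find_legacy_records(SAMPLE_STORE))
    print("legacy records identical for alice/bob:",
          SAMPLE_STORE["alice"] == SAMPLE_STORE["bob"])
    print("scrypt records identical for carol/dave:",
          SAMPLE_STORE["carol"] == SAMPLE_STORE["dave"])
    fast = guesses_per_second(legacy_hash)
    slow = guesses_per_second(lambda pw: kdf_record(pw, salt=b"\x00" * 16))
    print(f"guesses per second on this machine: legacy ~{fast:,.0f}, scrypt ~{slow:,.0f}")
```

The two numbers printed at the end are the whole argument: the stronger scheme does not stop a theft, but it turns each guess against a stolen record from a microsecond into tens of milliseconds, and the per-user salt means that work cannot be shared across accounts.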
Cobalt’s perspective: Data breaches can happen at any stage of your hardware’s lifecycle.
The history of corporate data breaches shows just how many different ways there are to access and compromise sensitive information. Some attacks are more sophisticated than others, but what makes it worth the hacker’s time is not the data itself, but the price tag they can put on it. No matter what kind of information they steal, you can bet there’s a buyer for it.
Most companies focus on the security protocols of their live, active, online equipment – as well they should. But it’s important not to overlook the risks when those data-bearing devices are retired and move on to other hands.
Working with an R2 Certified IT asset disposition provider like Cobalt gives you peace of mind that your decommissioned electronics won’t expose your company, data, and brand to security vulnerabilities. Contact us to discuss your unique risks and liabilities and get our insights on how you might be better protected.