5 (More) Data Breaches and What Businesses Can Learn From Them
The “winner” in business is often the company that controls the most data about customers, prospective customers, vendors and partners. That information can be used to target those people more accurately for marketing and to learn more about them for service improvements. Unfortunately, leaked data also can compromise your service to customers, your relationships with vendors and the integrity of your business or organization.
When a hacker steals your data, they’re the only winner. You’re left holding the bag of headaches, negative media exposure, irate customers, unrelenting regulators, damage to your brand and reputation, and financial liability.
In our previous article, “5 Major Data Breaches and What Businesses Can Learn From Them,” we established that every business and organization needs to take all possible steps to prevent data breaches throughout the lifecycles of their equipment and systems. Here are five MORE recent data breaches that underscore the point.
The breach: In February 2019, hackers posted data from video messaging app Dubsmash for sale on the dark web. In December 2018, the hackers had accessed account holder names, birthdates, email addresses and hashed passwords of close to 173 million Dubsmash users. Dubsmash informed customers whose information might have been compromised in the data breach and advised them to change their passwords.
The fallout: New York-based Dubsmash is a global company. The breach of its users’ data may have put it at odds with the European Union’s General Data Protection Regulation, which gives a company only 72 hours from learning of a data breach to report it. It’s not clear yet as of this writing whether that was indeed the case and, if so, what the consequences might be. Meanwhile, the sale of data on the dark web included approximately 617 million accounts from Dubsmash and 15 other websites.
The lesson: The stakes are high regardless of what industries companies are engaged in. State, federal and international regulators might become involved, and businesses can be censured or fined for both actions and inactions.
The breach: In September 2019, a hacker claimed to have broken into the database of Zynga’s “Draw Something” and “Words with Friends” games, which contained 218 million user accounts. The hacker gained access to “…email addresses, salted SHA-1 hashed passwords, phone numbers, and user IDs for Facebook” for nearly 173 million users. Zynga urged users to avoid reusing passwords across multiple accounts, and implored them to use “unique and strong” passwords.
The fallout: As many as 14 million kids were impacted by the data breach, and in March 2020 one of them and his parents filed a lawsuit against Zynga seeking class-action status and a minimum of $5 million in damages. “The allegations include the claim that Zynga failed to notify users directly, in violation of California law, and only posted a warning on its website.” Plaintiffs also “allege the gaming company acted deliberately to ‘intentionally and unconscionably’ deceive users regarding the safety of their personal information.” All told, there are 14 separate counts of action and claims for relief listed in the suit, “ranging from the violation of state data breach statutes to negligence.”
The lesson: First and foremost, companies need to take the safety and security of their customers’ and users’ personal information seriously, especially when they are minors. Delaying the inevitable by failing to notify them in a timely manner is not going to take the sting out of the attack.
Reminding customers to change their passwords, use stronger passwords, and not repeat passwords is sound advice. However, following a breach, it’s pretty much closing the barn doors after the horse is out – especially if months have passed since the information was stolen.
The breach: Atlanta-based Equifax is one of the three largest consumer credit reporting agencies in the world. The company collects and compiles information on more than 800 million people and 88 million businesses. In September 2017, the company announced the information of nearly 148 million people had been compromised in a data breach, including many who had never signed up for Equifax services. CNET reported that “The thieves spent 76 days within Equifax’s network before they were detected” and that “the hackers stole the data piece by piece from 51 databases so they wouldn’t raise any alarms.”
The fallout: People who were negatively affected as a result of the leaked information filed a class-action lawsuit in May 2018. In September of 2019, Equifax said it had “implemented a new management system to handle vulnerability updates” and that it was “going through a complete shift to make sure a breach like 2017’s never happens again.” In July 2019, Equifax agreed to settle the leaked data case for $380.5 million in restitution and another $125 million to cover “out-of-pocket losses.”
The lesson: Security breaches are expensive, and many of them can be prevented through regular maintenance and stress tests. Not only are there the fines and lawsuits to contend with, but also the costs of upgrading entire systems to a better security protocol. That could mean new capital investments in equipment, software licenses, IT professionals and services. For a company as large as Equifax, this isn’t just an “Oops.”
It’s also important to ensure your partners maintain network security tools and protocols that are as stringent as your own. Otherwise, when a partner gets hacked, your users’ and customers’ information could be placed in jeopardy, which puts your reputation and company viability in jeopardy, as well.
The breach: MySpace is a social networking service that was founded in Beverly Hills, Calif., in 2003. By 2008 it had 100 million monthly users, making it the largest social networking site in the world.
In May 2016, MySpace announced its database had been hacked. That was nearly three years after the hacking actually occurred, in June 2013. In fact, the company only learned of the breach because of a listing on the dark web selling the data of 360 million MySpace users for just $2,800. The leaked data included usernames, passwords and email addresses. All of it was connected to accounts created on MySpace’s old platform, which became obsolete on June 11, 2013. At the time, the MySpace hack was considered by many industry insiders to be the biggest breach in history.
The fallout: MySpace and multiple trade publications told users that, if they weren’t MySpace users prior to June 11, 2013, or if they had changed to a strong password since that date, there probably wasn’t too much to worry about. That was especially true because MySpace didn’t store any financial information. Even so, MySpace advised users to change passwords, just to be safe, and the company invalidated user passwords for all affected accounts.
Ultimately, MySpace’s reputation took a serious hit. Time Inc. bought the company later in 2016, but it’s not clear whether the sale was related to issues that resulted from the breach.
The lesson: Important precautions can be overlooked during transitions and upgrades, especially if a company isn’t monitoring the obsolete platform. Any time you upgrade or update your hardware, software or apps, you should do security checks on all of your systems. Advise users to update passwords and use the strongest passwords possible before and after transitions. When something is outmoded, consider backing it up and making it completely inaccessible to anyone, including users. Finally, if you are going to keep an old platform or database available for whatever reason, make sure it’s included in your regular security checks.
The breach: eBay is a San Jose, Calif.-based online auction platform that allows users to buy and sell just about anything. In February or March of 2014, hackers broke into the company’s corporate network and accessed names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth of 145 million platform users. The company said there was “no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information.”
eBay, which also owned PayPal at the time, notified users of the breach through electronic communications and marketing channels and asked them to change their passwords. In addition, eBay asked them to change their passwords on other sites if they had used the same passwords in multiple places.
The fallout: An eBay user filed a class-action lawsuit in July 2014, alleging “…the breach resulted in ‘economic damages’ for eBay users, ‘actual identity theft,’ as well as damages resulting from having to mitigate an increased risk of identity theft, as well as lost time.” However, in May 2015 a federal judge dismissed the case, saying the plaintiffs had failed to prove their claimed injuries.
eBay got off easy from legal and restitution perspectives, but in terms of reputation, the leaked data cost the company plenty. eWeek said, “It’s not just about actual dollars stolen in a theft; it’s also about confidence and the overall trust that consumers place in a brand. If consumers are less confident about the security of a given site or service, they won’t do as many transactions.”
The lesson: The impacts and consequences of breaches are serious, often for both the company and its customers or users. Identity theft is definitely up there among the worst-case scenarios of what a hacker could do with stolen personal information. But in some cases, like eBay’s, the breach can cause serious damage to customers’ confidence in your brand and an accompanying drop in engagement or sales. Clearly, when eBay users bought or sold items on eBay, they didn’t expect their personal data to be up for bid, as well.
Cobalt’s perspective: Data breaches can happen at any stage of your hardware’s lifecycle.
Most companies focus on the security protocols of their live, active, online equipment – as well they should. But it’s important not to overlook the risks when those data-bearing devices are retired and move on to other hands.
Working with an R2 Certified IT asset disposition provider like Cobalt gives you peace of mind that your decommissioned electronics won’t expose your company, data, and brand to security vulnerabilities. Contact us to discuss your unique risks and liabilities and get our insights on how you might be better protected.