First American Financial
No one, not even the overprotected insurance institutions are safe from severe errors. The year 2019 was marked by the major charges from the New York State Department Financial Services. An overly serious case: 885 million bank account and social security numbers, statements, tax and mortgage data, wire transaction receipts, and even driver license images compromised.
Underlying an authentication error, the breach manifested an absolute freedom to view the institution’s docs, just because the Insecure Direct Object Reference, a common web design flaw, let basically anyone who was seeking for the direct link access it. Be it even a single link up for grabs, criminals could utilize Advanced Persistent Bots to assemble and index all the rest of the docs.
Lesson learnt: For years, the error remained undiscovered. The company allegedly failed to follow its own security policies, leaving the flawed program be. Read the Forbes coverage of the story.
A huge leak knocked on Facebook’s door in 2021 when the company found a 533 million-user database posted on a hacking platform. Tons of sensitive data came into the open, including names, phone numbers, email addresses, and locations. Facebook stressed that the breach wasn’t due to hacking — the info was scraped from publicly available sources.
Yet, a multitude of the social media’s databases that covered locations from the U.S. up to the U.K. and Vietnam appeared to be lacking either encryption or passwords, which made them a low-hanging fruit for any internet user.
Lesson learnt: A year before the incident, Facebook announced they were going to enhance the protection of personal data, but in 2019 the vulnerabilities within their security systems were still in place. The bigger you grow, the bigger your problems, and there's still only that much time to fix them, even if you’re Facebook.
10 biggest security breaches of the last decade (in MM users affected)
Sony Pictures Entertainment
Back in 2014, Sony faced a wicked phishing attack targeted at their major executives. The victims fell prey to the elegant scheme devised by hackers. The fraudsters have composed a fake Apple ID verification email that looked perfectly authentic, yet redirected to a phishing website and stole passwords.
The logins were connected to social media accounts, and by using them one could get into the Sony network. So, this was just the beginning for Sony, — the company ended up with towers of wiper malware attacking their computer networks, alongside 100 terabytes of data gone to be then shown up online. The loss was assessed around $35M at the very least.
Lesson learnt: Although the whole story resembles more of a comedy drama produced by the victim itself (here’s a detailed coverage by the Washington Post). As for the lessons learnt, the Sony attack used pieces of the WannaCry ransomware, which shows how hackers can use old attacks to formulate new efforts (read the full report by SecureOps on the matter).
The year 2018. The world-known hospitality provider discloses an attack that has started from 2015. How could this happen? Let’s trace back the events.
In 2016, Marriott acquired Starwood data platform, which suffered a data break attack not long before that (the attack remained uncovered for eight months). It wasn’t two years later that the internal security system alert traced a Chinese intelligence group attempting to gather U.S. citizens’ data via MimiKatz and a Remote Access Trojan. The attackers had infiltrated the legacy database while encrypting and withdrawing sensitive information.
Still, it’s even unknown if the stolen credit card info was ever used. All in all, the attack damaged around 383 million people.
Lesson learnt: “Starwood did not have the best security culture before its acquisition by Marriott; the Wall Street Journal reported that Starwood employees perennially found the reservation system difficult to secure.” - an article by CSO says. A typical issue for a legacy system, yet not so typical for a big player like Marriott to ignore. Beware security issues when integrating legacy solutions.
In 2020, Microsoft was all over the headlines for disclosing a leakage of whopping 250M records on customer service and support worth a 14-year period. According to the tech giant’s statement, personal information underwent redaction prior to being stored. Yet, a number of unhashed IP addresses and emails turned up online.
Though not a sign of harmful usage was found, the data was public for under a month.
Lesson learnt: The company explained the massive security failure with a defect of their corporate database's safety rules.
Wrapping it up (and announcing our own cyber security guide!)
From neglecting their own software security practices, to provoking North Korean cyber criminals, to incorporating legacy software prone to cyber attacks – the reasons why big companies suffer severe software security failures are as diverse as they are commonly prosaic.
Stay with us for one more part of this software security series of articles. In the following blog post, we’ll share with you our own best cyber security practices.