Gaining news exposure is generally a good thing for most businesses, especially when the coverage is positive. However, there is one type of headline that no organization wants to make. In recent years, there has been an explosion of almost unbelievable data breaches making news headlines, with anything but a positive outcome for the organizations involved.
As the world we live in has become much more digital in nature, information and data volumes are increasing exponentially. This data can fall into the wrong hands if it is not protected appropriately. Hackers and other threat actors have this enormous mass of data squarely in their sights. No one is excluded from this threat. It exists across all sectors, industries, and technologies.
Securing data has arguably become the most important task at hand for IT professionals, DevOps engineers, developers, and executives alike. Looking back at 2018, it is all too easy to see that breaches and leaks of sensitive information are not a problem that is going away anytime soon. In fact, with each passing year, data breaches have become an increasingly prevalent security issue across the board. Let’s take a look at the top cloud data breaches of 2018 and the lessons learned: some of the largest data breaches of the year, what organizations can learn from these events in terms of protecting their data, and how these risks affect data stored in the cloud.
What Is a Data Breach and Why Is It Concerning?
A data breach is the taking of information by an attacker, generally by malicious means, in an unauthorized way. A data breach is akin to someone stealing tangible physical items from a store without paying for them or having permission to do so. The difference is that a data breach involves stealing valuable digital items, usually containing sensitive information.
A data breach is an extremely concerning threat to the security of any organization using, processing, storing, or otherwise working with data. Data can comprise many things; however, data used by businesses today typically contains records including customer or partner information. The data breaches that make the news headlines are generally breaches of customer data and personally identifiable information.
These are perhaps the worst kind of breaches as they expose the consumer to data and privacy theft, ruin customer confidence in the business, and lead to major repercussions for the business from which the data was leaked. What is personally identifiable information or PII? It may include name, address, phone number, email address, financial information including credit card numbers, social security numbers, and many other types of information that personally identify an individual.
The theft of personally identifiable information can be used to compromise an individual’s identity, which can be extremely concerning. The theft of this information can lead to major problems for an individual, including fraudulent charges, ruined credit, and legal woes. Health information is also becoming a target of attackers. The healthcare industry in general houses a massive amount of electronic data about patients, ranging from protected health information to financial information. Modern healthcare is extremely reliant on technology. Today’s hospitals use a myriad of electronic devices to service patients. This presents a wide and appealing attack surface to attackers.
No one wants to have their information stolen or taken without permission. This includes private personal information, financial information such as credit cards or banking information, or private health information. Yet, these are the prime targets for attackers today looking to steal or intentionally leak data in an unauthorized way to the outside world. The key takeaway for businesses is they must be vigilant, treat security as a priority, implement security policies and procedures, training, and technology to ensure customer data is secure.
Top Cloud Data Breaches in 2018
It is extremely valuable to examine past data breaches that have leaked data as these often expose key areas that organizations need to be looking at to hopefully help prevent security breaches and data leaks in general. Let’s take a look at the top Cloud Data Breaches in 2018 and see how they were carried out, what data was leaked, and the weakness that was exposed by the breach. We will examine the following data breaches of 2018:
- Aadhaar India National ID Database
- Cambridge Analytica
- Marriott Starwood Hotels
- Exactis
- Facebook
Let’s take a look at each of the data breaches that took place with the above data leak events and see how these were carried out as well as the fallout from the event.
Aadhaar India National ID Database
This was a major breach of data that exposed literally over a billion Indian citizens, 1.1 billion to be exact. The Aadhaar database is an Indian government ID database that serves up identity, biometric, and other information on more than 1.1 billion registered Indian citizens. The database has far-reaching impacts for Indian citizens, as they use the data found in the database to carry out many activities, including opening bank accounts, purchasing items, signing up for utility services, and receiving financial aid or assistance. It has been noted that Amazon and other major companies utilize the Aadhaar database to identify customers.
Specifically, the exposed information included Aadhaar members’ names, their identity numbers (unique 12-digit numbers assigned to each member), and information about services they are subscribed to, such as bank details. Enrolling in the Aadhaar database is not mandatory; however, Indian citizens are effectively coerced into doing so, since they cannot access basic government-provided services without it.
What led to the massive breach of data from the Aadhaar database? An unsecured API endpoint. A security researcher found an API endpoint exposed directly from the website which accepted a hardcoded access token and then allowed querying Aadhaar numbers indiscriminately. Additionally, there were no rate limits in place for query lookups, so the researcher could send thousands of lookups a minute to the server and have it return results.
One of the most surprising details of the story is that the Indian authorities did nothing to close the flaw for weeks after they were made aware of the data exposure. Only after Internet news stories of the leak began to surface was the vulnerable endpoint taken offline.
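To make the two weaknesses in the Aadhaar endpoint concrete, here is an added example (not code from the original article or from the Aadhaar system) contrasting a lookup handler that trusts a single hardcoded token and never throttles with a hardened version that validates per-client tokens and enforces a token-bucket rate limit. The records, client names and tokens are constructed for the example.

```python
"""Constructed example: weak vs. hardened ID lookup endpoint logic."""
import hmac
import time
from typing import Optional

# Constructed sample data: records keyed by a 12-digit ID number.
RECORDS = {"123456789012": {"name": "Sample Person", "services": ["bank"]}}

# Weak design: a single token baked into client-side code and no throttling.
HARDCODED_TOKEN = "static-demo-token"   # constructed value


def weak_lookup(token: str, id_number: str) -> Optional[dict]:
    if token != HARDCODED_TOKEN:        # anyone who reads the page source passes this
        return None
    return RECORDS.get(id_number)       # unlimited lookups per minute


# Hardened design: per-client secrets plus a per-client token bucket.
CLIENT_TOKENS = {"client-a": "constructed-secret-a"}   # constructed values


class TokenBucket:
    """Allow at most `rate` requests per `per` seconds for each client."""

    def __init__(self, rate: int, per: float, clock=time.monotonic):
        self.rate, self.per, self.clock = rate, per, clock
        self.state = {}                 # client -> (tokens_left, last_refill_time)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self.state.get(client, (float(self.rate), now))
        tokens = min(self.rate, tokens + (now - last) * self.rate / self.per)
        if tokens < 1:                  # bucket empty: throttle this client
            self.state[client] = (tokens, now)
            return False
        self.state[client] = (tokens - 1, now)
        return True


class HardenedLookup:
    """Lookup service that authenticates each client, throttles it, and logs."""

    def __init__(self, bucket: TokenBucket):
        self.bucket = bucket
        self.audit = []                 # (client, id_number, outcome) for monitoring

    def lookup(self, client: str, token: str, id_number: str):
        expected = CLIENT_TOKENS.get(client)
        # Unknown client or wrong secret: constant-time compare, 401, audit entry.
        if expected is None or not hmac.compare_digest(expected, token):
            self.audit.append((client, id_number, "denied-auth"))
            return None, 401
        if not self.bucket.allow(client):
            self.audit.append((client, id_number, "denied-rate"))
            return None, 429
        self.audit.append((client, id_number, "ok"))
        return RECORDS.get(id_number), 200
```

The audit list is the hook a monitoring pipeline would consume: a burst of "denied-rate" or "denied-auth" entries for one client is exactly the indiscriminate enumeration the researcher demonstrated.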
Cambridge Analytica
This story made major news headlines when Cambridge Analytica was found to have accessed Facebook data to profile voters. Cambridge Analytica is a British political consulting firm started in 2013 that set out to use technology, including data mining and analysis, during electoral processes. In 2018, the news broke that Cambridge Analytica was accused of harvesting data from Facebook profiles without consent and using this data for political ends in an unauthorized way.
This was not the first time that Cambridge Analytica had been accused of using harvested data in an unethical way. In 2015, it was thought that Cambridge Analytica was working for Senator Ted Cruz to harvest data from millions of Facebook accounts without consent. After various leaks and whistleblower accounts, Cambridge Analytica was found to have indeed collected Facebook information in an inappropriate manner, prompting an investigation by the U.S. Congress into the allegations, which led to Mark Zuckerberg testifying.
Data of up to 87 million users was compromised in this data leak, including information found in the users’ public Facebook profiles, page likes, birthdays, and current cities. Some Facebook users were found to have granted app permissions to their news feeds, timelines, and messages. All of the information gleaned from the leaked data allowed Cambridge Analytica to build a political profile of each Facebook user and target specific political advertisements to influence them in a particular way.
Marriott Starwood Hotels
In a statement released on November 30, 2018, Marriott disclosed a data security breach of its Starwood guest database which it believed compromised up to approximately 500 million guests who had made a reservation at a Starwood property. Some 327 million guest records were compromised that contained information such as name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some guests, this information also included payment card numbers and expiration dates encrypted with AES-128. Marriott was unsure whether the two components needed to decrypt the numbers were also obtained.
In more recent news, Marriott’s CEO revealed that:
…383 million guest records and 18.5 million encrypted passport numbers were breached. Details included 9.1 million encrypted payment card numbers and 385,000 valid card numbers in addition to 5.25 million unencrypted passport numbers. He denied that China was to blame for the hack.
It appears that a Remote Access Trojan was found on the Starwood IT systems, which allowed the attackers to covertly access and assume control over critical IT systems, including the guest database.
Exactis
Exactis is a Florida-based marketing company that collects and trades consumer data for the purpose of creating more specifically targeted advertising. The alarming detail of the Exactis breach is how highly personal the exposed data is. What information was exposed? The leaked data included phone numbers, physical addresses, email addresses, interests, and details about the victims’ children, such as their ages and genders. Other highly personal information was included as well, such as details about one’s religion, smoking habits, and even pets.
A security researcher named Vinny Troia found the massive data exposure at Exactis by using a well-known search tool called Shodan. He uncovered databases on publicly accessible servers. One of them was an Exactis database that was completely exposed and unprotected.
Details of the scope of the data leak are staggering. Some 340 million records were exposed, two-thirds of them belonging to consumers and the rest to businesses. One positive bit of information about the Exactis breach is that it didn’t include payment card information or other details such as social security numbers. However, the highly personal and behavioral information compromised in this breach could allow cybercriminals to improve the success of social engineering attacks, such as targeted spear phishing through email or social media, based on the profile acquired from the exposed information.
Facebook
2018 was not a good year for Facebook: following the Cambridge Analytica scandal, Facebook’s security was compromised, and an attack on its systems in September 2018 led to nearly 50 million user accounts and their personal information being compromised. This turned out to be the largest breach for Facebook in its 14-year history as a company.
CNN reported that, for the 50 million affected users, the breach could mean the hackers saw everything about that user. They could even have logged in as that user and accessed all historic information and private messages. The true extent of the breach is most likely unknown, and the true fallout is yet to be seen. What is known is that this is a massive breach for Facebook, with massive amounts of personal data exposed to the outside. Due to this breach and the earlier Cambridge Analytica scandal, Facebook has certainly suffered both financial loss and a loss of end-user confidence in its ability to use their data in a way that is “above board” and to ensure the security of that data.
The Challenge of Securing Against Data Breach in the Cloud
These and many other data breaches in 2018 should lead organizations today, both large and small, to take note. The extremely complicated IT infrastructure systems that exist today are often spread across numerous hybrid networks, from on-premises to the public cloud. Traditional means of securing networks are simply not going to work in the future. Organizations today are moving massive amounts of data to the public cloud and leveraging cloud storage and email services more than ever.
This means that traditional means of securing files, folders, emails, and other resources are no longer relevant in today’s very cloud-centric infrastructure landscapes.
Perimeter firewalls are certainly not irrelevant for on-premises environments; however, they are not effective when the “perimeter” extends out to the public cloud. Due to public cloud connectivity, users can now access data from anywhere and from any device. This presents a very real challenge for organizations looking to secure their data.
Enforcing policies and access control processes that exist on-premises can be a real challenge when organizations look to extend policy enforcement to public cloud environments. Additionally, many organizations, especially smaller ones, may struggle to understand how to extend both security monitoring as well as data protection out to the public cloud as these have totally different controls as opposed to on-premises environments.
An additional danger to public cloud environments comes from misconceptions about how vulnerable, or supposedly invulnerable, the cloud is. What are common misconceptions that can lead to public cloud security disaster? Many have fallen victim to the misconception that the public cloud is immune to malware, specifically ransomware, and immune to data loss. These two misconceptions couldn’t be farther from the truth. As has been detailed by security professionals including the legendary Kevin Mitnick, public cloud environments such as Microsoft Office 365 are vulnerable to ransomware, which can certainly lead to data loss.
“RansomCloud” infections can certainly wreak havoc on public cloud environments, encrypting emails, OneDrive files, and other public cloud resources as has been well documented and demonstrated. Organizations often struggle to understand how to properly protect data that exists in the public cloud as the proper native backup functionality has been missing from the available tools that are offered to tenants. What does this mean? This means that organizations must take data protection concerns into their own hands and provide their own solution for data protection. These are extremely crucial aspects of placing data and services in the cloud that must be given due attention.
Organizations must get a handle on controlling and having visibility into the activities and behaviors of end users in the cloud environment, as well as have ways to monitor and control resources that are shared inside and outside the cloud environment. This type of data sharing, whether intentional or inadvertent, can lead to serious data leaks and potentially expose sensitive data.
All of these factors and many others can present challenges for organizations today tasked with preventing data leak while housing resources in the cloud. Let’s take a look at best practices for preventing data leak in the cloud and see how businesses today can learn from the mistakes of others and ensure their data is secure.
Best Practices for Avoiding Data Breach or Leak in the Cloud
With all of the risks and dangers presented to data today, it may seem like a monumental task to secure data from being breached by an attacker or leaked inadvertently. However, by following a few best practices in regards to securing data, organizations stand a much better chance of ensuring their data is kept safe. Let’s look at the following best practices for avoiding data breach or leak in the cloud:
- Audit for Misconfiguration
- Patch Known Security Vulnerabilities
- Enable Least Privilege User Permissions and Access
- Proactively Monitor Security Events in the Cloud
- Use CASB and Machine Learning Technologies
Audit for Misconfiguration
It is not hard to see that misconfiguration of access, permissions, visibility, and other aspects of IT infrastructure can lead to massive data leaks. As shown in the Aadhaar database breach, a misconfigured API endpoint with improperly configured permissions led to a massive leak of data from the database. Organizations housing resources in the cloud need to ensure the environment is audited for misconfigurations, as these make easy targets for hackers and are at the root of many of the major breaches.
Patch Known Security Vulnerabilities
When it comes to data leaks, attackers can often find systems that have a known security vulnerability that has not yet been patched or resolved. This allows them to take advantage of the known vulnerability on the exposed system, which can readily lead to compromise. By taking advantage of a known, unpatched security hole, attackers can often easily infiltrate a system and then move laterally across the network, further compromising and exposing data along the way. Organizations must ensure they have patched systems, such as servers or other resources they may have running in cloud environments, so that these are protected against known security holes that may be exploited.
Enable Least Privilege User Permissions and Access
All too often, it is found that users have more permissions and access than they actually need. This leads to dangerous security repercussions when thinking about how this changes the scope if a particular user account is compromised by an attacker. If the user account is assigned more permissions than needed, the attacker now has more access from the overprivileged user account. Organizations need to assign permissions based on a “least privilege” model where users only have the bare minimum permissions required to carry out their job role. This greatly helps to reduce the scope of any credentials that may be compromised.
Proactively Monitor Security Events in the Cloud
This best practice cannot be emphasized enough. Security monitoring is a must for organizations that are serious about securing their data. Monitoring the events and activities of users can often shed light on malicious behavior that may indicate attackers have compromised part of the system. It can also lead to discovering unscrupulous behavior of employees who may be involved in “shadow IT” activities. This is often a challenge for organizations that are accustomed to the monitoring tools and utilities used on-premises but are not as familiar with public cloud environments. Setting up and configuring monitoring is absolutely necessary for the security of data in the cloud.
Use CASB and Machine Learning Technologies
One of the points already mentioned that can be a challenge for organizations migrating to the cloud is applying and enforcing in the cloud the policies that exist on-premises. A Cloud Access Security Broker (CASB) scrutinizes the network traffic traversing between on-premises networks and public cloud networks and makes sure it is in line with sanctioned company use. An API-based CASB does this effectively by integrating with the native APIs of the public cloud, which allows it to enforce access to public cloud resources, apply policy, and ensure visibility into activities and user behaviors. This is done regardless of the end user’s device type or the network they are coming from.
Using a monitoring and security solution that utilizes machine learning to monitor the public cloud environment can be extremely powerful. Computers are able to collect and analyze data much more efficiently and quickly than humans and machine learning algorithms can watch the environment 24×7. Using machine learning, solutions can build profiles of a particular environment, including user behavior and activities and then quickly recognize anomalies in this profile that may very well indicate a breach in security.
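As an added example of the monitoring and profiling approach described in the last two best practices (not code from the original article or from Spinbackup's product), the script below builds a per-user baseline of external sharing from cloud audit events and flags the day on which one user's behavior departs from their own profile. The log format, user names and file names are constructed; a real deployment would read the provider's audit API instead.

```python
"""Constructed example: baseline-and-anomaly check over cloud sharing events."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit events: "<timestamp> <user> <action> <visibility> <object>".
# alice shares one file a day externally, then six at 2 a.m. on 2018-09-14.
LOG_LINES = """\
2018-09-10T09:12:00 alice share external file=q3-plan.xlsx
2018-09-10T10:30:00 alice share internal file=notes.docx
2018-09-11T09:05:00 alice share external file=budget.xlsx
2018-09-12T14:20:00 alice share internal file=agenda.docx
2018-09-13T08:45:00 alice share external file=roadmap.pptx
2018-09-14T02:10:00 alice share external file=customers.csv
2018-09-14T02:11:00 alice share external file=contracts.zip
2018-09-14T02:12:00 alice share external file=payroll.xlsx
2018-09-14T02:13:00 alice share external file=hr-records.csv
2018-09-14T02:14:00 alice share external file=board-minutes.docx
2018-09-14T02:15:00 alice share external file=ssn-list.csv
2018-09-10T11:00:00 bob share external file=brochure.pdf
2018-09-12T11:00:00 bob share external file=pricing.pdf
2018-09-14T11:00:00 bob share external file=deck.pptx
"""


def parse(lines):
    """Yield (date, user, action, visibility, object) for each audit line."""
    for line in lines.strip().splitlines():
        ts, user, action, visibility, obj = line.split(" ", 4)
        yield datetime.fromisoformat(ts).date(), user, action, visibility, obj


def daily_external_shares(events):
    """Profile: per user, per day, how many objects were shared outside the org.
    Days with no external shares are simply absent from the profile."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, action, visibility, _ in events:
        if action == "share" and visibility == "external":
            counts[user][day] += 1
    return counts


def find_anomalies(counts, z_threshold=2.0, min_events=5):
    """Return sorted (user, day, count) where count exceeds the user's own
    baseline (mean + z * stddev over their other days) and min_events, so a
    user who always shares a little is not flagged by ordinary variation."""
    flagged = []
    for user, per_day in counts.items():
        for day, count in per_day.items():
            others = [c for d, c in per_day.items() if d != day]
            if not others or count < min_events:
                continue
            if count > mean(others) + z_threshold * pstdev(others):
                flagged.append((user, day.isoformat(), count))
    return sorted(flagged)


def analyze(lines=LOG_LINES):
    """Convenience entry point: parse, profile, and flag in one call."""
    return find_anomalies(daily_external_shares(parse(lines)))


if __name__ == "__main__":
    for user, day, count in analyze():
        print(f"ALERT {user} shared {count} objects externally on {day}")
```

The same profile-then-compare structure applies to logins, downloads or third-party app grants; what changes is the event filter and the feature being counted.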
How to Prevent Data Breach in the Cloud Effectively
Organizations faced with securing data in the cloud need look no further than Spinbackup. Spinbackup’s API-driven CASB technology is incredibly powerful and gives organizations a very capable and intelligent solution that not only monitors the public cloud environment but also enforces security controls. In both Google G Suite and Office 365 (coming soon), security is natively built in as part of the Spinbackup solution, allowing organizations to:
- Proactively monitor public cloud environments for security related issues
- Identify data that is shared inside and outside the organization
- Identify and stop risky third-party applications
- Recognize internal threats to security such as unscrupulous employees
- Proactively detect ransomware with bullet-proof detection and automatic remediation
- Effectively use machine learning to profile and recognize anomalies instantly
- Receive alerts and security digests for security events in the public cloud
On top of the top-notch security features, Spinbackup provides enterprise-grade data protection and backups for G Suite and Office 365, a combination with intrinsic security capabilities that you won’t find in any other solution!
Sign up for a free trial here!