Lessons Learned From 3 Breaches in December; How to Protect Sensitive Data

We’ll never live in a world that is completely free from data breaches.

Hackers are continuously creating and discovering new vulnerabilities to exploit. Employees continue using weak credentials — passwords that open doors to cyber criminals looking for their way into sensitive databases.

However, giving up or blaming these users is not a solution.

What companies can do is learn from major cases and continually improve their security, as well as classify and keep an eye on important data.

Here, we analyze three of the latest high-profile data breaches in which a threat actor succeeded in accessing high volumes of sensitive data and examine what can be learned from them.

23andMe Data Breach

In December, 23andMe disclosed that the data of 6.9 million users had been leaked in a data breach. In October, the company had initially reported that 14,000 users were affected by the hack.

23andMe is one of the top five companies that offer genetic testing with home kits. Over almost two decades, it collected a lot of user data — both personal and sensitive.

The information exposed in this attack includes:
  • Birth years
  • Names
  • Ancestry reports
  • DNA makeups
  • Reported locations

The breach was possible because hackers exploited weak user credentials. Once they guessed the passwords and got into some of the accounts, they could access the ancestry data of other related users.

Two-factor authentication for login was optional until this breach.

“What Are They Gonna Do, Clone Me?”

A large volume of stolen data is already being sold on hacking forums. Unsurprisingly, it didn’t take long until a class-action lawsuit was opened. Thousands of affected users have already decided to participate.

However, there are still users indifferent to this major hacking incident.  
One said, “What are they gonna do, clone me?”

The company is currently trying to avoid the court by altering its terms of service. When users signed up for the service, they agreed to “binding arbitration”, giving up their rights to individually sue the company.

The new update limits user rights even further, allowing another, faster lawsuit process that usually benefits companies more than their users.

Xfinity Data Breach

On December 18, Comcast (a telecommunications company operating under the name Xfinity) disclosed a data breach that affected almost 36 million users.

For Xfinity, which has 32 million users altogether, this could mean that the stolen data is that of customers as well as company employees.

Data compromised in this breach includes:
  • Passwords
  • Usernames
  • Names of customers
  • Birthdays
  • Contact data
  • Secret questions and answers
  • The last four digits of social security numbers

How did hackers gain entry into the systems and obtain sensitive and personal data?

The culprit for this hacking incident is the CitrixBleed vulnerability, a newly discovered zero-day flaw. This weakness has been used to bypass not only password requirements but also two-factor authentication.

Fighting Zero-Day Vulnerabilities

A zero-day vulnerability means that a hacker is exploiting a flaw that security researchers haven’t yet discovered.

We’re talking about a flaw that existing security solutions can’t block because they don’t yet know it exists.

Xfinity did patch its systems as soon as the patches were available (on October 10). But the company soon discovered that a bad actor had already exploited this vulnerability to get into its systems.

ESO Solutions Data Breach

On December 21, ESO Solutions shared that the data of 2.7 million users was compromised in the latest breach, after the company uncovered illicit access to its databases in September.

Healthcare is a vulnerable sector and one of the top targets of cyber criminals, who seek out institutions with large databases filled with personally identifiable information. They can use the data to demand ransom from users and companies or sell it on the dark web.

Since ESO is a software provider for hospitals and fire departments, it fits that profile perfectly. The breach affected multiple hospitals and medical centers that used their services.

Personal and sensitive data exposed in the breach includes:
  • Dates of birth
  • Names
  • Types of injury
  • Treatment information (date and type)
  • Social Security numbers

In the wrong hands, that kind of data can result in identity theft.

Ransomware and Data Loss

While no ransomware group claimed this incident, ESO shared that it was the victim of a ransomware attack in September.

After gaining access to the company’s systems and stealing its data, the cybercriminal locked its files with ransomware encryption. Moving deeper into the infrastructure, the bad actor reached the healthcare information of millions of users.

The company offers complimentary identity theft protection for affected users.

Protecting Sensitive Data

People read about data breaches so often that they’ve gotten desensitized to this type of news. Why get all worked up about something that is beyond our control?

Even after a data breach is disclosed, not many people will decide to participate in the class action lawsuit in their country or even bother to change their passwords.

However, data breaches that do result in stolen information of a sensitive nature (as well as personally identifiable data) can have severe consequences.

The companies suffer financial and reputational damage.

Once a bad actor sells sensitive data on hacking forums, be it medical records or genetic information, it affects the lives of the affected individuals as well. They’re more likely to get ransom requests, have their identities stolen, and be prone to further hacking.

Therefore, it’s okay to expect more from companies that handle a lot of our personal and sensitive data.

Such companies need to have better cybersecurity postures and management to prevent cyber threats such as ransomware that can compromise user data.

Also, they need specialized data security solutions that let them know which files they have and who can access them at all times.

They need to put their user data first.
