These days, cybersecurity breaches are a dime a dozen.
The Binance hack, where more than $40 million worth of Bitcoin was stolen, is just the tip of the ever-growing iceberg. Just a week later, WhatsApp experienced a security breach that affected its 1.5 billion users. Fast forward another couple of weeks, and 330,000 of Britain’s Investment Week user records were exposed.
Another week, another breach. And with 51% of small businesses not allocating any budget at all to cybersecurity risk mitigation, calling breaches “scandals” might actually be more appropriate. Because, as it turns out, some of the biggest cyber incidents of the past few years could have been easily prevented.
As we go over the five most infamous (and infamously preventable) cybersecurity scandals of the past few years, you’ll discover that, in large part, they were far from inevitable.
Let’s take a look.
1. Equifax Has No Cyber Response Plan, 148 Million Users Pay the Price
First and foremost, miscommunication within the company’s IT department resulted in an unnoticed expiration of 300 security certificates, which meant that Equifax couldn’t monitor encrypted network traffic.
Secondly, a critical vulnerability was left unpatched for 145 days due to internal problems with patch management. This very vulnerability allowed the attackers to breach the perimeter, while a security certificate that was left expired for 19 months let them steal data undetected.
All this could have been prevented if only Equifax had practiced proper data hygiene and had put security breach response procedures in place. Instead, the company allegedly chose to do nothing, even after having discovered the breach back in 2016.
148 million stolen records later, users had to pay the price for a cybersecurity scandal that could have been easily prevented years prior.
2. Marriott Ignores a Data Breach for Years, 500 Million Identities Get Stolen
On 30 November 2018, Marriott began warning its customers about a breach of its Starwood hotel reservations database. The data stolen from the database included more than 500 million guests’ names, phone numbers, email addresses, dates of birth, and passport information.
According to Marriott, the attack began in 2014 and went undetected until September 2018, giving the attackers at least 1441 days to siphon the data. All the while, Marriott sat on this information for more than 2 months until it began to warn its customers.
According to cybersecurity experts, all this could have been avoided. It turns out that Marriott might have known about the attack since 2015, when the company reported a smaller breach likely carried out by the same attackers, who planted malware on Starwood’s point-of-sale systems to steal credit card data.
Had the company been just a little bit more thorough and followed up on its own cybersecurity reports, the criminals could have been caught back in 2015. Unfortunately, for 500 million people, this was not the case.
3. Facebook Forgets to Encrypt User Passwords, Puts 600 Million People in Danger
Another month, another avoidable Facebook cybersecurity scandal. This particular incident, however, might seem beyond unbelievable. Apparently, Facebook was storing hundreds of millions of user passwords on an Amazon cloud server in plain text. For years. Keeping passwords in plain text that can be read by anyone with access to the server is an embarrassingly insecure way of storing user credentials in this day and age.
By securing these passwords with the latest encryption protocols, Facebook could have prevented user credentials from being compromised even if unauthorized attackers gained access to the Amazon cloud server. Unfortunately, in a peculiar case of massive oversight, Facebook’s refusal to adhere to basic cybersecurity protocol resulted in another scandal for the social media giant.
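As an added illustration that is not from the original article (nor Facebook's code): the plaintext storage pattern described above, beside a hardened store. The article says "encryption"; the standard remedy for stored passwords is actually a salted, slow one-way hash, which is what the hardened version uses. The store classes, the iteration count and the sample credentials are all constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for this illustration only.
SAMPLE_USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}

# --- Vulnerable pattern: the credential itself is persisted. Anyone who can
# read the store (backups, logs, a readable cloud bucket) has every password.
class PlaintextStore:
    def __init__(self):
        self._db = {}

    def register(self, user, password):
        self._db[user] = password  # stored as-is

    def verify(self, user, password):
        return self._db.get(user) == password

# --- Hardened pattern: persist only a per-user salt and a slow hash. Even with
# full read access to the store, an attacker must brute-force each password.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value; tune to CPU budget)

class HashedStore:
    def __init__(self):
        self._db = {}

    def register(self, user, password):
        salt = os.urandom(16)  # unique per user: identical passwords hash differently
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._db[user] = (salt, digest)

    def verify(self, user, password):
        record = self._db.get(user)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)  # constant-time comparison

    def leaked_record(self, user):
        """What someone with read access to the store would obtain."""
        return self._db.get(user)

def demo():
    plain, hashed = PlaintextStore(), HashedStore()
    for u, p in SAMPLE_USERS.items():
        plain.register(u, p)
        hashed.register(u, p)
    # Both stores authenticate correctly, but only the plaintext store hands the
    # password itself to whoever can read the file.
    return plain._db["alice"], hashed.leaked_record("alice")
```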
4. Bodybuilding.com Employee Responds to Phishing Email, Up To 9 Million Accounts Get Hacked
As it turns out, any organization’s cybersecurity defenses are only as strong as those of their least tech-savvy employees. A data breach that unleashes a massive cybersecurity scandal for a company is just a click away.
Case in point: a single phishing email sent to Bodybuilding.com staff back in July 2018. At least one team member fell for the malicious message, possibly resulting in up to 9 million account records being stolen.
Once again, this didn’t need to happen. While such oversight might be excusable for a mom-and-pop shop, not educating your employees about potential cybersecurity threats should be unthinkable for online enterprises in 2019. And considering that the average cost of a malware attack to top companies is $2.4 million, cybersecurity training is also the more financially viable option.
5. World Forgets to Update Software, Attackers Hold Its Devices Ransom
On 12 May 2017, hundreds of thousands of people around the world, including countless government workers, turned on their computers, only to find ransom notes demanding $300 in Bitcoin staring back at them from unresponsive screens.
The reason: all the victims kept their operating systems out of date. As a result, an attack that should have been automatically repelled by an existing security patch delivered its digital payload to hundreds of thousands of devices.
As the infamous WannaCry ransomware attack has shown, clicking that “Remind me tomorrow” button too often can lead to anyone’s device (along with all the data stored on the hard drive) being hijacked today. As a matter of fact, every time a software update is postponed, attackers have 24 more hours to pinpoint and take advantage of its vulnerabilities.
The saddest part? Everyone affected could have prevented this with just a single click of the Update Now button.