Famous Cyber attacks and how to avoid them

How famous cyber security breaches could have been prevented

Data breaches caused by phishing and ransomware attacks are now so frequent that it takes something shocking to surprise us. Organisations around the world work diligently to secure stored personal information such as bank accounts, tax file numbers, and more. We are at a precarious point in time where we can protect ourselves better than ever, but we could also see the most egregious cyber security breach of all time.

The following are five notorious cyber security data breaches that have taught harsh lessons. These accounts should prompt you to put security measures in place to ensure you will be protected, rather than victimised. If nothing else, they have taught us that cyber attacks can happen to anyone.

Baltimore 

Baltimore may become 2019’s most infamous cyber security breach, simply because the city’s mayor refused to give in to the hacker’s ransom demands. In early May, ransomware infected government computer systems, including voicemail and email accounts, as well as a payment system for water bills and parking fines. Officials reported it would take months to restore these vital resources if the mayor stood firm in his refusal to hand over the requested Bitcoin ransom to the hackers.

The ransomware, a type of malware, was a relatively new strain known as RobbinHood. This form of malware targets vulnerabilities and allows hackers to remotely take control of a network computer to gain sensitive information. It encrypts the files on computers and virtual machines, rendering them useless until a ransom is paid.

Unfortunately for Baltimore’s public relations department, reports emerged that an IT manager warned the city about ineffective cyber security a year before the attack. At an open city council hearing, she said their cyber security response was understaffed, underfunded and in need of updates. Perhaps if the city had more cyber security experts in their team they could have prevented this ransomware attack.

Marriott 

On a data visualisation of the world’s most significant data breaches, Marriott International looms large for a hack on user accounts reported in late 2018. The hotel giant’s shares dropped, and a class action suit was raised when they revealed the personal information of up to half a billion guests had been compromised. For 327 million of those guests, the information included user data such as addresses, phone numbers, emails, passport numbers, dates of birth and more.

For Marriott, its ring of protection appears to have been penetrated in 2014 when it acquired the Starwood chain of hotels. Along with a sizeable credit card hack from that year, Starwood contributed a compromised website that was a popular conversation piece amongst hacker groups on the dark web.

This acquisition oversight highlights the need for businesses to have cyber security experts in areas other than IT departments. A cyber security expert on the board or in senior management might have contributed to due diligence when they acquired the compromised Starwood. And if the red flags surrounding Starwood weren't enough to cancel the sale, they should have been enough to drive an overhaul of cyber security practices.
 

Uber

Unlike the City of Baltimore, Uber decided to pay a USD$100,000 ransom to keep a colossal data breach quiet in 2016. Unfortunately, but not surprisingly, the data leak affecting 57 million user accounts and drivers eventually became public.

The weakness in Uber’s cyber security was a third-party cloud-based service used to collaboratively build, manage, and bug-test computer code. But it’s what happened after the breach that revealed Uber's cyber security shortcomings.

Uber’s co-founder and CEO at the time, Travis Kalanick, was not informed about the cyber breach for a month even though they were working with United States regulators on separate claims of privacy violations at the time. Then, instead of acting on their legal obligation to report the hack, Uber paid the hackers to delete the stolen data. It would be another year before authorities were alerted, at which time New York’s Attorney General launched an investigation into the attack. When the dust settled, Uber was forced to pay state authorities USD$148 million for the data breach.

Putting aside the fact that hackers were able to access sensitive customer data, as an online business, Uber should have had a prepared response for managing a data breach. All companies need to work with cyber security experts to prepare a policy that identifies roles and responsibilities in the event of a cyber-attack. In this case, a lack of preparedness violated the privacy of the people of New York and put their personal data at risk. Even just a little more data security could have kept cyber criminals at bay. Likewise, a planned response to cyber security breaches could have limited the damage.
 

GoGet  

Australian car sharing service GoGet waited six months to inform users that a hacker had accessed their personal data. However, in this case, the delay was for a good reason. This instance is slightly unusual because it involves an individual gaining unauthorised access to GoGet's computer system to avoid paying for his rental car. A former information security researcher was able to access the GoGet booking system and divert rental fees of around $3500 from his account to other users. This access also meant that he had access to GoGet customers' user names, addresses, email addresses, phone numbers, dates of birth, driver licence information, credit card information and more.

In this instance, it appears that the GoGet IT team had an effective cyber security policy in place. After identifying the breach, they worked closely with the police to monitor the hacker’s activity until they had enough evidence to bring him to court. Not informing the public of the breach was necessary to keep the hacker from knowing they were on to him. In the meantime, they engaged additional cyber security experts to improve their systems.

As a result of all this, GoGet now has an improved cyber security policy. Meanwhile, the hacker has 400 hours of community service to perform while authorities most likely destroyed his laptops, phones and storage devices.
 

Ticketmaster

In May 2018 the European Union introduced the General Data Protection Regulation, which forced companies not only to declare what data they were collecting but also to report any data breaches within 72 hours. So, one month later, when hackers accessed Ticketmaster’s data, the company knew exactly what to do. And as an international company, it let Australians know that their personal information might now be in the hands of hackers.

Ticketmaster said the vulnerability was in their extended network, which included artificial intelligence provider Inbenta. In turn, Inbenta pointed the finger back at Ticketmaster for introducing some JavaScript code without their knowledge. This particular instance highlights the importance of incorporating all elements of the extended network in a cyber security policy. It also reinforces the maxim that any cyber security policy is only as strong as its weakest link.
