Cyber security breaches are coming so thick and fast these days that it takes something really out of the ordinary to become famous. As organisations around the world scramble to catch up with cyber security, we are at a junction in time where we have a window of opportunity to protect ourselves, but also the potential to see the most famous cyber security breach of all time.
Here are five famous cyber security breaches that should prompt you to take the action required to ensure you’ll be protected, rather than famous.
Baltimore may become 2019’s most famous cyber security breach, simply because the city’s mayor refused to give in to the hacker’s ransom demands. In early May, ransomware infected government computer systems that provide voicemail and email, as well as a payment system for water bills and parking fines. It was reported that it would take months to restore these vital resources if the mayor stood firm in his refusal to hand over the requested Bitcoin ransom to the hackers.
The ransomware is a form of malicious software, or malware, known as RobbinHood. This is a relatively new form of malware – it targets vulnerabilities in remote desktop services that allow someone to take remote control of a computer over a network. It encrypts the files on affected computers and virtual machines – then hackers offer to decrypt the files if a ransom is paid.
Unfortunately for Baltimore’s public relations department, reports emerged that an IT manager warned the city about cyber security a year before the attack. At a public city council hearing, she said their cyber security response was understaffed, underfunded and in need of updates. Perhaps if the city had more cyber security experts in their team they could have responded more rapidly to the attack, if not preventing it altogether.
On a data visualisation of the world’s biggest data breaches, Marriott International looms large for a hack that it revealed in late 2018. The hotel giant’s shares dropped, and a class action suit was raised when they revealed that the personal information of up to half a billion guests had been compromised. For 327 million of those guests, the information included addresses, phone numbers, emails, passport numbers, dates of birth and more.
For Marriott, its cyber security ring of protection appears to have been punctured in 2014 when it acquired the Starwood chain of hotels. Along with a sizeable credit card hack from that year, Starwood brought with it a compromised website that was a popular conversation piece amongst hackers on the dark web.
This highlights the need for businesses to have cyber security experts in areas other than IT departments. A cyber security expert at board or senior management level could have contributed to due diligence on the acquisition. If the red flags they raised weren’t enough to cancel the sale, they should have been enough to drive an overhaul of cyber security practices in the acquired business.
Unlike the City of Baltimore, Uber decided to pay a USD$100,000 ransom to keep a colossal data breach quiet in 2016. Unfortunately, but not unsurprisingly (you can’t trust extortionist hackers) their leak of personal data on 57 million customers and drivers eventually became public.
The weakness in Uber’s ring fence of cyber security was a third-party cloud-based service where computer code was collaboratively managed, built and bug tested. But it’s what happened after the breach that revealed their cyber security shortcomings.
Uber’s co-founder and CEO at the time, Travis Kalanick was not informed about the breach for a month – despite the fact that they were working with US regulators on separate claims of privacy violations at the time. Then, instead of acting on their legal obligation to report the hack, Uber paid the hackers to delete the data. It would be another year before authorities were alerted, at which time New York’s Attorney General launched an investigation into the attack. When the dust settled, Uber was forced to pay state authorities USD$148 million for the data breach.
Putting aside the fact that hackers were able to access sensitive data, as an online business, Uber should have had a prepared response for managing a data breach. It’s essential for all businesses to work with cyber security experts to prepare a cyber security policy that identifies roles and responsibilities and what actions to take in the event of a cyber-attack.
Australian car sharing service GoGet waited six months to inform users that their personal data had been accessed by a hacker. This is a slightly unusual case because it involves an individual accessing the system to avoid paying for his rental car. A former information security researcher was able to access the GoGet booking system and divert rental fees of around $3500 from his account to other users. This also meant that he had access to GoGet users’ names, addresses, email addresses, phone numbers, dates of birth, driver licence information and more.
In this instance, it appears that the GoGet IT team had an effective cyber security policy. After identifying the breach, they worked closely with the police to monitor the hacker’s activity until they had enough evidence to bring him to court. In the meantime, they engaged additional cyber security experts to improve their systems.
As a result of all this, GoGet now has an improved cyber security policy. Meanwhile, the hacker has 400 hours of community service to perform while his laptops, phones and storage devices may all be destroyed.
In May 2018 the European Union introduced the General Data Protection Regulation which not only forced companies to declare what data they were collecting but to report any data breaches within 72 hours. So, one month later, when Ticketmaster’s data was accessed by hackers, they knew exactly what to do. And as an international company, they let Australians know that their personal information might now be in the hands of hackers.
Find out more about how to become a cyber security expert by studying a Master of Cyber Security.