Major Data Breaches from 2016 – 2018


July 10, 2019, by Bryan Strawser

There are almost daily news reports about some company, either large or small, that just discovered a data breach. Millions of consumers are informed their personal information may have been hacked. The companies that suffer the loss of the stolen data often pay huge fines and millions of dollars to repair the breach. In addition, their reputation suffers and they lose future business.

The individual consumers are also big-time losers when their credit cards are used by the cyber thieves, their identities are stolen, and they have to jump through proverbial hoops to restore their funds to their hacked financial accounts. The consequences to all involved are severe.

Major Data Breaches of 2018

Marriott International Inc.

On November 30, 2018, Marriott International Inc. disclosed “a massive security breach.” The breach has been described as the largest of its kind in history. It went undetected for four years, during which time the hackers accessed the personal information of more than 500 million guests who had stayed at a Marriott hotel or used a credit card to secure a room, even if they ultimately did not stay at a Marriott.

In Marriott’s news release about the attack, it revealed that the following private information had been obtained by the hackers:

  • Name, mailing address, phone number, email address, credit card number, and passport number.
  • For those who had a Starwood Preferred Guest (“SPG”) account, additional information was discovered including date of birth, gender, arrival and departure information, reservation date, and communication preferences.

Of major industries that were targets of hackers in 2018, retail and finance came in first and second with the hospitality industry coming in third. In addition to the hackers accessing the personal information of its guests, Marriott Hotels also lost its reputation and may face up to $1 billion in fines and litigation costs.

The source of the breach was initially described simply as unauthorized access to the data system. In December 2018, the New York Times reported the invasion was “a Chinese intelligence-gathering effort.” It is suspected that the same hackers also breached health insurers and the security clearance records of millions more Americans.

Facebook: 2016 Breach Announced in 2018

Before the announcement of the Marriott breach, back in March 2018, Facebook CEO Mark Zuckerberg confirmed that personal information of at least 87 million Facebook users had been compromised by Cambridge Analytica during the 2016 national election. Although the actual breach did not occur in 2018, it fits into the 2018 category since that is when Facebook confirmed to its users that there was a breach.

Personal information, including users’ birthdates, addresses, and telephone numbers, was all easily discoverable. In addition, any user’s “likes” were included in the information Cambridge Analytica hacked into and used.

If an individual’s privacy settings allowed it, information about a user’s friends was also obtained. The reason for the Cambridge Analytica hack was so it could use the data “to change audience behavior.”

On December 19, 2018, the attorney general for the District of Columbia filed a lawsuit in the District of Columbia’s superior court against Facebook. The lawsuit alleges, among other things, that users were misled “about how their data was accessed” and that Facebook acted “fast and loose” with user data.

The attorney general’s office states that the fines can be as much as $5,000 per violation. Since there are 340,000 people in the District of Columbia who were affected by the data leak, Facebook may be looking at a fine of about $1.7 billion as a result of this one lawsuit. Other lawsuits may follow. A Facebook spokesperson responded that the complaint was being reviewed and that the company looks forward to cooperating with the D.C. attorney general.

In an article published on December 20, 2018, the author, a Facebook supporter and investor, emphasized that at least with the Facebook breach, no credit card or other financial information or Social Security numbers were discovered.

Companies who use the positive aspects of a social media presence, like having a Facebook page, need to be aware of the possible snafus that can occur, including the ramifications of a security breach.

Under Armour MyFitnessPal App

In March 2018, Under Armour, a food and nutrition website, announced a breach in its cybersecurity. More than 150 million MyFitnessPal app users were affected. Although no financial information, such as credit card numbers or Social Security numbers, is collected by MyFitnessPal, the breach revealed the names of users, their email addresses, and their encrypted passwords.

Although the attack was somewhat limited in the information stolen, according to Fortune, the number of people affected put it in the category of “one of the largest breaches on record.” Under Armour stock dropped 4.6 percent on the day the attack was announced.

Major Data Breaches of 2017

The year 2017 was a banner year for cybercriminals. More data was lost or stolen in the first half of 2017 than what was reported lost or stolen for the entire year of 2016.  From Equifax, a credit reporting company, to hotels, health care organizations, retail stores, and fast food companies, it seemed as though no business was safe from a data breach.

Equifax

Equifax, one of only three credit reporting companies, collects credit data on individuals from sources including credit card companies, retail stores, individual banks, and other financial institutions so it can monitor the credit history of individuals and businesses. On September 7, 2017, the company revealed that on July 29, 2017, it had discovered a data breach.

Between May and July 29, hackers tapped into the sensitive personal information of at least 143 million people. This information included Social Security numbers, birthdates, addresses, driver’s license information, and phone numbers.

Financial experts say that since Social Security numbers are assigned for life, this breach will leave those consumers who were affected vulnerable to identity theft for the rest of their lives. A criminal with access to a person’s Social Security number can wreak havoc on the victim’s life by obtaining credit cards, getting a driver’s license, impersonating the victim, and so forth. Experts have said that this breach may be the worst in the history of breaches of financial institutions.

One year after Equifax informed its consumers that the breach had occurred, the U.S. General Accounting Office released its conclusion that the breach was caused by “an array of errors inside the company, largely relating to a failure to use well-known security best practices and a lack of internal controls and routine security reviews.” The report noted that the breach had gone undetected for 76 days despite 9,000 unauthorized queries that went unnoticed.

Equifax responded by budgeting an additional $200 million for security and technology for 2018, but there were no real changes made in the credit reporting industry. Several states passed laws that will impose huge fines in the future for cybersecurity breaches in this industry, but most of those laws will not go into effect until 2020.

Hyatt Hotels

Some might call the Hyatt Hotel chain a slow learner. It was hacked in 2015 and again in 2017. Information from credit cards that were either swiped or manually entered at check-in desks of Hyatt Hotels from March 18, 2017, to July 2, 2017, may have been discovered by hackers. The information included cardholder names, credit card numbers plus the expiration date and security code for each credit card. The breach apparently affected 41 Hyatt properties in 11 countries.

The source of the breach was under investigation, but it was likely the work of a criminal organization that targets the hospitality industry, which seems vulnerable to repeated cyber attacks.

Forever 21

In November 2017, retail store Forever 21 announced that those who had shopped in a store from March through October 2017 may have had their credit card information stolen. In its announcement, the company stated it did not know how many people might be affected. Since there are nearly 800 stores in 48 countries, the data breach likely involved millions of people.

Apparently, the breach occurred when some point-of-sale devices had the encryption turned off.  In its latest report, the company said that the information provided by online purchasers had not been compromised.

Sonic Drive-in and other Sonic Companies

In September 2017, Sonic discovered that a breach in its data system allowed hackers to discover credit card numbers of millions of its customers. The breach was discovered after 5 million credit and debit card numbers were posted for sale on a credit card theft website.

Sonic has 3,600 locations in the U.S. Essentially all use the same point-of-sale system. Sonic is looking into changing that system so if there should be another breach, at least it will not compromise the personal information of quite so many people.

Sonic engaged forensic experts to help track down the cause and reported the data breach to law enforcement in a concerted attempt to determine the source of the breach. Once it discovers the exact cause, it plans on taking whatever measures necessary in order to prevent it from happening again.

Major Data Breaches of 2016

It is not possible to discuss lapses in cybersecurity without including the hack into the Democratic National Committee (DNC) which occurred in June 2016 and may have influenced the presidential election. The ramifications of the breach are still felt and are still talked about today. In addition, the Department of Health and Human Services experienced hacking which compromised the private information of millions of people.

The Democratic National Committee

In the biggest data breach of the year, Russian government hackers gained access to the DNC’s database of opposition research on Donald Trump, then the GOP candidate for president. The hackers also discovered all emails and chats between members of the committee that had been stored on the system. It was determined that the hacking had been going on for approximately an entire year before it was discovered.

No financial information of any donors or any personal information seemed to have been accessed. That contributed to the conclusion that the breach was not the work of criminal hackers searching for financial information, but of “spies” engaging in traditional espionage.

The cybersecurity specialist called in to handle the breach discussed how difficult it is “for a civilian organization to protect itself from a skilled and determined state such as Russia…Their job when they wake up every day is to gather intelligence against the policies, practices, and strategies of the U.S. government.” Even with this knowledge, and clues that set off alarms that the system had been hacked into, it was not determined exactly how the hackers got into the system.

The main theory about how the attack occurred is that it was by “spearphishing” emails. That happens when an unsuspecting person receives an email that appears to be legitimate, apparently from a known colleague. The email contains either a link or an attachment that, when clicked on, deploys malicious software that then enables the hacker to gain access to the computer.

The U.S. Department of Health and Human Services

In April 2016, the Department of Health and Human Services (HHS) reported that intruders had stolen a laptop and portable hard drives that contained the personal information, including birth dates, Social Security numbers, addresses, and phone numbers, of more than 5 million people. The breach was attributed to a disgruntled employee who shared access information with cyber thieves. Apparently, no health records were stolen.

Healthcare Data Breaches Hit an All-Time High in 2016

According to Healthcare Informatics, in 2016, there were 328 healthcare data breaches resulting in exposing nearly 17 million people to the unauthorized disclosure of their health records. Each leaked record costs a healthcare firm approximately $402.

In 2016, it was estimated that by 2021, one in 13 people will have been the victim of a health information hack, which will cost the healthcare industry more than $305 billion. Healthcare records are particularly valuable to cyber thieves because not only do they provide detailed health information, they also provide birthdates, family history, credit information, addresses, Social Security numbers, and credit card numbers. This data can be sold on the black market for premium fees.


Can we help you?

At Bryghtpath, our experts have built incident response plans for the Fortune 500 & many public sector agencies to address major cybersecurity incidents and the related reputational impacts. We’ve also assisted many organizations in their critical moment as they have faced difficult crisis and reputation management situations.

We’d love to talk with you about how we can tailor a solution to address your specific needs. Contact us online or give us a call at +1.612.235.6435.


About Bryan Strawser

Bryan Strawser is Founder, Principal, and Chief Executive at Bryghtpath LLC, a strategic advisory firm he founded in 2014. He has more than twenty-five years of experience in the areas of business continuity, disaster recovery, crisis management, enterprise risk, intelligence, and crisis communications.

At Bryghtpath, Bryan leads a team of experts that offer strategic counsel and support to the world’s leading brands, public sector agencies, and nonprofit organizations to strategically navigate uncertainty and disruption.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.