This year’s wave of data breaches is nothing short of disastrous. Several aspects make these breaches stand out:
- the size of the companies affected;
- the sensitivity of the leaked data; and
- the massive effect they’ve had on individuals, businesses, and government agencies alike.
Alarmingly, in many cases there has been a notable delay between the actual breach and its discovery by the targeted company. Such a trend demands an assessment of data protection and breach-prevention policies. We will look at three recent cases involving Equifax, Deloitte, and—most recently—Yahoo.
Equifax: If Something Can Be Patched Today—Don’t Wait Until Tomorrow’s Breach
The breach at Equifax was unprecedented, affecting around 143 million customers in the US, Canada, and the UK. Sensitive information, like names, social security numbers, addresses, etc., was compromised. Hackers obtained access to this private data by exploiting a two-month-old unpatched vulnerability on the company’s website.
The breach was discovered on July 29th, but the data may have been first exposed as early as mid-May. An announcement by Equifax followed on September 7th, but it was the news that Equifax executives were selling company stock before the breach announcement that disrupted the remaining trust of customers. At StopAd, we have compiled a short guide on how to prevent identity theft for those affected. Please note that the website established by the company to provide information has been unstable. We suggest confirming with the company’s call center before visiting.
Deloitte: The Cobbler Always Wears the Worst Shoes
On September 25th, the Guardian reported that Deloitte, one of the Big Four accounting firms, fell victim to a hacker attack that breached confidential data. Information leaked includes emails, passwords, and personal details regarding six of the firm’s high-profile clients, among them certain government agencies.
Ironically, Deloitte itself provides cybersecurity consultancy to some of the major businesses across various industries.
According to researcher and author Brian Krebs, citing an anonymous source within Deloitte, the company isn’t able to determine the exact period during which their email servers were accessible to adversaries. Based on the Guardian’s sources at Deloitte, the intrusion was first noticed in October 2016—a statement that parallels information obtained by Brian Krebs and other indirect evidence, i.e., a password change email for U.S. employees from October 2016.
In the statement given by Deloitte after the Guardian publication, it stressed that very few clients were affected. Given that the firm has failed to assess the longevity of the breach and is trying to diminish the impact of the attack, there might be more severe consequences that are yet to be discovered.
Similar to Equifax, the Deloitte attack exploited a weakness in authentication policy, which allowed access to email administrator accounts with a single password. No two-factor authentication was required. Deloitte’s reputation will inevitably suffer, while the stolen data is most likely going to appear for sale on the Dark Web.
Yahoo: Always Assume A Breach
Yahoo has been around for quite a while and has accumulated a tremendous user base over the years. In December 2016, Yahoo’s Chief Information Security Officer disclosed a data breach associated with 1 billion Yahoo user accounts. It was the result of an attack carried out by an unidentified party dating back as far as August 2013. The leaked data included personally identifiable information, like names, email addresses, phone numbers, hashed passwords, and encrypted/unencrypted security questions or answers. The statement indicated that neither financial information nor passwords in plain text had been compromised.
In the following weeks, security researchers claimed that copies of the stolen data had been available for purchase and were circulating on the Dark Web. Yahoo notified the affected users and implemented additional security measures.
What was already the most significant data breach in history turns out to have been much bigger. Following Yahoo’s acquisition by Verizon this year, an independent team of forensic experts uncovered clues suggesting that all three billion Yahoo accounts were compromised. The evidence was found during the integration process and points to the same 2013 attack, whose actual impact had been underestimated or overlooked.
Verizon’s subsidiary, Oath, now manages Yahoo and published a statement on October 3, 2017, saying that additional notifications have been sent to account owners and that no banking/card information was compromised.
I Have a Yahoo Account, What Should I Do About the Breach?
- Visit Yahoo’s Security Update page. It contains the most frequently asked questions regarding the breach and the steps to take to secure your account.
- Change passwords on all your Yahoo accounts.
- Do not open or download attachments from suspicious emails.
- Alternatively, you may use a Yahoo Account Key to access your account with the help of your phone.
What Are The Main Takeaways From All This Lack of Security?
There are several common traits that we as customers should be aware of when interacting with businesses and sharing our sensitive data with them.
In all three cases discussed, it took the businesses an enormous amount of time to identify the breach, acknowledge it, and proceed with mitigation. Large companies hate to assume responsibility, which is explicitly evident in the case of Equifax, where the company tried to place the blame on a single person who didn’t patch the system—isn’t this too careless for an organization of their size and importance? The same goes for Deloitte, which basically admitted it couldn’t implement a simple policy for secure access to privileged IT infrastructure accounts.
A Few Things to Help You to Stay on the Safe Side
- Check who the company’s partners are, which portion of your data it may share with them, and under which conditions.
- Find out whether the company to which you’re submitting your info has passed a third-party audit for their data protection and cybersecurity policies. Does it conduct proactive monitoring and testing against security risks?
- Do not submit more data than needed (additional contacts, etc.). In case of a breach, this extra information may end up in the wrong hands.
- When working with websites, it is preferable to operate over an encrypted connection (HTTPS).
- Make sure that the website where you’re submitting your data has a valid SSL certificate, preferably an Extended Validation Certificate. You can use COMODO SSL Analyzer to check whether a site has a valid certificate with all required settings. Here’s an example report for StopAd. If a website’s certificate has been temporarily revoked for some reason, it’s better to find out why, or avoid using the site.
- Enable two-factor authentication on as many of your accounts as possible.
- Make sure you have an antivirus on your computer and mobile device. It should always be on and updated.
- Read our article on protecting your financial data for details on financial protection specifically.