It’s every company’s worst nightmare….. Hackers break into your system and steal valuable information, lock down sensitive files or leak private data to the public. The truth is – no matter how big or how small an organisation – it is, to some extent, vulnerable to hacks and they do happen. The important thing is to have a strong security policy in place and to do all that you can to keep that “mission critical” data safe.
As pointed out by Brian Honan at our Cybersecurity Conference, the root cause of breaches are often the same and it is possible to make a few minor changes to help prevent them:
- Poor Passwords, leading to Web Based Email Attacks.
- Missing Patches.
- Vulnerabilities in Web Platforms e.g. from Out of Date Software (Windows XP).
- Out of Date Anti-Virus Software.
- Poor organisational processes e.g. lack of staff training
- Lack of Monitoring.
Thankfully, organisations right around the world are taking note – putting the correct security measures in place and employing highly trained cybersecurity professional to protect their data. However, we still see breaches taking place – here’s a few of the most high profile reported attacks from 2018…..
Marriott
Towards the end of November 2018, the Marriot hotel group announced that it had suffered a massive data breach that affected the records of up to 500 million customers. The group revealed that their Starwood division’s guest reservation database had been compromised. The information accessed included payment details, names, addresses, phone numbers, email addresses and passport details. It would appear that the hackers had access to the data for quite a long time before it was spotted by their IT department.
Several news outlets have since reported that the hack was part of Chinese intelligence-gathering that also attacked and hacked health insurance data and security clearance data of million more Americans.
FIFA
Over the past two years FIFA have had a couple of significant security breaches where approximately 3.4 terabytes of data and 70 million documents were leaked online which lead to several corruption allegations. The data was passed to German newspaper Der Spiegel who claim they were given the data by a whistle-blower referring to himself as “John”. John’s aim was to shine a spotlight on the high level of corruption that exists in the world of sport.
John claimed that there was no hacker responsible for the data he held and that it was given to him by multiple different sources.
Since then it appears that in a separate incident more of FIFA’s information was accessed through a phishing attack.
British Airways
Last year British Airways had a breach which appears to have affected up to 380,000 transactions. It looks like external scripts on its payment system was the cause of the hack. Essentially this meant that as the website users typed in and submitted their details, they were copied by the malicious code which sent the info. to the cyber criminals. Both payment details and personal details of BA’s customers were exposed in the attack.
Following on from this initial breach, BA’s parent company, International Airlines Group, released a statement to say that it had found a further 77,000 customers may have had their names, billing addresses, email addresses and complete card details including CCV numbers stolen as customers used their reward points system. On top of this 77,000, another 108,000 customers had the same details accessed and stolen – except luckily for this group, their CCV numbers weren’t stolen.
What Should You Do?
There are a number of basic precautions that can and should be taken regarding security; use strong passwords, keep software, anti-virus and your website up to date, have a strong policy in place to tackle breaches and make sure that staff are regularly trained.
It’s fair to say cybersecurity should remain front and centre for all organisations in 2019. With that in mind last October we launched our Cybersecurity Skills Initiative (CSI) with the aim of growing the awareness around security issues and helping companies to upskill and keep their data safe.
We have a number of excellent training courses planned for 2019 so keep a close eye on our website and Twitter profile for updates.