It’s nearly the end of 2018, and it seems like the year has gone by like a flash. If you’re like us, you might still be working on some of your New Year’s Resolutions from 2018 – that beach body can wait until spring of 2019 anyway.
But in between holiday parties and New Year’s celebrations, there is a good opportunity to reflect on the last 365 days and consider what has happened and what was learned. In the business technology sector, there was no shortage of major headlines this year that helped remind us of the state of things in 2018.
While improvements in tech continue to help modern businesses be more productive and connect workers more efficiently, we’re reminded constantly of the consequences of not staying vigilant and protecting data from bad actors. 2018 was a year of record-breaking data breaches which resulted in millions having sensitive data stolen or sold on the dark web.
It was also a year that brought the most expensive fines ever levied against companies that were negligent about data storage. As any IT department will probably admit, fines and public relations nightmares in the wake of a data breach don’t often make it into the annual budget planning meetings.
Even if it hasn’t happened to your company yet, the statistics suggest that it’s only a matter of time. Moving into 2019 unequipped to defend against an attack, or with a staff that’s uninformed about cybersecurity best practices, all but guarantees that your business will be the subject of the next disaster headline.
Today, we wanted to look back at some notable events that occurred in 2018. We’ll provide a brief recap of each situation, highlight where the offending parties went wrong, and consider what they might have done to avoid it.
Making a New Year’s Resolution for your business? Consider some of the lessons learned by these companies and use them to avoid a reputation-ruining headline about your business in 2019 and beyond.
2018 was a year filled with ups and downs for the social media platform Facebook. It is an apropos starting point for today’s article because it impacted nearly every individual with a Facebook account.
That’s not hyperbole.
There were several notable breaches in 2018, but the worst of them occurred in September and left some 50 billion users compromised. Hackers were able to exploit a security vulnerability in Facebook’s code that was triggered when users used the “View As” feature. Somewhat ironically, this was a privacy tool that allowed a user to see how their own profile would appear to someone they did not yet have a connection with.
Facebook has been in the spotlight for playing fast and loose with user data, but you might be tempted to think, “What’s the big deal?”
Consider this: in addition to the hackers being able to see how you spent your summer vacation, if you ever used your Facebook credentials to log into other accounts or applications, there’s a strong possibility the hackers could have collected that data as well.
Future Planning Suggestion: Most businesses will never have to worry about being tasked with storing and protecting as much user data as Facebook. But with the frequency that the social media platform seems to be leaking user data, one might wonder how it could have gone any other way. This is a sobering reminder that a “one-size-fits-all” password philosophy can be very dangerous.
We recommend not using the same password across multiple platforms. Social media, online banking, credit cards, and employment credentials should each use a unique password, and those passwords should be changed frequently. Try setting a quarterly calendar reminder.
If you’ve recently stayed at a Marriott-chain hotel, there’s a good chance your data has fallen into the hands of hackers. Towards the end of November, the Starwood hotel division announced a huge data breach that affected nearly 500 million customers.
As far as data breaches go, this would be considered a treasure trove. Payment card information, names, mailing addresses, phone numbers, email addresses, and even passport numbers were all contained within the breach.
Future Planning Suggestion: The Marriott attack is worth highlighting because this fits the definition of a coordinated, sophisticated cyber-attack which involved multiple IT systems over a relatively long timeline. The average small business likely won’t be targeted in this manner, but what Marriott did right was seen in how they handled the news after they became aware of it internally.
Part of an effective disaster recovery plan should include public relations if a data breach occurs. A transparent, timely announcement creates a much stronger sense of social goodwill than an announcement months or years after the fact.
The GDPR (General Data Protection Regulation) was signed into law in the UK earlier this year. It sets clear timelines for when a company must divulge to the public that a data breach has occurred, and it imposes significant financial penalties on businesses that violate those timelines.
Business owners and IT managers should take the opportunity to learn from these events and proactively re-work their existing data security practices. An article in Forbes provides a helpful post-mortem for the Marriott incident:
It's not the data breach that will be most impactful to the company; it's the regulatory and class actions that follow, says Ian Thornton Trump, head of cyber security at Amtrust International. “But the big question is, why was this data not encrypted while at rest? Why are passport numbers and details not required by law to be encrypted at rest? The Marriott breach was not just about failing to protect the data they have; it's a failure of governments to insist identity documents are treated with the same requirements as credit card data.”
An Iowa-based company was the victim of a phishing attack that compromised its email systems and affected approximately 1.4 million patients. The interesting (or disturbing) part here is that the phishing attack was the company’s second successful cyber attack of 2018.
Future Planning Suggestion: Phishing might be one of the oldest tricks in the hackers’ playbook, but this is a reminder that employees still fall for it. Cleverly disguised emails, ostensibly from executives, can give employees the impression that sensitive patient information needs to be shared over email.
It’s important to hold regular training sessions that provide updated best practices to staff who might not always have cybersecurity at the top of their mind.
MyFitnessPal – The maker of the fitness application suffered an attack that allowed hackers to gain access to the accounts of some 150 million users. Addresses and passwords were among the sensitive data collected.
Quora – The popular Q&A website was the victim of an enormous cyber attack which impacted around 100 million users. At this time, the company is unsure of what information ended up in the possession of hackers, but a spokesperson did suggest that real names, email addresses and passwords could have been among the type of data collected by malicious third parties.
Timehop – Frequent users of Timehop likely had their personal data exposed, including names and emails, after reports of a July 4th data breach. Approximately one fifth of its users, around 4.7 million people, were affected by the breach.
Aadhar – Perhaps the mother of all rapid-fire data breaches came from Aadhar, which had to disclose a breach that affected 1.1 billion users. The Indian government’s data storage portal provided hackers with names, ID card numbers and bank account information for a huge number of Indian citizens.