Michael Magrath, Director of Global Regulations and Standards at OneSpan, an authentication and mobile app security company, looks back at 2018 and what we learned from another year of data breaches.
We seem to have had many ‘year of the data breach’ contenders over the last few years and, although it would be nearly impossible to pick a definitive winner, 2018 certainly has a strong claim to the top spot. Verizon’s 2018 Data Breach Investigations Report counted 2,216 confirmed data breaches in its reporting period. The scale of the problem becomes clear when you consider that, according to NordVPN, just 13 of 2018’s data breaches between them affected more than one billion people.
But the key security lesson we’ve learned from 2018 is not just that big-name brands are still struggling to keep out the hackers, it’s that any industry can be affected. It has become abundantly clear – if it wasn’t already – that privacy-sensitive industries like government and finance aren’t the only ones being targeted. Let’s take a closer look at where these breaches have occurred over the last 12 months and what this all means for businesses as we move into 2019.
Is no industry safe?
When going back through the biggest security incidents to have hit the headlines this year, one thing that immediately stands out is the spread of industries affected. Social media, for example, is often overlooked as an “at-risk” industry, yet the sector was bruised and battered in 2018. Facebook, of course, was the most high-profile victim. Following on from the Cambridge Analytica scandal, in which it emerged that data on 87 million Facebook accounts had ended up in the hands of the political data analytics firm, the social behemoth revealed that a security flaw had exposed up to 50 million accounts.
But it wasn’t the only one. Reddit, one of the world’s biggest news aggregation websites, and Timehop, a popular social media nostalgia app, were both breached after employee login credentials were compromised. In both cases the attackers gained access to users’ names, email addresses and passwords and, in some cases, phone numbers. Then there’s e-commerce, where attackers were equally prolific. Up to 40,000 UK Ticketmaster customers were believed to be affected by a breach caused by malicious software running in a third-party customer support product embedded in Ticketmaster’s site. Dixons Carphone admitted to a huge data breach involving 5.9 million payment cards and 1.2 million personal data records. More recently, Amazon suffered a technical glitch just two days before Black Friday that caused customer names and email addresses to be disclosed on its website, although it is unclear how many users were affected.
The travel and hospitality sector has also had its fair share of security incidents and is increasingly coming under pressure. Marriott International reported that a breach of its Starwood guest reservation database exposed the personal information of up to 500 million people. According to Marriott, the attackers accessed names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood loyalty programme account information and reservation details. Credit card numbers were encrypted, but other information, including passport numbers, was stored unencrypted. Encryption of the card numbers is also only as good as the protection of the keys: Marriott itself said it could not rule out that the components needed to decrypt them had been taken as well.
Another example was the “sophisticated” hack on British Airways that compromised the payment card details of over 300,000 customers, although travel and passport data was not believed to have been affected. Even that pales in comparison with the breach suffered by Hong Kong airline Cathay Pacific, in which the personal data of 9.4 million customers, including names, dates of birth, addresses, passport numbers and credit card numbers, was accessed by an unauthorised third party. All of this shows how attackers are casting their nets far and wide in their attempts to reach confidential systems and get their hands on customer information. The idea that heavily regulated industries such as government, healthcare and financial services are the only targets is outdated, and clinging to it has the potential to cause serious financial and reputational harm.
The Reddit and Timehop breaches in particular show that poor authentication continues to play a major part in many attacks. With weak, stolen or compromised credentials behind 81% of hacking-related breaches (Verizon’s 2017 Data Breach Investigations Report), the first step to rebuilding customer confidence is putting measures in place to address this problem. There is no excuse for any business today not to deploy multi-factor authentication (MFA) to protect user accounts and move away from the outdated approach of relying solely on a single secret. MFA combines at least two of the following three factors: something you know (such as a password or PIN), something you have (such as an authenticator app on a smartphone or a hardware token) and something you are (such as a fingerprint or facial recognition).
MFA can be critical in preventing account takeovers, so business leaders and IT teams should ensure that they are applying the appropriate level of protection. Simply adding push authentication, where the user taps “approve” on a phone, without a second factor such as a fingerprint, PIN or facial recognition does not make a system MFA-protected: the tap proves only possession of the device, and a user can approve a prompt they never initiated. That puts the advantage back in the hands of the attackers.
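To make the “two of three factors” idea concrete, here is an added example (not OneSpan’s code, nor code from the original article) of a server-side login check that requires both something you know (a password, stored as a salted PBKDF2 hash) and something you have (a TOTP secret shared with an authenticator app, verified per RFC 6238 with a one-step clock-drift window and single-use enforcement so a captured code cannot be replayed). The `Authenticator` class, its `login` method and the user-record layout are assumptions made for this illustration; the 20-byte secret `12345678901234567890` is the published RFC 6238 test secret, used so the codes can be checked against the RFC’s test vectors.

```python
"""Password + TOTP (RFC 6238) two-factor login check. Added example, not vendor code."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ROUNDS = 200_000          # assumption: demo setting; tune for production hardware
RFC_SECRET = b"12345678901234567890"  # RFC 6238 test secret (Appendix B), not a real key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


@dataclass
class UserRecord:                 # assumed storage layout for the demo
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    last_totp_counter: int = -1   # highest counter already accepted; blocks code replay


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Authenticator:
    """Two factors: something you know (password) and something you have (TOTP secret)."""

    def __init__(self, step: int = 30, drift_steps: int = 1):
        self.users: Dict[str, UserRecord] = {}
        self.step = step
        self.drift_steps = drift_steps   # tolerate +/- one step of clock skew between phone and server
        # Fixed dummy record so an unknown username costs the same time as a real one
        # (avoids telling an attacker which usernames exist).
        self._dummy = UserRecord(b"\x00" * 16, _hash_password("dummy", b"\x00" * 16), b"\x00" * 20)

    def enroll(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = UserRecord(salt, _hash_password(password, salt), totp_secret)

    def login(self, username: str, password: str, code: str, now: Optional[float] = None) -> bool:
        """Accept only if BOTH factors verify; the caller never learns which one failed."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        known = rec is not None
        rec = rec if known else self._dummy

        # Factor 1: something you know. Constant-time comparison of the derived hash.
        password_ok = hmac.compare_digest(_hash_password(password, rec.salt), rec.password_hash)

        # Factor 2: something you have. Find which counter in the drift window produced the code.
        base = int(now) // self.step
        matched = None
        for counter in range(base - self.drift_steps, base + self.drift_steps + 1):
            if hmac.compare_digest(hotp(rec.totp_secret, counter), code):
                matched = counter
        # A code is single-use: reject any counter at or below the last one already accepted.
        totp_ok = matched is not None and matched > rec.last_totp_counter

        if known and password_ok and totp_ok:
            rec.last_totp_counter = matched
            return True
        return False


if __name__ == "__main__":
    auth = Authenticator()
    auth.enroll("alice", "correct horse battery", RFC_SECRET)
    code = totp(RFC_SECRET, 59)                 # RFC 6238 vector: 6-digit SHA-1 code at T=59
    print("first use :", auth.login("alice", "correct horse battery", code, now=59))
    print("replay    :", auth.login("alice", "correct horse battery", code, now=61))
    print("bad passwd:", auth.login("alice", "wrong", totp(RFC_SECRET, 1111111109), now=1111111109))
```

Two design points matter here. The password check runs even when the TOTP code is wrong (and vice versa), and the function returns a single boolean, so an attacker holding a stolen password from a breach like Reddit’s or Timehop’s gets no confirmation that the first factor was right. The replay guard is what stops a code captured by a phishing page from being used a second time within the same 30-second step; a bare “is the code valid right now” check would let it through.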
With cyber-criminals repeatedly breaching some of the world’s biggest brands, businesses need to do all they can to stem the tide. Today’s cyber security threats are dynamic and businesses need to adopt an equally dynamic approach, one that does not rely on static data but assesses the risk of each transaction and applies the required level of security at the right time.
About Michael Magrath
He is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is a board member of the Electronic Signature & Records Association (ESRA) and Co-Chair of the FIDO Alliance’s Government Deployment Working Group. He has also served on the Identity Ecosystem Steering Group’s (IDESG) Board of Directors, as Chairman of the Health Information Management Systems Society (HIMSS) Identity Management Task Force and as Chairman of the Secure Technology Alliance’s (formerly the Smart Card Alliance) Health & Human Services Council.