Last year saw some of the biggest data breaches on record, underscoring the importance of cybersecurity for businesses of all sizes. As we go into 2019, here is a look back at the biggest US breaches of 2018, along with the consequences and a brief assessment of how they might have been prevented.
What happened: The hotel chain discovered in November that its database had been breached. The initial breach occurred four years prior, and the database had been repeatedly accessed until the breach was discovered. The personal information of 500 million guests, including personal identifying information, contact information, passport numbers, account information, travel details, and accommodation specifics, was exposed. Some credit card numbers were also exposed.
Consequences: Starwood-Marriott is facing at least one class-action lawsuit at this time. The financial cost will likely add up to hundreds of thousands of dollars. They released a statement saying they would reimburse customers whose passport data was compromised and subsequently used in fraud. Investigations and recovery are ongoing, and the extent of both is uncertain.
Key points: Breaches can be ongoing. Once a business is hacked, it is more vulnerable to repeat hacking. Because of this, it is vital to stay on top of your cybersecurity. Regular checks and maintenance should be performed. The larger the business or the more sensitive your data, the more robust your security should be.
What happened: Exactis, a Florida-based marketing data broker, left a database of 340 million individual records exposed on a public server. This was not the result of hacking, but of negligence. The researcher who discovered the breach notified both Exactis and the FBI, at which point the data was quickly secured. It is unknown how long the data was left unsecured before this time. While Exactis has disclosed that they are investigating the breach, they have not publicly acknowledged the breach in a statement or on their website. In an interview with FlaglerLive, also based in Florida, the CEO, Steve Hardigree, disputes the breach, claiming that no data was actually compromised.
Consequences: The fallout from this breach has been enormous for Exactis. In the FlaglerLive article, Hardigree discloses that the business has lost numerous clients. Exactis also faces a class action lawsuit. It is yet to be seen whether Exactis will manage to recover from this situation, or whether the breach will be the end of Hardigree’s business.
Key points: When you are in the business of dealing with other people’s data, you can’t be too careful. Consider hiring a Managed Security Provider (MSP) to take care of your security for you with a network security solution or security operations center.
What happened: The popular fitness app, MyFitnessPal, was hacked early in 2018. The account information of 150 million MyFitnessPal users was compromised, including usernames, email addresses, and hashed passwords. Payment information, which is processed through a separate channel, was not compromised. Under Armour announced the breach just four days after it learned of the situation.
Consequences: They announced quickly compared with others who wait months, or worse, try to hide the breach entirely. Still, there are some who criticize the company for waiting four days before notifying customers. In a breach situation, every moment counts.
Key points: Overall, Under Armour did some things right. They chose to segment their data collection, which is essential if you are collecting sensitive data, such as payment information, addresses, and birthdates. Encryption is also essential in these cases. If a breach does happen, encryption and segmentation minimize the damage. In such cases, get your ducks in a row and then notify your customers as soon as possible. The sooner you notify them, the sooner they can secure their data, and the more trustworthy you look to everyone involved.