Cyber criminals aren’t letting up. Each year, high-profile data breaches dominate the headlines, and 2018 has been no different. Despite the introduction of the GDPR in May, major security breaches are still rife, as cyber criminals continue to find new and innovative ways to breach company defences, and big businesses are left reeling from the fall out.
Personal information is being traded on the web for serious money, making the economics of supply and demand straightforward, and the theft of data increasingly commonplace. According to McAfee, over 780,000 records were lost daily in 2017 and judging by the serious breaches we’ve seen in 2018, it doesn’t look like things have slowed down since then.
So while cyber-crime might not be the jolliest subject for December, as you start thinking about plans for the new year, it’s a timely reminder to do as much as possible to secure your own data and, most importantly, your customers’.
Here’s a rundown of some of the biggest and most significant breaches we’ve seen this year:
Probably the biggest incident of 2018, affecting as many as 500 million guests, this enormous breach actually dates back to 2014, when hackers were first able to access Marriott’s network via the recently acquired Starwood Hotels group. However, it wasn’t until September 2018 that the hotel chain became aware of the issue, by which time hackers had run off with a mountain of customer data, including names, addresses, passport numbers and check-in and check-out information. It hasn’t been confirmed whether the hackers were able to access credit card details, but the hotel group hasn’t ruled it out. And the fallout is so serious that Marriott is already facing numerous lawsuits in the US and has agreed to pay for new passports for many of those who’ve had their data compromised.
British Airways faced a sophisticated attack earlier this year, which compromised the personal and financial data of over 380,000 transactions. Unlike many data breaches, which are plugged as soon as they’re discovered, the British Airways website and apps were insecure for over 2 weeks, making this one of the highest-profile and most serious attacks of the year. At present, the Information Commissioner's Office is investigating, and British Airways could face a fine of up to £500 million under the GDPR regulations, which stipulates fines up to 4% of turnover.
Facebook’s reputational issues continued throughout 2018, not least when a loophole in its developer APIs was used to compromise the security of around 30 million users, revealing information including name, relationship status, religion, birthdate, workplaces, search activity, and recent location check-in. Hackers initially gained access to a series of seed accounts, which were then used to attack the accounts of friends, then friends of friends, and so on down the line, eventually amassing a group of 400,000 compromised accounts. The breach also sparked broader concerns for accounts on Facebook-owned WhatsApp and Instagram, although Facebook later said these services hadn’t been affected.
A fundamental component of the GDPR is that businesses disclose any breaches within 72 hours, something which Google categorically failed to do when it discovered a vulnerability in an API for Google+, compromising the data of nearly half a million users. The bug was very similar to that which caused so much trouble for Facebook in the Cambridge Analytica scandal, giving third-party app developers access to data not just of those who had given their permission, but also their friends. Since the problem occurred before GDPR came into effect, Google will likely be spared the higher fine, but may well face lawsuits and public backlash for the attempted coverup. And it’s an important lesson to all businesses that these things always come out in the end.
And finally, just last week, everybody’s favourite Q&A site was also hit by hackers, who managed to access the details of around 100 million users, including names, email addresses, encrypted passwords and data imported from linked networks. To their credit, Quora responded quickly and transparently to the incident, with chief executive Adam D’Angelo publishing a blog explaining the situation and apologising to users. Quora has also said that it has retained a digital forensics team to find out more about what happened and how to avoid similar issues in the future.
So yet again, it’s the brands you expect to be best at keeping the hackers at bay that end up the falling victim, showing that nobody can rest on their laurels when it comes to cyber security. It’s also a reminder that, while you can’t always stop a breach, you can control how you respond once it’s discovered. And that can make all the difference, to your reputation, potential fines, and overall financial damage that you’ll suffer as a result.
For more cyber security advice, check out our Ultimate Guide to Cyber Security. Drop us a line at firstname.lastname@example.org or give us a call on 0333 772 0759 to discuss how cyber liability cover can help.
Food for thought
It only takes 2 minutes to get a quote.