Understanding how some of the wildest data breaches occurred can teach us valuable lessons about staying protected — and mitigating damage — in the face of cybersecurity threats.
From Equifax to Facebook to the smallest local companies, one thing that’s clear is that no one is immune to an attempted data breach by a malicious actor. With so many opportunities to make money on the data black market, it’s no surprise that damaging breaches have become a regular occurrence.
So how can organizations large and small stay secure in the face of these growing threats?
The good news is that data breaches often occur due to avoidable errors. In this piece, we’re taking a look at some of the wildest incidents that have happened in recent years — and exploring what we can learn from these breaches.
Here are a few examples of data breaches that should never have happened.
The Rise of Zoombombing
When the COVID pandemic struck, the popularity of Zoom exploded overnight with thousands of new users joining the platform and millions more video calls occurring than ever before. This led to several cybersecurity weaknesses that bad actors were only too ready to exploit.
For instance, in April 2020, more than half a million Zoom passwords were being sold on the dark web. Then there was the advent of “Zoombombing,” where hackers crashed and hijacked meetings — a broken authentication attack that was possible due to Zoom’s weak software encryption.
While the hackers who came into private Zoom rooms and made inappropriate comments were certainly a high-profile issue, they likely only represent a small part of the problem. Zoombombing exposed more widespread vulnerabilities, indicating that hackers were likely able to eavesdrop on many more private conversations without alerting the meeting participants.
The Multi-Level MGM Hack
What happens when the very service you hire to increase cybersecurity after a data breach itself gets hacked? The answer — as the MGM resort in Las Vegas learned — is nothing good.
In early 2020, the MGM resort suffered a major data breach that exposed the records of 10 million guests. In response to this, the resort retained the services of cybersecurity startup Data Viper. By July, the MGM breach had grown 10-fold, with 142 million stolen guest records.
While MGM did the right thing in hiring a cybersecurity company, they failed to do their due diligence when vetting that company. Within months, Data Viper had itself been hacked, with the attackers claiming they’d stolen around 2 billion records worth of compromised credentials, including many of MGM’s resort guest records.
The hack of Data Viper was, in a way, inevitable due to several errors. The company had poor cloud-based implementations with little to no access controls or authentication in place. They also left their API keys exposed. All of this meant that their data was freely accessible for anyone on the web to exploit.
The Security Service that Made Customers Vulnerable
Anti-identity theft company LifeLock experienced an extremely close call when its marketing emails set customers up to be victims of email phishing scams.
Whenever a customer tried to unsubscribe from LifeLock’s marketing emails, they received a standard-looking unsubscribe page that included the customer’s email address. The problem was that LifeLock revealed customer “subscriber keys” right in the https-address of the unsubscribe page. This meant that by manually changing the subscriber key in that address, anyone could bring up various customers’ unsubscribe pages, each of which prominently displayed the customer’s email address. Because the subscribe keys were in a simple sequential order, it would have been easy to write a code that sequenced the keys and pulled every customer email from every page. From there, sending fake emails that looked like LifeLock would have been a piece of cake.
Luckily, outside security pros discovered the issue fast and alerted LifeLock, but the impact of this error could have been devastating.
The above breaches may be some of the wildest examples, but that doesn’t mean they can’t teach us valuable cybersecurity lessons. Overall, one of the most important lessons to gain from these breaches is to always hold your partners and outside vendors to the highest standards of scrutiny before trusting them with valuable data. Far too often, businesses experience data breaches due to the negligence of an outside vendor.
The other main lesson is to always be prepared for an attack. This means embracing comprehensive cybersecurity measures like installing firewalls, encrypting data, enforcing password best practices, investing in access control and authentication, and educating your employees about potential cybersecurity risks like social engineering attacks.
Should a data breach occur, it’s also important to have a disaster recovery plan in place. Often organizations create data backups without thinking about how they will actually recover their data in the face of a breach or ransomware attack. Businesses looking to minimize the impact of a data breach need a disaster recovery plan that lays out exactly how and when data will be restored from backups and what each individual’s role is in completing that process. The best way to avoid becoming one of the 93% of companies without disaster recovery strategies in place is to work with your cybersecurity partner to develop a detailed, tested plan of action.
In addition, your disaster recovery plan should incorporate public relations and reputation management efforts to mitigate any long-term damage. Before a breach ever happens, you should have a public response ready so you can react right away. If a breach occurs, you’ll be ready to communicate and provide updates in a timely manner. You’ll also need to deliver a sincere apology as soon as possible to get ahead of any backlash.
From there, you need to make sure you continuously deliver updates on the breach to your customers. This means working directly with your cybersecurity team to get concrete details that you can then share with your audience. In particular, you should keep your audience up-to-date on any measures you’re taking to avoid another breach in the future. In this way, you can start building a foundation of trust again, which is essential for staying in business following an attack.
Preventing a data breach is an ongoing challenge that involves staying ahead of bad actors at every turn. The best way to do that is by implementing the top architecture, tools, and practices to keep your organization secure against both external and internal threats. Another key ingredient for success is a cybersecurity partner you can trust. Turn-Key Technologies, Inc. (TTI) is that partner.
At TTI, we’re ready to help you prevent breaches, as well as mitigate the damage should a data breach occur. With thirty years of experience supporting companies across industries, we can help your business stay secure. Contact us today for a free consultation.