In a year when businesses around the world took their operations fully online, cybersecurity is more important than ever.
It seems that every year brings with it a new list of major cybersecurity failures, from successful phishing schemes to exploited vulnerabilities to accidental leaks of customer information to the public. This year has been no exception. If anything, it has been a more significant year than most, with institutions around the world moving their operations online, often with little preparation. The result has been more businesses with more vulnerabilities to target.
The good news is that with each story of failed cybersecurity comes a lesson for others to learn. So with the year winding down, we thought we would take a moment to recap some of the most significant breaches of the year, review what went wrong, and offer a solution for how businesses can harden their own systems against similar attacks.
In the middle of July, several dozen verified Twitter accounts with their distinctive blue check marks, including those of Barack Obama, Elon Musk, and Jeff Bezos, began tweeting strange messages, asking followers to donate bitcoin to “the community.” While the hackers only managed to scam $120,000 in the attempt, the havoc they wreaked across the platform in the meantime severely undermined the trust of many users.
The Twitter hack succeeded with the cooperation of an internal employee, who managed to change the email addresses and reset two-factor authentication to lock the owners out of their accounts while sending the fake messages.
Internal hacks are some of the most frightening and difficult to guard against. However, companies can stay safe by restricting access to sensitive information only to those who need it. Requiring employees to log access requests can be an effective deterrent, because it creates a paper trail that would identify a hacker should anything go wrong.
The Covid-19 pandemic saw the sudden rise of remote work, which in turn launched the teleconferencing company Zoom into international prominence. Unfortunately, in a case of sudden success leading to sudden failure, Zoom soon fell victim to numerous instances of hacking. In the most serious case, a hacker leaked the login credentials for hundreds of thousands of accounts, resulting in interrupted meetings, stolen data, and information that could be used to try to break into other accounts with shared login information.
The fault seems to lie with Zoom itself, which insufficiently invested in its own cybersecurity. It’s a misstep that businesses should be careful to avoid for themselves. And for customers who had their login credentials leaked, it’s one more reminder to set unique passwords on all accounts.
In late March, the Marriott hotel chain disclosed a security breach that had compromised the personal information of over 5 million guests. The hackers succeeded by gaining access to two employee accounts, either through password stuffing or through phishing, and then remained undetected for a full month while they quietly compiled customer information.
This story highlights the importance of early detection in the case of a security breach. The longer a bad actor is able to lurk on an account, the more dangerous they become. It also underscores the need for two-factor authentication, which would have alerted the account owners to the attempts to gain access to their accounts.
If the Marriott breach seems bad, it was overshadowed by the leak of user account information from MGM. Although original reports of the breach indicated that 10.6 million users had had their account information stolen from MGM Resorts, later information showed that a second breach had occurred at MGM Grand Hotels that increased that number by an order of magnitude. In fact, over 142 million account profiles were later offered for sale on the dark web.
The first leak appears to have come from data stored on an exposed server. The second leak came as a result of a security breach at a different company: DataViper, a leak monitoring service that had been compiling data from other security breaches before it was itself hacked.
In May, the IT magazine BleepingComputer reported that the credentials for 26 million LiveJournal accounts were being passed around the dark web. The damning part of this story, however, is that the initial data breach appears to have happened years ago, as far back as 2014. The leak included plaintext passwords, which had originally been stored as MD5 hashes, a hashing format which has suffered from known vulnerabilities for years.
Hackers have been using account information to extort LiveJournal users for years, drawing on details from unpublished drafts to give their threats more weight. The story offers two important lessons for businesses. First, failing to keep up with security standards is dangerous. And second, when a breach happens, customers must be notified as quickly as possible so that they can protect themselves.
In May, a database containing over 40 million user records from the social media app Wishbone was put up for sale on the dark web. The leak is troubling for two reasons. First, the users of the Wishbone app are younger—mostly in their teens. And second, the app exposed extremely sensitive data—not just names and email addresses (which would have been damaging enough), but gender identities, passwords, and geolocations.
The leak was damaging because, like LiveJournal, Wishbone had been storing passwords as MD5 hashes, a standard which industry experts consider to be cryptographically broken and insecure. The scope of the breach was also especially damaging because Wishbone had taken no steps to differentiate its data by sensitivity, and did not safeguard the most critical information accordingly.
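To make the LiveJournal and Wishbone lesson concrete, here is an added example (not code from either company or from the original article) that contrasts unsalted MD5 password storage with a salted scrypt record and upgrades old records when a user next logs in. The record format, function names, cost parameters and sample accounts are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware.
N, R, P = 2**14, 8, 1

def legacy_md5(password: str) -> str:
    """The weak 'before' scheme: unsalted MD5, stored as bare hex."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    """Salted scrypt record in the (hypothetical) form scrypt$<salt>$<digest>."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Check a password against either record format with a constant-time compare."""
    if record.startswith("scrypt$"):
        _, salt_hex, digest_hex = record.split("$")
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=N, r=R, p=P, dklen=32)
        return hmac.compare_digest(digest.hex(), digest_hex)
    return hmac.compare_digest(legacy_md5(password), record)

def login(users: dict, name: str, password: str) -> bool:
    """Authenticate; on success, replace a legacy MD5 record with scrypt."""
    record = users.get(name)
    if record is None or not verify(password, record):
        return False
    if not record.startswith("scrypt$"):
        users[name] = hash_password(password)  # upgrade while the plaintext is in hand
    return True

if __name__ == "__main__":
    # Constructed sample data: two accounts that share one password.
    users = {"alice": legacy_md5("correct horse"), "bob": legacy_md5("correct horse")}
    print("identical MD5 records:", users["alice"] == users["bob"])
    print("alice login:", login(users, "alice", "correct horse"))
    print("alice record now:", users["alice"][:20], "...")
```

Accounts that never log in again keep their MD5 record, so a real migration also needs a plan for dormant accounts, such as a forced password reset.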
The good news? 2020 has also been a year for thwarted attacks.
As we said at the beginning, this year has also had some prominent failed security attacks. In the spring, the WHO fended off a rise in cyberattacks from a variety of sources and with a range of goals. While these attempts were unsuccessful, the volume of attacks and the sophistication of some of them made it a harrowing experience.
Just a few months ago, Tesla made headlines when a ransomware hack was thwarted after an employee notified their superior that they had been offered $500,000 to install ransomware on their network. Tesla notified the FBI, who set up a sting operation that was successful in apprehending the Russian national behind the extortion attempt.
The lesson we can learn from this is that businesses aren’t helpless in the face of cybersecurity threats. With the right preparation, they can ward off hacking attempts and data leaks, securing their networks, their own sensitive data, and that of their customers.