We often come across news headlines about data breaches and wonder whether our personal information is truly secure and how a breach could affect us. This is, unfortunately, one of the downsides of the internet age.
“We shouldn’t ask our customers to make a tradeoff between privacy and security. We need to offer them the best of both. Ultimately, protecting someone else’s data protects all of us.” (Tim Cook)
In this article I will discuss where data storage went wrong, listing the top data breaches of 2019-2020 and covering, for each one:
- how the breach or leak occurred
- how many people were affected
- what was done to contain the situation
DEFINITION OF A DATA BREACH AND THE CAUSES
A data breach is a confirmed incident in which sensitive, confidential, or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property.
Data breaches are caused by human error, computer error, or bad actors such as hackers. Data protection laws such as the GDPR and POPI require companies that collect or process personal information to put mechanisms in place to secure that data and to notify consumers when a breach occurs.
1. FACEBOOK
In September 2019, several unprotected databases were found to contain the phone numbers of 419 million Facebook users (about 20% of all users); some also contained the users’ names and locations. The server was not password protected, so anyone on the internet could access the information. The breach was not caused by hackers: the database containing the scraped information had simply been left accessible.
TechCrunch reached out to Facebook, and spokesperson Jay Nancarrow responded:
“This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers,” the spokesperson said. “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
2. LINKEDIN DATA
In November 2019, information compiled by a data aggregation firm was found on an insecure server. It included complete scrapes of LinkedIn data, including recruiter information. As a result, 380 million profiles were affected.
Researchers Bob Diachenko and Vinny Troia found that the leak is unique because the data sets appear to have come from two different data enrichment companies: People Data Labs (PDL) and OxyData.io. Both companies deny ownership of the servers.
“The lion’s share of the data is marked as ‘PDL’, indicating that it originated from People Data Labs. However, as far as we can tell, the server that leaked the data is not associated with PDL.”
It remains uncertain who is accountable for the leak.
3. INDIAN CITIZENS
A huge unprotected MongoDB database was discovered in May 2019. It contained the personal information of over 275 million Indian citizens, including their education, resume, and current salary, and had been left unprotected for over two weeks.
Researcher Bob Diachenko discovered the publicly accessible MongoDB database, hosted on Amazon AWS, using Shodan. The database had no authentication enabled, as it was not password protected. Diachenko alerted the Indian Computer Emergency Response Team (CERT-In). A hacker group known as Unistellar then took control of the database and demanded a ransom to return control to the owner.
MongoDB has published an article on how to properly secure a database, together with a security checklist for administrators to follow. Diachenko states that the two most important steps to prevent this type of attack are to enable authentication and to ensure these databases are not remotely accessible.
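The two steps Diachenko names correspond to two settings in mongod.conf: `security.authorization` and `net.bindIp`. The following is an added example, not from the article or from MongoDB’s own tooling: a small audit script that parses a mongod.conf file and reports whether either setting leaves the database open. Both sample configuration files are constructed for the example, and the parser handles only the indented `key: value` subset of YAML that mongod.conf normally uses.

```python
"""Audit a mongod.conf for authentication and network exposure.

Added example: checks the two settings Diachenko highlights
(security.authorization enabled, net.bindIp not exposing the service).
The sample configs are constructed; the parser is not a general YAML parser.
"""

# Constructed sample: the kind of config that leaves a database wide open.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
# no security section at all -> authentication is off
"""

# Constructed sample: authentication on, listening on loopback only.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::", "*"}


def parse_simple_yaml(text):
    """Parse indented 'key: value' YAML into nested dicts.

    Comments and blank lines are skipped; nesting is tracked by indentation.
    Sufficient for typical mongod.conf files (no lists or flow style).
    """
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Pop back to the mapping that owns this indentation level.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_simple_yaml(text)
    findings = []

    # Check 1: authorization must be explicitly enabled.
    auth = str(conf.get("security", {}).get("authorization", "disabled"))
    if auth.lower() != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who "
                        "can reach the port can read every collection")

    # Check 2: bindIp must not be a wildcard; non-loopback addresses are
    # reported so the operator can confirm they are private and firewalled.
    bind = str(conf.get("net", {}).get("bindIp", "127.0.0.1"))
    hosts = [h.strip() for h in bind.split(",") if h.strip()]
    wildcard = [h for h in hosts if h in WILDCARD]
    if wildcard:
        findings.append(f"net.bindIp {wildcard} listens on every interface: "
                        "bind to loopback or a private address instead")
    elif any(h not in LOOPBACK for h in hosts):
        findings.append(f"net.bindIp {hosts} is reachable beyond loopback: "
                        "confirm the interface is private and firewalled")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or "OK")
```

Run against a real deployment by reading the file (`audit_mongod_conf(open("/etc/mongod.conf").read())`); the hardened sample passes both checks, while the weak one reports both the missing authorization and the wildcard bind address.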
4. MICROSOFT
In January 2020, 250 million Microsoft customer records were exposed in an online database without password protection. The records contained customer service and support logs, including conversations between support agents and customers from 2005 to December 2019.
The Comparitech security research team, led by Bob Diachenko, uncovered five Elasticsearch servers holding the records. Diachenko immediately notified Microsoft, which secured the database within 24 hours.
Most personally identifiable information was redacted. However, for some customers, additional information containing plain text data was exposed such as customer email addresses, IP addresses, Microsoft support agent emails, case numbers and resolutions, and internal notes marked as confidential.
Microsoft conducted an investigation into a misconfiguration of an internal customer support database used for support case analytics. Microsoft said that it had
“found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”
Microsoft reassured customers that it is committed to their privacy and security and is taking action to prevent this issue from recurring. These actions include:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
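The last of these actions, redaction automation, is the control that would have limited the damage here: the records that hurt were the ones where e-mail addresses and IP addresses survived in plain text. The following is an added example, not Microsoft’s tooling, of a redaction pass run over support-log lines before they reach an analytics store. The log lines are constructed, and the `[CONFIDENTIAL]` tag used to drop internal notes is an assumed convention for the example.

```python
"""Redact e-mail and IPv4 addresses from support-log lines.

Added example (not Microsoft's redaction pipeline). The sample log lines are
constructed; the [CONFIDENTIAL] marker is an assumed tagging convention.
"""
import re

# E-mail: local part, '@', domain with at least one dot and a 2+ letter TLD.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# IPv4: four dot-separated octets 0-255; \b keeps it from matching inside
# longer digit runs such as version numbers.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def redact_line(line):
    """Replace every e-mail and IPv4 address in one line with a tag."""
    line = EMAIL_RE.sub("[EMAIL]", line)
    return IPV4_RE.sub("[IP]", line)


def redact_log(lines, drop_confidential=True):
    """Redact a sequence of lines; optionally drop notes tagged confidential.

    Dropping (rather than redacting) confidential notes is the conservative
    choice: free-text notes may carry identifiers no regex will catch.
    """
    out = []
    for line in lines:
        if drop_confidential and "[CONFIDENTIAL]" in line.upper():
            continue
        out.append(redact_line(line))
    return out


# Constructed sample resembling support-case log lines.
SAMPLE_LOG = [
    "2019-12-01T10:15:02Z case=12345 customer=jane.doe@example.com ip=203.0.113.45 status=open",
    "2019-12-01T10:16:40Z case=12345 agent=support.agent@example.com note=reset licence key",
    "2019-12-01T10:17:05Z case=12345 [CONFIDENTIAL] internal escalation path: tier2",
    "2019-12-01T10:20:11Z case=12345 resolution=customer reinstalled client, build 10.0.19041",
]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Case numbers and resolutions are kept, since the analytics use case needs them; only the fields that identify a person or a machine are replaced. A real pipeline would extend the pattern list (phone numbers, IPv6, account identifiers) and would apply the pass on the write path, so that nothing unredacted is ever stored in the analytics database in the first place.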
Paul Bischoff, a privacy advocate and VPN expert at Comparitech, stated that the danger of the exposed data should not be underestimated, as it is valuable to tech support scammers who pretend to be Microsoft support representatives. Paul warns customers to be on the lookout for such scams by phone and email.
“Remember that Microsoft never proactively reaches out to users to solve their tech problems—users must approach Microsoft for help first. Microsoft employees will not ask for your password or request that you install remote desktop applications like TeamViewer. These are common tactics among tech scammers.”
TIPS TO PROTECT DATA
For more information on how to protect yourself against tech support scams, visit the UC Berkeley website.
Digital Guardian has compiled advice from 30 data security experts on the biggest mistakes companies make with data and information security. This information is valuable if you conduct business online and want to ensure that your customers’ data is secure, by avoiding the mistakes that put your information and your customers’ at risk.
This brings us to the end of this article. Any company can suffer a data breach through its own failure to secure and protect customers’ personal information. It is therefore essential for every company to maintain and protect personal data using proper data security mechanisms.
Thanks for reading, I hope you found this article useful.
Feel free to share this post.