Jun 20 · 5 min read

2018 was a tough year for businesses when it came to protecting private assets. Cambridge Analytica shocked internet users worldwide and gave rise to intense debates on online privacy, cyber security, and the accountability of companies that experienced data breaches. In the European Union, GDPR was actively discussed and developed a notion of breach notification, giving affected parties 72 hours to report the breach to the authorities.
However, most were late to do so. Facebook was barely recovering from Cambridge Analytica when their databases were hit by another attack that exploited three zero-day vulnerabilities. In India, the government denied the Aadhar security breach altogether, as well as warnings from cyber security experts that their systems were poorly secured. Even the barely used Google+ social network experienced security issues.
All these incidents revealed how accessible our personal information is, and that even IT giants can’t properly secure their services. In this article, I will briefly discuss the three biggest and most controversial data breaches of 2018.
Aadhar data leak
Aadhar is an Indian government ID database controlled by the Unique Identification Authority of India (UIDAI). Even though participation is voluntary, some social benefits such as free food were only available to citizens with an Aadhar number. Furthermore, opening bank accounts and using mobile phones were made easier for anyone with an Aadhar number. Given India's population, a phenomenal 1.1 billion people gave their personal information to UIDAI.
The shocking truth is that UIDAI had probably been aware of security issues for at least a few years. This was not the first time Aadhar's security came into question, but in 2018 it was demonstrated how easy it was to extract personal data from their databases. Moreover, the data was highly sensitive: ranging from dates of birth to iris scans, the full set made it possible to profile each registered user in depth, which in turn could be used for impersonation.
According to ZDNet, once they learned of and confirmed the security breach, they contacted Indian authorities regarding the issue but received no answer. After several attempts, they informed the authorities that they would be publishing the story and “at the time of publishing, the affected system was still online and vulnerable — but, within hours after our story posted, the affected endpoint was pulled offline.” Later, Indian authorities denied the issue altogether, making this breach of unprecedented scale the biggest cyber security issue of 2018.
Facebook security breach
In 2018 Facebook was recovering from the Cambridge Analytica scandal. They had made an irresponsible deal with a data-mining company that managed to scrape the data of up to 87 million users. However, this story is not about that. On September 25th, Facebook discovered a security issue that potentially affected 90 million of their users, who were logged out of the services. Later, the number was lowered to 50 million and to 30 million after that, though the exact amount is unknown.
The FBI joined the investigation, and there’s little information on who’s behind it. One thing is for sure: this was a highly coordinated attack. On September 15th, Facebook noticed an unusual spike of activity related to the “View as” feature. The spike was caused by cyber criminals who exploited three zero-day vulnerabilities. Zero-day vulnerabilities are complicated, dangerous, and expensive. A zero-day is a security flaw in the software that is unknown to both developers and users. Exploiting one zero-day vulnerability is already a severe crime, but three at once hints at a premeditated and coordinated action.
Cyber criminals were able to steal access tokens that can be used to gain control of affected users’ accounts. Furthermore, the tokens could potentially be used to access Instagram and WhatsApp accounts, though Facebook denied that ever happened. The spectrum of information leaked was broad, ranging from age and gender to the photos the user was tagged in. Moreover, earlier this year, Facebook admitted to storing their users’ passwords in plain text, which is an amateur and irresponsible mistake, putting Facebook in second place and raising well-grounded doubts about its security structure.
Marriott massive data breach
The Marriott hotel chain is another example of how not to do cyber security. On September 30th, they finally revealed that they were affected by a large-scale data breach. However, it took three months for them to inform their customers that they could’ve been affected. The leaked information included names, phone numbers, payment information, mailing addresses, email addresses, and passport numbers. In the wrong hands, this is a full pack for launching a personalized impersonation or phishing campaign.
The issue was first noticed on September 8th, so it took more than 20 days for Marriott to inform their customers that their personal data might be in danger. The incident was caught by IBM’s Guardium software, developed to secure databases. On September 7th it flagged an anomaly: a query from an administrator’s account that asked to return the count of rows from a table in a database. This hinted at human interference, and the suspicion proved to be correct.
Marriott launched an investigation and within one week discovered a trojan, penetration software, and a trail of two compressed and encrypted files that had been deleted. Shockingly, evidence shows that the hackers may have had access to their systems as early as 2014. Once the investigators decrypted the files, they proved to contain their clients’ personal information, and the full disclosure took place nearly three months after. This caused considerable damage to Marriott’s reputation, and financial losses, if there were any, are yet to be seen.
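The kind of database-activity rule described above can be expressed as follows. This is an added example, not Guardium's logic and not part of the original article: it flags a row count with no WHERE clause issued by a privileged account against a sensitive table, and raises the severity when the query comes from a host that account does not normally use. The account, table and host names, the log format, and the log lines themselves are all constructed assumptions.

```python
import re
from typing import NamedTuple

# Assumed policy values, chosen for this example only.
PRIVILEGED_ACCOUNTS = {"dba_admin"}
SENSITIVE_TABLES = {"guests", "payments"}
USUAL_HOSTS = {"dba_admin": {"dbjump01"}}

# Constructed audit records: timestamp|account|source host|SQL text
SAMPLE_AUDIT_LOG = """\
2024-01-10T02:14:09Z|app_reservations|app01|SELECT name, email FROM guests WHERE id = 1042
2024-01-10T02:14:11Z|dba_admin|app01|SELECT COUNT(*) FROM guests
2024-01-10T02:15:30Z|report_svc|bi01|SELECT COUNT(*) FROM room_inventory
2024-01-10T02:16:02Z|dba_admin|dbjump01|select count( 1 ) from "payments" -- sizing
2024-01-10T02:17:45Z|dba_admin|dbjump01|SELECT COUNT(*) FROM guests WHERE checkout < '2024-01-01'
"""

# A bare row count: no WHERE clause, optional quoting, optional trailing comment.
BARE_COUNT = re.compile(
    r"""^\s*select\s+count\s*\(\s*(?:\*|1)\s*\)\s+from\s+["`\[]?([\w.]+)["`\]]?\s*(?:;|--.*)?\s*$""",
    re.IGNORECASE,
)

class Alert(NamedTuple):
    timestamp: str
    account: str
    table: str
    severity: str

def detect_row_count_probes(log_text):
    """Return an Alert for each bare COUNT on a sensitive table by a privileged account."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)  # the SQL text may itself contain '|'
        if len(parts) != 4:
            continue  # skip malformed records rather than crash
        timestamp, account, host, sql = parts
        match = BARE_COUNT.match(sql)
        if not match or account not in PRIVILEGED_ACCOUNTS:
            continue
        table = match.group(1).split(".")[-1].lower()  # drop any schema prefix
        if table not in SENSITIVE_TABLES:
            continue
        # An unfamiliar source host for this account raises the severity.
        severity = "medium" if host in USUAL_HOSTS.get(account, set()) else "high"
        alerts.append(Alert(timestamp, account, table, severity))
    return alerts

if __name__ == "__main__":
    for alert in detect_row_count_probes(SAMPLE_AUDIT_LOG):
        print(alert)
```

Application traffic with a WHERE clause and counts on non-sensitive tables pass through, so the rule stays quiet on routine queries and fires only on the interactive table-sizing pattern.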