(By Morey J. Haber, Chief Technology Officer, BeyondTrust)
Privileged attack vectors and stolen personally identifiable information (PII) obtained have been a constantly paired news item throughout 2018. In 2019, expect privileged attack vectors to continue to reign as the number one root cause of breaches for both consumer and business data theft.
Below, I have compiled my list of the top-5 most noteworthy breaches for this year (so far). My ranking may be surprising to some of the readers, and some of the incidents are not even that high profile, but the size, duration, and type of business all contribute to the ranking.
(Morey J. Haber, Chief Technology Officer, BeyondTrust)
Adidas announced in June that an “unauthorized party” gained access to customer data on Adidas’ US website. While no details have thus far been publicly released regarding the attack and breach methodology, the company says that they believe only customers who purchased items from the US-hosted version of Adidas.com may have been affected by the incident.
While it is unknown if the attack vector involved a configuration flaw, vulnerability and exploit combination, or privileged attack, the threat actors did obtain contact information, usernames, and encrypted passwords. It is also unknown whether or not it was possible to decrypt the heisted passwords since the rest of the breach details do not fall under regional jurisdiction laws like GPDR, and were not publicly released.
#4 Saks Fifth Avenue and Lord & Taylor
On April 1, 2018 (and not an April Fools joke), Lord & Taylor and Saks Fifth Avenue announced that their stores were the subject of a massive credit card data breach. This security incident is believed to have compromised 5 million customers’ credit card information.
While the size is significant, what is perhaps even more shocking is the extended duration in which the security compromise was ongoing. Clients who used a credit or debit card at any of the stores’ retail locations between May 2017 and April 2018 were most likely affected. However, the breach was not identified or disclosed for almost a year!
Similar to Adidas, few details were publicly released regarding the attack vector. However, The New York Times reported that the attack was likely initiated by an email phishing scam sent to Hudson’s Bay (Canadian-based owner of Saks and Lord & Taylor) employees. The threat actors reportedly targeted accounts with malicious software via a link, file, or other attack vector to infiltrate the environment.
#3 Under Armour
Scarcely a month after the Saks Fifth Avenue and Lord & Taylor breach, Under Armour learned that someone had gained unauthorized access to MyFitnessPal, a platform that hosts IoT device data for tracking a users’ diet, exercise, and health. Upwards of 150 million MyFitnessPal users are believed to have had their information compromised.
CNBC reported at the time of disclosure that threat actors claimed responsibility for breaching individuals’ usernames, email addresses, and hashed passwords. While the incident did not expose users’ credit card information (unlike Saks and Lord & Taylor) due to architectural designs in data, process segmentation, and payment storage, it lay bare the cyber risks inherent of storing IoT data in the cloud.
Based on reports from Forbes and CNBC, the incident arose due to “unauthorized access” to user data. That alone reflects inadequate privileged access management and underscores this attack as another reason mature identity and privilege management capabilities and processes are critical for organizations to embrace.
Fast forward a few months to August and land on our second worst breach of 2018. T-Mobile announced that threat actors stole the personal data of approximately 2 million of its customers (3% of its clients). The leaked data was typical: usernames, billing zip codes, phone numbers, email addresses, and account numbers, as well as information on whether customers prepaid or postpaid their accounts.
T-Mobile’s cybersecurity team reportedly “discovered and shut down an unauthorized capture of some information” after the breach. Those words are key. Was it a man in the middle attack (MITM), was data stolen from a database or log files, or did someone have inappropriate privileged access? The public may never know the full details, but the word “unauthorized” implies the threat actor did not have authorization to collect the privileged data in the first place. This brings us full circle back to yet another privileged attack based on poor identity and privilege management hygiene.
In 2016, Marriott acquired the Starwood hotel chain. Two years before the acquisition, an incident began that was only identified last week. So, for four years, “unauthorized access” occurred within the Starwood reservation system that ultimately involved the leaking of names, phone numbers, email addresses, passport numbers, birthdates, and reservation information (arrival, departure, and points) for an estimated 500 million customers. Additionally, a subset of those customers numbering in the millions may have also had their credit card numbers and expiration dates disclosed. The size, severity, duration, and breach lasting over a major acquisition puts the Starwood breach atop all others in 2018.
In an official statement from the company, “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.” And, “Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.”
As the statement reveals, the threat actors had “unauthorized access” which implies inappropriate identity and privileged access to key systems that, strictly by the nature of the data, should have been segmented. For example, in line with PCI DSS standards, credit card access should never allow reassembly, even if encrypted, to allow association with the data owner.
The threat actor must have gained lateral access across zones and systems in order to perform the many types of operations needed to exfiltrate the data. Outside of poor incident monitoring technology, log monitoring, privilege management, and network and data segmentation, Starwood failed in an epic fashion to identify and contain the incident.
Considering the recency of the Starwood breach announcement, I expect there to be more revelations regarding the incident over the coming months.
Since the breach falls under the European GDPR regulations for some of its 1,200 properties, Starwood may incur significant financial penalties of up to 4% of its global annual revenue if found to be liable for breach rules. That is significant for any business and should be a strong message for every executive, employee, stockholder, and board member.
Will 2019 bode any better with regard to improved security and data protection? Only if we really start to heed the security lessons of 2018 and years past.