2018 marked the year that governments, businesses, and other organizations around the world started implementing GDPR — not just in Europe but worldwide.
However, even as businesses have clamored for enhanced data protection, there have been major missteps along the way, many of which resulted in catastrophic compromise of important user data.
Why does data hold such importance?
Firstly, I need to discuss why data has become the currency of today’s businesses.
This not only includes customer or user data, but also data on processes, finances, transactions, and just about anything relating to how a business operates. With the rise of the internet-of-things, this now includes sensor and device data, which is increasingly becoming important in automation and business intelligence.
Data is important in a company’s analytics strategy, which means data and trends are essential to decision-making processes.
In recent times, data has also become important in communications strategy, meaning advertisers and marketers utilize aggregated – and sometimes personal – user data in targeting their messaging. This, however, has been beset with controversy, especially as users are now starting to feel the intrusiveness of such use of data for targeting.
The downside to this is that, as businesses and service providers ramp up on their data collecting activities, there is always the risk that such data can be exposed to unwanted use.
This article showcases a few notable instances of security missteps, and the actual or potential damage they have brought to users.
In September 2017 to July 2018, Facebook users had been victim to a massive data collection scheme, wherein attackers gained access to data from 29 million users, and access to an additional 1 million accounts. Such data included sensitive information, including gender, religion, relationship status, home towns, current cities, birth dates, login devices, education, checked-in locations, recent searches, and contact details.
Hackers exploited vulnerabilities in Facebook code to gain “access tokens” which are digital keys that gave them access to user data. Facebook has since addressed the vulnerability, and likewise cooperated with law enforcement agencies in the investigation.
It wasn’t over for Facebook, however, as it was embroiled in an even bigger controversy. It was in 2018 when the Cambridge Analytica scandal came to light. A personality prediction app built by a professor from Cambridge University improperly passed on information to companies. The real-world impact was that data was sent to an analytics firm – Cambridge Analytica – which was utilized by Donald Trump’s campaign in targeting ads using data from millions of Facebook users.
Facebook has since made changes to the way applications on its platform share data, to avoid a recurrence.
Reddit, Tinder, Pinterest, Amazon Music, etc.
In an era wherein social networks, e-commerce services, dating sites, and pretty much everything can be accessed from one’s mobile phone, security breaches can be devastating — especially if one’s data, identity, or money were to be stolen. In 2018, a large-scale Cross-Site Scripting (XSS) vulnerability was discovered to have affected major social, e-commerce, and other services, potentially affecting 685 million users across the globe.
An XSS vulnerability essentially enables malicious hackers to inject third-party code into an otherwise legitimate website, which is often used as an attack vector in delivering payloads to users’ client machines or stealing user data through spoofing. When users access a website or service, this involves several sessions wherein the client and server send and receive data back-and-forth. Given the interactivity of content, this can also involve retrieving data from third-party sites, and here’s where the XSS vulnerability stems from.
The misstep highlighted here doesn’t directly involve the sites mentioned, but rather a third-party service that optimizes user experience for mobile users. Apart from the ones listed above, other sites like Reddit, Western Union, Yelp, Ticketmaster, and others. The issue has since been addressed, rendering users safe from the said XSS vulnerability. There is no mention, however, of whether attackers were able to use this vulnerability, nor how much damage was done, if any at all.
Google is practically the go-to search engine for billions of users across the globe, especially those using Android devices. Its social service Google+ is not as popular though – but this might be a good thing, considering a recent vulnerability.
In March to November of 2018, Google+ had a software glitch that potentially exposed personal profiles of 500,000 users, as reported by the Wall Street Journal. In December that year, Google itself discovered another vulnerability that exposed around 52 million users to potential data theft.
Vulnerable data included names, employers, job titles, email addresses, birth dates, and relationship statuses of users.
Google has since announced that it will shut down Google+ by April 2019. There is no indication, though, of whether data was actually stolen, although the potential for data being had been huge.
Not exactly a tech company, but Aadhaar is India’s national identification system, which meant that a data breach would impact the country’s 1.1 billion population. That’s just what happened when private information, including names, 12-digit identification numbers, and other data such as bank account info, were stolen.
The vulnerability involved a data leak experienced by a state-owned utility, Indane, which did not secure access to its API. This meant that anyone with access to the API could access Aadhar data – which encompasses identity and biometric information, not to mention related data, such as bank account numbers, addresses, etc.
It is not known when the breach actually began, but it was discovered only on March 2018, nine years after the Aadhar platform launched in 2009.
Imagine data on every US citizen being exposed to access by an attacker. This is just what happened with Exactis, a marketing and data aggregation firm that faced a data leak that potentially exposed user data from 340 million records. Not such a popular brand or name, but apparently, the company works with businesses and platforms in brokering data access.
The data broker left around 2 terabytes of data out in the open, and this included personal and private information on both individuals (hundreds of millions of American adults) and businesses.
While the data potentially leaked does not include social security numbers, it included highly-personal data, such as phone numbers, home addresses, email addresses, interests and habits, as well as the number, age, and gender of the person’s children. It even had in-depth information on people, such as whether a person is a smoker, pet owner, and the like. Even if there was low likelihood of identity theft (since SSNs were not included), such detailed personal information could have been used for social engineering attacks.
As with the previous slip-ups, it is not clear whether malicious entities actually accessed the database, although it would have been easy enough to find. The vulnerability was discovered by a security researcher, who found out that the database was not protected behind a firewall.
This list includes a mix of “what ifs”, which means we are perhaps fortunate that some of the biggest security missteps were just that – missteps.
Leaving databases out in the open could potentially be harmful if such data gets into the wrong hands. The pressing question now is whether it got into the wrong hands at all, and if the data could be used for malicious activities later on.