Used with permission from Tektonika (HP). By Jasmine W. Gordon


Cybersecurity incidents just don’t have the same shock value they used to—not after Facebook, Uber, Target, and Equifax were all breached. However, even if you ignored 2018 data breach news, there were some absolute whoppers, including two incidents which likely exposed data on the entire population of India and the US; that’s 1 in 3 global citizens with a digital footprint.

Before you run to double down on your data breach protection, take a look at what happened in three of last year’s biggest incidents, as there’s a lot to learn from the missteps that allowed them to occur.

1. Aadhaar (1.2 billion Indian citizens affected)

Aadhaar, India’s massive citizen database, experienced a series of data breaches over the course of 2018. 90 percent of India’s population of 1.32 billion people are enrolled in the company’s unique identification number program, UIDAI. The leak became public when journalists paid 500 Indian rupees (approximately $8) for unique access credentials to a professional credential broker over WhatsApp. The seller paid about $95 for access and enough privileges to create new users, according to TechCrunch.

Selling Aadhaar access was a profitable side gig for Indian hackers, since a UIDAI number is similar to a social security number and can be used to enroll in school, receive food disbursements, or participate in other government programs. It was an identity theft nightmare for countless Indian citizens. The ruling Bharatiya Janata Party responded to the media by denying the reports. FirstPost reports that other Aadhaar 2018 data breach incidents happened due to:

  • App security flaws
  • Data published on government websites
  • Third-party leaks
  • Endpoint leaks
  • A government agency’s tweet

What did we learn?

Aadhaar’s security issues are rich with lessons for security programs, and this series of incidents shows why you need to double down on access governance, perform penetration testing, and manage third-party cyber risks. The main failure in this case was likely not performing a security assessment after the initial 2018 data breach to discover other vulnerabilities.

You don’t know your blind spots unless you know what’s on your network. The best time to assess the situation is before you’re hacked, not after the fourth data breach.

2. Exactis (340 million records exposed)

In June 2018, security researcher Vinny Troia discovered that data broker Exactis had two terabytes of data on a public cloud server, including 340 million individual records. Wired reports that, while the breach didn’t expose social security or financial data, there was a lot of creepy stuff involved. The records likely included addresses, phone numbers, and “behavioral insights” on every US citizen’s household—including the names, ages, and interests of people’s children. Troia uncovered the breach and 7,000 other open databases using the search engine Shodan to query for open Elasticsearch databases with US IP addresses.

What did we learn?

Troia’s method is not especially high tech, as Jason O’Keefe demonstrated when he used Shodan at Black Hat 2018. However, it’s similar to the methods hackers use to find unprotected databases and IoT devices like printers with open ports. Basic cyber hygiene is important to protect your endpoints and cloud data.

Don’t bother worrying about zero-day malware and other advanced threats until you have the basics locked down.

3. MyFitnessPal (150 million user accounts hacked)

This Under Armour-owned web and mobile app for logging fitness and diet disclosed a breach of 150 million records in March, according to Wired. Fortunately, the data records exposed were limited to usernames, passwords, and email addresses. MyFitnessPal was hacked in early February and disclosed the incident on March 25, 2018, which is impressive, relatively speaking. It took U.S. companies an average of 201 days to discover a data breach in 2018, per Ponemon Institute.

There were certainly missteps, however. An unknown percentage of the passwords in the breach were hashed with the outdated SHA-1 algorithm instead of the secure alternative bcrypt. The National Institute of Standards and Technology (NIST) deprecated (or retired) SHA-1 in 2011, and Windows terminated support in 2017. Few other details are known about the hack. Consumer trust was shattered despite Under Armour’s impressive response. Under Armour stock dropped as much as 4.6 percent as a result, according to Forbes.

What did we learn?

Johns Hopkins University cryptographer Matthew Green told Wired that the company made a mistake in not engaging outside experts fast enough. “My suspicion is they upgraded from something terrible, SHA-1, to . . . bcrypt but had to keep the old data around for customers who hadn’t logged in recently.”

Sometimes, data breach protection means asking for help. Hiring an expert is the best way to assess your vulnerabilities or fix huge risks like weak encryption.
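The migration trap Green describes has a standard fix: wrap every legacy SHA-1 hash inside the slow hash immediately, so no raw SHA-1 digest stays in the database waiting for a user who may never log in, and replace the wrapped form with a direct hash the next time that user authenticates. The example below is added here and is not MyFitnessPal’s or Under Armour’s code; it uses the standard library’s `hashlib.scrypt` in place of bcrypt so it runs without third-party packages, and the sample user table is constructed.

```python
import hashlib
import hmac
import os

# scrypt work factor (assumption: tune for your hardware; swap in bcrypt if preferred)
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def legacy_sha1(password):
    """Constructed stand-in for the old unsalted SHA-1 password scheme."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(material, salt):
    """Slow, salted hash standing in for bcrypt."""
    return hashlib.scrypt(material, salt=salt, **SCRYPT_PARAMS)


def wrap_legacy_record(sha1_hex):
    """Migration-time step: hash the SHA-1 digest itself; no user login needed."""
    salt = os.urandom(16)
    return {"scheme": "scrypt(sha1)", "salt": salt,
            "hash": strong_hash(sha1_hex.encode(), salt)}


def fresh_record(password):
    """Record for a user whose plaintext password is available (signup or login)."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt,
            "hash": strong_hash(password.encode(), salt)}


def migrate_table(rows):
    """rows: {username: legacy sha1 hex} -> {username: wrapped record}."""
    return {user: wrap_legacy_record(digest) for user, digest in rows.items()}


def verify_and_upgrade(record, password):
    """Check a login; on success, unwrap a legacy record into a direct hash.

    Returns (ok, record): the record to store back, upgraded if applicable."""
    if record["scheme"] == "scrypt(sha1)":
        material = legacy_sha1(password).encode()   # recompute inner SHA-1
    elif record["scheme"] == "scrypt":
        material = password.encode()
    else:
        raise ValueError("unknown password scheme")
    ok = hmac.compare_digest(strong_hash(material, record["salt"]), record["hash"])
    if ok and record["scheme"] != "scrypt":
        record = fresh_record(password)              # drop the SHA-1 layer
    return ok, record
```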

2018 data breach lessons

Billions of records were exposed last year in these three incidents alone. Proper data breach protection requires getting the basics right with strong cyber hygiene, endpoint protection, and proactive security assessments.