There were 111 data breaches during the month of October, an alarmingly high number. It’s no news that 2019 is already shaping up to be the worst year for cyberattacks. In the US, there were 3,800 disclosed data breaches during the first six months. Hackers compromised a total of 4.1 billion records in that time. This article looks at the highest impact data breaches in recent months, and provides important facts and figures about them.
Cybercriminal Known as Gnosticplayers Hacks Into Database Owned By Zynga
Hackers compromised a database containing 218 million records for Words with Friends users. Zynga, the parent company, is a leading gaming developer, best known for FarmVille, Mafia Wars and other multiplayer experiences. Zynga publicly announced the data breach on September 12, initially revealing that unauthorized parties broke into the database.
The hacker stole names, email addresses, login usernames and passwords, phone numbers, password reset tokens and more. The attacker also claimed that s/he accessed the private information of more than 7 million players of Draw Something and the discontinued OMGPOP game. In those cases, the hacker gained access to plaintext passwords.
Data of More Than 7 Million Adobe Users Compromised
On October 19, Adobe, Inc. revealed a vulnerability that left a database containing customer email addresses accessible to the public. A researcher discovered the vulnerability, which left member IDs, subscription and payment status, plus other information accessible on the web. Adobe restricted visibility and addressed the matter the same day.
This is not the first time that Adobe was involved in a data breach. In 2013, cybercriminals stole usernames and encrypted passwords for 38 million consumers. The cybercrime occurred due to a misconfigured system vulnerability that left private data public. A similar accidental misconfiguration left Capital One Financial Corp vulnerable to a data breach in July, which also happened to be an insider threat.
CenturyLink Involved in a Data Breach Exposing 2.8 Million Customer Records
CenturyLink, a Fortune 500 company, left 2.8 million records containing the sensitive information of hundreds of thousands of customers open for anyone with internet access to view or obtain. The company provides residential and business customers with telecommunications and other services, including internet, phone, cable and cloud solutions.
A security company discovered the MongoDB database, which contained API logs from a third-party notification platform used by the company. While the security company identified the vulnerability on September 15, the database was already left exposed on the web for months. By September 17, the MongoDB database was closed off.
CenturyLink conducted an internal investigation and consulted with the FCC before alerting the public. According to a company statement, “The data involved appears to be primarily contact information and we do not have reason to believe that any financial or other sensitive information was compromised. CenturyLink is in the process of communicating with the affected customers.”
Mercedes Benz Glitch Exposes Customer Information
In October, an app vulnerability placed customer information in the hands of other app holders. The application was extracting information, including names, activity and phone numbers, and giving visibility to other account holders who should have been restricted from accessing the information. There was a total of 100,000 consumers who installed the app and were compromised. Mercedes Benz took the app offline once it discovered the glitch. Customers were instructed to delete the app until the company made bug fixes and addressed the vulnerability.
TechCrunch reported on the glitch and recounted details provided by a Mercedes Benz customer who witnessed his app pull in cached data from several accounts. Those involved in the data breach could see the car’s previous locations (not current location). However, the lock-unlock and start-stop features did not work.
Philadelphia Department of Public Health Compromises Patient Health Data
While it impacted 23,000 people (and not a large amount of data such as with the others mentioned elsewhere in this article), the recent data breach involving Philadelphia’s Department of Public Health demonstrates the collateral damage that can occur when a person’s health-related information is compromised. The agency left individual health records containing names, addresses, Social Security numbers and other intimate, sensitive data accessible on its website in October.
The data included hepatitis diagnoses from 2013 to the end of 2018. After an Inquirer reporter found the data, the affected department removed it. It is not clear how long the data was exposed. Legal experts say that, since this is a government agency – and not a medical or insurance agency – it is not clear if the data breach will fall under federal law regulating medical record privacy such as the Health Insurance Portability and Accountability Act (HIPAA).
With Cybercrime Escalating, Introduce Threat Modeling to Your Security Program?
Threat modeling is a great way to visualize your attack surface and map out the various threats and attack vectors that it may contain. Threat modeling traditionally uses process flow diagrams to lay out the different components, user behaviors and communication flows. Threat modeling used to be a manual process that took many hours to complete.
ThreatModeler is a leader in the threat model creation space and has automated key tasks to save organizations up to 80% on time-cost. ThreatModeler comes out-of-the-box integrated with trusted threat libraries and security guidelines as outlined by AWS and Azure, among others. ThreatModeler lends itself to IT project management with its Jira integration, enabling DevSecOps teams to assign tasks, and keep track and communicate on progress as needed.