This year, some of the most popular companies faced massive security breaches, affecting millions of users and exposing private and financial information. This data was either acquired for malicious use by the hackers themselves or sold off to the highest-bidding cyber-criminal organizations. Companies with the largest cybersecurity budgets may suffer some backlash from their once-trusting user and customer base, but nothing compared to what a small or mid-sized business would experience.
60 percent of small businesses fail within six months after an attack. On average, an email phishing attack costs a mid-sized company $1.6 million, a huge expense for businesses that do not put the necessary cybersecurity practices and employee awareness training in place. Get the lowdown on which big-name companies were breached, what was stolen, and how you can protect yourself and your business.
The Top Cyber Attacks of 2018
Amazon
This e-commerce giant informed a large portion of its customer base that a “technical error” caused a massive data leak exposing the names and email addresses associated with their user accounts. Amazon would not provide any details about the “technical error” or what caused the leak, but notified customers by email in mid-November, just days before Black Friday. Most customers were left in the dark about how this data became exposed, how long their information was exposed and to whom, and whether anyone could see orders linked to the email address they use for their Amazon account. Amazon wouldn’t comment on the incident but did assure customers that its website and internal systems were safe and had not been breached.
Facebook
Earlier this fall, 50 million Facebook user accounts were affected by a security breach, and an additional 40 million were likely affected. These accounts were reported to have been exposed by an update of Facebook’s own code that left a security hole which wasn’t spotted right away. Once it was identified, Facebook sent out notifications to the affected accounts and issued a statement describing it as a “serious security issue” that they had patched as soon as they became aware of it. The information known to have been accessed was account holders’ names, genders, and hometowns. They do not believe that private messages, posts, or credit card information were exposed, however.
Google Plus
In October, Google released a statement that it would shut down Google Plus, which was essentially Google’s struggling social media competitor to Facebook. Google did not tell users about the security issue when it identified, in March 2018, that 500,000 users were exposed; the issue was fixed at that time. Google shared that it didn’t believe anyone had gained access to user information, and its “Privacy and Data Protection Office” stated it was not legally required to report the breach. This decision not to disclose the breach struck many cybersecurity officials as peculiar, especially given the timing of the new rules in California and Europe governing when a company must disclose any form of security breach.
StarWood Hotels (Marriott)
Dating back to 2014 and running through September of 2018, the Starwood brand of hotels (Marriott, Westin, St. Regis, Sheraton and more) exposed its database of more than 500 million customer accounts. The information affected was personal information including names, phone numbers, birth dates, email addresses, physical addresses, credit card information, passport numbers and even travel information. It was also reported that 327 million of those accounts likely had their information copied by hackers. This hack has been reported as one of the biggest of all time, second only to the Yahoo breach that affected upwards of 3 billion email customers.
Caribou Coffee
From August to early December of 2018, 239 Caribou Coffee stores were breached through a compromise of their POS systems, exposing customers’ financial purchasing information. Those who visited a Caribou Coffee store between late August and early December are considered at an increased risk of identity theft. This breach is considered severe for both individuals and small businesses.
Make a Wish Foundation
In November, this widely supported non-profit disclosed a cryptojacking attack through its website, dating back to May of 2018 when the initial crypto-miner appeared to start the activity. Individuals who visited the Make-A-Wish Foundation international site were lending CPU power to cybercriminals mining for cryptocurrency. Fortunately, no individual user information was stolen, but your CPU power might have been while you were visiting the site. This is a prime example showing that non-profits are not immune to being targeted by hackers, especially those that take donations through online platforms. Cryptojacking is a serious threat to businesses because this malware often goes unnoticed and can spread across entire networks or hijack the browsers of every visitor to a website.
Girl Scouts of America
In late September, a third-party vendor gained unauthorized access to an email account used by the organization, causing more than 2,800 member accounts and their personal information to be exposed. The data that was potentially breached included the members’ names, addresses, emails, insurance policy numbers, and medical history.
British Airways and Ticketmaster
In September, British Airways announced it had experienced a security breach and theft of its customer data, noting that over 380,000 accounts were likely affected between August 21st and September 5th, when the breach was identified. The theft was credited to Magecart, a group of malicious hackers that utilize physical and digital credit card skimmers to retrieve users’ financial payment information. This breach included personal information such as names, email addresses, physical addresses, and financial payment information. A similar attack on Ticketmaster by the same group was reported earlier, in June of 2018, when upwards of 17 Ticketmaster websites were affected.
This popular Q and A site reported a security breach that affected over 100 million users’ data earlier this month. The social platform admitted that its systems had been compromised by a “malicious third party” that exposed private messages and account information. This breach is reported as unlikely to result in identity theft and likely not nearly as severe as the earlier breaches mentioned in this article, which included financial and identity information such as Social Security or passport numbers.
HSBC Bank USA
In October, this large bank, which maintains over 7,500 offices in 80 countries, sent a letter to an undisclosed number of customers informing them that their personal information had been exposed. The letter stated that unauthorized users accessed customer accounts over a two-week period in early October, gaining access to their name, address, email, phone number, and date of birth, as well as their banking details and information. The bank acted very quickly, advising and supporting victims by helping them change their passwords and regain access to their accounts safely.
Children’s Mercy Hospital
Between December 2017 and January 2018, two employees were lured in by email phishing attempts, which resulted in a total of 63,000 exposed patient accounts and personal health information. The hospital notified patients affected by the breach via a notice on its website and letters that went out in batches. As of July, some patients were reporting that they had only just been notified of a breach of their account.
Action to take if you know your account was breached:
- Change Your Password. If you had accounts with any of these companies, to prevent further potential risk to yourself, we recommend at a minimum changing your password to one that is complex and unique to that site, not reused anywhere else. Store your passwords safely in a password storage application such as RoboForm, Zoho, LastPass, Dashlane, or KeePass.
- Add additional security. Consider adding two-factor authentication or a second method of verification required to gain access to your accounts.
- Update your privacy settings. Change the settings on what personal information is stored and shared publicly, and on which people or third-party apps can access your information. You should also take into account what you share publicly on social media sites, and what you can do to prevent information shared with good intent from being used against you later in a malicious email phishing attempt or an attempt to gain access to your other accounts.
- Remove Financial Information. If you had financial information stored in your accounts, remove the card or banking information. You could also cancel your stored payment methods and add new ones once you’ve re-secured your account.
- Close and reopen your account. You could even go as far as closing your current account and opening a new one under a different email address. If you had points applied to your account, call the company’s customer support line to see if they can transfer your points to your new account because of their breach. They should be more than willing to cooperate with you if they exposed your information.
Prevent Your Information From Being Hacked
There is no perfect online security, but there are strategies that can prevent breaches. Often there is no way to tell the exact extent of your risk from the little information these companies provided regarding the breaches that occurred in 2018. If you change your password to a new and unique one every 60-90 days, and always when you know a breach has occurred, then you are taking a proactive approach to keeping your data safe.
If you have any questions about actions to take to further protect yourself and your Kansas City or St. Louis area business, The Purple Guys are happy to consult. In addition to our Managed I.T. Support Services, we offer customers cybersecurity monitoring and awareness training for employees, which includes email phishing training, phishing being the most common cause of security breaches. Request a Free Dark Web Scan to find out if any of your or your company’s credentials have been leaked and exposed. You have nothing to lose, and only the privacy and protection of your own, your employees’ and your customers’ data to gain.