Recent Data Breaches & Key Lessons to Learn
Every company, regardless of size, can become the victim of a data breach. Cybercriminals, who often sell stolen data on the dark web, continue to find innovative new ways to obtain sensitive data. To deal with evolving threats, companies need to remain one step ahead of the criminals at all times.
To understand the scope and extent of data breaches, it’s helpful to review a number of security incidents that have affected well-known corporations in recent years. This article will cover:
Recent data breaches
Amex (American Express)
When did the data breach happen?
March 2024
Details on the data breach:
In early 2024, American Express notified customers that card data had been exposed in a breach of a third-party service provider used by merchants, not of Amex itself. Account numbers, names and card expiration dates may have been accessed. American Express stressed that its own systems were not compromised, which makes this a supply-chain exposure: the cardholder data left Amex's control as part of normal payment processing and was lost downstream.
Response to the data breach:
Customers were encouraged to review their account statements and report any fraudulent charges, for which cardholders are not held liable, and to enable multi-factor authentication (MFA) on their online accounts if they had not already done so.
AT&T
When did the data breach happen?
March 2024
Details on the data breach:
In March 2024, AT&T confirmed that records of roughly 73 million current and former customers (about 7.6 million of them current) had been stolen and shared on the dark web. The data included names, email and mailing addresses, phone numbers, dates of birth, Social Security numbers, AT&T account numbers and encrypted account passcodes.
Response to the data breach:
Everyone affected received an email or letter from AT&T, which also reset the passcodes of all affected current customers and said it would pay for credit-monitoring services where applicable. The passcodes being encrypted is only a partial comfort: an encrypted field protects data only as long as the key or scheme cannot be recovered from the same leak, so once the records were in the attackers' hands the passcodes had to be treated as compromised, which is why resetting them rather than relying on the encryption was the right call.
23andMe
When did the data breach happen?
October 2023
Details on the data breach:
In October 2023, 23andMe, a genetic testing company, reported that attackers had gained access to roughly 14,000 user accounts through credential stuffing: username and password pairs leaked from other sites' breaches were tried against 23andMe logins, and worked wherever the user had reused a password. Encryption and access controls did not help, because the attackers presented valid credentials. Through the opt-in DNA Relatives feature, those accounts also exposed profile and ancestry information of about 6.9 million other users, and the stolen data was shared online.
Response to the data breach:
23andMe urged users to reset their passwords and made the previously optional multi-factor authentication mandatory for new and existing users. The breach also had a large business impact: when 23andMe went public in 2021 it was valued at about $3.5 billion; after the slow-burning scandal its market value fell by as much as 95%, to around $150 million.
Bank of America
When did the data breach happen?
November 2023
Details on the data breach:
The Bank of America incident underlines the risk posed by third-party vendors and the potential for compromise through the supply chain. Infosys McCamish Systems (IMS), a service provider to the bank, suffered a ransomware attack in November 2023 that exposed personally identifiable information (PII) of over 57,000 Bank of America customers, including Social Security numbers, names, addresses and other sensitive data.
Response to the data breach:
Bank of America sent letters to customers with deferred compensation plans notifying them of a possible compromise, and issued customers new cards. Bank of America said it was not aware of any exposed data being misused; nonetheless, the company offered a free two-year membership to Experian IdentityWorks, an identity theft protection program that provides daily credit report monitoring.
Microsoft
When did the data breach occur?
July 2023, and November 2023 (disclosed January 2024)
Details on the data breach:
In July 2023, Microsoft disclosed that a China-based actor it tracks as Storm-0558 had read Exchange Online mailboxes at roughly 25 organizations, including U.S. government agencies. The attackers used a stolen Microsoft consumer account (MSA) signing key to forge authentication tokens, and a token-validation flaw in Microsoft's code allowed a consumer key to be accepted for enterprise accounts, so the forged tokens granted access without any phishing of the victims. (A separate campaign reported in late 2023 and early 2024 used shared documents carrying links to phishing pages to take over hundreds of executives' Microsoft 365 accounts at customer organizations; that attack targeted tenants' credentials rather than Azure itself.)
In late November 2023, in an intrusion Microsoft detected in January 2024, the Russian state-affiliated group Microsoft calls Midnight Blizzard breached its corporate email system, including the accounts of senior executives and of cybersecurity and legal staff. The attackers used password spraying to compromise a legacy, non-production test tenant account that was not protected by multi-factor authentication, then abused a legacy test OAuth application with elevated access to the corporate environment to read the leadership accounts' mail.
Response to the data breach:
The attacks on Microsoft serve as a reminder that even industry giants are not immune to cyber threats. Microsoft stated that it would apply its current security standards to its legacy systems and internal business processes, even where doing so disrupts existing operations.
ChatGPT/OpenAI
When did the data breach occur?
March 2023
Details on the data breach:
AI has been a hot topic since ChatGPT gained mass popularity, so it should be no surprise that a leading AI service also suffered a data exposure. OpenAI confirmed an incident caused by a bug in an open-source library it used, the Redis client library redis-py. If a user cancelled a request after the command had been sent to the cache but before the reply was read, the pooled connection was returned to the pool with that reply still unread; the next user whose request reused the connection received the previous user's data. During a nine-hour window this exposed some subscribers' first and last names, email addresses, payment addresses, credit card type, the last four digits of the card number and the expiration date; other users saw the titles of someone else's chat history, and possibly the first message of a newly created conversation.
Response to the data breach:
OpenAI said that about 1.2% of ChatGPT Plus subscribers active during the window were affected. It took ChatGPT offline, patched the library bug, and added redundant checks that data returned from the cache belongs to the user who requested it, so that a repeat of the race cannot reach another user's screen.
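The connection-pool race described above is easy to reproduce in miniature. The following Python is an added example, not OpenAI's code or the redis-py library's; the cache server, pool, user names and card fragments are all constructed for illustration. It shows the buggy path (a cancelled request hands its pooled connection, unread reply and all, to the next caller), the fix (a connection abandoned mid-request is discarded instead of reused), and the defence-in-depth check of tagging cached values with their owner and refusing a reply that belongs to someone else.

```python
from collections import deque


class CancelledError(Exception):
    """The caller abandoned the request mid-flight (e.g. the user closed the tab)."""


class FakeCache:
    """Stand-in for a cache server. The records are constructed sample data."""

    def __init__(self, records):
        self.records = dict(records)


class Connection:
    """One pooled connection. Replies come back in the order commands were sent,
    so an unread reply stays queued and is handed to whoever reads next."""

    def __init__(self, server):
        self.server = server
        self.inbox = deque()

    def send_get(self, key):
        # The server answers at once; the reply waits in the connection buffer.
        self.inbox.append(self.server.records.get(key))

    def recv(self):
        return self.inbox.popleft()


class Pool:
    def __init__(self, server):
        self.server = server
        self.free = []

    def acquire(self):
        return self.free.pop() if self.free else Connection(self.server)

    def release(self, conn):
        self.free.append(conn)


def fetch(pool, key, cancel_before_read=False, discard_on_cancel=False):
    """GET `key` through the pool. `cancel_before_read` simulates the request
    being cancelled after the command went out but before the reply was read."""
    conn = pool.acquire()
    try:
        conn.send_get(key)
        if cancel_before_read:
            raise CancelledError
        reply = conn.recv()
    except CancelledError:
        if not discard_on_cancel:
            # BUG: the connection still holds an unread reply, yet it goes
            # back into the pool for the next caller to reuse.
            pool.release(conn)
        # Fixed behaviour: drop the poisoned connection (never release it).
        return None
    pool.release(conn)
    return reply


def fetch_for_user(pool, user, key, **kwargs):
    """Defence in depth: every cached value carries its owner, and the client
    refuses a reply owned by someone else instead of rendering it."""
    reply = fetch(pool, key, **kwargs)
    if reply is None:
        return None
    owner, payload = reply
    if owner != user:
        return None  # cross-user reply detected; treat as a cache miss
    return payload


def scenario(discard_on_cancel, check_owner=False):
    """Alice cancels mid-request, then Bob makes a request on the same pool.
    Returns what Bob is shown."""
    server = FakeCache({
        "alice:payment": ("alice", "card ending 4242"),  # constructed sample data
        "bob:payment": ("bob", "card ending 1111"),
    })
    pool = Pool(server)
    fetch(pool, "alice:payment", cancel_before_read=True,
          discard_on_cancel=discard_on_cancel)
    if check_owner:
        return fetch_for_user(pool, "bob", "bob:payment")
    reply = fetch(pool, "bob:payment")
    return reply[1] if reply else None


if __name__ == "__main__":
    print("buggy pool, no owner check:", scenario(False))        # Alice's card
    print("buggy pool, owner check:   ", scenario(False, True))  # None
    print("fixed pool:                ", scenario(True))         # Bob's card
```

Discarding the connection is the real fix; the owner check is the belt to that pair of braces. It costs a few bytes per cached value and catches any future bug of the same family before it reaches another customer.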
Duolingo
When did the data breach occur?
January 2023 (data scraped and offered for sale); released publicly August 2023
Details on the data breach:
Duolingo experienced a data scraping incident in which an attacker abused an exposed API to pull records of about 2.6 million users without authorization. Feeding email addresses from earlier breaches to the endpoint returned public profile data (name, username, languages studied) and, by responding differently for unknown addresses, confirmed which addresses belonged to Duolingo accounts. The resulting data set was first offered on a hacker forum for $1,500 and later released there for almost nothing, giving phishers a list of real names tied to verified email addresses.
Response to the data breach:
Duolingo said it had taken steps to strengthen its security. It also promised users that it would communicate promptly about anything affecting their accounts and that any vulnerabilities found would be mitigated.
Marriott Hotels
When did the data breach happen?
June 2022
Details on the data breach:
Marriott has suffered multiple breaches: one that began in 2014 in Starwood's reservation system and was discovered in 2018, a 2020 breach that affected 5.2 million guests, and a 2022 incident in which attackers took about 20 gigabytes (GB) of data. Between them these exposed personal information, loyalty program details, travel preferences and, in the Starwood case, payment card data. In 2022 a Marriott employee at a single property was socially engineered into giving the attackers access to internal systems; the attackers claimed the haul included credit card numbers, flight information and internal business documents.
Response to the data breach:
Given Marriott's history of breaches, expectations were low, and the 2022 response did little to raise them. Marriott acknowledged the breach promptly, but its public statement did not say how the intrusion was discovered or what steps were taken in response.
Common causes of data breaches
Given the vast number of data breaches that occur on a yearly basis, it’s important to consider the common causes of data breaches to keep an eye out for.
Old Vulnerabilities
Attackers routinely exploit known vulnerabilities for which a patch already exists but has not been applied, and after an initial intrusion they look for the same unpatched weaknesses to move further or to return later. Prompt patching closes the door to further exploitation and hardens the system against follow-on attacks, helping to safeguard sensitive data and maintain operational integrity.
Human error
Weak or reused passwords, clicking on malicious links, visiting phishing sites, or falling for social engineering are all pathways that can expose a company's systems. Human error remains a primary catalyst for successful data breaches. Ongoing cybersecurity training keeps employees informed, vigilant and diligent as threats evolve. In addition, enforcing good password practices and requiring multi-factor authentication greatly reduces the chance that stolen or guessed credentials can be used to compromise business data; the 23andMe and Microsoft incidents above were both credential attacks that MFA would have blunted.
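The credential stuffing used against 23andMe and the password spraying used against Microsoft leave different footprints in authentication logs, and a detection rule can tell them apart from plain brute force. The following Python is an added example, not code from any of the companies discussed. It runs three heuristics over a constructed sample log (the log format, account names, thresholds and addresses are all assumptions for the example; the addresses are documentation ranges): one source failing many times against one account is brute force; one source failing once or twice against many accounts is a spray; many accounts each tried once from many different sources within a short burst, most of them failing, is stuffing.

```python
import re
from collections import defaultdict
from datetime import datetime

# One line per authentication attempt. Format and values are constructed for
# this example; the addresses are documentation ranges, not real sources.
LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+auth\s+(?P<result>FAIL|OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)"
)

SAMPLE_LOG = """\
# brute force: one source hammers one account with many passwords
2024-03-01T10:00:00Z auth FAIL user=admin src=203.0.113.7
2024-03-01T10:00:01Z auth FAIL user=admin src=203.0.113.7
2024-03-01T10:00:02Z auth FAIL user=admin src=203.0.113.7
2024-03-01T10:00:03Z auth FAIL user=admin src=203.0.113.7
2024-03-01T10:00:04Z auth FAIL user=admin src=203.0.113.7
2024-03-01T10:00:05Z auth FAIL user=admin src=203.0.113.7
2024-03-01T10:00:06Z auth FAIL user=admin src=203.0.113.7
2024-03-01T10:00:07Z auth FAIL user=admin src=203.0.113.7
2024-03-01T10:00:08Z auth FAIL user=admin src=203.0.113.7
2024-03-01T10:00:09Z auth FAIL user=admin src=203.0.113.7
# password spray: one source, one common password tried against many accounts
2024-03-01T10:05:00Z auth FAIL user=alice src=198.51.100.9
2024-03-01T10:05:01Z auth FAIL user=bob src=198.51.100.9
2024-03-01T10:05:02Z auth FAIL user=carol src=198.51.100.9
2024-03-01T10:05:03Z auth FAIL user=dan src=198.51.100.9
2024-03-01T10:05:04Z auth FAIL user=erin src=198.51.100.9
# credential stuffing: leaked user:password pairs, one try each, many sources
2024-03-01T10:10:00Z auth FAIL user=frank src=192.0.2.11
2024-03-01T10:10:01Z auth OK user=grace src=192.0.2.12
2024-03-01T10:10:02Z auth FAIL user=heidi src=192.0.2.13
2024-03-01T10:10:03Z auth FAIL user=ivan src=192.0.2.14
2024-03-01T10:10:04Z auth FAIL user=judy src=192.0.2.15
# ordinary traffic
2024-03-01T10:12:00Z auth OK user=mallory src=10.0.0.5
"""


def parse(text):
    """Parse log lines into dicts; comment and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["time"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return events


def classify(events, min_users=5, min_fails=8, burst_s=60):
    """Return (kind, ...) findings. Thresholds are illustrative, not tuned."""
    findings = []
    flagged_srcs = set()

    # Per-source view: brute force and spraying both concentrate on one source.
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        users = {e["user"] for e in fails}
        if len(users) == 1 and len(fails) >= min_fails:
            findings.append(("brute_force", src, users.pop()))
            flagged_srcs.add(src)
        elif len(users) >= min_users and len(fails) <= 2 * len(users):
            findings.append(("password_spray", src, len(users)))
            flagged_srcs.add(src)

    # Stuffing: each account tried exactly once (a leaked pair), sources spread
    # out, all within a short burst. Sources already flagged above are excluded.
    per_user = defaultdict(list)
    for e in events:
        if e["src"] not in flagged_srcs:
            per_user[e["user"]].append(e)
    single = sorted((evs[0] for evs in per_user.values() if len(evs) == 1),
                    key=lambda e: e["time"])
    best = []
    for i, start in enumerate(single):
        window = [e for e in single[i:]
                  if (e["time"] - start["time"]).total_seconds() <= burst_s]
        if len(window) > len(best):
            best = window
    srcs = {e["src"] for e in best}
    fails = sum(e["result"] == "FAIL" for e in best)
    if len(best) >= min_users and len(srcs) >= 0.8 * len(best) and fails >= len(best) / 2:
        # Successes inside a stuffing burst are the accounts to force-reset first.
        findings.append(("credential_stuffing", len(best), len(best) - fails))
    return findings


if __name__ == "__main__":
    for finding in classify(parse(SAMPLE_LOG)):
        print(finding)
```

The point of the third rule is that stuffing rarely shows a failure spike per account, which is what most lockout policies key on; its signal is the burst of single attempts across accounts, and the successes inside that burst are the accounts whose passwords were already leaked elsewhere and need a forced reset. In production the same logic would also consider IP reputation, ASN and impossible-travel signals, and an ordinary login that happens to fall inside a burst will be swept up, so the finding is a trigger for investigation rather than for automatic action.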
Access Permission Mismanagement
Businesses should enforce a policy of "least privilege" for sensitive information: users start with the minimum access needed for their role, and wider permissions are granted incrementally, as and when a specific need is shown. This ensures that only the employees who need confidential data can reach it, and it limits what a compromised account (the starting point of most of the breaches above) can expose. Keeping it effective demands ongoing attention, especially as people change roles or leave; reviewing and revoking permissions is a constant system administration task, not a one-time setup.
Lessons to learn from recent cyber attacks
Several lessons can be learned from the recent attacks for businesses of all sizes.
Train employees on cyber security
Establishing ongoing education and training programs in cybersecurity is paramount in reducing unauthorized access risks, particularly as data breaches grow increasingly complex. These initiatives empower employees to recognize evolving phishing tactics, navigate sophisticated malicious attacks, and consistently protect their credentials. In a landscape where threats continually evolve, such ongoing education ensures that employees remain resilient against emerging cybersecurity challenges.
Mitigating Risks from Outdated/Legacy Systems
Outdated hardware and software present significant risks, potentially exposing an organization's entire network: systems that no longer receive updates or patches are prime targets for attackers seeking known vulnerabilities, and the Microsoft incident above began with a legacy test account that had not been brought up to current standards. Alerting on suspicious activity gives immediate notice of unauthorized entry, so a breach does not go undetected while the attacker moves further. If you have legacy systems that are difficult to update or replace, isolate them from the rest of the network as far as possible and use encryption tools to protect the data stored on them.
Understand potential threats to third-party entities
Third-party entities often lack comparable resources or a well-established cybersecurity culture with trained staff, which can leave them vulnerable, and the Amex and Bank of America incidents above both originated at a vendor. Cybercriminals therefore frequently target these third parties, particularly those that hold or exchange data with larger institutions, as the softer way in. Know which vendors hold your data and what they hold, require them to meet your security standards contractually, and, where third-party systems run inside your own technical environment, encrypt the data stored in them.
Encrypt your sensitive data
Encrypting your sensitive data provides an extra layer of protection even when a breach succeeds: attackers who copy encrypted data cannot use it unless they also obtain the keys. That caveat matters in practice, so keys must be stored and managed separately from the data they protect, and encryption is a complement to, not a substitute for, the access controls and credential hygiene discussed above.
NetLib Security Encryptionizer can assist with transparently encrypting your sensitive data without any programming changes and virtually no impact on performance. Encryptionizer can be used to protect data in legacy systems, as well as third-party products.
About NetLib Security
NetLib Security has spent the past 20+ years developing a powerful, patented solution that starts by setting up a formidable offense for every environment where your data resides: physical, virtual and cloud. Our platform simplifies the process while ensuring high levels of security.
Simplify your data security needs. Encryptionizer is easy to deploy. It is a cost-effective way to proactively and transparently protect your sensitive data that allows you to quickly and confidently meet your security requirements. With budget considerations in mind, we have designed an affordable data security platform that protects, manages, and defends your data, while responding to the ever changing compliance requirements.
Data breaches are expensive. Security does not have to be.
NetLib Security works with government agencies, healthcare organizations, small to large enterprises, financial services, credit card processors, distributors, and resellers to provide a flexible data security solution that meets their evolving needs. To learn more or request a free evaluation visit us at www.netlibsecurity.com.