
The 5 Most Cringe-Worthy Privileged Data Breaches of 2018

December 3, 2018


Privileged attack vectors and the theft of personally identifiable information (PII) have been a constantly paired news item throughout 2018. In 2019, expect privileged attack vectors to continue to reign as the number one root cause of breaches for both consumer and business data theft.

Below, I have compiled my list of the top-5 most noteworthy breaches for this year (so far). My ranking may be surprising to some of the readers, and some of the incidents are not even that high profile, but the size, duration, and type of business all contribute to the ranking.

While Gartner has acknowledged that Privileged Access Management is the top security priority for 2018, many organizations are still in denial of their privileged account risks. These inadequately controlled cyber risks frequently stem from poor identity and password management hygiene. Organizations must learn to programmatically discover and manage their privileged accounts because the attack vector is not going away anytime soon.

Notable Mention: Orbitz

One breach that occurred in early 2018 is not officially ranked, but is notable because it has the distinction of being a completely Internet-based business, with no brick and mortar presence for customer interaction. It is a dot-com company and should have understood, just like Yahoo, that strong cybersecurity is critical.

In March, Orbitz announced that 880,000 payment cards were hacked in a breach that spanned almost two years, and over multiple systems. Two years! While the number of credit cards hacked is fractional compared to other incidents, it is the duration of compromise for a web-based company that gains them notable mention.

Although the forensic information published on the breach remains vague, it is known that the incident involved data submitted to a legacy website and to partner websites. Orbitz claims there is no direct evidence that the information was actually stolen, but this security professional wonders if penetration and vulnerability assessment tests were actually being performed on these websites, and the results scheduled for remediation in a timely manner. I suspect not.

Orbitz said, "We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform." They also reported, "As part of our investigation and remediation work, we brought in a leading third-party forensic investigation firm and other cybersecurity experts, began working with law enforcement and took swift action to eliminate and prevent unauthorized access to the platform."

Orbitz’s words on this subject warrant some scrutiny. The monitoring and security initially in place were insufficient, and “unauthorized access” implies yet another identity and privileged access attack vector. For a 100% web-based company, the front door is the web, and the shipping and loading doors are partner connectivity. All of this must be secured just as in a physical building – something Orbitz did not adequately do to protect against unauthorized access. That little padlock in your browser indicating a secure connection for your transaction just did not matter for their incident, since it was the other doors (websites) that got them in trouble.

Now, let’s take a look at the breaches that made the top-five list for 2018:

#5 Adidas

Adidas announced in June that an "unauthorized party" gained access to customer data on Adidas' US website. While no details have thus far been publicly released regarding the attack and breach methodology, the company says that they believe only customers who purchased items from the US-hosted version of Adidas.com may have been affected by the incident.

While it is unknown if the attack vector involved a configuration flaw, a vulnerability and exploit combination, or a privileged attack, the threat actors did obtain contact information, usernames, and encrypted passwords. It is also unknown whether or not it was possible to decrypt the heisted passwords, since the rest of the breach details do not fall under regional jurisdiction laws like GDPR and were not publicly released.

So, as far as 2018 breaches go, this lands squarely at the bottom of the top-5 list, but it represents data that can be used for future phishing and privileged attacks. Leaked personally identifiable information (PII) forms the basis for future privileged attacks.

#4 Saks Fifth Avenue and Lord & Taylor

On April 1, 2018 (and not an April Fools’ joke), Lord & Taylor and Saks Fifth Avenue announced that their stores were the subject of a massive credit card data breach. This security incident is believed to have compromised 5 million customers’ credit card information.

While the size is significant, what is perhaps even more shocking is the extended duration in which the security compromise was ongoing. Clients who used a credit or debit card at any of the stores’ retail locations between May 2017 and April 2018 were most likely affected. However, the breach was not identified or disclosed for almost a year!

Similar to Adidas, few details were publicly released regarding the attack vector. However, The New York Times reported that the attack was likely initiated by an email phishing scam sent to Hudson’s Bay (Canadian-based owner of Saks and Lord & Taylor) employees. The threat actors reportedly targeted accounts with malicious software via a link, file, or other attack vector to infiltrate the environment.

It is important to note that the vast majority of malware can be stopped simply by removing administrative rights from an end user’s workstation. That is basic privilege management. Hopefully, we all can learn from this example to identify phishing attacks and remove end user administrative rights. And, implement threat analytics to identify these types of incidents sooner!
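As an added example of what “programmatically discovering” privileged accounts (the point made in the introduction) and finding the end-user administrative rights to remove (the point made just above) looks like in practice, the following Python audit parses passwd and group data and flags every account with standing admin rights. This is illustrative code written for this post, not BeyondTrust product code and not drawn from any of the incidents discussed; the passwd/group text is constructed sample data, and the admin group names and the service-account shell list are assumptions.

```python
"""Privileged account audit for a Unix-style host (added example, not BeyondTrust code).

Flags every account with standing administrative rights: uid 0, or membership in an
admin group via the supplementary member list or via the account's primary gid.
The passwd/group text below is constructed sample data, not taken from any real system.
"""

# Groups assumed to grant admin rights through sudo/su on common distributions.
ADMIN_GROUPS = {"sudo", "wheel", "admin"}

# Shells assumed to mark non-interactive service accounts.
SERVICE_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second uid-0 account:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1003:10:Carol:/home/carol:/bin/bash
svc_backup:x:1002:1002:backup service:/var/backups:/usr/sbin/nologin
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,svc_backup
wheel:x:10:
users:x:100:alice,bob
"""


def parse_passwd(text):
    """Return {username: {"uid": int, "gid": int, "shell": str}}; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if line.startswith("#") or len(parts) != 7:
            continue
        name, _pw, uid, gid, _gecos, _home, shell = parts
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text):
    """Return {groupname: {"gid": int, "members": [names]}}; malformed lines are skipped."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if line.startswith("#") or len(parts) != 4:
            continue
        name, _pw, gid, members = parts
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def find_privileged(passwd_text, group_text):
    """Map each privileged username to the list of reasons it was flagged."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = {}

    def flag(user, reason):
        findings.setdefault(user, []).append(reason)

    # Exactly one uid-0 account (root) is expected; any other is a finding in itself.
    for name, u in users.items():
        if u["uid"] == 0:
            flag(name, "uid 0" if name == "root" else "uid 0 (duplicate root)")

    for gname, g in groups.items():
        if gname not in ADMIN_GROUPS:
            continue
        for member in g["members"]:
            flag(member, f"member of {gname}")
        # An admin group as primary gid grants the same rights but never shows up in the member list.
        for name, u in users.items():
            if u["gid"] == g["gid"] and name not in g["members"]:
                flag(name, f"primary group {gname}")
    return findings


def end_users_with_admin(passwd_text, group_text):
    """Interactive, non-root accounts holding admin rights: the candidates for privilege removal."""
    users = parse_passwd(passwd_text)
    flagged = find_privileged(passwd_text, group_text)
    return sorted(
        name for name in flagged
        if name != "root" and name in users and users[name]["shell"] not in SERVICE_SHELLS
    )


if __name__ == "__main__":
    for user, reasons in sorted(find_privileged(SAMPLE_PASSWD, SAMPLE_GROUP).items()):
        print(f"{user:12s} {'; '.join(reasons)}")
    print("remove admin rights from:", ", ".join(end_users_with_admin(SAMPLE_PASSWD, SAMPLE_GROUP)))
```

On a real host the two constants would be read from `/etc/passwd` and `/etc/group` (or from a directory export, which is where the real privilege sprawl usually hides); the point of the primary-gid check is that `grep wheel /etc/group` alone misses accounts whose admin rights come from their default group.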

#3 Under Armour

Scarcely a month after the Saks Fifth Avenue and Lord & Taylor breach, Under Armour learned that someone had gained unauthorized access to MyFitnessPal, a platform that hosts IoT device data for tracking a user’s diet, exercise, and health. Upwards of 150 million MyFitnessPal users are believed to have had their information compromised.

CNBC reported at the time of disclosure that threat actors claimed responsibility for breaching individuals’ usernames, email addresses, and hashed passwords. While the incident did not expose users’ credit card information (unlike Saks and Lord & Taylor), thanks to architectural choices in data and process segmentation and payment storage, it laid bare the cyber risks inherent in storing IoT data in the cloud.

Based on reports from Forbes and CNBC, the incident arose due to “unauthorized access” to user data. That alone reflects inadequate privileged access management and underscores this attack as another reason mature identity and privilege management capabilities and processes are critical for organizations to embrace.

#2 T-Mobile

Fast forward a few months to August and land on our second worst breach of 2018. T-Mobile announced that threat actors stole the personal data of approximately 2 million of its customers (3% of its clients). The leaked data was typical: usernames, billing zip codes, phone numbers, email addresses, and account numbers, as well as information on whether customers prepaid or postpaid their accounts.

T-Mobile’s cybersecurity team reportedly “discovered and shut down an unauthorized capture of some information” after the breach. Those words are key. Was it a man-in-the-middle (MITM) attack, was data stolen from a database or log files, or did someone have inappropriate privileged access? The public may never know the full details, but the word “unauthorized” implies the threat actor did not have authorization to collect the privileged data in the first place. This brings us full circle back to yet another privileged attack based on poor identity and privilege management hygiene.

And, making things a little more grey, T-Mobile indicated that no passwords were compromised, but recommended, “it’s always a good idea to regularly change account passwords.” That statement should make customers wary, since, in 2015, Experian, which processes credit applications for T-Mobile, was itself breached. That incident impacted 15 million customers! Compromised customer data in 2015 included social security numbers, drivers’ licenses, and passports for T-Mobile customers. In retrospect, it appears T-Mobile did not learn its lesson three years ago.

#1 Starwood

In 2016, Marriott acquired the Starwood hotel chain, including leading brands like St. Regis, Westin, Sheraton, and W Hotels. Two years before the acquisition, an incident began that was only identified last week. So, for four years, “unauthorized access” occurred within the Starwood reservation system that ultimately involved the leaking of names, phone numbers, email addresses, passport numbers, birthdates, and reservation information (arrival, departure, and points) for an estimated 500 million customers. Additionally, a subset of those customers numbering in the millions may have also had their credit card numbers and expiration dates disclosed. The size, severity, and duration of the breach, and the fact that it lasted through a major acquisition, put the Starwood breach atop all others in 2018.

In an official statement from the company, “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.” And, “Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.”

As the statement reveals, the threat actors had “unauthorized access,” which implies inappropriate identity and privileged access to key systems that, strictly by the nature of the data, should have been segmented. For example, in line with PCI DSS standards, access to credit card data should never allow it to be reassembled, even if encrypted, and associated with the data owner.

The threat actor must have gained lateral access across zones and systems in order to perform the many types of operations needed to exfiltrate the data. Beyond poor incident monitoring technology, log monitoring, privilege management, and network and data segmentation, Starwood failed in an epic fashion to identify and contain the incident.

Considering the recency of the Starwood breach announcement, I expect there to be more revelations regarding the incident over the coming months.

Since the breach falls under the European GDPR regulations for some of its 1,200 properties, Starwood may incur significant financial penalties of up to four percent of its global annual revenue if found liable for breaching the rules. That is significant for any business and should be a strong message for every executive, employee, stock holder, and board member.

Final Word

Will 2019 bode any better with regard to improved security and data protection? Only if we really start to heed the security lessons of 2018 and years past.

And, if you want to hear my (and BeyondTrust colleague, Brian Chappell’s) thoughts on some of the key emerging cyber threats and challenges that may rear their heads in the year ahead, check out BeyondTrust’s 2019 Security Predictions.


Morey J. Haber, Chief Security Officer, BeyondTrust

Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
