Privileged attack vectors and stolen personally identifiable information (PII) obtained have been a constantly paired news item throughout 2018. In 2019, expect privileged attack vectors to continue to reign as the number one root cause of breaches for both consumer and business data theft.
Below, I have compiled my list of the top-5 most noteworthy breaches for this year (so far). My ranking may be surprising to some of the readers, and some of the incidents are not even that high profile, but the size, duration, and type of business all contribute to the ranking.
While Gartner has acknowledged that Privileged Access Management is the top security priority for 2018, many organizations are still in denial of their privileged account risks. These inadequately controlled cyber risks frequently stem from poor identity and password management hygiene. Organizations must learn to programmatically discover and manage their privileged accounts because the attack vector is not going away anytime soon.
Notable Mention: Orbitz
One breach that occurred in early 2018 is not officially ranked, but is notable because it has the distinction of being a completely Internet-based business, with no brick and mortar presence for customer interaction. It is a dot-com company and should have understood, just like Yahoo, that strong cybersecurity is critical.
In March, Orbitz announced that 880,000 payment cards were hacked in a breach that spanned almost two years, and over multiple systems. Two years! While the number of credit cards hacked is fractional compared to other incidents, it is the duration of compromise for a web-based company that gains them notable mention.
Although the forensic information published on the breach remains vague, it is known that the incident involved data submitted to a legacy and partner websites. Orbitz claims there is no direct evidence that the information was actually stolen, but this security professional wonders if penetration and vulnerability assessment tests were actually being performed on these websites, and the results scheduled for remediation in a timely manner. I suspect not.
Orbitz, said "We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform". They also reported, "As part of our investigation and remediation work, we brought in a leading third-party forensic investigation firm and other cybersecurity experts, began working with law enforcement and took swift action to eliminate and prevent unauthorized access to the platform."
Orbitz’s words on this subject warrant some scrutiny. The monitoring and security initially in place were insufficient, and “unauthorized access” implies yet another identity and privileged access attack vector. For a 100% web-based company, the front door is the web and shipping, and loading doors are partner connectivity. All of this must be secured just as in a physical building – something Orbitz did not adequately do to protect against unauthorized access. That little padlock in your browser indicating a secure connection for your transaction just did not matter for their incident since it was the other doors (websites) that got them in trouble.
Now, let’s take a look at the breaches that made the top-five list for 2018:
Adidas announced in June that an "unauthorized party" gained access to customer data on Adidas' US website. While no details have thus far been publicly released regarding the attack and breach methodology, the company says that they believe only customers who purchased items from the US-hosted version of Adidas.com may have been affected by the incident.
While it is unknown if the attack vector involved a configuration flaw, vulnerability and exploit combination, or privileged attack, the threat actors did obtain contact information, usernames, and encrypted passwords. It is also unknown whether or not it was possible to decrypt the heisted passwords since the rest of the breach details do not fall under regional jurisdiction laws like GPDR, and were not publicly released.
So, as far as 2018 breaches goes, this lands squarely at the bottom of the top-5 list, but represents data that can be used for future phishing and privileged attacks. Leaked personally identifiable information (PII) forms the basis for future privileged attacks.
#4 Saks Fifth Avenue and Lord & Taylor
On April 1, 2018 (and not an April Fools joke), Lord & Taylor and Saks Fifth Avenue announced that their stores were the subject of a massive credit card data breach. This security incident is believed to have compromised 5 million customers’ credit card information.
While the size is significant, what is perhaps even more shocking is the extended duration in which the security compromise was ongoing. Clients who used a credit or debit card at any of the stores’ retail locations between May 2017 and April 2018 were most likely affected. However, the breach was not identified or disclosed for almost a year!
Similar to Adidas, few details were publicly released regarding the attack vector. However, The New York Times reported that the attack was likely initiated by an email phishing scam sent to Hudson’s Bay (Canadian-based owner of Saks and Lord & Taylor) employees. The threat actors reportedly targeted accounts with malicious software via a link, file, or other attack vector to infiltrate the environment.
It is important to note, the vast majority of malware can be stopped with simply the removal of administrative rights from an end user’s workstation. That is basic privilege management. Hopefully, we all can learn from this example to identify phishing attacks and remove end user administrative rights. And, implement threat analytics to identifiable these types of incidents sooner!
#3 Under Armour
Scarcely a month after the Saks Fifth Avenue and Lord & Taylor breach, Under Armour learned that someone had gained unauthorized access to MyFitnessPal, a platform that hosts IoT device data for tracking a users’ diet, exercise, and health. Upwards of 150 million MyFitnessPal users are believed to have had their information compromised.
CNBC reported at the time of disclosure that threat actors claimed responsibility for breaching individuals’ usernames, email addresses, and hashed passwords. While the incident did not expose users’ credit card information (unlike Saks and Lord & Taylor) due to architectural designs in data, process segmentation, and payment storage, it lay bare the cyber risks inherent of storing IoT data in the cloud.
Based on reports from Forbes and CNBC, the incident arose due to “unauthorized access” to user data. That alone reflects inadequate privileged access management and underscores this attack as another reason mature identity and privilege management capabilities and processes are critical for organizations to embrace.
Fast forward a few months to August and land on our second worst breach of 2018. T-Mobile announced that threat actors stole the personal data of approximately 2 million of its customers (3% of its clients). The leaked data was typical: usernames, billing zip codes, phone numbers, email addresses, and account numbers, as well as information on whether customers prepaid or postpaid their accounts.
T-Mobile’s cybersecurity team reportedly “discovered and shut down an unauthorized capture of some information” after the breach. Those words are key. Was it a man in the middle attack (MITM), was data stolen from a database or log files, or did someone have inappropriate privileged access? The public may never know the full details, but the word “unauthorized” implies the threat actor did not have authorization to collect the privileged data in the first place. This brings us full circle back to yet another privileged attack based on poor identity and privilege management hygiene.
And, making things a little more grey, T-Mobile indicated that no passwords were compromised, but recommended, “it’s always a good idea to regularly change account passwords.” That statement should make customers wary, since, in 2015, Experian, which processes credit applications for T-Mobile, was itself breached. That incident impacted 15 million customers! Compromised customer data in 2015 included social security numbers, drivers’ licenses, and passports for T-Mobile customers. In retrospect, it appears T-Mobile did not learn its lesson three years ago.
In 2016, Marriott acquired the Starwood hotel chain, including leading brands like St. Regis, Westin, Sheraton, and W Hotels. Two years before the acquisition, an incident began that was only identified last week. So, for four years, “unauthorized access” occurred within the Starwood reservation system that ultimately involved the leaking of names, phone numbers, email addresses, passport numbers, birthdates, and reservation information (arrival, departure, and points) for an estimated 500 million customers. Additionally, a subset of those customers numbering in the millions may have also had their credit card numbers and expiration dates disclosed. The size, severity, duration, and breach lasting over a major acquisition puts the Starwood breach atop all others in 2018.
In an official statement from the company, “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.” And, “Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.”
As the statement reveals, the threat actors had “unauthorized access” which implies inappropriate identity and privileged access to key systems that, strictly by the nature of the data, should have been segmented. For example, in line with PCI DSS standards, credit card access should never allow reassembly, even if encrypted, to allow association with the data owner.
The threat actor must have gained lateral access across zones and systems in order to perform the many types of operations needed to exfiltrate the data. Outside of poor incident monitoring technology, log monitoring, privilege management, and network and data segmentation, Starwood failed in an epic fashion to identify and contain the incident.
Considering the recency of the Starwood breach announcement, I expect there to be more revelations regarding the incident over the coming months.
Since the breach falls under the European GDPR regulations for some of its 1,200 properties, Starwood may incur significant financial penalties of up to four percent of its global annual revenue if found to be liable for breach rules. That is significant for any business and should be a strong message for every executive, employee, stock holder, and board member.
Will 2019 bode any better with regard to improved security and data protection? Only if we really start to heed the security lessons of 2018 and years past.
And, if you want to hear my (and BeyondTrust colleague, Brian Chappell’s) thoughts on some of the key emerging cyber threats and challenges that may rear their heads in the year ahead, check out BeyondTrust’s 2019 Security Predictions.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.