Data Breaches Big and Small: What Can We Learn?

If you own an online business or website, you need to actively take meaures to prevent a data breach. If you are considering selling your online business, you should make sure your across the best security practicesYou’ve probably heard that those who don’t learn the lessons from history will repeat its mistakes. In the world of cyber-security, failing to heed that advice could have devastating effects on your reputation and bottom line

That’s exactly what seems to have happened in 2018, which smashed all records set in 2017, itself a jaw-dropping year for data breaches. Not only was there major chaos in terms of financial loss and damaged reputations for corporate giants, about 60% of reported breaches targeted small businesses. Those are the ones that rarely make the news.

Only 10 percent of cybercrimes are even reported, so imagine how the actual numbers add up. 

Digging into Breaches

What kind of malfeasance are we talking about? More than half of the leaks exposed customer information, and a whopping 46% or more leaked credit card and other financial records, including account numbers. 

One of the most dangerous times for small companies is during a merger. With so many larger companies buying up smaller businesses and online properties changing hands like it was a poker game, all parties involved need to take care they don’t inadvertently release privileged data in the process

What can you learn from big and small data breaches in order to prevent future grief? 

Without further ado, and in no particular order, here are a few of our “favorite” breaches of 2018 and a handful of case studies to provide context and additional insight.

1. British Airways

From August 21 – September 5, hackers were able to access credit card payments of 380,000 travelers on both the airline website and mobile app. 

2. Orbitz

The travel aggregation portal experienced a database hack that exposed the credit card information of 880,000 travelers who booked through their website between January 1, 2016 and December 22, 2017. The hack wasn’t discovered until a year later.

3. SingHealth

Singapore’s health care information system was hacked in an attempt to gain information about the Prime Minister’s health. In the process, the hackers exposed the patient histories, names, and addresses of 1.5 million other citizens.

4. T-Mobile

On August 20, 2018, the telecommunications giant was hacked via an API interface. Encrypted passwords and billing information of two million customers was exposed. 

5. Saks/Lord and Taylor

On an undisclosed date (because no one is sure when) the credit card information of five million customers was accessed. The hacking group JokerStash claimed responsibility.

6. Timehop

From December 2017 to July 2018, names, addresses, and some phone numbers of 21 million Timehop members were left vulnerable due to insufficient authentication in their cloud computing environment.

7. Ticketfly

The online ticket seller was hacked by someone calling themselves “IsHaKdZ”. Personal information of 27 million customers was exposed. 

8. Facebook

It was a banner year for the social media giant. In addition to their problems with third-party data sales and congressional hearings, the accounts of 29 million users were exposed when hackers gained access tokens to their accounts. This occurred from July 2017 to September 2018.

9. Chegg

Personal information, shipping addresses, user names, and passwords of 40 million customers were accessed by an “unauthorized person” between April 29, 2018 and September 19, 2018. The eCommerce website is an online retailer selling such brands as EasyBib.

10. Google+

Personal information of 52.5 million account holders, including employers and job titles, was exposed due to a software glitch. This happened from March 2015 to 2018, and again from November 7 to November 13, 2018. Google has since shut down this platform for good.

One of the most dangerous times for small companies is during a merger. With so many larger companies buying up smaller businesses and online properties changing hands like it was a poker game, all parties involved need to take care they don’t inadvertently release privileged data in the process.

Data Breach Case Studies

Behind each data breach or leak lies a personal story of a company that didn’t pay attention to details. Taking a deeper dive into a few of them might more seriously demonstrate the gravity of what can happen when security isn’t emphasized.

Does your business have the resources to withstand a million-dollar leak? How about $100,000? Most companies don’t. In fact, most small companies will go out of business within six months of a data breach, even without the negative publicity. Almost as bad as the difficulty you’ll likely encounter trying to sell a website with a data breach history.

Case Study: Aadhaar

Customers affected: 1.1 billion

What Happened?

Aadhaar is the national database that contains all Indian government identification cards. The database not only holds names and ID numbers but also biometric information like iris scans and fingerprints. Although registration in this database isn’t mandatory, some 1.1 billion Indian residents are enrolled. 

The system is used for everything from registering a sim card to obtaining government benefits. It was accessed via a leak from the state-owned utility company, Indane, allowing anyone with access to their website to download customer ID numbers. It was due to a vulnerable endpoint, something that is easily patched. 

This isn’t the first time the Aadhaar system has had security issues. The company has suffered numerous breaches, and the government did nothing about this latest leak for weeks, calling it fake news when the public learned of the breach. 

Key takeaway: Digging deeper into the breach, we find that the problem can actually be traced to Indane, an Indian LPG gas company with vendor access to Aardhaar but which was leaking data through unsecured website endpoints. Whether Indane specialized in incompetence or simply tried to cut website hosting costs related to development is unclear, but the bottom line lesson remains that a government database is only as secure as the vendors allowed to access it.  

Case Study: Starwood Hotels

Customers affected: 500 million records

What happened?

As we can see from numerous cases, hotels are a prime target for hackers and breaches. They hold credit card information for reservations and the dates that people will be away from their homes. This is an open invitation to various means of theft.

In the case of Starwood, parent company of the Marriott chain, the guest database experienced “unauthorized access” that was only discovered on September 10, 2018, but the leaks may have been ongoing as far back as 2014. The database contained not only guest names, addresses, and phone numbers, but credit card information, reservation dates, and passport numbers. What a treasure trove for thieves!

Key takeaway: Starwood failed to implement even basic security strategies. Though the company has been short on details, it seems hackers were basically living on their servers. One method of entry was infiltration of a POS system. For a nominal fee, the best VPNs available today would have encrypted their POS network, ensuring that any leaked customer data stayed private. Nota bene: avoid using free VPNs at all costs as they are fraught with security holes.

Additionally, in the case of Starwood, the guest database was not protected until November 2018, two months after the breach was discovered. Security suite software and a robust firewall might have prevented THIS unauthorized ingress. Since the company has hotels all over Europe, it’s also left itself open to potential fines of up to 4% of gross revenues under the new GDPR regulations

Case Study: PATCO Construction 

Customers affected: The company

What happened?

A Trojan Horse virus was slipped into the company’s system, allowing thieves to access their corporate account and drain it to the tune of just over half a million dollars in less than a week. The company was able to recoup just under $200,000 of the money, though they initially failed in a lawsuit against the bank that handles ACH transfers, which they believe didn’t use reasonable security during wire transfers. They won on appeal, but still had to pay interest on hundreds of thousands in overdraft fees.

Key takeaway: Before you conduct any business electronically, make sure that the bank and any third-parties involved in conducting transfers and other financial business use adequate security. You should also ask how they handle data breaches in the case that any occur.

How to Protect Yourself and Customers

What happened to Volunteer Voyages demonstrates that small business owners don’t have much recourse after the fact. If the banks won’t reimburse you and police have trouble catching cyber criminals, what’s left?

We’ve touched on the idea that a data breach can make it hard to sell an online business. At the very least, expect it to drive down the valuation to the point that your profit potential is downright depressing. Consider the following steps to boost site security for a reasonable expense. The money spent will likely be far less than the financial hit you’ll take in the event of a data leak or breach. 

The most important thing you can do is learn about data protection, and make sure that all of your employees and subcontractors understand the process and necessity. The second step is to perform a thorough assessment of where your network stands on cybersecurity. If you don’t have qualified personnel on-staff, outsource an audit to a reputable security consulting firm. However, the knowledge you gain is meaningless unless you use it, which is step three. 

The most relevant data security measures you can employ are:

  • Install a firewall
  • Buy security tools like an anti-virus software that are made especially for small businesses.
  • Evaluate and redesign security protocols to meet today’s threats.
  • Use a VPN with high-grade encryption and privacy protection on every network and connected device used by you, your employees, and vendors.
  • Educate staff about passwords. 

With a full 81% of breaches traced to weak or repetitive passwords, simply tending to this one area could greatly reduce your exposure to hacker mischief. Today’s acceptable passwords should be long and convoluted to evade ever-stronger cracking techniques.

Rather than try to manage passwords with faulty human brainpower, organizations should use password management software and two-factor authentication (2FA). This puts your computer to work creating and managing company passwords and forces a two-step login process that requires a second key generated to a different device (like your smartphone) in addition to the one you’re trying to log into.   

Final Thoughts

With a full 81% of breaches traced to weak or repetitive passwords, simply tending to this one area could greatly reduce your exposure to hacker mischief. Today’s acceptable passwords should be long and convoluted to evade ever-stronger cracking techniques. 

 

Don’t allow your company to become another statistic. You can avoid being the next hard-luck tech story by taking the offensive when it comes to data protection. 

Effective, enterprise-wide employee training, comprehensive security solutions, and automation are all best practices to incorporate without breaking your budget. Start today because tomorrow might be the day you get hacked.

    Dan is the founder and CEO of Next Ventures, a boutique investment firm using a mix of private equity, debt, and venture capital to help founders structure their perfect exit. Dan has more than 10 years of technical and customer-facing experience across a broad range of markets. He is a proven product management and technology leader with a history of building successful teams, platforms, products, and solutions across multiple industries, including media, marketing technology, fintech, and cybersecurity. His website is danfries.net

    Recommended for you

    Get a free valuation with Flippa
    Get a free valuation with Flippa

    Discover more from Flippa

    Subscribe to our Blog

    Get the latest blog posts, insight reports and news directly to your inbox every week.