DataVisor Threat Blog:
Deconstructing Recent Data Breaches
Massive data breaches are becoming increasingly common. In many cases, a data breach impacts hundreds of millions of consumers.
These data breaches are taking new shape and form in the new digital era. Deconstructing recent breaches provides much insight into how these attacks are evolving and how fraudsters are leveraging vulnerabilities within an organization to gain access and entry.
When we looked into these three data breaches outlined below, it’s interesting to note that the fraudsters have uncovered a variety of different attack vectors – some traditional and some not.
In its most traditional form, the breaches at Equifax and Marriott were made at a system level. These are typically protected by firewalls and anti-virus software. However, attackers can easily gain access in spite of these defenses through phishing attacks, system misconfigurations, watering holes, etc. But the more interesting attacks that we are seeing are emerging at the application level, like in the case of Facebook.
This blog post highlights several recent data breaches explaining how each breach happened and the number of consumers impacted.
On September 7, 2017, Equifax announced that hackers had gained unauthorized access to certain files on its system. The hackers gained access through a U.S. website application vulnerability, specifically Apache Struts CVE-2017-5638. Apache Struts is an open source MVC framework for building Java web applications. Many companies including Equifax had been alerted about the Apache Struts vulnerability in March 2017. The unpatched vulnerability is what allowed hackers to gain unauthorized access to the Equifax website app from mid-May through July 2017. Had the company patched the vulnerability immediately after receiving the alert thScreenshot of Information is Beautiful Data Breaches Visualizatione breach would not have occurred.
A total of 145.5 million consumers in the U.S. were potentially impacted by the Equifax data breach. The hackers accessed a wide range of personal consumer information including social security numbers, birth dates, and addresses. In some cases, the hackers accessed partial driver license numbers and credit card numbers.
On September 28, 2018, Facebook announced that its engineering team discovered a security issue involving the “View As” feature (now disabled) and multiple issues in Facebook’s code. Hackers exploited a vulnerability which was the result of three disparate bugs. These bugs involved the “View As” privacy feature, a new version of Facebook’s video uploader, and an incorrectly generated access token. The vulnerability exposed the user account access token in HTML when a specific component of the “View As” feature was rendered. Hackers used this vulnerability to steal Facebook access tokens and take over user accounts.
Facebook reset the access tokens for a total of 90 million people. The company said that 50 million accounts were impacted by the security breach and 40 million accounts were reset as a precaution. On October 12, 2018, Facebook said that approximately 30 million people had their tokens stolen because of the security breach. Facebook also said that some personal information was obtained by the hackers including name and contact details. For approximately 14 million people, the hackers accessed a variety of personal information such as birth date, username, hometown, and current city.
On November 30, 2018, Marriott announced a data security incident where hackers copied and encrypted information stored on the Starwood guest reservation database. Marriott acquired Starwood Hotels and Resorts Worldwide in 2016. Marriott said unauthorized access to the Starwood network began in 2014. Marriott is still investigating the security incident and decrypting the duplicated information found on the Starwood system. The company has not disclosed the types of fraud prevention solutions implemented on all its systems including those of its subsidiaries. However, an unsupervised learning-based fraud prevention solution would have detected the unusual activity on the Starwood network quickly.
Marriott estimates that the duplicate information in the Starwood database contains information for approximately 500 million Starwood property guests. The company stated that for approximately 327 million guests the duplicated information includes (but not limited to) passport numbers, email addresses, phone numbers, and dates of birth. In some cases, encrypted (AES-128) payment card numbers and card expiration dates were taken.
Google+ – A recent target
A buggy API at Google+ exposed the personal information for over 50 million users. Even when there is no third party compromising the system, API loopholes like these provide an interface for developers/scripts access to sensitive information that can be exploited by fraudsters.
Preparing for protection at an application level – Thinking beyond the firewall
The digital era offers organizations an opportunity to directly interact with consumers using different channels like mobile phones and tablets. All these channels use APIs or tokens, to make it easier to authenticate consumers and prove them access to their information. This creates a whole new gambit of vulnerabilities when APIs get outdated or access tokens are not validated properly..
It’s not just about protecting user data from data breaches. Companies must also prevent fraudsters from using stolen information for other malicious activities. Compromised accounts are sold or exchanged for a variety of downstream attacks impacting retailers, financial services, ecommerce platforms, and other consumer-facing services. This makes it necessary for organizations to not only implement system-level protection but also create a protective layer at the application level.