2019 Data Breach Predictions and Findings
Prediction: Large-scale social media attacks leading to massive personal data losses.
Findings: We saw a number of social media sites leaking data. A lot of that was personal in nature, things like usernames and passwords. And Facebook didn’t let us down with this prediction. In 2019, 267 million Facebook users had their identifying information, including phone numbers, exposed. In a separate breach earlier in the year, 540 million Facebook accounts were exposed, and the month prior to that one, 600 million Facebook accounts were exposed.
It’s important to note that the number of victims in each reported breach is not cumulative; these are each individual incidents, bringing the total between these three breaches to upwards of 1.4 billion victims.
Prediction: Biometric data will be compromised
Findings: Fingerprints, eye scans, and facial recognition are some examples of the biometric data that organizations may collect from customers and employees. One organization lost a number of facial photos used for authentication, as well as fingerprints from 5,700 organizations in 83 different countries. Overall, they lost the data of more than 1 million people.
If you lose a username or password, you can simply go and change that. However, if you lose your employees’ fingerprints, they get a little grumpy if you tell them they need to blowtorch their fingerprints off.
Prediction: Cloud provider will be seriously breached
Findings: All of the emphasis on Amazon’s Simple Storage Service (S3) buckets drew attention from attackers as well. If you remember, some S3 buckets’ access settings were defaulted to “public.” Many are still dealing with the blowback from Amazon’s misconfiguration today. We still see large breaches that started with public access on the S3 buckets.
Capital One Bank also suffered a massive cloud-related breach that included account data from over 100 million customers. A former employee of Amazon Web Services was aware of the methodology needed to steal account data without triggering safety protocols within the organization. This could be considered an insider attack, although the employee was no longer with Amazon. Capital One made the mandated notifications and then remediated the issue.
There are merchants and individuals that may feel storing data in the cloud removes the need to worry about it, but you still need to be on top of security. There will always be flaws and vulnerabilities with any service. It’s important to know which party is responsible for which data security activities.
Prediction: Foreign nation-states will increase recruitment of corporate insiders to steal industry secrets.
Findings: While our government contacts can neither confirm nor deny the increase of such attacks, they did imply that state-sponsored hacking activities are still going on, and they typically only become public when they need to make a high-profile arrest.
Prediction: Passwords may not be the security you’re looking for.
Findings: Passwords continue to have issues. With the release of massive databases containing billions of passwords, these issues are complicated even further. In our forensic research here at SecurityMetrics, our ability to test and crack passwords in the last year has skyrocketed. We maintain our own databases with billions of passwords. Global password-cracking technology is accelerating and spreading at a rate that significantly diminishes the security passwords provide. Some technologies are to the point where they can crack any password up to a full 20 characters in a matter of a day or two.
Computing that currently takes days will eventually turn into hours, then seconds, milliseconds, and nanoseconds. When you combine that fact with a huge public cache of passwords stored in a text file, cracking passwords becomes easy work.
One of the issues that has sprung out of this is a scam where hackers send emails saying “We have your password, and we caught you doing something bad. So send us this amount of money to avoid us releasing your compromising data.” The hackers then show you they have your legitimate password (obtained from a password cache). If you do see this scam come through your email, make sure to change your password immediately.
More attacks targeted against cloud-based products, services, and platforms
Spike in registration of look-alike domain names for evil purposes
We will see many bad actors using look-alike domain names to target customers of legitimate businesses. To avoid these attacks, merchants should register domain names that are similar to their own.
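One way a merchant can act on this advice is to enumerate the look-alikes of its own domain and compare them against what it already owns. The sketch below is an added example, not part of the original article; it goes beyond the text by naming specific look-alike techniques, and the homoglyph table, TLD list, and `example.com` inputs are constructed assumptions.

```python
import re

# Visually confusable substitutions (constructed, deliberately small table).
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
              "m": ["rn"], "w": ["vv"], "s": ["5"]}
ALT_TLDS = ["com", "net", "org", "co"]  # assumption: TLDs worth covering

# A DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def lookalikes(domain):
    """Map each look-alike of a domain such as 'example.com' to its technique."""
    domain = domain.lower()
    name, _, tld = domain.partition(".")
    found = {}

    def add(label, technique, new_tld=tld):
        cand = f"{label}.{new_tld}"
        if cand != domain and LABEL_RE.match(label):
            found.setdefault(cand, technique)

    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")        # dropped key
        add(name[:i] + ch + name[i:], "repetition")     # doubled key
        if i + 1 < len(name):                           # swapped neighbours
            add(name[:i] + name[i + 1] + ch + name[i + 2:], "transposition")
        for sub in HOMOGLYPHS.get(ch, []):              # similar-looking glyph
            add(name[:i] + sub + name[i + 1:], "homoglyph")
    for i in range(1, len(name)):
        add(name[:i] + "-" + name[i:], "hyphenation")
    for alt in ALT_TLDS:
        add(name, "tld-swap", alt)
    return found


def registration_gaps(domain, already_owned):
    """Look-alike candidates the merchant has not registered yet, sorted."""
    owned = {d.lower() for d in already_owned}
    return sorted(d for d in lookalikes(domain) if d not in owned)


if __name__ == "__main__":
    # Constructed portfolio: the merchant already holds the .net and .org names.
    for cand in registration_gaps("example.com", ["example.net", "example.org"]):
        print(cand, lookalikes("example.com")[cand])
```

The resulting list doubles as a watch list: names that are too numerous to register can still be monitored for new registrations.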
Artificial Intelligence vs. Artificial Intelligence
We predict an increase in attackers embedding malware in AI while it’s still in its learning phase so it will recognize the malware as an allowable element in its environment. This will be done in the hopes that the AI program will continue to allow malware into the environment in the future.
David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.