
Six data breaches – and how to stay protected

News about data leaks reaches us almost daily – with occasionally drastic consequences. The estimated number of unreported cases is large. The reason: companies fear a massive loss of trust and image if data leaks are made public.

28 Sep. 2017 Source: t3n Stefan Rojacher
(Graphic: Kaspersky)

Wikipedia lists more than 235 data breaches worldwide since 2004. These breaches have consequences not only for the affected organizations, but also for their customers and members. Some cases trigger an immediate alarm, while others have tangible consequences only in the medium term, in part because many hacks only come to light years later – take, for instance, the e-mail scandal surrounding Hillary Clinton.

In the following, t3n reveals six momentous events from the recent spate of data leaks, including cases that have affected German users.

Ashley Madison – a fatal affair

Millions of individuals were exposed as a result of a hack attack on the Canadian dating portal Ashley Madison in the summer of 2015. The hackers had an axe to grind, believing that the flirtation platform operated by Avid Life Media had intentionally motivated married couples to be unfaithful. The data of more than 30 million users was stolen.

These records included sensitive information like the names, addresses, telephone numbers and sexual proclivities of customers. With drastic consequences: The victims were publicly and massively pilloried. As a result, police authorities were forced to investigate violent crimes, suicides or attempted suicides and attempts to extort Ashley Madison users, including from outside parties exploiting the data leak.

Comdirect – direct access (to other people’s accounts)

Our data is in jeopardy not only due to hackers. An IT problem in July 2016 caused a huge data protection problem for the Comdirect online banking service, with Süddeutsche Zeitung calling it “the biggest mishap ever in German online banking”.

The big problem in this case: For hours, banking secrecy was practically lifted at Comdirect, because customers who logged in ended up for a short period of time in other people’s accounts. They were able to view data like the other person’s account balance or stock positions. To illustrate: An editor of Handelsblatt newspaper reconstructed the error and obtained access to an account with a balance of more than 50,000 euros.

Dropbox – secret downloads

The most unusual aspect of the data loss in the Dropbox cloud storage service was the long delay in making it public. It was not until August 2016 that the company revealed that 68 million passwords had been lost back in 2012. Although these were stored as hash values, about half of them were hashed only with SHA-1, a fast, unsalted method which in 2016 could no longer be regarded as secure for password storage. Many customers also did not receive any warnings from Dropbox.
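To make the Dropbox point concrete, here is an added illustration (written for this article, not Dropbox's or any vendor's code) of why an unsalted, single-pass SHA-1 digest is a poor way to store passwords and what a salted, iterated scheme changes. The two user records and the iteration count are constructed assumptions for the example. With plain SHA-1, two users who chose the same password end up with the same stored value, so one leaked table exposes every account sharing it at once; with a random per-user salt and PBKDF2 the stored values differ and each one costs far more work to check.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to share a password (assumption).
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}


def legacy_sha1_hash(password: str) -> str:
    """The weak legacy scheme: one fast SHA-1 digest, no per-user salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def same_hash_for_same_password(users: dict) -> bool:
    """True if at least two users share a stored value under the legacy scheme."""
    stored = {legacy_sha1_hash(pw) for pw in users.values()}
    return len(stored) < len(users)


# Iteration count is an assumption for the example; tune to your hardware.
PBKDF2_ITERATIONS = 200_000


def make_password_record(password: str) -> str:
    """Salted, iterated storage: a fresh random salt per record, encoded
    alongside the algorithm and iteration count so it can be verified later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    computed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("legacy SHA-1 collides across users:", same_hash_for_same_password(USERS))
    rec_a = make_password_record(USERS["alice"])
    rec_b = make_password_record(USERS["bob"])
    print("salted records differ:", rec_a != rec_b)
    print("verify correct:", verify_password(rec_a, USERS["alice"]))
    print("verify wrong:", verify_password(rec_a, "not the password"))
```

The record format (algorithm, iteration count, salt, digest in one string) is what lets a service raise the iteration count or swap algorithms later and re-hash each user transparently at their next login, which is how a provider in Dropbox's position migrates away from a legacy scheme without forcing resets.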

Deutsche Post – "virtually" free addresses for cybercriminals

The service is certainly practical: Via a portal operated by Deutsche Post (umziehen.de), users who are moving can enter their new address. The service then automatically informs various service providers, such as banks or insurance companies, about the updated address. However, practical solutions – as is often the case in the cyber world – can also entail security problems.

Due to a simple error, the address data of about 200,000 customers were retrievable on the Internet this year. Other companies worldwide were affected, including Online Pharmacy Australia with 600,000 customer addresses, including their order history.

Changing credit cards in response to hack attacks

It was intended as a purely precautionary measure, but German bank customers were extremely unnerved. What had happened? Due to a data leak at a service provider, some banks were forced to exchange their customers’ credit cards at the beginning of 2016. Why? Because there were indications that criminals may have gotten unauthorized access to credit card data. Commerzbank in particular was affected.

Even though the 15,000 cards involved represented only a fraction of those issued by Commerzbank to its nearly 12 million private customers, one thing was clear: Credit card data is one of the most sensitive kinds of information. Online banking and shopping should therefore always be done only in highly secure environments, taking advantage of all the security precautions offered by the service provider.

The record "billions" hack at Yahoo

The number of users affected makes the Yahoo case one of the biggest attacks ever – a record, however, which could be toppled at any time. In the summer of 2016, Yahoo was forced to admit that half a billion user accounts had been stolen in 2014. Twelve months later, the company confessed to an even larger number: In 2013 and 2014, the data of 1.5 billion customers had been stolen, including their names, telephone numbers and security questions and answers.

This time, it wasn't just Yahoo customers who suffered. Yahoo was in the final stage of acquisition negotiations with Verizon. As the group had apparently not kept its user data secure and was stonewalling during the investigation, Verizon was able to push the purchase price substantially downward at the end of takeover negotiations.

What users can do

Users should always consider to whom they are entrusting their personal data. Here, less is clearly more. They should also make use of the security measures offered by providers for online accounts – for example, two-factor authentication.

A hidden trap to keep in mind: If a customer shares sensitive data like account information via the Internet in security-critical environments such as a public Wi-Fi, he or she needs to ensure additional protection. This can be done via a VPN or specific tools commercially available for this purpose.

In addition, users should establish a simple password management system. It is important that passwords be long and contain special characters, as well as – above all – be unique. Users can organize this themselves using a few simple tricks or by resorting to password management software.
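The three criteria above (long, containing special characters, and above all unique per service) can be checked mechanically. The following is an added example written for this article, not a tool from t3n or any password manager; the vault contents are constructed sample entries and the 12-character minimum is an assumption. It flags each entry that is too short or lacks a special character, and reports any password that appears on more than one site, which is the reuse pattern that turns one provider's breach into account takeovers elsewhere.

```python
import string
from collections import defaultdict

MIN_LENGTH = 12                     # assumed policy minimum for the example
SPECIALS = set(string.punctuation)  # what counts as a "special character"

# Constructed sample vault (site -> password); not real credentials.
VAULT = {
    "mail.example": "Tr0ub4dor&3",
    "bank.example": "correct-horse-battery-staple",
    "shop.example": "Tr0ub4dor&3",
    "forum.example": "sunshine2017",
}


def check_vault(vault: dict) -> list:
    """Return sorted (site, problem) pairs for every policy violation."""
    findings = []
    sites_by_password = defaultdict(list)

    for site, password in vault.items():
        if len(password) < MIN_LENGTH:
            findings.append((site, "too short"))
        if not any(ch in SPECIALS for ch in password):
            findings.append((site, "no special character"))
        sites_by_password[password].append(site)

    # Uniqueness: the same password on two sites means a leak at one
    # site can be replayed against the other.
    for sites in sites_by_password.values():
        if len(sites) > 1:
            for site in sites:
                others = ", ".join(s for s in sites if s != site)
                findings.append((site, "reused on " + others))

    return sorted(findings)


if __name__ == "__main__":
    for site, problem in check_vault(VAULT):
        print(f"{site}: {problem}")
```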
