On May 20 a database hosted in Amazon's cloud was found to be openly accessible, holding data on about 49 million Instagram users, mostly the accounts of celebrities, bloggers and brands. The records included phone numbers and email addresses.
Usernames, passwords, addresses and phone numbers, shopping lists or medical diagnoses: all of it can be found on DarkNet forums. The only question is whether the experts can tell us which company lost the data and whether we ourselves are on those lists.
The target: personal data
The average user may reassure himself that nobody is personally interested in him. But hackers do not break into your computer; they break into government services and the information systems of large companies. Contrary to what people far from information security expect, their main target is not corporate or military secrets but personal data. For example, in January 2018 a break-in was discovered at the regional health authority for southern and eastern Norway (Helse Sør-Øst RHF). The attackers gained access to the personal data and medical records of nearly 3 million Norwegians, more than half of the country's population. The stolen medical data included records on government employees, intelligence officers, military personnel, politicians and other public figures.
In March 2018 a break-in at the popular fitness and food-tracking app owned by Under Armour caused a data breach affecting about 150 million users. The criminals obtained usernames, email addresses and hashed passwords.
Why is this happening? The first reason is that secrets are hard to sell, whereas personal data, cheap as each record is, sells in huge volumes and always finds a buyer. It can be used for fraud and phishing (including over the phone), and resold to spammers.
For example, in June 2018 the concert ticket service Ticketfly, owned by Eventbrite, announced a hacker attack on its database. The service's customer base was stolen by a hacker going by IsHaKdZ, who demanded $7,502 in bitcoin not to release it. The database contained the names, addresses, telephone numbers and email addresses of Ticketfly customers, and even of some of the service's staff: just over 27 million records in total. It is hard to estimate what the data on 92 million accounts (usernames and hashed passwords) that leaked in June 2018 from the Israeli genealogy service MyHeritage could fetch; the service stores users' DNA data and builds their family trees.
Data loss without cyberattacks
Data is not lost only as a result of break-ins, that is, targeted attacks. Sometimes it simply leaks. In July 2018 the personal information (names, email addresses, postal addresses and so on) of 2 million accounts of the American mobile operator T-Mobile became publicly accessible. The leak was caused by a bug in the code linking Apple's online store to the T-Mobile server responsible for verifying user accounts.
Data leaks from everywhere: it is often left in the open, in archives on network shares or in public databases, and it is transmitted between information systems without any encryption or authorization. Cybercriminals do not need to bother cracking anything: they simply scan the Internet for an open door and collect the discarded data. And there are no fewer examples of high-profile leaks than of break-ins.
In March 2018 a publicly accessible Amazon S3 (AWS) bucket was discovered containing a database backup with the personal information of 1.3 million people living in the United States and Canada. The database belonged to MBM Company Inc, a Chicago-based jewelry company, and contained names, addresses, postcodes, phone numbers, email addresses, passwords, billing information and more. In cases like this one speaks of a data "compromise": perhaps no criminal ever found the data, but nobody can be sure of that.
Perhaps the record for 2018 belongs to the marketing company Exactis of Florida (USA), which kept a publicly accessible Elasticsearch database of about 2 terabytes holding more than 340 million records. The database was found to contain personal data on about 230 million individuals (almost every adult US resident!) and about 110 million contacts at various organizations.
Corporations under attack
The fact that the mistakes are unintentional does not make them any cheaper. It is not only individuals who are under attack, but whole companies.
A misconfiguration of backup and file-synchronization software led to the leak of 157 gigabytes of confidential information belonging to car manufacturers including Toyota, Tesla, GM, Ford and VW. The data was left openly accessible by the Canadian robotics supplier Level One Robotics and Controls. The leak included assembly-line schematics, factory plans and layouts, robot configurations, access request forms, non-disclosure agreements, personal data and documents (driving licences, passports) of some of the company's employees, as well as invoices, contracts and bank details.
What to do?
There is no escaping the problem. Even if you do not shop online and do not use the Internet at all, your data can still leak. The digitalization of business means that even if you simply show your passport at a travel agency or pay by card in a shop, that data can leak from a third company to which such businesses outsource some of their work.
Studies showed that in 2019 half of 2,000 tested servers running MongoDB and Elasticsearch allowed unauthorized access, and 10% of them held personal or commercial data. Examples include the database of the travel booking service sletat.ru (passport details, tickets, card data) and the electronic ticket service "Radio" (customers' names, phone numbers and email addresses).
A user who has handed data to a service can no longer prevent it from leaking. One should be prepared for leaks instead: for example, do not trust "bank employees" who call, even if they know your passport details.
Today it is simply impossible to choose a company that handles personal data better than the others. There are no system audits and no evaluation criteria, and, most importantly, modern IT is an opaque conglomeration of independent services, any one of which may lose your data.
Businesses, of course, should take care of information security, at least to the extent of checking through automated audits whether yet another copy of the customer database is sticking out into the open. The motivation is simple: in addition to the data losses, which can badly hurt the company, the loss or discovery of exposed data will most likely become public. Social networks and the media will write about it, and the impact on the company's reputation is a delicate matter.
In our country the main hope, as always, rests on the state. Liability for personal data leaks needs to be toughened, regardless of whether hackers stole the data or the owners simply forgot to lock the database. In the EU the first step has already been taken: GDPR provides for a fine of up to €20 million, or 4% of global annual turnover, for companies that allow a leak. In Russia the situation is different: some laws seem purpose-built to make data easier to trade. And until those gaps are closed, fully protecting yourself from leaks is apparently impossible.
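As an added example (not code from the original article or from any of the companies it names), here is a small Python audit script of the kind the preceding paragraph and the MongoDB/Elasticsearch study above call for. It sends the same anonymous requests an Internet scanner would, a GET / against an Elasticsearch node and an unauthenticated listing of an S3 bucket of the kind that exposed MBM's backup, and classifies the responses. The host name and bucket name are hypothetical, and the sample responses are constructed so the classifiers can be exercised offline.

```python
"""Added example: a minimal "open door" audit for your own infrastructure.
It sends the anonymous requests a scanner would (Elasticsearch GET / and an
unauthenticated S3 bucket listing) and classifies what comes back.
Host and bucket names are hypothetical; sample responses are constructed."""
import http.client
import json
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
# Index names that usually mean customer or personal data (heuristic, extend as needed).
SENSITIVE_HINTS = ("customer", "client", "user", "account", "order", "passport", "profile")


def classify_es(status, body):
    """Classify an anonymous GET / against an Elasticsearch node.
    'open' = cluster info returned with no credentials, 'auth' = 401 challenge,
    'other' = not Elasticsearch (or something sitting in front of it)."""
    if status == 401:
        return "auth"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "other"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "other"


def parse_es_indices(body):
    """Parse /_cat/indices?format=json into [{'index': name, 'docs': count}].
    docs.count is a string in the API and null for closed indices."""
    return [{"index": r["index"], "docs": int(r.get("docs.count") or 0)}
            for r in json.loads(body)]


def flag_sensitive(indices):
    """Return names of indices whose name hints at personal or customer data."""
    return [i["index"] for i in indices
            if any(h in i["index"].lower() for h in SENSITIVE_HINTS)]


def parse_s3_listing(status, body):
    """Classify an anonymous GET on https://<bucket>.s3.amazonaws.com/.
    A 200 with a ListBucketResult means anyone can enumerate the bucket."""
    if status == 403:
        return {"state": "private", "keys": []}
    if status == 404:
        return {"state": "missing", "keys": []}
    if status == 200:
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return {"state": "unknown", "keys": []}
        if root.tag == S3_NS + "ListBucketResult":
            return {"state": "public",
                    "keys": [k.text for k in root.iter(S3_NS + "Key")]}
    return {"state": "unknown", "keys": []}


def http_get(host, port, path, tls=False, timeout=3.0):
    """Plain GET with no credentials; returns (status, body)."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Accept": "application/json"})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def audit_es(host, port=9200):
    """Probe one Elasticsearch node; if open, list indices and flag suspicious ones."""
    try:
        status, body = http_get(host, port, "/")
    except OSError as exc:  # DNS failure, refused connection, timeout
        return {"host": host, "state": "unreachable", "error": str(exc)}
    finding = {"host": host, "state": classify_es(status, body), "sensitive": []}
    if finding["state"] == "open":
        st, idx_body = http_get(host, port, "/_cat/indices?format=json")
        if st == 200:
            finding["sensitive"] = flag_sensitive(parse_es_indices(idx_body))
    return finding


def audit_bucket(bucket):
    """Anonymous listing attempt against an S3 bucket."""
    try:
        status, body = http_get(f"{bucket}.s3.amazonaws.com", 443, "/", tls=True)
    except OSError as exc:
        return {"bucket": bucket, "state": "unreachable", "error": str(exc)}
    return {"bucket": bucket, **parse_s3_listing(status, body)}


# Constructed sample responses, so the classifiers can be checked offline.
SAMPLE_ES_ROOT = json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                             "version": {"number": "7.10.2"},
                             "tagline": "You Know, for Search"})
SAMPLE_ES_INDICES = json.dumps([
    {"index": "customers_2018", "docs.count": "340000000", "store.size": "2tb"},
    {"index": ".kibana_1", "docs.count": "3", "store.size": "10kb"},
])
SAMPLE_S3_LISTING = (
    '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    "<Name>example-backups</Name><Contents><Key>db/customers.sql.gz</Key></Contents>"
    "<Contents><Key>db/orders.sql.gz</Key></Contents></ListBucketResult>"
)

if __name__ == "__main__":
    # Hypothetical targets: replace with hosts and buckets you are authorised to test.
    print(audit_es("es.internal.example"))
    print(audit_bucket("example-backups"))
```

Run it against your own address ranges and bucket names only; a finding of `open` with a sensitive index name, or `public` with database dumps among the keys, is exactly the "copy of the database sticking out" the paragraph above describes, and the response to it is to put the service behind authentication (or a private network) before someone else's scanner gets there first.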