Web Wednesdays: Website Security Disasters

So, you’ve just launched a brand new website to help grow your business which you’ve meticulously planned and prepared to ensure it triumphs. But in spite of that, have you accidentally omitted one significant element? Website security is increasingly a vital responsibility, particularly when GDPR is considered. Unauthorised attacks can harm your reputation and discourage new and existing customers from using your services. Favourably for businesses it’s possible to conveniently invest in appropriate protection and security precautions to decrease the number of probable attacks. This involves generating strong passwords, investing in secure website hosting and storing data in safe and protected locations.

In today’s Web Wednesdays we present a list of significant online data breaches which catastrophically affected millions of people worldwide.

Recent Website Security Disasters

There have been numerous instances of website security disasters which have led to personal data being stolen because of improper security systems. We have provided some of the most notable disasters which have occurred in recent years below. You can also conveniently view a list in Wikipedia of disastrous data breaches.

1. Yahoo in 2013 / 14 (3 billion accounts)
2. First American Corporation in 2019 (885 million customers)
3. Marriott from 2014 to 2018 (500 million customers)
4. eBay in 2014 (145 million accounts)

1) Yahoo

• Method: Hacked
• Impact: 3 billion accounts
• Year: 2013 / 14
• Further Info: https://en.wikipedia.org/wiki/Yahoo!_data_breaches

Acknowledging that Yahoo is a major online company with billions of users, you would expect them to formulate a security system which is reasonably invincible. However, between 2013 and 2014, Yahoo was the victim of 2 separate data breaches, in fact, the most significant data breaches in history. It comprised the names, email address, dates of birth and phone numbers of billions of users. This transpired in 2014, but it wasn’t until after this happened had they then exposed a separate attack which occurred in 2013 by a separate group of hackers. This attack also endangered the security questions and answers for many users, including the names, email address, dates of birth and phone numbers as well. In 2017, Yahoo later reported (after previously downplaying the total amount) that 3 billion user accounts had been compromised.

Yahoo stated that the breach was identified while reviewing data provided by law enforcement. They recognised an issue which allowed hackers to manufacture fake cookies which could enter user accounts. The attacks were reported to be state-sponsored attacks by Russia, and Yahoo later admitted they are still clueless about how the intrusion occurred which led to the theft of data. Following the attacks, Yahoo released enhanced security features to ensure this wouldn’t occur again.

2) First American Corporation

• Method: Poor Security
• Impact: 885 million customers
• Year: 2019
• Further Info: https://krebsonsecurity.com/2019/08/sec-investigating-data-leak-at-first-american-financial-corp/

This data breach at First American Corporation leaked more than 885 million personal and financial records involving mortgage deals over the past 16 years. The data breach included bank account numbers, statements, tax records, social security numbers and much more. First American Corporation issued statements downplaying the severity of the breach, which was found to be the result of improper security measures and design defects in their website.

Regardless of what security flaw caused this failure, it’s essential to keep your website protected by regularly updating the software, such as WordPress, and formulating strong passwords while investing in an SSL certificate.

3) Marriott

• Method: Hacked
• Impact: 500 million customers
• Year: 2014 to 2018
• Further Info: https://www.bbc.co.uk/news/technology-46401890

Marriott announced that its guest reservation database had been compromised by an unauthorised party between 2014 to 2018. It’s understood that the names, addresses, phone numbers and additional personal details of millions of customers had been compromised as a result of the attack. They revealed that they were initially alerted of the attack by a helpful security tool, which after an investigation determined that the database had been comprised. It was also revealed that the hackers had unauthorised access since 2014, making this a shocking illustration of why it’s so vital to keep your website and database secure.

It’s considered the main reason why this attack occurred was a failure to undertake adequate measures to ensure their IT systems were suitably protected. As per GDPR, which all businesses should be aware of, it’s essential businesses take appropriate measures to comply with this regulation, Marriott is expected to receive a £99 million GDPR penalty.

4) eBay

• Method: Hacked
• Impact: 145 million accounts
• Year: 2014
• Further Info: https://www.washingtonpost.com/news/the-switch/wp/2014/05/21/ebay-asks-145-million-users-to-change-passwords-after-data-breach/?noredirect=on

In 2014, eBay announced that a cyberattack had transpired in 2014 which endangered the names, addresses and encrypted passwords of 145 million users. The incident allegedly occurred after hackers used the login credentials of three Facebook employees, giving the attackers access to eBay’s corporate network. Frightfully, they had access for approximately 8 months where they were able to reach their user database. Following the attack, they asked users to renew their passwords, although afterwards Facebook was later criticised for the handling of the situation due to the communication. They proceeded to work closely with law enforcement and leading security specialists to actively review and enhance their security.

Concluding from this event, it’s essential to ensure your login credentials are strong and stored in secure locations. It’s also necessary to produce unique passwords for each account to prevent attackers from obtaining access to multiple systems using a single password.

Conclusion

While these events may have affected millions of people worldwide and your local business might not be on the same scale, it’s ultimately crucial for any business to take significant measures to hinder any possibility of attackers obtaining access to your website and personal data. This is especially relevant to GDPR, which demands personal data is processed securely. You can read more further about GDPR and how it affects your business in a past article.

In the upcoming weeks we will be considering additional website security topics and how it’s essential for your business. We trust you enjoyed our article, if you have any queries or opinions please feel free to get in touch with Success Local.