We recently posted our first “breaches of the week” story, noting that we’d publish these occasionally as a reminder that data breaches, cyberattacks, and data protection issues are not simply isolated incidents, but an ongoing threat that should be continuously monitored. So, it should come as no surprise that in the weeks since the inaugural post, there have been several high-profile incidents making the news.
4 Recently Reported Data Breaches
It was announced today, November 30, that Marriott’s guest reservation system was hacked and that the personal information of 500 million guests may have been exposed. According to the hotel giant, the compromise specifically affects the Starwood guest reservation database, which covers the Sheraton, St. Regis, W, and Westin hotels.
According to Marriott: “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” The company goes on to say that the payment card information stored in the affected system was encrypted, but that it does not yet know whether the information needed to decrypt it was stolen as well.
What is most unsettling is that Marriott made this discovery in September 2018, but then learned during the investigation that the unauthorized access to the Starwood database had started in 2014, meaning the intruders had been in the system for roughly four years before they were detected.
Affected guests should receive notification from Marriott over the coming weeks. By the number of people affected, this is now one of the largest corporate data breaches to date.
Government: U.S. Postal Service
On November 26, it was revealed that a security flaw in the USPS app Informed Visibility, which allows customers to see their mail before it arrives, exposed the data of more than 60 million users. The vulnerability left users’ account details, including usernames, IDs, and email and home addresses, available to anyone who knew how to inspect the data a regular web browser sends and receives. Though it has been confirmed that user passwords were not accessible, attackers could use the other readily available information to send mass or targeted phishing emails and extract even more sensitive information from victims.
While the USPS has since patched the vulnerability, what has many people outraged is that an anonymous security researcher reported it to the USPS over a year ago, but it wasn’t until cybersecurity journalist Brian Krebs exposed it publicly that the agency finally took action.
Social Media: LinkedIn
Facebook recently skirted a $1.6 billion General Data Protection Regulation (GDPR) fine for the Cambridge Analytica scandal by virtue of the breach happening prior to the European Union’s GDPR implementation. Now LinkedIn, the “social network of the working world,” has done the same. In a November 23 report, Ireland’s Data Protection Commissioner revealed that LinkedIn had violated the GDPR, a regulation that also applies to many US-based companies operating internationally.
According to the report, LinkedIn used the email addresses of 18 million non-subscribers to place targeted ads on Facebook in a bid to acquire new users (the report does not explain how LinkedIn acquired the addresses). Just as in the Facebook case, however, the social media giant was engaging in the practice prior to the GDPR implementation, so fines could not be imposed. LinkedIn was nonetheless required to delete, prior to GDPR implementation, all personal data associated with the incident, and the company’s head of privacy issued a formal apology.
On November 28, Dell revealed that, in an effort to protect its customers’ personal data, it had no choice but to reset all customer account passwords. This announcement came after Dell learned that there was “unauthorized activity on its network” on November 9, when hackers attempted to gain access to names, email addresses, and passwords from the Dell.com electronics store.
“Upon detection of the attempted extraction, Dell immediately implemented countermeasures and initiated an investigation,” the company stated in a press release. “Dell also retained a digital forensics firm to conduct an independent investigation and has engaged law enforcement.”
While it’s unclear how many accounts were affected, this once again reveals that hackers are trying to obtain personal information from wherever they can, including computing giants like Dell. If you are a Dell.com customer and you use your old Dell.com password for other accounts, the company recommends you change those passwords immediately.
Keeping Your Business and Your Data Protected
Data breaches and cyberattacks can happen to any organization at any time. For organizations unprepared to defend themselves, a third-party provider can help evaluate current security systems and manage security concerns. DSM, Florida’s predictable cloud provider, can help keep data protected through continuous monitoring and data protection services. Contact one of our IT experts today to learn more.