Five Christmas-NY Data Breaches that Prove Hackers Don't Take a Holiday
With all your attention focussed on the bright, glittery Christmas tree in your living room, you’re likely unaware of the hacker making their way down your chimney. This holiday season has proven very fruitful for hackers; read on to find out.
Welcome to 2019, ladies and gentlemen. With 2018 a mere reflection in the rear-view mirror, we hope you enjoyed some much-needed respite over the Christmas-through-New Year break.
Let’s kick off the year with a look at some individuals, businesses - even politicians - that will surely be putting ‘better data protection methods’ atop their list of new year’s resolutions.
Third parties with nefarious intentions often look to exploit a time like the Christmas-New Year break, when our collective attention is on family and friends rather than on keeping our data safe. We saw some high-level data breaches in the space of just a week, so let’s jump into our list – in no particular order – of some of the high-level data breaches that transpired worldwide while you were on holidays.
We’ll kick it off with one of the largest data breaches in history that you may well have missed.
Last month we covered news that broke regarding one of the largest-scale data breaches in recent history, which hit hotel chain Marriott and its subsidiaries. It was first reported that private information of up to 500-million of its guests could have been compromised; however, that number has now been revised to 383-million.
Perhaps more significant, however, is the revelation that as many as 5.25-million passports may have been compromised.
According to reports, 20.3-million encrypted passport numbers, as well as 5.25-million unencrypted passports, were accessed by a third party. The 20-million or so passports protected by encryption are likely unaffected or, at the very least, less affected than those without encryption protection, which will have almost certainly been compromised.
Executives at Marriott have previously issued statements that the company will foot the bill for replacement passports, although the degree to which the company can be held accountable is debatable, considering Marriott has pledged to replace passports where it “determine[s] that fraud has taken place.” As Robert Hackett writes, “what this caveat conveniently excludes is that Marriott’s hack likely had little to do with fraud and everything to do with espionage. In other words, if you’re a victim, don’t expect remuneration.”
At this stage, the FBI is leading an investigation, which is said to have the Chinese Ministry of State Security as a top suspect in the hack.
You’d be forgiven for assuming that government systems and infrastructure would be some of the most sophisticated. However, as the most recent data breach stemming from an Australian government agency illuminates, seemingly no system is safe in 2019. Details of 30,000 Victorian public servants were compromised after a successful attack.
The Premier’s Department issued a statement to its employees via email, published by The ABC: “An unauthorised third party accessed and downloaded a partial copy of the Victorian government employee directory, which identified approximately 30,000 public service staff and contractors. It appears the third party accessed the list after compromising an employee’s email account.”
Further reporting on this has been limited; however, a spokesperson for the Department of Premier and Cabinet (DPC) said that they take “any breach of data security extremely seriously.”
“As is appropriate, this matter has been referred to Victoria Police, the Australian Cyber Security Centre and the Office of the Victorian Information Commissioner,” they said. “The Government will ensure any learnings from the investigation are put in place to better protect against breaches like this in the future,” they concluded.
Al Jazeera reported just a few days ago that the personal information of high-level German politicians – including its head of state, Chancellor Angela Merkel – has been published online. The German government convened an emergency meeting of its cyber-defence body, which has, according to reports, asked the US National Security Agency (NSA) for assistance with the subsequent investigations. German media has detailed that hackers posted credit card details, mobile phone numbers and other personal data of politicians of all major parties, except the far-right Alternative for Germany (AfD) party.
Justice Minister Katarina Barley has issued a statement saying “whoever is behind this wants to damage faith in our democracy and its institutions.” Government spokeswoman Martina Fietz downplayed the severity of the events, telling reporters that from their initial review, no sensitive or damaging information had been published, “and this includes [information pertaining to] the chancellor.”
According to reports, however, Chancellor Merkel’s email address, fax number and copies of letters to and from the chancellor were amongst the compromised and published data.
The Nova radio network disclosed details of a data breach that managed to capture personal details of more than a quarter of a million of its listeners, according to the Sydney Morning Herald.
Lachlan Murdoch’s Nova Entertainment collected the data of its listener demographic between 2009 and 2011, which included birth dates and other personal information; in some cases, the information accessed included usernames and passwords. In total, 261,948 listeners were impacted, according to the SMH. Nova CEO Cathy O’Connor has since issued public statements assuring Nova’s stakeholders that the data that was collected and ultimately compromised consisted of a “legacy dataset” that is no longer being used, but that was not adequately protected from third parties.
Singapore Airlines was hit by a relatively small data breach, but it remains far from ideal as the brand struggles to repair its reputation for housing personal data with sophisticated and robust security measures. The airline went public with the news just days ago, saying a “software bug” caused a data breach that hit up to 284 of its members, possibly making the travel and passport details of those members public.
“We have established that this was a one-off software bug and was not the result of an external party’s breach of our systems or members’ accounts. The period during which the incident occurred was between 2am-12:15pm, Singapore time, on 4 January 2019, at which point the issue was resolved,” a Singapore Airlines spokesperson said.
Thankfully for Singapore Airlines, the damage was limited in scope, and the company’s response to the irregularity was quick enough to avoid a disastrous PR cycle, likely the result of high-level systems in place to deal with these problems as they arise.