The recent series of cyber incidents has been concerning. It has also shown that any organisation can fall victim to cyberattacks, regardless of its size, be it the largest vendor in the world, an Australian telco or an online food ordering company. Uber, DoorDash, MyDeals (Woolworths), Medibank, Optus, and Microsoft have all featured in the headlines over the past months.
In this article, our security experts shed light on how millions of customers were caught up in these data leaks. The crux of these cyber incidents is the collective failure of organisations to safeguard customers’ privacy. These inadvertent mistakes lead to personally identifiable information (PII) being leaked and, ultimately, to the loss of market confidence.
How safe is the data in the hands of the vendor / service supplier?
These data breaches had one thing in common: the attackers were able to gain access to the PII of the clients/customers of these companies. This brings us to the question, “How safe is the customer/client data in the hands of the vendor?” The answer is, not safe enough. This is evident as DoorDash allowed compromised third-party vendors to access its network; Optus left API endpoints unsecured; and Microsoft’s internet-facing system was misconfigured. These instances of data mismanagement led to stakeholders’ data falling into the wrong hands.
Price of a data breach lies with the customers
While these cyber incidents had identical results, they were carried out via different techniques. Specifically, DoorDash and Uber were breached via a successful phishing attempt. A phishing attack is a low-level social engineering attack, yet it is also one of the most common methods of tricking a victim via a disguised email, text message or phone call.
Optus, by contrast, initially described its incident as a ‘sophisticated attack’, as it thought the attack was carried out by a gang of advanced threat actors. The incident was later reduced to human error, where its Application Programming Interface (API) endpoint was left exposed and unprotected. Little did anyone know that one vulnerability can impact 40% of Australians.
On the other hand, Microsoft explained that the customer data was exposed accidentally due to a misconfigured Azure Blob Storage.
Another distressing development is Medibank’s cyber breach. The stolen credentials of an individual with high-level access at the firm resulted in a 200GB data leak. This remains in the spotlight as customers’ medical data, including information on diagnoses, procedures and the location of medical services, was also leaked.
Either way, the customers are paying the price.
Can customers trust you to handle their data?
Customers trust brands to handle their data with care. Especially when an organisation is sizeable and powerful, one trusts and presumes that it has abundant cyber defenses to protect its customers. Yet as businesses fail to secure the data of their valued customers, they also lose the market’s confidence and their reputation. The only way for businesses to recover from the financial damage of a cyber incident is to handle it well.
In fact, individuals whose data was exposed must remain vigilant and act to protect their own data. Exposed details are often used in subsequent attack attempts, such as phishing, identity theft and brute-force attacks.
- Phishing is a type of scam in which a communication is disguised as coming from a trusted sender in order to steal confidential information.
- Identity Theft is when someone uses another person’s personal identifying information, such as their name, ID, or credit card number, without their permission or knowledge.
- Brute-force attack is a method of hacking where an attacker will submit many passwords or passphrases with the hope of eventually guessing correctly.
What can your organisation do to improve data privacy?
Lastly, it all boils down to what these organisations could have done to prevent such breaches. Taking the Uber incident as an example, providing staff training on cybersecurity awareness and social engineering attacks would have been a great preventative measure to avoid giving unauthorised access to malicious actors.
In the case of Optus and Microsoft, the prerequisite is to harden the operating environment with multiple levels of security. This must be accompanied by a proactive attitude to scrutinize each security control and data management policy.
CTRL recommends performing regular vulnerability scans and/or penetration testing to bring unknown, exposed weaknesses to the security team’s attention before they are exploited. Book a consultation today with our security experts.
Written by CTRL’s Security Analysts