Pierluigi Paganini
December 01, 2022
Data breaches can be devastating for organizations and even entire countries. Eliminating the risk of a data breach is nearly impossible, but some things can be done to reduce it significantly.
Here are three of the worst data breaches that could have been avoided:
Yahoo
In 2013, Yahoo suffered one of the worst data breaches in history, exposing over 3 billion user accounts. The breach was unveiled three years later, during the process where Verizon was acquiring Yahoo.
Yahoo initially reported that 1 billion users had been affected, but the number turned out to be much higher. The attack and lack of transparency from Yahoo reduced the price Verizon had to pay for the acquisition. While no plaintext passwords or financial data was stolen, the hack did expose answers to security questions. This allowed hackers to breach many user accounts.
Experts believe Yahoo was using outdated, easy-to-crack encryption, which led to the attack. The attack is a good reminder of how critical strong encryption is in protecting your website users. This attack could’ve easily been avoided if Yahoo had invested more in the security infrastructure.
SolarWinds attack on U.S. government agencies
In February 2021, several U.S. government agencies and large organizations were hit by cyberattacks due to a vulnerability in their IT infrastructure provider – SolarWinds.
Many government agencies and Fortune 500 companies use SolarWinds, which contributed to the severity of the attack. Because of SolarWinds’ deep integration with other software solutions, organizations were forced to continue working with it despite knowing that a breach had occurred.
SolarWinds employees claim that the attack resulted from a weak password that an intern had used – “solarwinds123”. The attack affected thousands of SolarWinds’ clients, causing billions in damages.
All of that could’ve been avoided had SolarWinds implemented a strong password policy. Weak passwords are the easiest way hackers can hack into a system. Organizations must have a robust password policy. One way to help enforce such a policy is by providing employees with a password manager for easy password generation and storage.
Target
Near the holiday season of 2013, hackers exposed the credit and debit card information of over 110 million Target customers. Because it was impossible to recover the data, Target had to pay tens of millions in damages to affected customers. The attack happened around Black Friday, which was particularly bad for business due to the bad publicity.
The hackers used social engineering techniques, sending phishing emails to several of Target’s vendors, and successfully breached Target’s network. They then installed malware, which helped them obtain customers’ credit/debit card information.
Organizations are now very interconnected and depend on the services of vendors, suppliers, and other entities. Focusing on your own cybersecurity practices isn’t enough. You must also worry about that of your third parties. Before engaging in business with a third party, ensure that they meet your cybersecurity standards. You can do so by sending questionnaires or through security ratings.
Final thoughts
Organizations are constantly under threat of data breaches. Attackers are relentless and regularly discover new ways to harm. While eliminating the risk completely is impossible, there are a few things organizations can do to improve their cybersecurity posture. Here are some of them:
About the Author: Anas Baig
With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company – Securiti.ai. He holds a degree of Computer Science from Iqra University and specializes in Information Security & Data Privacy.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, data breaches)
[adrotate banner=”5″]
[adrotate banner=”13″]
