After 2017 proved to be the year of the data breach, cybersecurity experts experienced a sort of cognitive dissonance. 2018 couldn’t possibly suffer the same way, they reasoned. They have to recognize the threat they’re under and defend themselves. However all the while they knew unless enterprises took real steps to secure their networks and databases, 2018 could be even worse for digital security.
Yet here we are, offering our list of candidates for the Worst Breach of 2018. Make no mistake, there are plenty of candidates for the title of Worst Breach of 2018; so many possibilities, in fact, we decided to limit our nominees to the security incidents we directly covered over the year at Solutions Review. Even then, we had to limit ourselves to just the breaches we consider the most impactful on governmental policies, enterprise behavior, and hacking tactics.
If you are to take anything away from this exercise in schadenfreude, we hope it is this: don’t let your enterprise end up on a list like this next year. Invest in deploying a next-generation endpoint security solution to fortify your perimeter. Make sure you have strong EDR capabilities to find penetrative threats on your network. Keep your IT security team and employees trained on endpoint protection best practices.
Without further ado, here are our 5 nominees for “Worst Breach of 2018.”
Currently, all of the nominees for Worst Breach of 2018 continue to operate. Most work to rebuild their reputations, both online and in the analog world. Google+, Google’s long-suffering social media platform, proved far more unlucky. In early October Google revealed they suffered a breach affected 500,000 users. Sealing its face, just a few weeks ago Google announced another bug which exposed the data of over 50 million Google+ users.
Between the two breaches, Google decided to shutter the consumer-side of Google+. Originally this was scheduled for August 2019. The second breach prompted Google to accelerate those plans; it will now close in April 2019.
Adding to their woes, the initial reports of the Google+ breach also revealed details of a cover-up to hide the issue from regulators. Google’s troubles represent a year where many of the largest digital enterprises received flak for their misaligned security and privacy policies. This pattern may yet repeat in 2019.
The Octoly breach tends to get lost in the shuffle of other more prominent cybersecurity stories. After all, only about 12,000 users were exposed in this breach, making it the smallest breach on this list. However, Octoly cybersecurity negligence and faulty data protection policies place it firmly in contention for Worst Breach of 2018.
Octoly, a French brand marketing company, left an AWS bucket containing the personal identifying information of 12,000 of its social media influencers open and exposed. Upguard researcher Chris Vickery discovered the breach and alerted Octoly. However, the firm continued to leave information unsecured until almost a month later.
Few can summarize the situation as succinctly as Vickery in his blog post on the matter:
“Octoly’s incident response, from the highest corporate levels, did not properly account for the significance of the exposed data. The corporation’s deletion of one backup file, while failing to secure the S3 bucket or remove any of the large amount of other damaging data still exposed, left a large amount of personally identifiable information exposed weeks after Octoly assured the UpGuard Cyber Risk Team that the breach had been closed.”
An important lesson from this incident: the data breach is only one part of the PR nightmare. The other is how your enterprise responds to its discovery.
Of all the nominees for Worst Breach of 2018, Quora’s revealed itself as the most straightforward (for lack of a better word) of the five. The breach resulted from an access management issue. Quora publicly disclosed the breach only a few days after its discovery. Quora’s administrators automatically logged out victims and alerted law enforcement. All in all, Quora handled their data breach in a professional and admirable manner.
The only reason Quora made this list? The number of consumers affected. At 100 million, it is easily one of the largest of the year.
Oh, how endlessly we wavered on whether Facebook or the choice for Number 1 should get the top spot as Worst Breach of 2018. At first, we asked which one would end up being the most influential and notorious, but that debate went nowhere given the candidates.
In the end, we decided while Facebook definitely deserved the press they received throughout the year—we did a full-length editorial on their disastrous 2018 and its repercussions here—their data breaches were a result of their own internal policies rather than cybersecurity negligence. We believe the Worst Breach of 2018 should be because the enterprise missed the warning signs of a threat rather than because the enterprise needs privacy regulation.
Still, Facebook ends up on this list for choosing profits over the safety of their consumers’ data.
In the end, no other candidate truly deserved the Worst Breach of 2018. The Marriott Breach is the second largest in history; it affected 500 million individuals worldwide and exposed personal information as private as passports and credit card numbers.
What makes the Marriott Breach worse: how long the attackers dwelled on the network before discovery. Evidence suggests the breach began in 2014, originally affecting Starwoods Properties before Marriott acquired them in 2016.
This breach should have been identified during the merger and acquisitions assessment. Yet Marriott’s alerting technologies did not affect the newly acquired assets. The breach promises to transform how we talk about non-regulatory cybersecurity standards and potential governmental intervention in digital security for years to come.
What do you think of our choices for the Worst Breach of 2018?