The 5 Most Lethal Cyber Hacks of 2018


Enterprises are increasingly assessing their IT security architecture in the wake of progressively malicious and advanced attacks through multiple outlets. The continuous development of expansive, disruptive technologies such as the Internet of Things now poses a whole new set of threats to security professionals across the globe, in both the public and private sectors.

The Cyber Security Breaches Survey run by the UK government in 2018 found that “Over four in ten businesses (43%) and two in ten charities (19%) experienced a cybersecurity breach or attack in the last 12 months”. In honour of the recent European Cyber Security Awareness Month, we take a deep dive into five of the most high-profile breaches of 2018 which shook the private sector.

Typeform

Typeform, which provides a survey-as-a-service platform that enables organisations to conduct online surveys, was breached on the 27th June. Typeform explained that the breached data came from a partial backup of data from its systems dated 3rd May. Whilst Typeform has not disclosed the full incident and has explained that a full review of its security systems has taken place, the impact has been widely felt by its affected clients, who include Travelodge, The Liberal Democratic Party, Monzo Bank and Fortnum and Mason. Moreover, this breach exemplifies the over-reliance on and trust in third-party suppliers that larger enterprises sometimes show without performing effective due diligence on the outsourced software. The biggest effect of this breach is that consumers have been placed at greater risk of phishing or other scam emails.

Ticketmaster

On the 23rd of June Ticketmaster discovered that malware on a customer support product hosted by Inbenta Technologies, an external third-party supplier, was exporting UK customers’ data to an unknown third party. As a result around 40,000 customers were affected, which equates to about five per cent of the Ticketmaster customer base. The breach had been suspected for several months and was initially flagged by startup bank Monzo in April after fraud complaints from their customers; however, Ticketmaster initially ignored these warnings. The breach was caused by Ticketmaster’s recycling of code: a script that the contractor had intended only for the chat functionality on the Ticketmaster site was applied to the payment page. It was not secure enough to be used on the payments page and therefore enabled hackers to intercept incoming data.

“The JavaScript we created specifically for Ticketmaster was used on a payments page, which is not what we built it for. Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat,” the CEO of Inbenta said in a public statement.

Reddit

Reddit recently experienced a data breach which exposed internal data, including email addresses and passwords for all Reddit users who registered for their accounts prior to May 2007. While the breach did not have an overly severe impact, between June 14th and June 18th the hackers compromised several employee accounts and its cloud and source code providers; this was then detected by Reddit on June 19th.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, the main attack was via SMS intercept,” Reddit disclosed.

This incident is an example of the false sense of security given by using SMS for two-factor authentication, which allowed the intruders to intercept the second factor. A more secure alternative for 2FA would be token-based authentication, which can be used with several other types of authentication methods to create an improved user experience, and with which the server doesn’t need to keep a record of the session. Every action is accompanied by a unique token that the server verifies one at a time.
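The stateless, per-request check described above can be sketched as follows. This is an added example, not code from Reddit or from the original article; it shows only the "server keeps no session record" property, and the function names, claim fields and key handling are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Server-side signing key, generated here only for the demo (hypothetical setup).
const SECRET = crypto.randomBytes(32);

const sign = (payload) => crypto.createHmac('sha256', SECRET).update(payload).digest();

// Issue a token that binds a user id to an expiry time (seconds since epoch).
function issueToken(userId, ttlSeconds, now = Math.floor(Date.now() / 1000)) {
  const claims = JSON.stringify({ sub: userId, exp: now + ttlSeconds });
  const payload = Buffer.from(claims).toString('base64url');
  return `${payload}.${sign(payload).toString('base64url')}`;
}

// Verify on every request: no session lookup, only the key and the clock.
function verifyToken(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [payload, sig] = parts;
  const expected = sign(payload);
  const given = Buffer.from(sig, 'base64url');
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (typeof claims.exp !== 'number' || now >= claims.exp) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, sub: claims.sub };
}
```

A token that has been altered or has outlived its expiry is rejected without the server consulting any stored session state.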

British Airways

Recently, British Airways suffered a devastating hack, lasting fifteen days from 22:58 on 21st August to 21:45 on 5th September, in which the personal and financial information of 380,000 of their passengers was critically breached, including customers’ names, home addresses and credit card data. Most surprisingly, CVV codes from customers’ cards were also stolen; the storage of these is prohibited by the PCI Security Standards Council. However, BA insists these had not been stored in their databases. It is still unknown exactly how the breach happened.

However, following recent research conducted by RiskIQ, it is now believed that malicious code was, in fact, injected into the airline’s payment page via a modified version of the Modernizr JavaScript library. It appears the hackers had targeted specific scripts and added to the core scripts without intruding on the page’s functionality or raising any red flags, making sure that they did not disturb the commercial flow. This script was specifically designed to capture personal and financial details which customers had entered through the website; this code was later replicated and added into the British Airways mobile application. It was later discovered that the attack could have been executed by the same group of hackers as the Ticketmaster breach, Magecart, a group of hackers who specialise in skimming credit cards.
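One defensive check relevant to both the Ticketmaster and British Airways cases is to pin every script on a payment page to a Subresource Integrity hash and flag any script that is unpinned or no longer matches. The following is an added example, not code from the article, RiskIQ or either company; the host names, script bodies and function names are constructed placeholders, and it handles only a single hash per `integrity` value.

```javascript
const crypto = require('node:crypto');

const ALLOWED = new Set(['sha256', 'sha384', 'sha512']);

// Subresource Integrity value: "<alg>-<base64 digest>" over the exact script bytes.
function sriHash(content, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(content).digest('base64')}`;
}

// pageScripts: [{ src, integrity? }] taken from the payment page markup.
// served: Map of src -> content the server currently returns for that URL.
function auditScripts(pageScripts, served, firstPartyHost) {
  const findings = [];
  for (const { src, integrity } of pageScripts) {
    if (!integrity) {
      // Unpinned third-party code runs with full access to the payment form.
      if (new URL(src).host !== firstPartyHost) {
        findings.push({ src, issue: 'third-party script without integrity pin' });
      }
      continue;
    }
    const alg = integrity.split('-')[0];
    if (!ALLOWED.has(alg) || !served.has(src)) {
      findings.push({ src, issue: 'cannot verify' });
    } else if (sriHash(served.get(src), alg) !== integrity) {
      findings.push({ src, issue: 'content does not match pinned hash' });
    }
  }
  return findings;
}

// Constructed sample data: hosts, paths and script bodies are placeholders.
const GOOD_LIB = '/* feature-detection library (constructed stand-in) */\nvar lib = {};\n';
const PAGE = [
  { src: 'https://shop.example/js/lib.js', integrity: sriHash(GOOD_LIB) },
  { src: 'https://chat.vendor.example/widget.js' },
];

function demo() {
  const clean = new Map([[PAGE[0].src, GOOD_LIB]]);
  const tampered = new Map([[PAGE[0].src, GOOD_LIB + '/* appended lines */\n']]);
  return {
    clean: auditScripts(PAGE, clean, 'shop.example'),
    tampered: auditScripts(PAGE, tampered, 'shop.example'),
  };
}
```

With the unmodified library only the unpinned vendor widget is reported; once lines are appended to the library, the pinned hash no longer matches and the library is reported as well.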

TimeHop

On the 4th July 2018, TimeHop had a security breach which compromised the records of 21 million users, including personal information such as names, emails, and phone numbers; around 4.7 million of the accounts had phone numbers attached, and these were also breached. In addition to this, “access tokens” provided to TimeHop by its social media providers were also stolen in the breach. It has now been revealed that an employee’s credentials were used by a third party to log into TimeHop’s cloud environment, the account for which had not been protected by multifactor authentication.

However, this breach was planned months before, dating back to December 2017, when the intruder created accounts with attendant Application Programming Interface access keys. The intruder returned several times undetected whilst gathering further information; however, it was on July 4th that the attacker began harvesting the database, and over the course of 45 minutes the hacker was able to capture the information. Since this incident, TimeHop explains that it has now instated multifactor authentication to secure access and authorisation controls on all accounts.

Conclusion

Whilst these five attacks are no doubt some of the biggest to come out of 2018, in particular highly sophisticated hacks such as Ticketmaster and British Airways, they are a harrowing reminder of the advanced threats that can target any organisation, often without discrimination. Security professionals in organisations now face a constant uphill battle in which keeping ahead of this dangerous curve is paramount, in particular in the wake of GDPR. It is also a priority for vendor organisations and third-party suppliers to be constantly creating stronger and more secure products to go to market. However, there is a clear need for heightened cooperation between enterprises and third-party suppliers; certainly in the case of Typeform, risk mitigation and sturdy procurement processes are key when onboarding outsourced products.
