CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.
Recently, there have been a large number of incidents involving the theft and unauthorised access of personal and financial information, with the phrases data breaches and data leaks often used, sometimes interchangeably, to describe them. While the consequences are similar for both, understanding the distinction between them helps one appreciate the causal factors behind incidents involving active threats, and those in which data was made public unintentionally.
can be defined as the inadvertent loss of sensitive data through vectors such as unsecured websites and servers, inherent weaknesses and vulnerabilities within Internet services, or third party suppliers, mostly involving human error and negligence. In these cases, millions of customer records - including names, addresses and other personal information – can be exposed to the public online through unsecured databases or applications. On the other hand, unlike leaks, a breach
involves an active actor stealing data through malicious means.
What can Internet users do to protect themselves? As a proactive measure, users should be conscious of how and where they share their personal and sensitive information, and the various protective measures against digital identity theft. Regardless, while it could become increasingly difficult to prevent data leaks or breaches, understanding these incidents may provide some guidance for responding to such cyber threats.
Data leaks can be caused by system misconfiguration
Human errors continue to pose a major challenge to cybersecurity. Misconfigured databases could allow sensitive information to be easily found using search engines. For example, in June 2018, Exactis, a large US-based marketing firm, accidentally leaked its database containing close to 340 million individual records on a publicly accessible server. A security researcher used Shodan, an online search tool for users to find specific types of IT systems connected to the Internet, to search for publicly accessible servers hosting ElasticSearch databases, and hence chanced upon Exactis’ openly-available customer database. Furthermore, Exactis’ database was not even protected by a firewall.
Another notable example was that of Panera Bread. In mid-2018, KrebsonSecurity reported that Panera Bread, a US-based bakery-café chain, had at least 37 million customer records leaked on its website. Panera took no action for eight whole months, even though a security professional had reported to them back in August 2017 that its website contained erroneous links to customer records. The information was finally taken down in April 2018. Exactis and Panera Bread are but two examples of how human error and negligence have resulted in dire consequences for their clients.
Read on by clicking on the story below:
Data leaks are sometimes the result of how services are designed
One of the biggest data scandals in 2018 involved Facebook and political consulting firm, Cambridge Analytica, which affected up to 87 million users. Inconsistencies in Facebook developer policies allowed Cambridge Analytica to harvest data not just from the several hundred thousand users that had agreed to participate in a survey, but from the millions within the users’ social circles as well. Facebook came under severe criticism for the way it tried to play down the incident, with much criticism focusing on how several Facebook executives took to social media to explain how it was not a breach per se (given that no passwords or information were hacked/stolen), and that it was not Facebook’s responsibility if users chose to share their information with third-party apps. These social media posts were later removed. The scandal precipitated hearings and legal action against Facebook in multiple countries, and sent the price of its stock tumbling
There have also been incidents where sensitive information was exposed unintentionally through the functionality of various apps and services. Polar Fitness, a Finnish fitness company, suspended its online global activity map Explore after Dutch media demonstrated that flaws in the map’s privacy settings provided access to users’ personal and geolocation data. One report allegedly found the names and addresses of thousands of personnel working at Finnish military bases and intelligence services. This was the second time a fitness app had exposed such information, following reports on another fitness tracking app, Strava.
Read on by clicking on the story below:
What can Internet users do?
There are a number of preventive measures that users can adopt to reduce the risk of becoming a victim of data leaks/ breaches:
- Users can reduce risk of having data leaked by being selective about services that they subscribe to, especially social networks that use real names or real-time location data. Users are encouraged to review what data apps are asking for, without blindly granting permission. Furthermore, by limiting the amount of information shared online, users can also minimise the impact of any future leaks.
- With more data breaches and data leak incidents being disclosed and reported, users need to be proactive in protecting themselves from digital identity theft. Users can invest in identity theft protection, which monitors the Internet – including the dark web - for unauthorised usage of their personal information. A survey published in January 2018 by cybersecurity company McAfee found that fewer than one in four persons used an identity theft solution. With more data and information being shared and stored online, protection against digital identity theft can only become increasingly important.
Wired, Krebs on Security, Forbes, Zdnet, The Guardian, Today and The Straits Times.