Applications are quickly becoming a top target for digital adversaries, as more businesses rely on them to drive their revenue and success. And the proof is in the headlines.
Today, we’ll look back on the top breaches of 2019 caused by application-based attacks, coding bugs and errors, then explore the steps organizations can take to protect their applications and their code in 2020.
1. Facebook: Over 540 million records exposed
Back in April, news broke that a data breach had exposed over 540 million Facebook records, including user IDs, likes, reactions and comments. The information had been collected by two third-party companies and was stored on unsecured Amazon servers for months until it was removed when the problem was exposed.
2. Evite: Hacked customer data for sale on dark web
User data owned by Evite, a social planning website, was hacked and put up for sale on the dark web. Over 100 million accounts were compromised in the attack, news of which came to light in June, despite the incident taking place over three months before in February. The company said that no financial information was stolen, although usernames, email addresses and passwords were exposed.
3. Sprint: Customer data exposed
Sprint, the fourth largest wireless operator in the US, saw a couple of high-profile security incidents this year. In March, TechCrunch revealed that some Sprint customers had contacted them when they began seeing the account information of other customers as well as their own. Variously described as a ‘glitch’ and a ‘technical issue,’ the problem highlighted the risks faced by consumers when corporate IT systems have problems.
And in June, the company had to reset customer PIN numbers when accounts were breached via a Samsung web page. Names, phone numbers and billing addresses were among the details accessed by hackers.
4. Online dating sites: Sharing too much information
2019 has not been a good security year for a number of online dating services. Among those experiencing issues was Coffee Meets Bagel, which suffered the irony of revealing a data breach on Valentine’s Day. And in the same week in August, Grindr, Romeo and Recon were called out when researchers found it was possible to collate exposed GPS coordinates and precisely track users. This was in addition to a similar problem for another dating app called 3Fun, adding up to a total of 10 million users.
5. European Central Bank: Hackers inject malware
In an attack reported in August that forced it to shut down its website, the European Central Bank revealed that hackers had injected malware that led to a potential loss of data. The site had been hosted by an external provider, and while the bank said no internal data or market-sensitive information had been accessed, it served as a reminder that major organizations of all kinds are targets for malicious activity.
6. Dealer Leads: 198 million records exposed
Dealer Leads, a marketing firm that works with car dealers, stored nearly 200 million customer records in an unsecured database. The exposed data included, names, addresses, phone numbers, email and IP addresses in a 413 GB database that wasn’t password protected.
When the incident was revealed in September, it was described as a “wake-up call” to improve security and implement best practices such as network segmentation and giving users the least amount of data access they need.
7. DoorDash: Breach allows access to info on nearly 5 million users
Also, in September, DoorDash, an on-demand food delivery service, revealed it was the victim of a hack in which the data of 4.9 million customers, delivery workers and merchants was stolen. News reporting at the time revealed that DoorDash had been unaware of the breach – which included a variety of customer details and partial payment card numbers – for five months.
Looking Ahead: Avoiding Similar Problems in 2020
What do we take from all this if, collectively, we’re going to see the situation improve in 2020? In particular, security and development teams need to be up to date on the latest vulnerabilities and exploits. Continuously monitoring code is the best way to find problems and enterprises should be asking themselves if anything has changed in the threat landscape that may require new preventative measures.
For application security, the cause of vulnerabilities can often be traced back to the development process. It’s in the nature of application development that hard deadlines can mean coding errors are not always addressed before deployment. As a result, it’s important to patch vulnerabilities as soon as they are found and by using the right application security tool, software teams can not only build their applications at the right speed but do so securely.
In the case of data leaks, not only do they damage a brand’s reputation, but they also hurt the privacy of their users. The biggest lesson that can be taken away from the events of this year is that all personal information should be treated with the highest levels of concern. There should not be any circumstance where private information storage is exposed publicly, because there is not any margin for error – once a leak happens there is no going back.
Following best practices such as practicing the ‘least privilege’ model, consistently patching applications when available, and making security part of developer’s processes, are just a few examples on how to help prevent these kinds of leaks from occurring.
For instance, by providing users with the least amount of necessary privileges to access data, this lessens the probability of a data leak. Surprisingly, these heavily recommended practices are not followed commonly. A simple search on shodan.io, for example, will show a plethora of S3 buckets, and Database API Endpoints that are publicly accessible without any security restraints.
The problems seen throughout 2019 should serve as a reminder for organizations to practice reducing risk by securing DevOps to secure application delivery.
Interested in learning more best practices for the path to DevSecOps? Read our whitepaper