AXEL.org

cybersecurity

Cybersecurity Strategies for Small Businesses and Firms

When it comes to ransomware and data breaches, we mostly hear about the attacks on massive corporations. After all, these cyber-assaults can affect millions, so it only makes sense that attacks on big businesses are the ones we hear about. However, this creates a false assumption that only big businesses are affected by cybercrime. Unfortunately, this couldn’t be further from the truth. In fact, small businesses and firms are often targeted by cybercriminals due to their valuable data and relative lack of cybersecurity protocols [1]. Many smaller companies still have not taken the threat of cybercrime seriously. In fact, 51% of small businesses have not dedicated any resources to cybersecurity [2]. In 2021, a year full of cybercrime and ransomware attacks, that’s a recipe for disaster.

Ransomware and data breaches can affect anyone from first-year law students to senior executives. Of course, large companies have sizable cybersecurity operations, so if cybercriminals strike, they’re prepared. For small businesses and firms, however, it’s up to individuals to protect themselves and their clients. Thankfully, there are easy, inexpensive ways for smaller companies to keep themselves safe from cybercrime.

Secure Passwords

Many of us are guilty of using the same password for multiple accounts. It’s perfectly logical to reuse passwords sometimes when we have hundreds of online accounts for various businesses, social media sites and software. However, using just one password for all your accounts can be disastrous, especially if your work passwords are reused. Think about it: If your Facebook password is leaked, and you have the same password for every account, in effect, all your accounts are leaked. While you don’t need unique, thirty-character-long passwords for every account, ensuring that your passwords are varied and strong keeps your most important data safe. Having one of your passwords leaked is bad, but manageable; having all of your passwords leaked is catastrophic.

Cyber Insurance

Cybercrime can still occur even when precautions have been taken. That’s why it may be smart to invest in a relatively new insurance offering, cyber insurance. Many large corporations utilize cyber insurance to minimize the financial risk of a data breach. In fact, after Target’s 2013 data breach, cyber insurance covered USD $90 million of the total damages [3]. For smaller businesses and law firms, one cyberattack could be financially devastating enough to shutter doors permanently. It is a significant investment, but cyber insurance could pay off in the long term.

Ethical Hackers

One of the quickest, easiest ways to determine if your small firm has a security hole is to hire a white hat, or ethical, hacker. The job of a white hat hacker is to breach a company’s computer system, but with permission. Once the hacker gains access to the system, they can snoop around, looking for vulnerabilities. If a vulnerability is found, they simply tell the company and potentially fix it. While the idea of letting a stranger into your computer systems may sound frightening, this process is one of the best ways to prepare for cybercrime. After all, if you find and patch the vulnerabilities, there isn’t much a cybercriminal can do to your business.

Of course, ethical hackers don’t come cheap, and the more experienced an ethical hacker is, the higher the cost. Big corporations have paid from USD $1,000 to USD $15,000 for white hat hackers to breach their computer systems and look for security vulnerabilities [4]. While hiring or contracting an ethical hacker can be a large investment, there’s no better way to determine if your firm is prepared for a cybercriminal attack.

Culture of Security

In addition to paid solutions, a free technique to protect you and your firm’s cybersecurity is to encourage a culture of security. This means updating your software often, using encryption, and being knowledgeable about modern technology and its risks. First, updating your software is one of the easiest ways to minimize the risk of cybercrime. In fact, the infamous Equifax data breach of 2017 occurred because Equifax simply forgot to update its security software when a vulnerability was detected [5]. Keeping software up-to-date is one of the simplest ways to keep yourself and your firm protected. Next, using encryption is an inexpensive, useful tool to keep your documents safe from data breaches. If your documents are unencrypted, cybercriminals have easy access to your most vital files. Encryption provides an extra layer of security that keeps your documents safe from data breaches and leaks.

Finally, cybersecurity education is the largest part of a culture of security. When everyone is aware of cybersecurity risks like phishing scams and the danger of public Wi-Fi, the risk of cybercrime is minimized. Simply informing your friends and coworkers about modern cybersecurity risks helps cultivate a culture of security that helps you (and your clients) stay safe from cybercrime. Simply put, staying informed on cybersecurity is a long-term, effective solution to minimize the risk of ransomware attacks and data breaches.

Backup Your Data

Whether you’re a thirty-year veteran at a firm or just starting your first job in the workforce, backing up your data offline could be the most important strategy on this list. Security vulnerabilities and cybercriminals pose a threat to cloud-based files. If you get locked out of this online data by cybercriminals, you’ll be forced to either pay a hefty ransom or lose all of your online files. The solution? Simply backup your documents offline. And don’t do it just once! At least monthly, copy your files to an offline hard drive. Backing up your documents offline ensures that you, or your firm, are able to continue working even if a cyberattack hits.

Try AXEL Go

If you’re ready to start creating your culture of security, try AXEL Go. AXEL Go is a cloud file-sharing software with an unwavering focus on privacy. AXEL Go lets employees and students share, store, and collect documents securely, all in a simple, easy-to-understand user interface. Offering military-grade encryption, blockchain technology, and decentralized servers, AXEL Go offers the perfect pairing of simplicity and stringent security. To try AXEL Go free for two weeks, click here.

[1] Shankar, AJ. “Council Post: Ransomware Attackers Take Aim at Law Firms.” Forbes. Forbes Magazine, March 11, 2021. https://www.forbes.com/sites/forbestechcouncil/2021/03/12/ransomware-attackers-take-aim-at-aw-firms/

[2] Knutson, Ted. “Small Businesses Bearing Brunt of Ransomware Attacks, Senate Told.” Forbes. Forbes Magazine, July 28, 2021. https://www.forbes.com/sites/tedknutson/2021/07/27/small-businesses-bearing-brunt-of-ransomware-attacks-senate-told/?sh=705864499556

[3] Newman, Craig. “Target’s Cyber Insurance: A $100 Million Policy vs. $300 Million (so Far) in Costs.” Patterson Belknap Webb & Tyler LLP, January 16, 2019. https://www.pbwt.com/data-security-law-blog/targets-cyber-insurance-a-100-million-policy-vs-300-million-so-far-in-costs/

[4] Fazzini, Kate. “Some Freelance Hackers Can Get Paid $500,000 a Year to Test Defenses of Companies like Tesla.” CNBC. CNBC, December 13, 2018. https://www.cnbc.com/2018/12/12/freelance-hackers-get-paid-to-test-the-defenses-of-firms-like-tesla.html

[5] Ng, Alfred. “How the Equifax Hack Happened, and What Still Needs to Be Done.” CNET. CNET, September 7, 2018. https://www.cnet.com/tech/services-and-software/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/

Devastating Data Breaches – Part 5: Facebook Dismisses Data Security

In the history of the Internet, no tech company may be more controversial than Facebook. Started in 2004 and initially limited to Harvard University students, Facebook quickly hit the mainstream as the premier social networking site. In just a few years, it overtook older sites like MySpace and Friendster, making it the go-to social network for hundreds of millions of people. However, this massive growth has not been without controversy.

Facebook has long been criticized for its record on privacy and security. From collecting mountains of information on individuals to its involvement in state-sponsored surveillance, Facebook’s record on privacy is shaky [1]. But even though billions are skeptical of Facebook and its security practices, it’s still the most popular social network in the world. Combined with its ownership of popular messaging app WhatsApp and photo-sharing app Instagram, Facebook has become one of the Silicon Valley giants where their main product isn’t a product or software, but users themselves. Because of this, it is in Facebook’s best interest to collect as much information as possible from its users. While this strategy certainly lines Facebook’s pockets with oodles of advertiser cash, it forces user privacy to take a backseat and puts user security at risk. Unfortunately, in 2019, this security risk became realized for hundreds of millions of people.

In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Check out our previous posts about Yahoo, Marriott, Equifax, and Target to learn about what went wrong, what could’ve been done, and how each company responded to devastating data breaches.

Before The Breach

In 2019, Facebook was already facing the aftermath of another massive privacy mishap, the Cambridge Analytica scandal. With Facebook’s knowledge, Cambridge Analytica, a political data analytics firm, harvested data from 87 million Facebook accounts. It then sold this information to multiple United States presidential campaigns in order to inundate potential supporters with political advertisements [2]

Following the revelations of this data thievery, Facebook CEO Mark Zuckerburg even testified in front of Congress, along with taking out full-page advertisements in major newspapers, vowing to “ensure this doesn’t happen again [2].” Following an investigation, the Federal Trade Commission fined Facebook USD $5 billion, the largest fine ever levied by the United States government [3].

Put simply, Facebook was not seen in a positive light by many people. Its track record regarding data privacy had always been shaky, but this new scandal not only drew the ire of government officials, but the general public as well. After this scandal, all eyes were on Facebook to see if it would actually make changes to protect user privacy. Unfortunately, Facebook did not keep its promises for long. 

The Leak

In 2019, through a vulnerability in Facebook’s code, the personal data of 533 million Facebook users was stolen [4]. Concerningly, the perpetrators of this attack did not acquire the data through hacking or phishing, but simply by finding a vulnerability that allowed users to record millions of phone numbers from Facebook’s servers. In August 2019, Facebook patched this vulnerability, but was unaware of the stolen data. However, in April 2021, phone numbers of the 533 million users were posted to a hacking forum. This data mainly consisted of names and phone numbers, but some email addresses and birth dates were compromised as well [4]. Even worse, the data was posted for free on a public forum, meaning that any scammer or spammer with basic computer knowledge could access this stolen data [4].

While no financial or government data, such as credit card numbers or Social Security numbers, were posted, the release of phone numbers and corresponding names was a goldmine for scammers. Primarily, these cybercriminals could use this information to send phishing scams to unsuspecting users. While the attack could have been much worse, the leak of over half a billion phone numbers directly after Facebook’s previous data scandal was not received well by the general public.

Facebook did little to satiate the outrage following the leak. After the leak was publicly revealed, Facebook stressed that the leaked data was outdated (albeit, by only two years) and that the security flaw had already been patched. Additionally, Facebook refused to notify the affected users, stating that there was nothing that users could do to mitigate the consequences [5]

The Aftermath

While a leak that puts 533 million phone numbers at risk may sound like a big deal, for Facebook, it’s just a drop in the bucket of criticism the company has received regarding user privacy. After all, the Cambridge Analytica scandal forced Zuckerberg to testify before Congress. For Facebook, this is a run-of-the-mill data breach. In fact, in a leaked email detailing the company’s response to the breach, a Facebook employee stated “We expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly [6].”

Unfortunately, it appears Facebook is not planning on making substantive changes regarding user privacy. This isn’t particularly surprising, as Facebook has become a giant because of its willingness to collect user information. However, just because Facebook is slow to change doesn’t mean you have to be a victim. You can protect your data by following simple cybersecurity tips, like not clicking unfamiliar links and double-checking email addresses. If Facebook isn’t going to protect your privacy, it’s up to you to do it yourself.

Protect Your Data with AXEL Go

Another way to protect your privacy is to use a secure file-sharing software. Offering industry-leading encryption and decentralized blockchain technology, AXEL Go is the best way to protect yourself or your business from unauthorized cybercriminals. Featuring a myriad of unique privacy features, AXEL Go is the best way to keep your data safe. If you’re ready to try the best protection, get two free weeks of AXEL Go here

[1] Greenwald, Glenn, and Ewen MacAskill. “NSA Prism Program Taps in to User Data of Apple, Google and Others.” The Guardian. June 07, 2013. https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data.

[2] Meredith, Sam. “Facebook-Cambridge Analytica: A Timeline of the Data Hijacking Scandal.” CNBC. April 10, 2018. https://www.cnbc.com/2018/04/10/facebook-cambridge-analytica-a-timeline-of-the-data-hijacking-scandal.html.

[3] Nuñez, Michael. “FTC Slaps Facebook With $5 Billion Fine, Forces New Privacy Controls.” Forbes. July 24, 2019. https://www.forbes.com/sites/mnunez/2019/07/24/ftcs-unprecedented-slap-fines-facebook-5-billion-forces-new-privacy-controls/.

[4] Holmes, Aaron. “533 Million Facebook Users’ Phone Numbers and Personal Data Have Been Leaked Online.” Business Insider. April 03, 2021. https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4.

[5] Farmer, Ryan. “Facebook’s April 2021 Data Breach Explained.” StrongVPN Blog. April 30, 2021. https://blog.strongvpn.com/facebook-data-breach-april-2021/.


[6] “Facebook Downplays Data Breach in Internal Email.” BBC News. April 20, 2021. https://www.bbc.com/news/technology-56815478.

Devastating Data Breaches – Part 4: How Target Changed Credit Cards

In 2013, data breaches were common, but didn’t particularly weigh heavily in the public consciousness. While major data breaches had certainly occurred by that point, these breaches tended to affect less personal businesses. After all, Americans weren’t going into Yahoo or Equifax every week for grocery shopping. Data breaches tended to affect corporations that most people only interacted with online. Therefore, when a data breach occurred, it didn’t feel as personal. Combined with the equally impersonal picture of shadowy hackers stealing data from continents away, data breaches weren’t seen as a massive issue to the general population, but as an online nuisance.

Unfortunately, that mindset soon changed. In late 2013, in the middle of the holiday shopping season, Target fell victim to a data breach, with over 70 million people’s financial information becoming compromised [1]. While 70 million may sound paltry compared to Yahoo’s 3 billion leaked accounts, the damage to those 70 million victims was much more severe. Ultimately, this hack put data breaches on the mind of everyday citizens. After all, these hackers didn’t target a shadowy Internet business that only a few hundred people have physically been to. This hack targeted a popular chain of stores where millions of people shop every week.

In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches.

The Breach

In September 2013, the cybercriminals responsible for the attack began their strike on the popular retail chain. However, the hackers’ plans did not involve attacking Target directly, at least not yet. The cybercriminals targeted Fazio Mechanical Services, a contractor that provided Target with heating and air conditioning [2]. From Fazio and its approved credentials, the hackers then accessed Target’s network and quickly found access to Target’s point-of-sale (POS) systems. From there, the attackers installed malware that recorded credit card data. Finally, the hackers encrypted the credit card data and exfiltrated it right under Target’s nose.

Target became aware of a potential breach on November 30, when a Target security operations center in India recorded potentially malicious activity [1]. That activity was shared with the Target corporate office in Minneapolis, but no action was taken. Again, on December 2, malicious activity was found and reported, but no action was taken by the corporate office. Finally, on December 12, the US Department of Justice contacted Target about a potential data breach, and an investigation began [1]. One week later, Target publicly revealed the data breach.

All in all, over 70 million customer records and 40 million payment card credentials were stolen in the hack [3]. This information was put up for sale on the dark web, where any variety of cybercriminals could pay for the stolen financial data. The data breach not only included debit and credit card numbers, but PIN numbers as well, putting affected customers at a large financial risk. Overall, while 70 million victims may pale in comparison to other data breaches, the breach’s effect on those victims was enormous. 

The Fallout

In the years following the data breach, Target paid over USD $200 million in costs related to the hack [4]. Target could have paid much more, but the company had a cybersecurity insurance policy that covered about USD $90 million of the total cost [1]. Additionally, Target agreed to a settlement of USD $18.5 million to 47 state governments for further compensation to victims [4]. As part of the settlement, Target agreed to tighten its security measures, along with promising to separate its cardholder data from the rest of its computer network. Additionally, Target’s CEO, Gregg Steinhafel, resigned in May 2014, in the aftermath of the attack [4]. Although the breach certainly did not put Target out of business, it had a profound effect on the company’s financial security, along with consumer trust in the company.

To this day, just one person has been charged in connection to the attack. In 2018, a Latvian computer programmer named Ruslan Bondars was sentenced to 14 years in prison for creating a program that helped cybercriminals, including the perpetrators behind the Target attack, improve malware [5]. However, Bondars was not immediately connected to the attack. Cybersecurity experts hypothesize that Andrey Hodirevsky, a Ukrainian programmer who specializes in selling stolen financial information, was the mastermind behind the attack [5]. However, Hodirevsky has never been charged with the crime.

Finally, the Target data breach affected not only the victims, but spearheaded a massive change in credit card usage as well. Following the breach, Target was one of the first companies to offer credit cards with embedded microchips, which provides better security than the traditional magnetic swipe [3]. So while the Target attack affected millions of victims, it also helped encourage the necessary transition from magnetic swipes to chip cards.

Overall, the Target data breach highlights the importance of communications, especially when it comes to cybersecurity incidents. Had Target taken action earlier, the effects of the data breach could have been mitigated or even eliminated. Unfortunately, in the time it took for Target to realize something was wrong, the damage had already been done. Thankfully, Target quickly identified and eliminated the malware, and also ushered in the era of microchipped cards. 

Keep Your Data Secure with AXEL Go

AXEL Go is a secure file-sharing and storage software that puts you back in control of your data. From military-grade encryption to blockchain technology, AXEL offers the most stringent security for your most important files. If you’re ready to take back control of your data, try two weeks of AXEL Go for free here. To read more about AXEL Go, click here.

[1] Plachkinova, Miloslava, and Chris Maurer. “Teaching Case Security Breach at Target.” Journal of Information Systems Education 29, no. 1 (March 21, 2018). https://jise.org/Volume29/n1/JISEv29n1p11.pdf.

[2] Shu, Xiaokui, Ke Tian, Andrew Ciambrone, and Danfeng Yao. “Breaking the Target: An Analysis of Target Data Breach and Lessons Learned.” January 18, 2017. https://arxiv.org/pdf/1701.04940.pdf.

[3] Myers, Lysa. “Target Targeted: Five Years on from a Breach That Shook the Cybersecurity Industry.” WeLiveSecurity. December 13, 2018. https://www.welivesecurity.com/2018/12/18/target-targeted-five-years-breach-shook-cybersecurity/.

[4] Abrams, Rachel. “Target to Pay $18.5 Million to 47 States in Security Breach Settlement.” The New York Times. May 23, 2017. https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html.

[5] Weiner, Rachel. “Hacker Linked to Target Data Breach Gets 14 Years in Prison.” The Washington Post. September 21, 2018. https://www.washingtonpost.com/local/public-safety/hacker-linked-to-target-data-breach-gets-14-years-in-prison/2018/09/21/839fd6b0-bd17-11e8-b7d2-0773aa1e33da_story.html.

Devastating Data Breaches – Part 3: The Negligence of Equifax

Data breaches, in the traditional sense, have existed for centuries. Although we think of data breaches as a relatively new phenomenon due to the sheer prevalence of attacks we see today, data breaches have been causing headaches to businesses and consumers for a long, long time. Of course, before computers, a data breach meant the exposing of physical papers with confidential information on them. Before the Internet, the amount of damage that could be done was limited by the physical amount of data you could steal. After all, there’s only a finite amount of confidential papers a criminal can sneakily fit in a briefcase. Because of this, the amount of damage done by data breaches was limited.

However, once Internet usage became widespread, the potential damage of a data breach skyrocketed. Millions of consumer records could be stored digitally, ripe for the picking for any cybercriminal with enough knowledge and skill. Ultimately, the Internet ushered in the great data breach boom. And no case is more symbolic of this new trend than the Equifax data breach of 2017.

In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches.

Equifax’s Lax Security

Equifax, one of the three major credit bureaus in the United States, has held mountains of information on millions of Americans for decades. Of course, recording and analyzing this personal information is what a credit bureau does, and their existence is necessary in today’s world. However, because of the sheer amount of information that credit bureaus have, they also hold more responsibilities than most other businesses. Specifically, these businesses have increased responsibility for protecting data and preventing cybercrime. Unfortunately, Equifax reneged on this responsibility in 2017.

On March 7, 2017, Apache Struts, a software program that Equifax and thousands of other companies used, announced a security vulnerability in the software, and immediately sent an update to Equifax to patch the security hole [1]. For reasons unknown, the software was never updated by Equifax, creating a massive security vulnerability. Just a week later, Equifax ran a scan for unpatched systems, but the Apache Struts security hole was not flagged [1]. Ultimately, these two errors put Equifax’s data at massive risk, as the software’s security flaw was publicly known. Just a few days after Equifax’s initial error, the risk became realized.

The Breach

On March 10, 2017, the perpetrators first gained access to Equifax’s servers. However, the cybercriminals did not do much for the next few months, likely to evade detection by Equifax IT. However, by May, the hackers began their attack [2]. For the next two months, the hackers gained access to multiple Equifax databases, They then encrypted this data, and extracted it right under Equifax’s nose. Not long after, the perpetrators were in control of millions of Social Security numbers, birth dates, names, driver’s license numbers, and credit card numbers. After months of investigations, it was determined that the cybercriminals made away with the vital personal information of over 140 million people [3].

To make matters worse, Equifax could’ve had one last line of defense when the hackers were extracting the encrypted data. Most companies receive notifications when a large amount of encrypted data is exfiltrated. However, in another cybersecurity blunder by Equifax, the company failed to renew a vital security service that inspects encrypted data traffic [1]. Because of this, the hackers made away with the data with no detection.

The Response

In August 2017, Equifax became aware of the cybersecurity incident, but did not reveal the attack to the public until September [1]. While Equifax attempted to provide resources to those affected, even the company’s response to the attack was widely panned. For example, Equifax’s social media team directed affected consumers to incorrect web pages on multiple occasions [1]. Even worse, it was revealed that multiple Equifax executives sold USD $1.8 million in Equifax stock following the company’s discovery of the attack, but before it was publicly announced [4]. One executive, Equifax’s Chief Information Officer, was eventually convicted of insider trading related to the attack [5]. Simply put, Equifax’s response to the crisis was woefully inept, and the affected consumers were furious. Eventually, this frustration resulted in litigation.

In the following years, a class-action lawsuit was filed on behalf of the affected consumers, and Equifax’s penalty was steep. In July 2019, Equifax agreed to settle the case, paying USD $1.38 billion to resolve consumer complaints, and USD $380.5 million to those who were harmed by the breach [6]. While those numbers are large, the large number of victims meant that the maximum payout was only USD $125 [1]. Additionally, Equifax was required to provide free credit monitoring to all those affected by the breach.

For months, investigators waited for the stolen data to appear on the dark web to be sold to spammers and scammers. However, the stolen personal information never appeared. Ultimately, this led to the belief that state-sponsored actors were behind the attack. This meant the purpose of the attack was not to make money, but for espionage. For years, it was unknown who was behind the breach. However, in 2020, the United States Department of Justice abruptly charged four Chinese military members with the attack [1]. While the four potential perpetrators are unlikely to ever be extradited to stand trial, these charges at least provide a theory of who was behind this massive data breach.

Protect Your Data with AXEL Go

AXEL is committed to protecting your data from scammers, spammers, and cybercriminals. And the best way to fight against cyberattacks is to be prepared. That’s why AXEL Go, AXEL’s secure file-storage application, uses military-grade encryption and blockchain technology to safeguard your data. To try out AXEL Go’s unparalleled data security, sign up for a two-week free trial here

[1] Fruhlinger, Josh. “Equifax Data Breach FAQ: What Happened, Who Was Affected, What Was the Impact?” CSO Online. February 12, 2020. https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html.

[2] Riley, Michael, Jordan Robertson, and Anita Sharpe. “The Equifax Hack Has the Hallmarks of State-Sponsored Pros.” Bloomberg.com. September 29, 2017. https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros.

[3] Leonhardt, Megan. “Equifax to Pay $700 Million for Massive Data Breach. Here’s What You Need to Know about Getting a Cut.” CNBC. July 23, 2019. https://www.cnbc.com/2019/07/22/what-you-need-to-know-equifax-data-breach-700-million-settlement.html.

[4] Hudson, Phil. “Equifax Gets Blasted for Cybersecurity Hack on Social Media.” Bizjournals.com. September 8, 2017. https://www.bizjournals.com/atlanta/news/2017/09/08/equifax-gets-blasted-for-cybersecurity-hack-on.html.

[5] Liptak, Andrew. “Former Equifax Executive Sentenced to Prison for Insider Trading Prior to Data Breach.” The Verge. June 29, 2019. https://www.theverge.com/2019/6/29/20056655/jun-ying-equifax-breach-jail-time-insider-trading-department-of-justice.

[6] Brumfield, Cynthia. “Equifax’s Data Breach Disaster: Will It Change Executive Attitudes toward Security?” CSO Online. July 24, 2019.  https://www.csoonline.com/article/3411139/equifax-s-billion-dollar-data-breach-disaster-will-it-change-executive-attitudes-toward-security.html.

Devastating Data Breaches – Part 2: Marriott’s Merger Misfire

In the relatively short history of data breaches, most have followed a similar pattern. Generally, some bad actor gains access to classified data, and then leaks names, phone numbers, birthdates, and other semi-private pieces of information. While breaches like this can certainly have a negative impact on a business, the consequences aren’t as severe for the consumer when only semi-private information leaks. After all, bad actors can only do so much with a name and corresponding phone number. However, the consequences become much more serious when private data is lost. If information like credit card numbers, passwords, and social security numbers are leaked, it can have devastating financial consequences for those affected. Unfortunately, that is exactly what occurred in the case of the Marriott data breach in 2018.

In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches. 

The Background

In November 2015, Marriott made a massive purchase, announcing its bid to buy Starwood Hotels and Resorts. Following a bidding war, Marriott eventually acquired the hotel chain for USD $13.6 billion [1]. Hotels previously under the Starwood brand include Westin, Sheraton, and other luxury hotels popular with business travelers. This merger ultimately made Marriott the world’s largest hotel chain, with over 5,700 properties worldwide following the acquisition [2]. Unfortunately, Marriott’s acquisition of Starwood did not only include Starwood’s hotel properties, but its outdated cybersecurity infrastructure as well.

In 2014, a bad actor gained access to Starwood’s network and began to extract customer data from the company’s reservation system. Starwood’s network was already seen as particularly susceptible in 2014, and cybercriminals seized on that opportunity [3]. However, this attack went unnoticed for years, even as Starwood was being acquired by Marriott. In fact, most of Starwood’s information technology and security staff were laid off following the merger [3]. Ultimately, this created the perfect storm for the hackers; an outdated, compromised reservation system with little security to watch over them. Even after the merger, Marriott still used Starwood’s reservation system for its former properties, continuing to put customer data at risk. And in 2018, that risk became realized.

The Breach

In September 2018, Marriott’s cybersecurity team found a suspicious attempt to gain access to Starwood’s guest reservation database. After investigating, Marriott found that bad actors had gained access, encrypted the guest reservation data, and extracted that data over four years [3]. Ultimately, Marriott estimated that 500 million guest records had been leaked. Even worse, the records contained highly personal information, including credit card numbers and passport numbers.

Worst of all, however, the breach was entirely preventable. While Starwood did encrypt credit card numbers on its server, it kept the encryption keys on the same server, making it painfully easy for the cybercriminals to extract the data [3]. Additionally, the majority of passport numbers were not encrypted at all. Combined with Starwood and Marriott failing to recognize or change its poor cybersecurity, this was a cyberattack that simply would not have happened if not for the negligence of the companies involved.

Eventually, investigators determined that the perpetrators of the cyberattack were Chinese state actors [4]. While most cyberattacks are committed by criminals who wish to sell the leaked data and make a quick buck, this attack had a very different purpose. Investigators hypothesize that China wished to track the movement and gain information on American businesspeople, military personnel, and diplomats. Ultimately, Chinese officials wished to gain this information to find potential candidates to approach to become spies for China [4]. This made the leaked passport numbers, a rarity in most data breaches, particularly valuable for the perpetrators of the cyberattack.

Lessons From the Attack

Following the breach, Marriott faced criticism from individuals and governments alike. While class action lawsuits originated in the United States mostly failed to gain traction in court, Marriott faced a myriad of fines overseas. In fact, Marriott was fined GBP £18.4 million, or approximately USD $25 million, for violating the General Data Protection Regulation, the EU’s overarching privacy law [5]. However, many of the expenses related to the attack were covered by Marriott’s cybersecurity insurance, a growing industry due to the sheer prevalence of cyberattacks in modern times [3].

While cybersecurity insurance incurred many of the costs, irreparable harm was done to Marriott’s image due to its mistakes. First and foremost, the company’s decision to continue using an outdated, vulnerable reservation system even after the merger proved to be catastrophic. While business mergers are undoubtedly a time of great turmoil, the negligence of Marriott’s cybersecurity is unforgivable, as it put millions at risk. Additionally, Marriott’s poor encryption made the data easy to find and extract. While some businesses are simply unlucky when it comes to cyberattacks, Marriott did not suffer because of bad luck, but its own negligence.

Protect Your Data with AXEL Go

Using a secure file storage system is the key to protecting your data from breaches and ransomware attacks. That’s where AXEL Go comes in. Offering military-grade encryption and decentralized blockchain technology, AXEL Go is the best way to protect yourself and your business from unauthorized cybercriminals. With devastating cyberattacks not going away any time soon, secure file-sharing is a necessity for businesses and individuals. If you’re ready to get the best protection, try two free weeks of AXEL Go here.

[1] Smith, Aaron. “Marriott Starwood Merger Creates World’s Biggest Hotel Company.” CNNMoney. November 16, 2015. https://money.cnn.com/2015/11/16/investing/marriott-starwood-hotel/index.html.

[2] “Meet the Biggest Hotel Chains in the World.” Hospitality News & Business Insights by EHL. https://hospitalityinsights.ehl.edu/biggest-hotel-chains.

[3] Fruhlinger, Josh. “Marriott Data Breach FAQ: How Did It Happen and What Was the Impact?” CSO Online. February 12, 2020. https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html.

[4] Nakashima, Ellen, and Craig Timberg. “U.S. Investigators Point to China in Marriott Hack Affecting 500 Million Guests.” The Washington Post. December 12, 2018. https://www.washingtonpost.com/technology/2018/12/12/us-investigators-point-china-marriott-hack-affecting-million-travelers/.

[5] “ICO Fines Marriott International Inc £18.4million for failing to Keep Customers’ Personal Data Secure.” ICO. October 30, 2020. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-marriott-international-inc-184million-for-failing-to-keep-customers-personal-data-secure/.

Devastating Data Breaches – Part 1: The Hard Fall of Yahoo

Data breaches can affect any business. It’s an unfortunate fact, but in today’s digital world, there are so many technologically savvy criminals who seek to make money and wreak havoc upon millions. Cyberattacks can affect anyone, from the smallest neighborhood shop to the largest multinational corporations. However, while small businesses are affected constantly, the data breaches that affect large corporations are the ones that receive the most news coverage. And while the number of cyberattacks has risen in recent years, no incident comes close to the number of victims as the back-to-back data breaches Yahoo faced in 2013 and 2014.

In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches. 

The History of Yahoo

From the late 1990s until the late 2000s, Yahoo was among the giants of Silicon Valley. Although the company never dabbled in hardware, it focused on one utility: Web services. And in the early years of the Internet, no one did web services better than Yahoo. Following in the footsteps of AOL, Yahoo’s first business model was organizing new web pages into categories in the early 1990s. When this proved successful, Yahoo quickly expanded into other web services, including email, instant messaging, news, and games [1]. With these services, Yahoo truly hit the mainstream. Throughout the 2000s, Yahoo remained popular, but began to lag behind tech newcomers like Google, Facebook, and their suites of web services. Following years of underperformance, Yahoo was struggling in the early 2010s. Unfortunately, Yahoo’s problems were only just beginning.

The Breach(es)

In August 2013, an unknown third party gained access to Yahoo data, making away with names, birth dates, phone numbers, and poorly encrypted passwords [2]. For three years following the breach, Yahoo was unaware of this unauthorized digital theft. However, in August 2016, Yahoo accounts were seen for sale on the dark web. Later, three separate buyers bought this stolen data for USD $300,000. To this day, Yahoo and federal investigators do not know the culprit of the 2013 hack [2].

In addition to the 2013 breach, Yahoo faced another cybersecurity crisis just a year later. In December 2014, Yahoo fell victim to another data breach, losing usernames, phone numbers, passwords, and security question answers to at least 500 million Yahoo accounts [3]. It was later revealed that the hack was the responsibility of four men hired by Russia, who sought the personal information of American intelligence officers [3]

In contrast to the 2013 breach, however, Yahoo executives were made aware of the hack soon after it occurred. Even when Yahoo was set to be acquired by Verizon in 2016, the company stated that it was aware of only four minor breaches [4]. Even in June 2016, Yahoo’s security team was aware that hundreds of millions of accounts were compromised, yet the company failed to inform Verizon or the public until September 2016.

The Fallout

Finally, in September 2016, Yahoo announced to Verizon and the public its knowledge of the 2014 breach. At the time, Yahoo estimated that 500 million accounts were compromised in the attack. In December 2016, Yahoo became aware of the 2013 attack and announced that an estimated one billion accounts were affected by the incident. While an estimated 1.5 billion compromised accounts is a nightmare for any business, the hacks and fallout occurred during a time of turmoil and transition for Yahoo. In fact, after the announcement of the 2014 hack, Yahoo lowered its purchase price to Verizon by $350 million [4]. Unfortunately, the news soon got worse for Yahoo. The company’s initial estimate of affected accounts was far from the true scale of the breaches.

In October 2017, Yahoo announced that all of its accounts were compromised in the two hacks. Over 3 billion accounts were ultimately affected by the breaches. Following the public reveal of the 2013 hack, Yahoo forced all of its users to change their passwords [5]. While this was a smart, necessary step, much of the damage had already been done. Usernames, phone numbers and birthdates were, unfortunately, already vulnerable.

Following the revelations of the breaches, Yahoo faced serious scrutiny from consumers and investigators alike. Following investigations, Yahoo was fined USD $35 million by the Securities and Exchange Commission (SEC) not for the breaches themselves, but for failing to disclose its knowledge of the 2014 breach until two years later [4]. In fact, this was the first time the SEC ever fined a public company for failure to disclose knowledge of data breaches. Additionally, Yahoo settled a class-action lawsuit for USD $80 million. Ultimately, Yahoo was punished for the cover-up, rather than the actual breaches. Unfortunately, the steep punishment simply did not outweigh the damage done to Yahoo and its customers.

Protecting Your Data

Although October is designated as Cybersecurity Awareness Month, true protection from data breaches and cyberattacks requires a year-long commitment. That’s where AXEL Go comes in. AXEL Go is a secure file-sharing and storage software that prioritizes data protection. Offering military-grade encryption and decentralized blockchain technology, AXEL Go is the best way to protect yourself or your business from cybercriminals. Put simply, your vital information deserves the best protection. If you’re ready to try the best protection, get two free weeks of AXEL Go here

[1] Greenberg, Julia. “Once Upon a Time, Yahoo Was the Most Important Internet Company. Now It’s Struggling.” Wired. November 23, 2015. https://www.wired.com/2015/11/once-upon-a-time-yahoo-was-the-most-important-internet-company/.

[2] Perlroth, Nicole. “All 3 Billion Yahoo Accounts Were Affected by 2013 Attack.” The New York Times. October 03, 2017. https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html.

[3] Goel, Vindu, and Eric Lichtblau. “Russian Agents Were Behind Yahoo Hack, U.S. Says.” The New York Times. March 15, 2017. https://www.nytimes.com/2017/03/15/technology/yahoo-hack-indictment.html?_r=0.

[4] “The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far).” The National Law Review. May 11, 2018. https://www.natlawreview.com/article/hacked-hacker-hire-lessons-yahoo-data-breaches-so-far.


[5] Goel, Vindu, and Nicole Perlroth. “Yahoo Says 1 Billion User Accounts Were Hacked.” The New York Times. December 14, 2016. https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html.