Monthly Breach Report: October 2018 Edition on Oct 5, 2018
Hackers reportedly targeted software bugs in a globally recognized brand which could prompt against the brand the biggest GDPR fine to date, while another reportedly attacked global brand avoids the expensive fines of new data privacy laws despite paying millions in their own breach settlement – these are just some of the latest data breach news hitting headlines this last month.
September 28, 2018 – Social media giant, Facebook, reported an attack on their computer network had exposed the personal information of nearly 50 million users. The attackers, who are as yet unidentified, reportedly exploited three software flaws in Facebook’s code, allowing them to access users’ profiles, including top executive Mark Zuckerberg. Two of the exploited bugs came from Facebook’s ‘View As’ feature, which, ironically, was introduced to improve the privacy of users allowing you to view your page as a friend of yours or as common public so you can adjust your privacy settings. The third bug sprung from a July 2017 introduced feature contained in the video uploading tool. Facebook confirms they have fixed the vulnerabilities. However, it’s believed that the attack on the Facebook network exposed personal identification of 50 million users.
Nearly a week after the company realized on September 25, 2018 that personal information was compromised, and three days after the media reported widely on the attack, Facebook forced more than 90 million users to log out October 1, 2018. Facebook is also working closely with authorities to investigate the issue. Nonetheless, results of that investigation may lead to hefty fines under the General Data Protection Regulation (GDPR). Those fines, if imposed, could total up to $1.63 billion for Facebook, making it the most notable under the strict new EU data privacy law.
Source: The New York Times
2. British Airways
September 7, 2018 – British Airways is investigating a data breach to their website and app from August 21 to September 5, 2018. The airline is reporting information from around 380,000 payment cards was stolen during the breach. Although travel or passport information was not stolen in the breach, personal and financial details of customers booking trips on ba.com and using the airline’s mobile app over the two-weeks were compromised. British Airways has urged affected customers to contact their banks or credit providers in response to the incident. The airline and the group that owns it, IAG, have denied the breach is connected to their decision to outsource IT operations.
A spokesperson from the Information Commissioner’s Office (ICO) said it would be looking into the data breach. Under new rules set forth by the General Data Protection Regulation (GDPR), the airline could face a maximum fine of 4% of global revenues, up to £500m in British Airways case, should inquiries from the ICO discover negligence by the airlines led to the breach.
Source: The Guardian
September 27, 2018 – Popular rideshare company, Uber, has agreed to pay $148 million in a settlement with 50 US states and the District of Columbia in response to a prior data breach. In November 2016, a hacker gained access to the personal data of 57 million users and 600,000 drivers. Rather than disclosing the breach when it had occurred, Uber paid the hacker $100,000 through its bug bounty program, leading the eventual settlement with state attorneys general across the United States. In addition to the monetary settlement, Uber has agreed to strengthen its security practices.
Since the data breach occurred before May 2018, Uber was not subject to strict new fines introduced by the General Data Protection Regulation (GDPR) nor the upcoming California Consumer Privacy Act (CCPA). Specifically, under the upcoming CCPA, Uber’s 2016 data breach would have allowed civil class action lawsuits up to $750 per Californian resident affected had the law been in effect, as well as civil action brought by the California Attorney General’s Office to pay penalties of up to $7,500 per international violation, which could have totaled up to $20.25 billion when considering only the 2.7 million UK affected users.
Source: The Telegraph
August 24, 2018 – T-Mobile reported a breach of data compromised the personal information of customers nationwide. The mobile carrier revealed the breach was caused by an unauthorized source’s access to information on August 20, which on discovery their cybersecurity team promptly shut down. T-Mobile has ensured no financial data or social security numbers were compromised, but personal data such as account numbers, email addresses, billing addresses and phone numbers may have been exposed. Although T-Mobile has not disclosed the number of customers impacted by the breach, reports indicate that roughly 3% of the mobile carrier’s 77 million customers, approximately 2.3 million, were affected.
T-Mobile has released an official statement on their website with information for customers seeking answers about the incident and their accounts.
Source: USA Today
Dataguise understands the importance of data privacy and how frustrating data breaches can be for consumers and the businesses entrusted with their data. Although anyone can be a target, Dataguise DgSecure provides enterprise solutions for businesses small and large to combat these threats while ensuring all sensitive data across an organization is accounted for, protected, and compliant with industry and global data privacy laws. To learn more about Dataguise DgSecure, contact us for additional information.