7 Stupid mistakes that led to a data breach

Even the best of us are guilty of making stupid mistakes. However, when it comes to IT, the smallest blunder could lead to a major data breach with dire consequences.

Data breaches are on the rise. Hackers continue to attack enterprises and government agencies relentlessly, and it’s only going to get worse. So there’s (absolutely) no room for any stupid mistakes.

According to the FBI, reports related to cybercrime have quadrupled during the COVID-19 pandemic. As more companies fall victim to security breaches, they risk significant regulatory fines and damage to brand reputation.

One of the primary causes of such security events is human error. In the UK, for example, 90% of data breaches were caused by people last year. In the US, Verizon’s 2019 Data Breach Investigations Report found human error to be the reason behind 21% of security breaches. 

While it's human nature to goof up from time to time, there's no excuse for foolish mistakes that could have been avoided. So companies and security teams need to pay attention to these examples and take extra steps to avoid repeating these "stupid mistakes."

1. Misconfiguration

Hackers always search for servers that haven’t been set up correctly. This was the reason behind the now-infamous Capital One data breach that exposed the sensitive personal data of more than 100 million applicants and customers. 

In this scenario, a flawed firewall implementation enabled access to the server. As the company didn’t properly encrypt the sensitive data stored on the server, the hacker was able to read it. 

This seems to be a common theme as just 4% of data breaches tracked by Gemalto’s Breach Level Index were (what we call) secure breaches where stolen data was encrypted and rendered useless to threat actors.

2. Failed to update

The Equifax data breach, which still hogs the headlines today, occurred because the IT team wasn’t proactive. Even after the company was alerted to the threat in the Spring of 2017, the consumer credit agency still failed to identify the vulnerability. 

In this scenario, encrypted traffic was exposed because of a digital certificate that had expired ten months before the incident. This oversight allowed a hacker to breach the system and access sensitive information from mid-May until the end of July.

This stupid mistake led to the theft of the personal data of more than 145 million US citizens and over 10 million British citizens, and the company continues to pay hefty fines to settle numerous lawsuits.

3. Chose speed over security

Transportstyrelsen, the Swedish Transport Agency, outsourced its vehicle and license register to a third-party contractor to save money. In any other case, this would be standard practice for companies and government agencies looking to access top tech talent cost-effectively. 

But here’s where Transportstyrelsen dropped the ball. 

To accelerate the whole process, the Director General decided to overlook standard security procedures and best practices. Most notably, this meant enabling seamless access to sensitive data that demanded security clearance. 

This security incident exposed the details of people with criminal records, military and police transport personnel, intelligence agents, and those in witness protection programs.

Fortunately, there’s no evidence that anyone but the subcontractors viewed this information. Neither the intelligence agents nor those in witness protection came to any harm. 

But it could have been very different!

The political fallout from this security event evidenced the Swedish government’s ignorance about technology and data security. The positive outcome was the fact that it ushered in a sea change across government departments to ensure that it doesn’t happen again.

4. Weak passwords

In the current threat landscape, you would think it's nearly impossible not to hear about a data breach almost every day. Yet, Western Australian government officials continued to use ridiculously weak passwords.

For example, the most common weak password, used by as many as 1,464 employees, was “Password123.” 

Furthermore, research showed that 26% of accounts across agencies used similar weak passwords (like abc123), significantly increasing their exposure to risk. Even worse, total access to every government system was possible with the password “Sumer123.”

But it wasn’t just the Australians: their counterparts in the United States were also found to make the same stupid mistake. 

According to a study conducted by WatchGuard, almost 50% of over 355,000 government and military email accounts had weak passwords that could be cracked within two days. 

In this scenario, the most commonly used weak passwords by government and military staff were as follows:

  • 123456
  • 12345678
  • linkedin
  • password
  • sunshine

Civilian passwords were found to be weak 52% of the time and were matched to passwords leaked in the LinkedIn data breach that occurred as far back as 2012.
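The weak passwords named above (Password123, abc123, Sumer123, 123456, 12345678, linkedin, password, sunshine) are exactly what a password policy check should reject at enrolment time. The following is an added example, not code from the original post or from any of the agencies it describes; the blocklist is a constructed stand-in for a full breached-password list, and the 12-character minimum is an assumed policy value.

```python
import re

# Constructed blocklist seeded with the weak passwords named in the post.
# A real deployment would load a full breached-password list instead (assumption).
BANNED = {
    "password123", "abc123", "sumer123", "123456", "12345678",
    "linkedin", "password", "sunshine",
}

# Leetspeak substitutions that cracking wordlists already cover, so
# "P@ssw0rd" must be treated the same as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})


def _variants(pw: str) -> set[str]:
    """Normalise a candidate into the forms a cracking wordlist would try."""
    base = pw.lower()
    forms = {base, base.translate(LEET)}
    # Strip trailing digits/punctuation: "Password123!" -> "password"
    stripped = re.sub(r"[\d\W_]+$", "", base)
    forms.add(stripped)
    forms.add(stripped.translate(LEET))
    return forms


def check_password(pw: str, banned: set[str] = BANNED, min_len: int = 12) -> list[str]:
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if any(v in banned for v in _variants(pw)):
        problems.append("matches or is a trivial variant of a known weak/breached password")
    if re.fullmatch(r"\d+", pw):
        problems.append("digits only")
    return problems
```

Note that "P@ssw0rd2020!" is rejected even though it is long and mixes character classes, because stripping the trailing digits and undoing the substitutions reduces it to a banned word.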

5. Ease-of-use over security

The infamous data breach at Uber occurred because of weak access control to an extensive collection of data. In this scenario, threat actors were able to find credentials for an Amazon Web Services account containing user data (or 57 million records with personally identifiable information) in a private GitHub coding site.

If that wasn't bad enough, Uber often allowed developers access to live production data without deploying proper protocols to monitor and secure this sensitive information.

As all the developers had unlimited access to user data, all the attackers had to do was compromise one individual to breach the whole system.

As developers had complete access to GitHub repositories and so much customer data was available, we can conclude that Uber made the stupid mistake of choosing "ease-of-use over security."

Even worse, the company tried to cover it up by paying the hackers $100,000 to delete the stolen user data and keep the incident under wraps.

6. Unsecured database

French fitness tech firm, Kinomap, recently suffered a massive data breach that exposed the personally identifiable information of 42 million users (spread across 80 countries). 

Discovered by researchers at vpnMentor, the open database had been left unsecured for at least a month, revealing the following information:

  • Full names
  • Usernames
  • Email addresses
  • Home country
  • Gender
  • Timestamps for exercises
  • Kinomap account details
  • The date they joined Kinomap

All this sensitive user data wasn’t encrypted, making it easily accessible to threat actors. What makes this security incident even worse is the fact that although vpnMentor informed the French firm on March 28th, 2020, they didn’t fix the security issue for over two weeks (until April 12th, 2020).

7. Poor protection against insider threats

Marriott Hotels suffered a second major data breach within two years when two employees accessed the information of more than five million guests. 

Although this incident wasn’t as severe as the security event in 2018, it’s concerning that the hotel chain didn’t take security seriously even after the first incident. 

While this data breach is a bit too complicated to be called a “stupid mistake,” it could have been avoided. If real-time monitoring and zero trust protocols had been deployed, security teams would have been alerted immediately when unusual patterns in user behavior were identified.
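The kind of "unusual pattern" that monitoring should surface here is volume: an account that normally looks up a few guest records a day suddenly pulling hundreds. The following is an added example, not Marriott's tooling or code from the original post; the log lines are constructed, and the baseline multiplier and absolute floor are assumed tuning values.

```python
from collections import Counter
from statistics import median


def build_sample_log() -> list[str]:
    """Constructed access-log lines (not real data): 'date user guest_record_id'.
    Four staff look up a handful of guest records a day; one account behaves
    normally for two days and then performs a bulk pull on the third."""
    lines = []
    normal = {"alice": 4, "bob": 6, "carol": 3, "dave": 5}
    for day in ("2020-01-13", "2020-01-14", "2020-01-15"):
        for user, n in normal.items():
            lines += [f"{day} {user} guest-{user[0]}{i:04d}" for i in range(n)]
    lines += [f"2020-01-13 mallory guest-m{i:04d}" for i in range(4)]
    lines += [f"2020-01-14 mallory guest-m{i:04d}" for i in range(5)]
    lines += [f"2020-01-15 mallory guest-m{i:04d}" for i in range(300)]
    return lines


def daily_counts(lines: list[str]) -> Counter:
    """Count the distinct guest records each user touched per day
    (repeat views of the same record are not counted twice)."""
    seen = {tuple(line.split()) for line in lines}
    return Counter((day, user) for day, user, _ in seen)


def flag_bulk_access(lines: list[str], multiplier: int = 10, floor: int = 50) -> list[tuple]:
    """Return (day, user, count) for user-days far above the organisation-wide
    baseline. Baseline = median user-day count; a user-day is flagged only when
    it exceeds both an absolute floor and multiplier x baseline, so a small team
    with noisy counts does not page on every busy morning (assumed tuning)."""
    counts = daily_counts(lines)
    baseline = median(counts.values())
    threshold = max(floor, multiplier * baseline)
    return sorted((day, user, n) for (day, user), n in counts.items() if n > threshold)
```

Run against the constructed log, only mallory's third day is flagged; in production the same per-user daily count would be compared against that user's own history as well as the team baseline.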

Lessons learned:

  • Always encrypt sensitive data
  • Deploy the latest patches and updates immediately
  • Engage in regular security training
  • Engage in penetration testing to identify potential vulnerabilities
  • Never compromise on cybersecurity best practices 
  • Always use unique credentials for each user and system
  • Use strong passwords 
  • Use two-factor authentication
  • Have a data breach plan ready 
  • Respond to data breaches immediately

To learn more about military-grade encryption and enterprise security best practices, request a call back now.
