When cyber-attacks go undiscovered

Delays in responding to cyber breaches can cost financially and reputationally; we explore what happens when compromises are only discovered months or even a decade after an attack.

By their very nature, cyber attacks are designed by their instigators to avoid detection, but a concerning number of large-scale and serious compromises remain unnoticed for months and even years. This raises a fundamental question: how many large organisations have already been compromised through vulnerabilities that are still open, and are completely unaware of it? It also calls into question the effectiveness of the approaches being taken to prevent, detect, and mitigate intrusions. If the cyber criminals are always one step ahead, how can businesses start to get the upper hand? And if the reputational damage of an initial cyber breach is bad enough, what is the impact when it goes undetected for months or years?

Ticketmaster cyber breach response – too little too late?

Consumers quite rightly expect their online transactions to be fully secure; they don't necessarily want to know how, they just want to know their details are safe. At the very least, should an online business fall foul of a cyber breach, they want to know it will be found and a resolution implemented immediately. This is precisely what did not happen when Ticketmaster, the global event ticket sales and distribution company, suffered a major data breach impacting 40,000 customers. Personal data was breached between September 2017 and June 2018, but the first some customers knew that their data might be in the hands of unknown cyber criminals was when they received replacement payment cards from the NatWest and RBS banks around nine months later. Even more concerning, it was a new bank, Monzo, that alerted Ticketmaster that its systems had been compromised, after Monzo detected an unusual pattern of behaviour as part of its fraud detection process.

According to reports, the breach was carried out using 'digital skimming' methods developed by 'Magecart', a hacking group[1] whose speciality is skimming credit card details from unsecured payment forms on websites using malware. In this case it is believed the offending script code was 'seeded' into software from third-party developer Inbenta Technologies[2]. It is important to understand that Ticketmaster may not have been directly hit by cyber criminals; Ticketmaster and its clients were impacted because Inbenta Technologies itself had been compromised. It is believed the hackers replaced or modified JavaScript code used by the third-party software. In its defence, Inbenta stated that Ticketmaster had failed to implement the third-party software correctly. Who was to blame is of no concern to users of the Ticketmaster website; the lack of a timely response left tens of thousands of customers' personal data exposed.

Collection #1 – the price of delayed action?

Some of the impacts of cyber breaches, such as those to Morrisons, BA, and Ticketmaster, may not manifest for some time. It is believed stolen card details from the major hack of BA were found for sale on the 'dark web' weeks after the attack[3]. And in the past week, the largest ever repository of stolen personal data has come to light. Known as 'Collection #1', the data consists of 770m email addresses and passwords that were posted to a popular hacking forum in December 2018[4]. The 87GB data dump was discovered by security researcher Troy Hunt, who believes the stolen data is most likely "made up of many different individual data breaches from literally thousands of different sources".

This raises the question of how much illegally gathered data came from sources where businesses failed to respond to cyber hacks, leaving the door open for further data theft. As in the case of Ticketmaster, it stands to reason that the longer a vulnerability remains exposed, the more client data can be stolen and ultimately resold. The nature of the Ticketmaster attack means the hackers were not stealing data already held in a database, but rather capturing it at the point of the payment transaction, meaning the rogue code needed to remain in place to gather large amounts of personal information. This highlights how important it is for organisations to implement technologies that detect and avert breaches in real time.

Yale University data breach only realised ten years later

The prize for the most delayed response to a cyber data breach may yet be awarded to Yale University. In 2008 and 2009, a university database was hacked with the loss of thousands of names, social security numbers and, in some cases, dates of birth, email and physical addresses. It wasn't until 2018, during a security review of the university's IT hardware, that the breach was uncovered. While those affected were informed, a class action exceeding £5m has been filed by 100 of those individuals on the basis that the university had failed to comply with privacy regulations[5]. The impact of the breach was all the greater because the university had retained data from individuals who had applied for courses ten or more years earlier, long past the point at which the data was required. In the EU, the GDPR has specific provisions to avoid this type of occurrence: Art.5(1)(e) states personal data held by organisations must be stored "no longer than is necessary for the purposes for which the personal data are processed".

In conclusion

Too many large-scale cyber breaches are not being detected and actioned in a timely manner, risking crippling reputational damage to the affected organisation. As cyber-attacks become increasingly prevalent and harmful, businesses will be forced to compete with others who are investing in cyber security technology to detect hacks in real time and mitigate them. Solutions that provide real-time detection using artificial intelligence to flag unusual activity, login attacks, cheating, DDoS attacks, or any other type of cyber-attack are now becoming widely accessible. The sheer volume of technology now available to guard against, detect, and mitigate cyber threats can be overwhelming. Engaging the services of cyber security specialists allows those in positions of corporate responsibility to focus on the operation of their business, knowing that their data, and that of their clients, is protected from cyber criminals and that, should an attack happen, it will be detected and actioned immediately.

Lineal is a global leader in providing eDiscovery, Cyber Security and Digital Forensic expertise and support.  To find out how Lineal can help your organisation with Cyber Security, please call us on +44 (0)20 7940 4799 or email info@lineal.com.

[1] https://www.computerworlduk.com/security/magecart-who-what-is-behind-british-airways-attack-3683768/

[2] https://www.infosecurity-magazine.com/news/uk-banks-new-cards-after

[3] https://www.theweek.co.uk/96327/british-airways-data-breach-how-to-check-if-you-re-affected

[4] https://www.theguardian.com/technology/2019/jan/17/breached-data-largest-collection-ever-seen-email-password-hacking

[5] https://yaledailynews.com/blog/2018/08/31/yale-faces-lawsuit-for-data-breach/