In another incident, Tumblr had 65 million records compromised in May. The data is being sold on a Tor dark market website called TheRealDeal by a user named peace_of_mind who also sold 167 million user records stolen from LinkedIn.
In June, peer-to-peer service iMesh had 51 million records compromised. The breach is said to date back to September 2013. The records were later found for sale on the dark web.
The Commission on Elections in the Philippines had 54.3 million records compromised in April. It was reported that millions of fingerprint records were taken from the site and reposted. A local hacker was eventually apprehended in Manila a few days later; he was thought to be the leader of a hacking network.
In June, VerticalScope had 45 million records compromised. A hacker stole member information from its message forums. According to Network World’s Howard Wen: “This haul contained usernames, passwords and IP addresses -- the passwords had weak encryption. And many of these forums were running an old version of software with known security vulnerabilities that hackers can easily breach by using attack tools.”
Key lessons learned
Combat brute force with smarts. Credentials were the second most compromised data type and third most common attack vector reported by North American and European security pros who suffered a breach in 2016. Here are some tips from Forrester:
Establish login limits and provide customers with the option of two-factor authentication to prevent credential theft and the resulting fraud. Also, request that customers change their passwords regularly. The business may balk at requiring customers to reset their passwords, but a notification suggesting that they do so will demonstrate your firm’s diligence in protecting them.
Classify credentials and act accordingly. Customer activity levels should inform a firm’s approach to securing credentials. First, determine the frequency of activity that constitutes active versus inactive customers to your firm. That threshold will depend upon both business and regulatory requirements. Next, abstract active customers’ credentials via encryption, tokenization, masking, or other obfuscation techniques to make them less valuable to cybercriminals. Lastly, destroy inactive customers’ information. Their passwords and security questions have zero business value, so purge that data — you can request new security information from those customers when they return.
Protect your brand, not just your network. A secure network does not ensure immunity from external security threats. Risk professionals need to consider the brand implications of all security events, not just breaches. A resilient brand depends on customer trust in a particular experience and product and on systems integrity, and risk pros should evaluate their brand’s oversight, processes, technology, and people with that in mind.
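As an added example, not code from the article or from Forrester, the following Python shows the login limit from the first tip and the active/inactive credential classification and purge from the second. The attempt limit, lockout window and inactivity threshold are assumed values, and password verification is abstracted to a boolean so the logic runs offline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed policy values; a real deployment derives these from business and
# regulatory requirements, as the article notes.
MAX_FAILED_ATTEMPTS = 5                      # login limit per account
LOCKOUT_WINDOW = timedelta(minutes=15)       # sliding window for failures
INACTIVITY_THRESHOLD = timedelta(days=365)   # active vs inactive cutoff


@dataclass
class Account:
    username: str
    password_hash: Optional[str]             # None once purged
    security_answers: Dict[str, str] = field(default_factory=dict)
    last_login: Optional[datetime] = None
    failed_attempts: List[datetime] = field(default_factory=list)


def attempt_login(acct: Account, password_ok: bool, now: datetime) -> str:
    """Return 'locked', 'ok' or 'denied'. Failures inside LOCKOUT_WINDOW are
    counted; reaching MAX_FAILED_ATTEMPTS locks the account until they age out."""
    acct.failed_attempts = [t for t in acct.failed_attempts if now - t < LOCKOUT_WINDOW]
    if len(acct.failed_attempts) >= MAX_FAILED_ATTEMPTS:
        return "locked"                      # even a correct password is refused
    if acct.password_hash is None:
        return "denied"                      # purged credential: customer must re-enrol
    if password_ok:
        acct.failed_attempts.clear()
        acct.last_login = now
        return "ok"
    acct.failed_attempts.append(now)
    return "denied"


def classify(acct: Account, now: datetime) -> str:
    """Active if the customer logged in within INACTIVITY_THRESHOLD, else inactive."""
    if acct.last_login is None or now - acct.last_login > INACTIVITY_THRESHOLD:
        return "inactive"
    return "active"


def purge_inactive(accounts: List[Account], now: datetime) -> List[str]:
    """Destroy stored secrets of inactive customers; the account record itself stays."""
    purged = []
    for acct in accounts:
        if classify(acct, now) == "inactive" and acct.password_hash is not None:
            acct.password_hash = None
            acct.security_answers.clear()
            purged.append(acct.username)
    return purged
```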