Capital One, CafePress, Suprema data breaches and their root causes
Oct 15, 2019 • Ioana Rijnetu
In this article, we discuss some of the most recent data breaches, what their root causes were, and how to better secure your most valuable personal information and other digital assets.
In a time when personal information is more and more valuable, we keep hearing about the sheer scale of data breaches and the impact they have on everyone. No company or home user is immune to data breaches. Everyone and everything seems to be on the radar of hackers seeking to get their hands on data.
To put things into context, we looked at data breach statistics and analyzed three recent breaches to understand why they keep happening.
- Data breaches: key statistics and numbers
- Capital One, CafePress and Suprema root causes
- Essential security measures for companies and home users to apply
Data breaches rank as the fourth biggest global risk, alongside climate change and natural disasters, according to a report from the World Economic Forum. They expose home users’ sensitive information worldwide, and the affected companies suffer brand reputation damage and huge financial losses.
The impact of data breaches is best seen in numbers, so we reviewed some key statistics that should be alarming enough to prompt action and a more proactive stance:
The first six months of 2019 saw 3,813 data breaches, exposing over 4.1 billion records; the number of breaches is up 54% compared to the same period of 2018. (2019 RiskBased Security Data Breach Report)
Almost half of the data breaches (43%) impacted small businesses and 33% were linked to social engineering attacks (2019 Verizon’s Data Breach Investigations Report)
The cost of data breaches will reach $2.1 trillion globally by 2019 (Juniper Research)
More than one out of four (27%) organizations suffered a data breach caused by unpatched vulnerabilities (2019 Verizon’s Data Breach Investigations Report)
70% of US healthcare organizations have experienced a data breach at some point in the past. (2019 Thales Data Threat Report)
27% of data breaches are caused by human error. (2018 IBM Cost of a Data Breach Study)
If you want to read other interesting data breaches stats and numbers, and also tackle the real implications of these threats, we recommend checking out this list.
Looking at these staggering stats, 2019 is set to be a landmark year for data breaches, which continue to skyrocket and leak users’ most valuable data. The question is no longer when the next breach will happen, but how we can better prevent it.
Here’s a quick rundown of the most relevant security breaches that happened so far in 2019, and their root causes.
Capital One data breach
One of the largest US financial institutions disclosed a massive data breach in July 2019 (the intrusion itself dated back to March 2019), and it is considered one of the biggest hacks in history.
Number of affected customers: Approximately 100 million individuals in the US and 6 million in Canada were impacted. According to the company’s official statement, about 140,000 Social Security numbers of credit card customers and about 80,000 linked bank account numbers were exposed. In addition, around 1 million Social Insurance Numbers of Canadian customers were compromised in this incident.
What happened: Paige Thompson, a former Amazon Web Services engineer (AWS hosted the Capital One data), was arrested and later indicted; she is accused of stealing “multiple terabytes of data” from more than 30 companies, institutions, and other entities.
According to the FBI complaint, Capital One learned about the breach from an outside tipster who emailed the company’s responsible disclosure address, alerting it that some of the bank’s data had been leaked and posted on a GitHub page.
The root cause was not, as widely reported at the time, a misconfigured public S3 bucket: the buckets themselves were not public. As the court filing and the analyses linked below describe it, a misconfigured web application firewall (WAF) running on an EC2 instance in Capital One’s AWS environment could be tricked into making requests on the attacker’s behalf, including to the EC2 instance metadata service, which hands out temporary credentials for the IAM role attached to the instance. That role, in turn, was allowed to list and read the S3 buckets holding customer data.
The FBI stated in the court papers that Ms. Thompson ran three commands for this hack:
- one that obtained the security credentials of the WAF’s IAM role (the account the filing calls *****-WAF-Role),
- one that listed the contents of the buckets that role could reach, and
- one that synced the data out of those buckets.
The technique that made this possible is a well-known one: Server-Side Request Forgery (SSRF), in which the attacker makes a server issue requests to internal resources that only the server can reach, here the instance metadata endpoint at 169.254.169.254, which trusts any request coming from the instance. For more in-depth technical details, you can read two analyses here and here.
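To make the SSRF mechanism concrete, here is an added Python example (not code from the original article, and not Capital One’s or AWS’s WAF): a server-side URL fetcher as such code is often written, followed by a hardened version that resolves the hostname first, rejects link-local, loopback and private destinations, and then connects to the address it checked. DNS and HTTP are simulated so the example runs offline; the hostname metadata.attacker.example, the IP ranges and the placeholder credentials are constructed for the demo.

```python
import ipaddress
from urllib.parse import urlparse


class SSRFBlocked(Exception):
    """Raised when a server-side fetch would reach an internal address."""


# Ranges a server-side fetcher must never contact. 169.254.0.0/16 covers the
# EC2 instance metadata service (169.254.169.254), the target in the Capital
# One breach; the others are loopback, RFC 1918 and their IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
    "::ffff:0:0/96",
)]

# Constructed stand-ins for DNS and HTTP so the example runs offline.
# "metadata.attacker.example" is a hypothetical attacker-controlled name that
# resolves to the metadata address: it defeats filters that only compare the
# hostname string against "169.254.169.254".
FAKE_DNS = {
    "images.example.com": ["203.0.113.10"],
    "metadata.attacker.example": ["169.254.169.254"],
}
CREDENTIALS_PATH = "/latest/meta-data/iam/security-credentials/"


def fake_resolve(host):
    try:
        ipaddress.ip_address(host)
        return [host]  # literal IP address, no lookup needed
    except ValueError:
        return FAKE_DNS.get(host, [])


def fake_http_get(ip, path):
    if ip == "169.254.169.254" and path.startswith(CREDENTIALS_PATH):
        # Shape of the real metadata response: temporary credentials for the
        # instance's IAM role. Values here are placeholders.
        return '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"example","Token":"example"}'
    return "200 OK from %s%s" % (ip, path)


def is_blocked_ip(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in BLOCKED_NETWORKS)


def fetch_vulnerable(url, resolve=fake_resolve, http_get=fake_http_get):
    """Fetches whatever the client asked for: the behaviour that let the
    attacker make the WAF host request its own role credentials."""
    parsed = urlparse(url)
    return http_get(resolve(parsed.hostname)[0], parsed.path or "/")


def check_url(url, resolve=fake_resolve):
    """Validate a client-supplied URL; return the vetted IP to connect to."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise SSRFBlocked("only http(s) URLs with a hostname are allowed")
    ips = resolve(parsed.hostname)
    if not ips:
        raise SSRFBlocked("%s does not resolve" % parsed.hostname)
    for ip in ips:  # check every A/AAAA record, not just the first
        if is_blocked_ip(ip):
            raise SSRFBlocked("%s resolves to blocked address %s" % (parsed.hostname, ip))
    return ips[0]


def fetch_hardened(url, resolve=fake_resolve, http_get=fake_http_get):
    """Same fetch, but resolve and validate first, then connect to the
    validated IP instead of re-resolving the name (defeats DNS rebinding)."""
    ip = check_url(url, resolve)
    return http_get(ip, urlparse(url).path or "/")


def is_blocked_url(url, resolve=fake_resolve):
    try:
        check_url(url, resolve)
    except SSRFBlocked:
        return True
    return False


if __name__ == "__main__":
    target = "http://169.254.169.254" + CREDENTIALS_PATH
    print("vulnerable fetch returns:", fetch_vulnerable(target))
    print("hardened blocks literal IP:", is_blocked_url(target))
    print("hardened blocks DNS trick:", is_blocked_url("http://metadata.attacker.example" + CREDENTIALS_PATH))
    print("hardened allows:", fetch_hardened("http://images.example.com/logo.png"))
```

In production the HTTP client must actually connect to the vetted IP (sending the original name in the Host header) and must re-run the check on every redirect, which this example omits; a denylist of ranges is also weaker than an allowlist of destinations the feature genuinely needs.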
Lesson learned: Capital One said it “immediately fixed the configuration vulnerability”, but this breach teaches more than one lesson: review firewall and WAF configurations periodically and test them against SSRF; give instance roles only the permissions their workload needs (a WAF has no business listing or syncing S3 buckets); and alert when an instance role’s credentials are used from addresses outside your own infrastructure, which is exactly what happened here once the stolen credentials were used from the attacker’s machines.
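As an added example of the monitoring side of that lesson (not from the original article, and not Capital One’s or AWS’s tooling), here is a small detector run over CloudTrail-style records. The events, account id, role name, bucket names and address ranges are constructed. It flags the pattern seen in this breach: an EC2 instance role’s session used from outside the organization’s own egress range, S3 actions that role has no business performing, and a burst of GetObject calls that looks like a sync.

```python
import ipaddress
import json
from collections import Counter

# Constructed baseline; a real deployment derives these from its own inventory.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical NAT egress range
EXPECTED_S3_ACTIONS = {"WAF-Role": set()}  # a WAF role has no reason to call S3 at all
BULK_THRESHOLD = 3  # GetObject calls by one session before we call it a bulk copy

# Identities used in the constructed records (account id and ARNs are invented).
WAF_SESSION = {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/WAF-Role/i-0abc123def456",
    "sessionContext": {"sessionIssuer": {"userName": "WAF-Role"}},
}
ANALYST = {"type": "IAMUser",
           "arn": "arn:aws:iam::123456789012:user/analyst", "userName": "analyst"}


def _record(time, source, name, ip, identity, params=None):
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip, "userIdentity": identity}
    if params:
        rec["requestParameters"] = params
    return json.dumps(rec)


# Constructed CloudTrail-style records, one JSON document per line.
SAMPLE_EVENTS = [
    _record("2019-03-22T09:58:10Z", "ec2.amazonaws.com", "DescribeInstances",
            "203.0.113.10", WAF_SESSION),  # normal: role used from the instance itself
    _record("2019-03-22T10:00:01Z", "s3.amazonaws.com", "ListBuckets",
            "198.51.100.77", WAF_SESSION),  # stolen credentials, used from outside
    _record("2019-03-22T10:00:05Z", "s3.amazonaws.com", "GetObject", "198.51.100.77",
            WAF_SESSION, {"bucketName": "cc-applications", "key": "part-0001"}),
    _record("2019-03-22T10:00:06Z", "s3.amazonaws.com", "GetObject", "198.51.100.77",
            WAF_SESSION, {"bucketName": "cc-applications", "key": "part-0002"}),
    _record("2019-03-22T10:00:07Z", "s3.amazonaws.com", "GetObject", "198.51.100.77",
            WAF_SESSION, {"bucketName": "cc-applications", "key": "part-0003"}),
    _record("2019-03-22T10:05:00Z", "s3.amazonaws.com", "GetObject", "203.0.113.12",
            ANALYST, {"bucketName": "reports", "key": "q1.csv"}),  # normal human use
]


def is_trusted(ip, trusted_nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # AWS service principals log a DNS name here, not an IP
    return any(addr in net for net in trusted_nets)


def detect(raw_events, trusted_nets=TRUSTED_NETS,
           expected=EXPECTED_S3_ACTIONS, bulk=BULK_THRESHOLD):
    """Return a list of findings; each is a tuple starting with the rule name."""
    findings = []
    gets = Counter()
    for line in raw_events:
        ev = json.loads(line)
        ident = ev["userIdentity"]
        # EC2 instance profiles produce assumed-role sessions named after the
        # instance id, so the session name tells us these are instance creds.
        session = ident["arn"].rsplit("/", 1)[-1] if ident["type"] == "AssumedRole" else ""
        role = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
        ip, action = ev["sourceIPAddress"], ev["eventName"]
        if session.startswith("i-") and not is_trusted(ip, trusted_nets):
            findings.append(("instance-role-offbox", role, ip, action))
        if ev["eventSource"] == "s3.amazonaws.com" and role in expected \
                and action not in expected[role]:
            findings.append(("unexpected-s3-action", role, ip, action))
        if action == "GetObject":
            gets[ident["arn"]] += 1
    for arn, n in gets.items():
        if n >= bulk:
            findings.append(("bulk-download", arn, n))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

The first two rules need no volume at all: a single ListBuckets from an instance role, from an address you do not own, is already worth a page. Note that S3 object-level events (GetObject) only appear in CloudTrail if data events are enabled for the bucket, so the bulk-download rule depends on that being switched on beforehand.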
CafePress data breach
CafePress, a well-known T-shirt and merchandise website, was another breach victim: it was hacked in February 2019, but the incident only became public in August 2019.
Number of affected customers: The attackers accessed the personal details of more than 23 million customers; some records also included names, physical addresses, and phone numbers. You can use the “Have I been pwned?” breach tracker to check whether your email address appears in this breach.
New breach: CafePress had 23M unique email addresses breached in February. Some records also contained names, physical addresses and phone numbers. 77% were already in @haveibeenpwned https://t.co/hv1u9SEsMR— Have I Been Pwned (@haveibeenpwned) August 5, 2019
What happened: Customers first learned about this breach through email notifications from Have I Been Pwned (HIBP), not from CafePress. Separately, We Leak Info also alerted them about it.
After news of the CafePress data breach started circulating, Troy Hunt, the owner of HIBP, contacted security researcher Jim Scott, who had helped him before, to investigate. Jim Scott commented that:
“Out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA1, which is a very weak encryption method to use especially in 2019 when better alternatives are available”.
The same researcher noted that these passwords are base64-encoded tokens, not the user-chosen passwords. (A note on terms: base64 SHA-1 is a hash, not encryption; the weakness is that it is unsalted and fast, so a stolen table can be cracked against a wordlist in seconds.)
Research by BleepingComputer showed that a “dehashed CafePress database of approximately 493,000 accounts was being sold on hacker forums”, but there is no evidence that it is related to this breach.
Although CafePress was hacked in February 2019, it issued no formal disclosure or notification email mentioning the security incident at the time.
Initially, customers were only told about a password policy update and instructed to reset their passwords. Almost two months later, the company admitted that “an unidentified third party accessed a CafePress database and customer data”.
Lesson learned: This is a reminder of how much password hygiene matters on both sides. Companies must store passwords only as salted, slow hashes (bcrypt, scrypt, Argon2 or PBKDF2), so that a stolen database does not hand over the passwords themselves, and must notify affected users promptly rather than disguising a breach as a policy update.
As a user, use a strong and unique password for every account, and consider a password manager that keeps them encrypted, so that one site’s weak hashing does not expose your other accounts.
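Added example (not from the article, and not CafePress’s code) showing why unsalted base64 SHA-1 is nearly as good as plaintext against a dictionary, and what corrected storage looks like using PBKDF2-HMAC-SHA256 from Python’s standard library. The wordlist, user records and iteration count are constructed; the same point applies to the plaintext BioStar 2 passwords discussed under Suprema below.

```python
import base64
import hashlib
import hmac
import os

# Constructed wordlist and user records; nothing here is CafePress data.
WORDLIST = ["123456", "password", "qwerty", "abcd1234", "letmein", "dragon"]
USERS = {"alice": "abcd1234", "bob": "correct horse battery staple"}


def legacy_hash(password):
    """base64(SHA-1(password)): no salt, a single fast round. This is the
    format the breached CafePress records used; it is a hash, not encryption."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def crack_legacy(stored, wordlist):
    """With no salt, one pass over the wordlist cracks every user at once:
    precompute each candidate's hash, then each stored value is one lookup."""
    table = {legacy_hash(word): word for word in wordlist}
    return {user: table.get(digest) for user, digest in stored.items()}


# Assumed work factor: tune it so one hash costs ~100 ms on your own hardware.
ITERATIONS = 100_000


def hash_password(password, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing storage format."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password, stored):
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iterations))
    # Constant-time comparison: don't leak how many leading bytes matched.
    return hmac.compare_digest(candidate, base64.b64decode(dk_b64))


def crack_pbkdf2(stored, wordlist):
    """The attacker now pays `iterations` hash rounds per candidate per user,
    and cannot share work between users because every salt is different."""
    result = {}
    for user, digest in stored.items():
        result[user] = next((w for w in wordlist if verify_password(w, digest)), None)
    return result


if __name__ == "__main__":
    legacy = {u: legacy_hash(p) for u, p in USERS.items()}
    print("legacy storage cracked:", crack_legacy(legacy, WORDLIST))
    modern = {u: hash_password(p) for u, p in USERS.items()}
    print("pbkdf2 storage cracked:", crack_pbkdf2(modern, WORDLIST))
```

Both cracking functions recover alice’s “abcd1234”, because a weak password stays weak; the difference is cost. The legacy table needs one SHA-1 per wordlist entry for the whole user base, while the PBKDF2 attack needs users × wordlist × iterations rounds, which is what turns a one-second job into an infeasible one at real wordlist sizes. PBKDF2 is used here only because it ships with the standard library; bcrypt, scrypt or Argon2id are the better choices when a library is available.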
Suprema data breach
Suprema, a leading biometric and security technology provider, saw its web-based biometric access control and smart lock platform, BioStar 2, found exposed by security researchers in early August 2019.
Number of affected customers: According to vpnMentor’s research team, they had access to over 27.8 million records and 23 GB of data, including admin panels and dashboards, over 1 million fingerprint records, facial recognition data (face photos of users), unencrypted usernames and passwords, facility access logs, security levels and clearances, and personal details of staff.
The breach affected users and organizations worldwide, including the USA, UK, Germany, and other countries.
What happened: Two Israeli security researchers, Noam Rotem and Ran Locar, discovered the database during a web-mapping project in which they port-scan known IP blocks and examine the exposed services for security holes that could lead to data breaches.
The root cause was a database reachable from the internet without authentication, holding mostly unencrypted user data. Many of the accounts in it had simple, easy-to-guess passwords such as “Password” or “abcd1234”, which would let malicious hackers take over those accounts. The exposure of facial recognition and fingerprint data is worse still: once stolen, the damage is permanent.
Unlike passwords, biometrics can’t be changed to regain the security lost after a breach. The database stored users’ actual fingerprints rather than protected templates. One caveat to the “just hash it” advice: a biometric can’t be protected with an ordinary salted hash the way a password can, because matching is fuzzy (two scans of the same finger never produce identical bytes). The accepted approach is to store only irreversible or cancelable templates, encrypt them at rest with keys held outside the database, and keep that database off the internet entirely.
Even users who did create strong, complex passwords were exposed: the researchers could read them across the BioStar 2 database because they were stored in plaintext instead of being securely hashed.
What is concerning about this breach is its size and reach. The platform is popular and widely used, with over 1.5 million installations worldwide, all of which could potentially be affected by this leak.
Lesson learned: Companies must enforce proper access rules on their databases, keep them off the public internet, and secure the servers as well as possible. Biometric data needs stronger handling than passwords: never store raw fingerprints or face images; store irreversible templates, encrypted at rest, so that whatever a hacker copies cannot be replayed.
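One check a practitioner will want after reading this is whether any of their own data stores listen on all interfaces of an internet-reachable host, which is how a database ends up in a port scan. Added Python example (not from the article, and not vpnMentor’s or Suprema’s tooling) that parses the output of `ss -Hltnp` on Linux and reports data-store ports bound to every address. The sample output is constructed, not taken from any real BioStar 2 server, and the port-to-service table is an assumption to adapt to your own stack.

```python
import re

# Ports of common data stores that must not listen on every interface of an
# internet-facing host. Constructed policy table: extend it for your own stack.
DATA_STORE_PORTS = {
    1433: "MSSQL", 3306: "MySQL/MariaDB", 5432: "PostgreSQL", 6379: "Redis",
    9200: "Elasticsearch", 11211: "memcached", 27017: "MongoDB",
}
# How `ss` renders "listening on all addresses" for IPv4, dual-stack and IPv6.
ALL_INTERFACES = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -Hltnp` output (Linux; -H drops the header row).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      4096               *:9200            *:*    users:(("java",pid=1201,fd=219))
LISTEN 0      511        127.0.0.1:6379      0.0.0.0:*    users:(("redis-server",pid=930,fd=6))
LISTEN 0      4096            [::]:27017        [::]:*    users:(("mongod",pid=1010,fd=11))
LISTEN 0      244        127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=1100,fd=5))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1300,fd=7))
"""


def parse_ss(text):
    """Return (bind_address, port, process_name) for every LISTEN row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips a header row or blank lines if present
        addr, port = fields[3].rsplit(":", 1)  # rsplit: IPv6 addresses contain colons
        match = re.search(r'\("([^"]+)"', line)
        rows.append((addr, int(port), match.group(1) if match else "?"))
    return rows


def exposed_data_stores(text, allowed_ports=()):
    """Data-store listeners bound to all interfaces, minus an explicit allowlist."""
    findings = []
    for addr, port, proc in parse_ss(text):
        if port in DATA_STORE_PORTS and addr in ALL_INTERFACES and port not in allowed_ports:
            findings.append((port, DATA_STORE_PORTS[port], addr, proc))
    return findings


if __name__ == "__main__":
    import subprocess
    import sys
    # With --live, audit this host (Linux with iproute2); otherwise use the sample.
    text = SAMPLE_SS_OUTPUT
    if "--live" in sys.argv:
        text = subprocess.run(["ss", "-Hltnp"], capture_output=True, text=True).stdout
    for port, name, addr, proc in exposed_data_stores(text):
        print("EXPOSED %s (port %d) bound to %s by %s" % (name, port, addr, proc))
```

In the sample, Redis and PostgreSQL are bound to loopback and pass; Elasticsearch and MongoDB listen on every interface and are reported. A bind address is not the whole story, since a security group or host firewall may still block the port, so treat a finding as something to verify from outside with a port scan, exactly as the researchers did.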
While it is difficult to foresee when data breaches will happen, we can always take mitigation actions to prevent becoming the next victims.
To minimize the risk of breaches and strengthen data security, we recommend that home users go through this protection checklist:
Verify your banking account and other financial details, including credit information, frequently. If you notice any suspicious activity on your personal cards, contact your bank as soon as possible.
Use strong and unique passwords and add extra layers of security like two-factor authentication or password management tools to secure your online accounts.
Make sure you apply the latest patches available for your apps and software programs to close the security holes exploited by malicious actors.
Foster a cybersecurity first mindset and educate yourself about the basic security measures.
Lessons learned during a breach (directly from a CISO that experienced a breach):
1. Don't deploy technology without business context. Technology on a network with no business context will only indict you in a breach.
2. Drive your program from external industry experts 1/
— Jake Williams (@MalwareJake) June 27, 2019
Companies are advised to take some basic security precautions to avoid becoming an easy target:
Implement and prioritize cybersecurity training for team members, so they can help avoid breaches and know what to do when one occurs.
Keep internal audit logging in place and review system operations continuously, for a better security posture and to detect potential breaches early.
Have cyber hygiene processes in place that limit the damage to customers if a breach does happen.
Maintain clear and transparent internal communication between departments, and inform customers about a data breach in a timely manner.
Use strong protection measures for your servers, networks, and other assets, and expose nothing to the internet that does not need to be there.
Encrypt sensitive customer data at rest, and store passwords only as salted, slow hashes, never in plaintext or as unsalted SHA-1.
Tomorrow we’ll probably read about another data breach exposing millions of personal records. And it will not be the last one. What we can do, as consumers and organizations alike, is to be proactive and implement basic security measures to better protect our valuable data.