Data breach attack surfaces to expand in 2019


When it comes to gauging the newsworthiness of a story, there’s an old adage in journalism that reporters should ask themselves whether or not the story is of the “dog bites man” or “man bites dog” variety. The premise is a relatively simple one: a minor dog bite is a fairly common occurrence that doesn’t warrant a lot of coverage, while someone biting a dog is an out-of-the-ordinary event that should garner media attention.

It’s unfortunate to say, but we’ve almost reached “dog bites man” status with data breaches given how pervasive they’ve become in our increasingly connected world with only the most prolific garnering headlines. Over the past several weeks alone, there have been large-scale breaches reported by Atrium Health (over two million patient records), Marriott (information on 500 million customers) and Quora (100 million users affected). While there has been the typical hue and cry from consumer advocates, lawmakers and others about the need for better data privacy controls to mitigate the damage of these incidents, they will most likely be forgotten in a matter of weeks and little will change.

But as bad as these and other recent breaches have been, things are likely to get worse before they get better. In fact, according to Experian’s 2019 Data Breach Industry Forecast, cyber criminals are expected to double down on their efforts to compromise sensitive information and will likely use several different threat vectors to do so.

Experian’s 2019 data breach predictions include:
1. Attackers will zero in on biometric hacking and expose vulnerabilities in touch ID sensors, facial recognition and passcodes.
2. Next generation skimming will be used to carry out an enterprise-wide attack on the national network of a major financial institution.
3. A major wireless carrier will be attacked with a simultaneous effect on both iPhones and Android, stealing personal information from millions of consumers and possibly disabling all wireless communications in the United States.
4. A top cloud vendor will suffer a breach, compromising the sensitive information of hundreds of Fortune 1000 companies.
5. The online gaming community will be an emerging hacker surface, with cyber criminals posing as gamers and gaining access to the computers and personal data of trusting players.

Although each of these different scenarios would be a potential game-changer for cybersecurity moving forward, Michael Bruemmer, VP of Experian Data Breach Resolution, believes one of the predictions that is most likely to come true over the next year is a large-scale skimming attack given that it has already occurred in several instances, including the recent British Airways and Ticketmaster breaches.

“Because there are so many credit cards out there in the system, let alone ATMs – there are about 400,000 ATMs and about 624 million credit cards in the U.S. – combined with about 30 million people per day using pay at the pump transactions there are bound to be, with that much activity and that much at stake, a real likelihood that it is going to continue and expand,” Bruemmer says.

The other prediction that Bruemmer believes has a real likelihood of occurring is the breach of a top cloud vendor. In fact, Bruemmer says the breaches suffered by Uber, Time Warner and Accenture were all attributed to misconfigurations of cloud database settings.

“Given the amount of data in the cloud – it’s estimated to be about 1,450 exabytes – cloud vendors are the Fort Knox of data and I believe they are going to continue to be a focus of hackers well beyond simple misconfigurations,” he says.

Biometrics Not Foolproof
As bad as these two scenarios above are, Bruemmer says what would keep him awake at night as a cybersecurity professional is the potential of hackers to compromise biometrics given their pervasiveness. “With biometrics embedded in so many things – from airports, your place of employment with time and attendance recording, law enforcement with fingerprints, access to your phone and computer, and your banking account with voice – it’s all over and it only takes a little bit of spoofing or lack of a secondary authentication to get around biometrics and you have access to a whole bunch of things,” he says.

Inadequate Employee Training/Knowledge Sharing
While most organizations list cybersecurity as a top priority, Bruemmer says many companies still have a ways to go when it comes to bolstering their cybersecurity posture. One of the basic but often overlooked aspects of cybersecurity, according to Bruemmer, is training. In speaking with a vendor that provides cybersecurity training focused on mitigating the impact of email phishing, Bruemmer said they found that about 20 percent of employees who took part in an anti-phishing training class in the morning still opened a malicious link embedded in a phishing email or inappropriately opened a bogus email later that same afternoon.

Bruemmer also believes that there aren’t enough post-breach learnings shared among organizations that suffer cyberattacks. “When a major corporation has a breach, we always encourage our clients when we’re finished responding or helping them respond to a security event, we want to sit down and say, ‘What went well? What didn’t go well? And what did we learn from the experience?’ While a lot of companies will do that with us individually, they don’t share those best practices with other companies because they either think there are competitors out there, there are trade secrets and they don’t want to give an advantage to someone or they don’t want the embarrassment of telling people what really happened in a breach,” Bruemmer says.