Your personal information has had a tough start to 2019, with data breaches reported at Facebook, Toyota, Georgia Institute of Technology, and Earls Enterprises, parent company of Planet Hollywood.
In what is quickly becoming a familiar tale, personal information of millions of users — or over half a billion, in the latest Facebook security gaffe — is taken from companies, businesses that people trust.
The latest round of bad news began in late-March, when Toyota announced through its Japanese newsroom that hackers gained "unauthorized access to the network," which led to customer data belonging to eight subsidiaries across Japan being stolen. The subsidiaries include Lexus, the luxury car making division of Toyota.
Toyota says up to 3.1 million "items of customer information may have been leaked outside the company," but said this does not include credit card information.
What's especially interesting is that this is far from an isolated incident for Toyota. A day later, the car maker's Vietnam and Thailand subsidiaries made separate statement to say they too had been victim of suspected cyber attacks. These all come after Toyota Australia said in February it too had been the victim of an attempted cyber attack, although in this case no data was successfully stolen.
Despite the scale and apparent seriousness of such hacking attempts, consumers generally do not feel threatened by such cyber attacks, even on companies they deal with and which hold their personal and financial information. After all, it is widely understood that victims of cyberattacks who are unfortunate enough to lose money via their credit card details being stolen, can report the crime and in most cases have their funds quickly returned.
This disinterested is echoed by a stock market which mostly understands that companies quickly recover from cyber attacks, security gaffes, and the negative PR they create — just look at Facebook's share price, which hit heavy turbulence in the wake of the Cambridge Analytica scandal in early-2018, but has now almost recovered to its pre-scandal level. It even spiked to a record-high in the summer, before tumbling some more, then bouncing back again in early 2019.
When it comes to the damage caused by cyber crime and the irresponsible use of customer data, Wall Street has a short memory and is quick to forgive.
This is reflected by a research paper, Cyber Attacks and Stock Market Activity, published in June 2018 by Daniele Bianchi of the University of Warwick, UK, and Onur Kemal Tosun, of Cardiff Business School, UK. Studying how financial markets react to unexpected corporate security breaches in the short- and long-term, the pair wrote: "Interestingly...for target firms both CEO total pay and incentive pay tend to increase several years after a security breach compared to control firms."
The paper also discovered that, because a victim of cyber attack invests to prevent future breaches, there is no evidence of an uptick in staff being fired after an attack, and "there is no significant effect of hacking on firms' operating performance in the long-term."
The next victim to come clean about being the victim of a cyber attack was Earl Enterprises, parent company of the Planet Hollywood, Buca di Beppo and Earl of Sandwich restaurant chains. In this case, point-of-sale malware was used to take credit card details as customers paid for their meal.
The data included customer names, plus credit card names and expiry dates, and while the company did not say how many people were affected, KrebsOnSecurity puts the figure at more than two million. This data was offered for sale online in February, and had been collected by the malware between May 2018 and March 2019 — a 10-month cyber security breach. Earl Enterprises admitted what had happened on March 29.
How to protect yourself
Again, while this sounds serious — and the security breach remained live for a worrying amount of time — there is little the consumer need worry about, and little they could have done to protect themselves from malware installed on Earl's payment system.
As cyber security Brian Krebs wrote in his reporting of the incident, it is important to keep a close eye on your credit card bills. "Cardholders are not responsible for fraudulent charges, but your bank isn't always going to detect card fraud. That's why it's important to regularly review your monthly statements and quickly report any unauthorized charges."
Of course, you could always pay with cash to avoid using the card reader entirely.
Also a bringer of bad news this month was Georgia Tech, which announced on April 2 it had discovered the personal information of up to 1.3 million people — including current and former faculty, students, staff, and student applicants - had been unlawfully accessed. The university admitted the stolen data may include names, addresses, social security numbers and birth dates.
How to protect yourself
Victims will be offered access to a credit monitoring service, the university said, to help mitigate against potential damage — such as fraud via social engineering — caused by those who accessed the personal data.
As with most data breaches of this nature, victims are left to wait and see what damage, if any, will occur. Unlike the theft of a username and password for a social network, which can be quickly changed by the victim, stolen databases of names, addresses and social security numbers can be traded on the black market (often sold anonymously for bitcoin) then used to commit further crimes at a later date.
It is therefore tricky to to protect yourself from such a breach, other than to follow basic best-practice tips like never repeating passwords, and taking steps to protect yourself — ie, keep a close eye on your online accounts and finances.
Finally, but by no means least, Facebook was once again creating headlines over irresponsible data practices. It was reported on April 3 that over 540 million Facebook records were left exposed on a publicly-accessible server.
The data was discovered on public Amazon cloud servers by researchers from IT firm UpGuard. The data included comments, likes, reactions, account names, Facebook IDs and more. A second dataset, linked to a Facebook-integrated and now defunct app called At The Pool, included Facebook user IDs, plus the users' likes, friends, photo, events, interests and plaintext password — that is, a password for At The Pool, rather than Facebook itself.
But this is not specifically the fault of Facebook alone. As cyber security expert Graham Cluley explains on his blog: "[The data] was put there by third-party apps, whose apps integrated with Facebook. In short, Facebook allowed them to have access to the data, but then the third-parties were careless with it."
Cluley added: "There are a myriad of third-parties out there grabbing information via Facebook-integrated apps, and you have no way of knowing how well they are securing your data or — in many cases — what they might have taken at all."
As UpGuard pointed out in a blog post, the public availability of that password "would put users at risk who have reused the same password across accounts."
In its criticism of Facebook's data security practises, the firm added: "The Facebook platform facilitated the collection of data about individuals and its transfer to third parties [Amazon], who became responsible for its security."
How to protect yourself
In this case, users are once again reminded to never use the same password twice, thus limiting their exposure to risk should one of their passwords be made public. You can use a password manager like LastPass or 1Password to create a unique password for everything you log into online. Managers also store them, saving you the need to remember anything apart from your one master password.
You should also consider locking down your Facebook account and restricting what apps, if any, can access your data through the social network. We wrote about this during the Cambridge Analytica scandal in 2018, but here's a reminder of what to do to stay safe:
- It's time to think seriously about your Facebook privacy settings
- How to change your Facebook password - again
- Why you should protect yourself online with a 1FA app, and how
- You need to start using a password manager - Here's how to get started
Or, as Cluley suggests, you could take the nuclear option. "If you value your privacy, the only sensible step is to quit Facebook before worse things happen."