What do Facebook, Tesla, and Chipotle have in common? If you’re scratching your head, you haven’t been paying enough attention to big business cybercrime. Over the course of the last year and a half, each of these organizations fell victim to a security breach that potentially affected tens of thousands of customers.
You may think these high-profile companies and their cybersecurity woes have nothing to do with you, but think again. Attackers don't discriminate by company size. The same techniques that worked against them will work against you unless your IT security strategy treats every entry point into your environment, from employee endpoints to cloud consoles to the devices on the shop floor, as something to lock down.
The good news is you can learn from these high-profile attacks to improve your cybersecurity framework. Read on to learn more about these attacks, how they could have been prevented, and what you can take away from them.
1. Facebook’s privacy woes
The global social network admitted its search tools were used by malicious actors to discover the identities of and collect information on most of its two billion users. This is terrible timing, considering the scrutiny Facebook came under after the world found out a political consultancy tied to the Trump campaign was snooping on user data.
This particular breach was much broader and went on for much longer than the Cambridge Analytica affair, though. It started with email addresses and phone numbers that attackers had collected from earlier breaches and bought on the dark web. They fed those identifiers into Facebook's search-by-email and search-by-phone feature to link each one to a profile and scrape the public details attached to it. The attackers also abused the account recovery flow, designed to help users who had forgotten their login credentials, to confirm which identifiers belonged to which accounts and pull further profile details.
Zuckerberg explained that basic protections were in place to stop mass searches, chiefly limits on how many lookups a single source could make, but the attackers got around them by cycling through hundreds of different IP addresses. Users could opt out of being found by email or phone number, but most people never revisit the privacy settings they accepted at signup, so the default stayed exploitable.
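The failure above is worth seeing in code: a limit keyed on source IP is cheap to defeat when the attacker has hundreds of addresses, while a limit keyed on the authenticated account doing the lookups is not. The following is an added example, not Facebook's code; the limiter, the limits (20 lookups per IP per minute, 50 per account per minute) and the simulated traffic are assumptions chosen to make the effect visible.

```python
"""Lookup-endpoint throttling: per-IP versus per-account.

Added example, not Facebook's code. Models an attacker feeding harvested
identifiers into a search-by-email/phone endpoint while rotating source IPs.
The limits, the key choices and the simulated traffic are assumptions.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window`-second span."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recent allowed events

    def allow(self, key, now):
        q = self._events[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def attacker_traffic(n_lookups=3000, n_ips=300, duration=60.0):
    """Constructed enumeration run: one logged-in account, many source IPs,
    one lookup per harvested identifier, spread evenly over `duration` seconds."""
    return [
        (i * duration / n_lookups,                          # timestamp
         f"10.{(i % n_ips) // 256}.{(i % n_ips) % 256}.1",  # rotating source IP (hypothetical)
         "attacker-account",                                # authenticated principal doing the lookups
         f"identifier-{i}")                                 # harvested email/phone being checked
        for i in range(n_lookups)
    ]


def legitimate_traffic():
    """Constructed normal user: a handful of lookups from one IP and one account."""
    return [(t, "192.0.2.8", "alice", f"friend-{t}") for t in range(5)]


def count_allowed(lookups, limiter, key_fn):
    """Replay lookups through `limiter`, keying each one with `key_fn(ip, account)`.
    Returns how many lookups the limiter would have served."""
    allowed = 0
    for ts, ip, account, _target in lookups:
        if limiter.allow(key_fn(ip, account), ts):
            allowed += 1
    return allowed


def compare_policies(lookups):
    """Serve the same traffic under a per-IP policy and a per-account policy.
    Fresh limiters on each call so results do not depend on earlier runs."""
    per_ip = SlidingWindowLimiter(limit=20, window=60.0)
    per_account = SlidingWindowLimiter(limit=50, window=60.0)
    return {
        "per_ip": count_allowed(lookups, per_ip, lambda ip, acct: ip),
        "per_account": count_allowed(lookups, per_account, lambda ip, acct: acct),
    }


if __name__ == "__main__":
    # Rotating 300 IPs keeps every address at 10 lookups per minute, under the
    # per-IP limit, so that policy serves all 3000; keying on the account caps it at 50.
    print("attacker:", compare_policies(attacker_traffic()))
    print("legitimate:", compare_policies(legitimate_traffic()))
```

The design point is to key the throttle on whatever is expensive for the attacker to rotate (the authenticated account, a device fingerprint, the target identifier being probed) rather than only on the source address, and to treat a single account probing thousands of distinct identifiers as a signal in its own right.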
The takeaway for IT pros is to keep an eye on the shadow IT in their networks. Many third parties in your environment hold data about your company or your employees: social media tools, video conferencing providers, chat features. You can't always control those vendors' security practices, but you can control your own. Read the fine print, and make sure your employees don't simply leave the default privacy settings in place.
2. Tesla’s cloudy cybersecurity
Tesla may be shooting for Mars, but it needs to get through its troubles in the cloud first. Specifically, the security firm RedLock reported that attackers gained access to Tesla's Amazon Web Services environment and used its compute resources to mine cryptocurrency. A Tesla spokesperson told Gizmodo there is "no indication" any customer data was stolen, nor was the security of its vehicles compromised. It appears the attackers wanted only the computing power of the cloud environment. Still, it is unsettling that such an innovative company could leave that door open.
RedLock's researchers found that the attackers got in through one of Tesla's internet-exposed administration consoles (a Kubernetes console) that had no password set, and credentials for the AWS environment were readable from inside it. That exposure, coupled with the rise of cryptocurrency, made the situation ideal for cyberthieves, who pointed the hijacked instances at a mining pool using the Stratum mining protocol. They stayed undetected by hiding the IP address of the mining pool server behind CloudFlare, using a non-standard port, and keeping CPU usage low, among other tactics.
RedLock CTO Gaurav Kumar told Gizmodo that public cloud hosts, such as Amazon or Google, are rarely to blame in these breaches. Instead, businesses need to do their part in preventing hackers from breaching their public cloud environment—and they often don’t. RedLock’s findings indicate that 73 percent of organizations “allow the root user account to be used to perform activities—behavior that goes against security best practices.”
“Organizations need to proactively monitor their public cloud environments for risky resource configurations, signs of account compromise, and suspicious network traffic just as they do for their on-premise environments,” Kumar said. Otherwise, your public cloud servers are also vulnerable to cryptojacking—or something even worse.
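Kumar's three signals (risky configuration, account compromise, suspicious traffic) are concrete enough to put into detection logic. The block below is an added example, not RedLock's or Tesla's code. It runs two checks over constructed records: it pulls every API call made as the root user out of CloudTrail-style JSON events (the behaviour the 73 percent figure refers to), and it flags outbound flows that look like mining-pool traffic. The field names follow the CloudTrail schema; the flow tuples, the port list and the thresholds are assumptions of this example.

```python
"""Triage of cloud audit events and flow records for the signals discussed
above: root-account activity and compute instances talking to a mining pool.
Added example with constructed CloudTrail-style records and flow summaries;
the port list and thresholds are assumptions, not a vendor's rules.
"""
import json

# Constructed CloudTrail-style JSON records (not real account data).
SAMPLE_EVENTS = [
    json.dumps({"eventTime": "2018-02-20T03:12:07Z", "eventName": "CreateAccessKey",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
                "sourceIPAddress": "198.51.100.7"}),
    json.dumps({"eventTime": "2018-02-20T03:14:41Z", "eventName": "DescribeInstances",
                "userIdentity": {"type": "IAMUser", "userName": "ops-ci"},
                "sourceIPAddress": "10.0.4.21"}),
    json.dumps({"eventTime": "2018-02-20T03:20:55Z", "eventName": "RunInstances",
                "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
                "sourceIPAddress": "198.51.100.7"}),
    json.dumps({"eventTime": "2018-02-20T03:25:10Z", "eventName": "GetObject",
                "userIdentity": {"type": "AssumedRole",
                                 "arn": "arn:aws:sts::111122223333:assumed-role/k8s-node/i-0abc"},
                "sourceIPAddress": "10.0.4.33"}),
]

# Constructed flow summaries: (src_ip, dst_ip, dst_port, duration_s, bytes_out).
SAMPLE_FLOWS = [
    ("10.0.4.33", "192.0.2.10", 443, 2, 18_000),            # ordinary short HTTPS call
    ("10.0.4.33", "192.0.2.55", 3333, 7200, 240_000),       # default Stratum pool port
    ("10.0.4.34", "198.51.100.200", 443, 10800, 410_000),   # pool hidden behind a CDN on 443
    ("10.0.4.35", "192.0.2.20", 5432, 14400, 90_000_000),   # long database session, high volume
]

# Ports commonly used by Stratum mining pools (assumption of this example;
# attackers move to other ports, so this list is only a first pass).
STRATUM_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444}
LONG_LIVED_S = 3600        # a connection open this long is unusual for API traffic...
LOW_RATE_BPS = 1024        # ...and a trickle this slow looks like pool keep-alives


def root_api_calls(event_lines):
    """Return (time, action, source IP) for every API call made as the root user.
    Root should not be used for day-to-day work, so any hit deserves a look."""
    hits = []
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("userIdentity", {}).get("type") == "Root":
            hits.append((ev["eventTime"], ev["eventName"], ev["sourceIPAddress"]))
    return hits


def suspicious_outbound(flows):
    """Flag flows that look like mining-pool traffic. Two heuristics: a known
    pool port, or a long-lived low-throughput connection (the shape Stratum
    traffic keeps even when the pool sits behind a CDN on port 443)."""
    alerts = []
    for src, dst, port, duration, nbytes in flows:
        if port in STRATUM_PORTS:
            alerts.append((src, dst, port, "known mining-pool port"))
        elif duration >= LONG_LIVED_S and nbytes / duration < LOW_RATE_BPS:
            alerts.append((src, dst, port, "long-lived low-rate session"))
    return alerts


if __name__ == "__main__":
    for hit in root_api_calls(SAMPLE_EVENTS):
        print("ROOT USAGE:", hit)
    for alert in suspicious_outbound(SAMPLE_FLOWS):
        print("SUSPICIOUS FLOW:", alert)
```

The port list alone would have missed the Tesla case, where the pool sat behind CloudFlare on a non-standard port; the second heuristic is there because the shape of the connection (hours long, a few bytes per second) survives that kind of hiding, while the ordinary database session in the sample is long-lived but moves far too much data to match.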
3. Chipotle’s unappetizing POS security
Attackers used malware to steal customer payment card data from roughly 2,250 Chipotle restaurants over a span of about three weeks in early 2017, affecting an untold number of customers. The malware did not sit on Chipotle's back-office servers; it ran on the point of sale (POS) terminals themselves, capturing card data from the terminal as cards were swiped. These terminals are as common as any other networked device, but they are rarely treated as endpoints that need to be secured, patched and monitored.
As Curtis Franklin, Security Editor at Security Now, wrote when analyzing the breach:
Most IoT devices, including virtually all POS terminals, are assumed to have software and firmware that never changes or changes only when the vendor pushes a specific update. That assumption means that most of these terminals aren’t covered by the same sort of change-management regimen enforced on other, more general-purpose endpoints, allowing hacks to take place and go unnoticed.
POS terminals join common office hardware, like printers and copiers, in the category of devices that get hacked because they are overlooked. You can greatly reduce the risk of an attack like the one at Chipotle with basic endpoint security controls, change management that covers POS and other IoT devices, and a policy of changing default passwords. It also helps to buy machines with security features embedded in the hardware: run-time intrusion detection, automated monitoring, and built-in validation of the firmware and software they boot.
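Franklin's point about change management, and the "built-in software validation" recommended just above, come down to the same mechanism: a trusted record of what the device's software should look like, checked against what is actually there. The block below is an added example, not any POS vendor's code. It hashes a constructed firmware tree, signs the manifest with an HMAC key that lives off the device (so a baseline stored next to the terminal cannot be quietly rewritten along with the binaries), simulates the kind of change the Chipotle malware would have made, and reports the drift. The file names, contents and key are all constructed for the demo.

```python
"""Change-management baseline for POS/IoT software: hash every file on the
device, sign the manifest with a key the device does not hold, and alert on
drift. Added example, not a product's code; the sample firmware tree, the
tampering and the key are constructed inline so the demo runs offline.
"""
import hashlib
import hmac
import json
import os
import tempfile


def hash_tree(root):
    """Map each file under `root` (relative path, forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def sign_manifest(manifest, key):
    """Serialize the manifest canonically and append an HMAC-SHA256 tag."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, "sha256").hexdigest().encode()
    return payload + b"\n" + tag


def verify_manifest(blob, key):
    """Return the manifest if the tag checks out, else None."""
    payload, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, payload, "sha256").hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)


def diff_manifest(baseline, current):
    """Report files that appeared, vanished, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo(key=b"baseline-signing-key-kept-off-device"):
    """Build a constructed POS image, baseline it, tamper with it, return the drift."""
    with tempfile.TemporaryDirectory() as root:
        files = {   # constructed stand-ins for a terminal's software, not real binaries
            "bin/pos-agent": b"\x7fELF...original payment agent...",
            "lib/libcard.so": b"\x7fELF...card reader driver...",
            "etc/pos.conf": b"gateway=payments.example.net\n",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        signed = sign_manifest(hash_tree(root), key)

        # Simulated compromise: the agent binary is replaced and a library is dropped in.
        with open(os.path.join(root, "bin/pos-agent"), "wb") as f:
            f.write(b"\x7fELF...agent with card-scraping hook...")
        with open(os.path.join(root, "lib/inject.so"), "wb") as f:
            f.write(b"\x7fELF...dropped library...")

        trusted = verify_manifest(signed, key)
        if trusted is None:
            raise RuntimeError("baseline manifest failed signature check")
        return diff_manifest(trusted, hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A real deployment would run the check from a boot-time or scheduled agent, store the signing key with whoever approves changes rather than on the terminal, and treat any drift outside an approved change window as an incident; hardware-backed validation, as the paragraph above suggests, does the same comparison before the operating system is allowed to run.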
It’s easy to sit back and read about hacks happening to other businesses with a sense of detachment, but the truth is there isn’t much separating these companies from yours. All businesses and IT teams need to be aware of what hackers are up to and how to defend against them. Take these incidents as cautionary tales, and you won’t end up being the next big hack.