ICFE eNEWS #19-09 - March 4th 2019
The 5 Most Cringe-Worthy Privileged Data Breaches of 2018
By Morey J. Haber, Chief Technology Officer, Beyond Trust
Originally published on
Privileged attack vectors and stolen personally identifiable
information (PII) have been a constantly paired news item
throughout 2018. In 2019, expect privileged attack vectors to
continue to reign as the number one root cause of breaches for
both consumer and business data theft.
Below, I have compiled my list of the top-5 most noteworthy
breaches for this year (so far). My ranking may be surprising to
some of the readers, and some of the incidents are not even that
high profile, but the size, duration, and type of business all
contribute to the ranking.
has acknowledged that Privileged Access Management is the top
security priority for 2018,
many organizations are still in denial about their privileged
account risks. These inadequately controlled cyber risks
frequently stem from poor identity and password management
hygiene. Organizations must learn to programmatically discover
and manage their privileged accounts, because the attack vector
is not going away anytime soon.
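As an added example (not from the article or BeyondTrust), here is what "programmatically discover privileged accounts" can look like on a Linux host: the script parses constructed /etc/passwd, /etc/group and /etc/sudoers content embedded in the file and reports every account that is root-equivalent through uid 0, membership in a root-equivalent group, or a sudo rule, flagging passwordless root grants separately. The sample users, groups and rules are fictitious, and the set of groups treated as privileged is an assumption to tune per environment.

```python
"""Discover privileged accounts from Linux identity files.

Added example, not from the article or BeyondTrust. It works on
constructed /etc/passwd, /etc/group and /etc/sudoers content embedded
below; on a real host you would read those files (sudoers needs root).
"""
import re
from collections import defaultdict

# Constructed sample data: fictitious users, no real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc_backup:x:1002:1002:Backup service:/var/backups:/bin/sh
carol:x:1003:1003:Carol:/home/carol:/bin/zsh
"""
GROUP = """\
root:x:0:
sudo:x:27:alice,svc_backup
wheel:x:10:bob
docker:x:998:carol
"""
SUDOERS = """\
Defaults env_reset
root        ALL=(ALL:ALL) ALL
%sudo       ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) NOPASSWD: ALL
carol       ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
svc_backup  ALL=(root) NOPASSWD: /usr/bin/rsync
bob         ALL=(ALL) ALL
"""

# Assumed set of groups whose membership is root-equivalent
# (docker: the socket gives root on the host).
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "admin", "docker"}
SUDO_RULE = re.compile(r"^(%?\S+)\s+(\S+)\s*=\s*(.+)$")


def parse_passwd(text):
    """Return {user: uid} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, *_rest = line.split(":")
            accounts[name] = int(uid)
    return accounts


def parse_group(text):
    """Return {group: set(members)} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, _, members = line.split(":")
            groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Return [(principal, spec)] for plain user and %group rules.

    Defaults, includes and alias definitions are skipped; the full
    sudoers grammar is out of scope for this example.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults", "@include")):
            continue
        m = SUDO_RULE.match(line)
        if m and not m.group(1).endswith("_Alias"):
            rules.append((m.group(1), m.group(3).strip()))
    return rules


def discover_privileged(passwd, group, sudoers):
    """Map each account to the sorted list of reasons it counts as privileged."""
    uids = parse_passwd(passwd)
    groups = parse_group(group)
    reasons = defaultdict(set)

    for user, uid in uids.items():  # uid 0 is root whatever the name says
        if uid == 0:
            reasons[user].add("uid 0")
            if user != "root":
                reasons[user].add("non-root account with uid 0")
    for gname in PRIVILEGED_GROUPS & set(groups):
        for member in groups[gname]:
            reasons[member].add(f"member of {gname}")
    for principal, spec in parse_sudoers(sudoers):
        # %group rules apply to every member of that group
        targets = groups.get(principal[1:], set()) if principal.startswith("%") else {principal}
        for user in targets:
            reasons[user].add(f"sudo: {spec}")
            if "NOPASSWD" in spec and spec.endswith("ALL"):
                reasons[user].add("passwordless root")
    return {u: sorted(r) for u, r in reasons.items()}


if __name__ == "__main__":
    for user, why in sorted(discover_privileged(PASSWD, GROUP, SUDOERS).items()):
        print(f"{user:12s} {'; '.join(why)}")
```

Run the same logic against real files and diff the output across a fleet over time; a second uid 0 account or a NOPASSWD: ALL rule appearing on a host is exactly the kind of change a privileged access management program exists to catch. The sudoers parser handles plain user and %group rules only; aliases and includes would need the full grammar.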
Notable Mention: Orbitz
One breach that occurred in early 2018 is not officially ranked,
but is notable because it has the distinction of being a
completely Internet-based business, with no brick and mortar
presence for customer interaction. It is a dot-com company and
should have understood, just
that strong cybersecurity is
In March, Orbitz
announced that 880,000 payment cards had been exposed in
a breach that spanned almost two years and multiple
systems. Two years! While the number of cards is small
compared to other incidents, it is the duration of the
compromise for a web-based company that earns them a notable mention.
Although the forensic information published on the breach
remains vague, it is known that the incident involved data
submitted to legacy and partner websites. Orbitz claims there
is no direct evidence that the information was actually stolen,
but this security professional wonders if penetration testing and vulnerability
assessments were actually being performed on these websites, and the results
scheduled for remediation in a timely manner. I suspect not.
Orbitz said, "We took immediate steps to investigate the
incident and enhance security and monitoring of the affected
platform". They also reported, "As part of our investigation and
remediation work, we brought in a leading third-party forensic
investigation firm and other cybersecurity experts, began
working with law enforcement and took swift action to eliminate
and prevent unauthorized access to the platform."
Orbitz's words on this subject warrant some scrutiny. The
monitoring and security initially in place were insufficient,
and "unauthorized access" implies yet another identity and
privileged access attack vector. For a 100% web-based company,
the front door is the web, and the shipping and loading doors are
partner connectivity. All of this must be secured just as in a
physical building – something Orbitz did not adequately do to
protect against unauthorized access. That little padlock in your
browser indicating a secure connection for your transaction just
did not matter for their incident since it was the other doors
(websites) that got them in trouble.
Now, let's take a look at the breaches that made the top-five
list for 2018.
#5 Adidas
Adidas announced in June that
an "unauthorized party" gained access to customer data on
Adidas' US website. While no details have thus far been publicly
released regarding the attack and breach methodology, the
company says that they believe only customers who purchased
items from the US-hosted version of Adidas.com may have been
affected by the incident.
While it is unknown whether the attack vector involved a
configuration flaw, a vulnerability and exploit combination, or a
privileged attack, the threat actors did obtain contact
information, usernames, and encrypted passwords. Whether
"encrypted" here means reversible encryption or salted hashes, and
whether the stolen passwords could be recovered, is also unknown,
since the rest of the breach details do not fall under regional
jurisdiction laws like GDPR and were not publicly released.
So, as far as 2018 breaches go, this lands squarely at the
bottom of the top-5 list, but represents data that can be used
for future phishing and privileged attacks. Leaked personally
identifiable information (PII) forms the basis for future attacks.
#4 Saks Fifth Avenue and Lord & Taylor
On April 1, 2018 (and not an April fool's joke), Lord
& Taylor and Saks Fifth Avenue announced that
their stores were the subject of a massive credit card data
breach. This security incident is believed to have compromised 5
million customers' credit card information.
While the size is significant, what is perhaps even more
shocking is the extended duration in which the security
compromise was ongoing. Customers who used a credit or debit card
at any of the stores' retail locations between May 2017 and
April 2018 were most likely affected. Yet the breach was
not identified or disclosed for almost a year!
Similar to Adidas, few details were publicly released regarding
the attack vector. However, The
New York Times reported that
the attack was likely initiated by an email phishing scam sent
to Hudson's Bay (Canadian-based owner of Saks and Lord & Taylor)
employees. The threat actors reportedly targeted accounts with
malicious software via a link, file, or other attack vector to
infiltrate the environment.
It is important to note that the vast majority of malware can be
stopped simply by removing administrative rights from an end
user's workstation, since most commodity malware relies on those
rights to install persistently, disable security tooling, or move
laterally. That is basic hygiene.
Hopefully, we all can learn from this example to identify
phishing attacks and remove end user administrative rights.
And, implement threat detection that can identify these types of
incidents sooner!
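Detection that can catch this sooner, as an added example that is not from the article or BeyondTrust: a small rule set over Windows Security events that flags a workstation user being added to the local Administrators group (event ID 4732) or receiving special privileges at logon (event ID 4672) when the account is not on an approved administrator list. The JSON records are constructed, simplified stand-ins for the real EVTX events, and the allowlist, hostnames and account names are assumptions.

```python
"""Flag end-user privilege escalation on workstations from Windows Security events.

Added example, not from the article or BeyondTrust. The events below are
constructed, simplified JSON records modelled on Security log IDs 4732
(a member was added to a security-enabled local group) and 4672 (special
privileges assigned to a new logon); real events are EVTX/XML with more
fields, so adapt the field names to your collector's schema.
"""
import json

# Constructed sample events (fictitious hosts and accounts).
EVENTS_JSONL = r"""
{"EventID":4672,"Computer":"WS01","SubjectUserName":"SYSTEM","PrivilegeList":"SeTcbPrivilege"}
{"EventID":4672,"Computer":"WS01","SubjectUserName":"it-admin","PrivilegeList":"SeDebugPrivilege"}
{"EventID":4672,"Computer":"WS07","SubjectUserName":"jdoe","PrivilegeList":"SeDebugPrivilege SeBackupPrivilege"}
{"EventID":4732,"Computer":"WS07","SubjectUserName":"jdoe","MemberName":"CORP\\jdoe","TargetUserName":"Administrators"}
{"EventID":4732,"Computer":"WS03","SubjectUserName":"it-admin","MemberName":"CORP\\helpdesk-svc","TargetUserName":"Administrators"}
{"EventID":4732,"Computer":"WS03","SubjectUserName":"it-admin","MemberName":"CORP\\jdoe","TargetUserName":"Remote Desktop Users"}
{"EventID":4624,"Computer":"WS03","SubjectUserName":"jdoe","LogonType":2}
"""

# Assumed allowlist of accounts permitted to hold administrative rights.
APPROVED_ADMINS = {"it-admin", r"CORP\it-admin", r"CORP\helpdesk-svc"}
ADMIN_GROUPS = {"Administrators"}
BUILTIN_PRINCIPALS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def is_builtin(name):
    """Machine accounts end in '$'; the rest are the well-known service principals."""
    return name.endswith("$") or name.upper() in BUILTIN_PRINCIPALS


def detect(jsonl, approved=APPROVED_ADMINS):
    """Return alerts as (computer, rule, account, detail) tuples."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 4732 and ev.get("TargetUserName") in ADMIN_GROUPS:
            member = ev.get("MemberName", "")
            if member not in approved:
                # A user adding their own account is a stronger signal than a helpdesk change.
                subject = ev.get("SubjectUserName")
                rule = ("self-added-to-local-admins"
                        if member.split("\\")[-1] == subject else "local-admin-added")
                alerts.append((ev["Computer"], rule, member, subject))
        elif eid == 4672:
            who = ev.get("SubjectUserName", "")
            if not is_builtin(who) and who not in approved:
                alerts.append((ev["Computer"], "unexpected-special-privileges",
                               who, ev.get("PrivilegeList")))
    return alerts


def hosts_with_end_user_admins(alerts):
    """Workstations where a non-approved account now holds admin rights."""
    return sorted({a[0] for a in alerts})


if __name__ == "__main__":
    for alert in detect(EVENTS_JSONL):
        print(alert)
    print("hosts to remediate:", hosts_with_end_user_admins(detect(EVENTS_JSONL)))
```

Both rules are cheap to run continuously from a SIEM and close the gap the passage describes: an end user who suddenly holds administrative rights is the precondition the phishing malware needed, and the allowlist turns "unauthorized" from a post-incident adjective into a condition that fires the moment it is violated.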
#3 Under Armour
In late March, just days before the Saks Fifth Avenue and Lord &
Taylor announcement, Under Armour disclosed that someone had gained
unauthorized access to MyFitnessPal, a platform that tracks users'
diet, exercise, and health, including data synced from wearable
devices. Upwards of 150 million MyFitnessPal users are believed to
have had their account data exposed.
CNBC reported at
the time of disclosure that threat actors claimed responsibility
for breaching individuals' usernames, email addresses, and
hashed passwords. While the incident did not expose users'
credit card information (unlike Saks and Lord & Taylor), because
payment data was segmented by design in how it was stored and
processed, it laid bare the cyber risks inherent in storing
personal fitness and device data in the cloud.
Based on reports from Forbes and CNBC, the incident arose due to
"unauthorized access" to user data. That alone reflects
inadequate privileged access management and underscores this
attack as another reason mature identity and privilege
management capabilities and processes are critical for
organizations to embrace.
#2 T-Mobile
Fast forward a few months to August and land on our second worst
breach of 2018. T-Mobile disclosed that threat actors stole the
personal data of approximately 2 million of its customers (about 3%
of its subscriber base). The leaked data was
typical: usernames, billing zip codes, phone numbers, email
addresses, and account numbers, as well as information on
whether customers prepaid or postpaid their accounts.
T-Mobile's cybersecurity team reportedly "discovered and shut
down an unauthorized capture of some information" after
the breach. Those words are key. Was it a man-in-the-middle
(MITM) attack, was data stolen from a database or log files, or
did someone have inappropriate privileged access? The public may
never know the full details, but the word "unauthorized" implies
the threat actor did not have authorization to collect the
privileged data in the first place. This brings us full circle
back to yet another privileged attack based on poor identity and
privilege management hygiene.
And, making things a little more grey, T-Mobile indicated that
no passwords were compromised, but recommended, "it's always a
good idea to regularly change account passwords." That statement
should make customers wary, since, in 2015, Experian, which
processes credit applications for T-Mobile, was itself breached.
That incident impacted
15 million customers!
Compromised customer data in 2015 included social security
numbers, drivers' licenses, and passports for T-Mobile
customers. In retrospect, it appears T-Mobile did not learn its
lesson three years ago.
#1 Marriott (Starwood)
In 2016, Marriott acquired the Starwood hotel chain, including
leading brands like St. Regis, Westin, Sheraton, and W Hotels.
Two years before the acquisition, an incident began that was only
disclosed at the end of November 2018.
So, for four years, "unauthorized access" occurred within the
Starwood reservation system that ultimately involved the leaking
of names, phone numbers, email addresses, passport numbers,
birthdates, and reservation information (arrival, departure, and
points) for an estimated 500 million customers. Additionally, a
subset of those customers numbering in the millions may have
also had their credit card numbers and expiration dates
disclosed. The size, severity, and duration of the breach, and the
fact that it persisted through a major acquisition, put the
Starwood breach atop all others in 2018.
In an official statement from the company, "Marriott learned
during the investigation that there had been unauthorized access
to the Starwood network since 2014." And, "Marriott recently
discovered that an unauthorized party had copied and encrypted
information, and took steps towards removing it."
As the statement reveals, the threat actor had
"unauthorized access", which implies inappropriate identity and
privileged access to key systems that, strictly by the nature of
the data, should have been segmented. For example, in line with
PCI DSS, stored card numbers must be rendered unreadable and kept in
a segmented cardholder data environment, so that they cannot be
reassembled, even from encrypted or hashed fragments, and linked to
the rest of a guest's record.
The threat actor must have gained lateral access across zones
and systems in order to perform the many types of operations
needed to exfiltrate the data. With inadequate incident
monitoring technology, log monitoring, privilege management,
and network and data segmentation, Starwood failed in epic
fashion to identify and contain the incident.
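To make the reassembly point concrete, an added example (not from the article, BeyondTrust or Marriott): PCI DSS requires stored card numbers to be rendered unreadable and specifically warns that where a truncated PAN and a hash of the same PAN are both available, controls must prevent correlating them to reconstruct the PAN. The code stores a card number the way a reservation system might (first six and last four digits) beside an unkeyed SHA-256 digest, recovers the full PAN by brute force, and contrasts that with a keyed HMAC token whose key stays in the payment zone. The PAN is the standard Visa test number and the vault key is a placeholder.

```python
"""Truncated PAN + unkeyed hash lets an attacker reassemble the card number.

Added example, not from the article or BeyondTrust. PCI DSS requires stored
PANs to be rendered unreadable and warns that if a truncated PAN and a hash of
the same PAN are both reachable, extra controls must stop them being correlated
to reconstruct the PAN. The PAN below is the standard Visa test number, not
real card data; the vault key is a constructed placeholder.
"""
import hashlib
import hmac
import itertools

TEST_PAN = "4111111111111111"  # well-known test PAN, constructed input


def _luhn_contribution(digit, doubled):
    """Luhn weight for one digit: doubled positions fold 10..18 back to 1..9."""
    d = digit * 2 if doubled else digit
    return d - 9 if d > 9 else d


def _is_doubled(pos, length):
    """Luhn doubles every second digit from the right; the check digit is not doubled."""
    return (length - 1 - pos) % 2 == 1


def luhn_valid(pan):
    total = sum(_luhn_contribution(int(c), _is_doubled(i, len(pan))) for i, c in enumerate(pan))
    return total % 10 == 0


def truncate(pan):
    """First six and last four digits, the form receipts and reservation screens show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def weak_record(pan):
    """Anti-pattern: truncated PAN stored beside an unkeyed SHA-256 of the full PAN."""
    return {"masked": truncate(pan), "digest": hashlib.sha256(pan.encode()).hexdigest()}


def reassemble(masked, digest):
    """Recover the full PAN from a weak record.

    Only Luhn-valid candidates are hashed: the last hidden digit is solved
    from the check digit, so a 16-digit PAN needs at most 10^5 SHA-256 calls.
    Returns None when nothing matches (e.g. the digest is really a keyed token).
    """
    n = len(masked)
    hidden = [i for i, c in enumerate(masked) if c == "*"]
    known = sum(_luhn_contribution(int(c), _is_doubled(i, n))
                for i, c in enumerate(masked) if c != "*")
    free, last = hidden[:-1], hidden[-1]
    for digits in itertools.product(range(10), repeat=len(free)):
        partial = known + sum(_luhn_contribution(d, _is_doubled(p, n)) for d, p in zip(digits, free))
        # Exactly one value of the final hidden digit makes the Luhn sum 0 mod 10.
        d_last = next(d for d in range(10)
                      if (partial + _luhn_contribution(d, _is_doubled(last, n))) % 10 == 0)
        chars = list(masked)
        for p, d in zip(free, digits):
            chars[p] = str(d)
        chars[last] = str(d_last)
        candidate = "".join(chars)
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def strong_record(pan, vault_key):
    """Truncated PAN plus an HMAC token; the key never leaves the payment zone."""
    token = hmac.new(vault_key, pan.encode(), hashlib.sha256).hexdigest()
    return {"masked": truncate(pan), "token": token}


def verify_token(pan, vault_key, token):
    """Constant-time check that a PAN matches a stored token (vault side only)."""
    expected = hmac.new(vault_key, pan.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    rec = weak_record(TEST_PAN)
    print("weak record:", rec["masked"], "-> recovered", reassemble(rec["masked"], rec["digest"]))
    srec = strong_record(TEST_PAN, b"constructed-vault-key")
    print("strong record:", srec["masked"], "token is useless without the vault key")
```

The brute force is cheap because the Luhn check digit is known: only about 10^5 of the 10^6 candidate middle digits need hashing, which takes well under a second. A salt stored next to the digest does not help, since the attacker who reached the record has the salt too; the protection is that the verification secret is not reachable from the system holding the truncated number, which is what network and data segmentation buys you.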
Considering the recency of the Starwood breach announcement, I
expect there to be more revelations regarding the incident over
the coming months.
Since the breach falls under the European GDPR for some of
Starwood's 1,200 properties, Marriott may incur significant
financial penalties of up to four percent of global annual turnover
(or 20 million euros, whichever is higher) if found to have violated
the regulation. That is significant for any business and should be a
strong message for every executive, employee, stockholder, and board
member.
Will 2019 bode any better with regard to improved security and
data protection? Only if we really start to heed the security
lessons of 2018 and years past.
About the Author
With more than 20 years of IT industry experience and author of
Privileged Attack Vectors, Mr. Haber joined Beyond Trust in 2012
as a part of the eEye Digital Security acquisition. He currently
oversees Beyond Trust technology for both vulnerability and
privileged access management solutions. In 2004, Mr. Haber
joined eEye as the Director of Security Engineering and was
responsible for strategic business discussions and vulnerability
management architectures in Fortune 500 clients. Prior to eEye,
he was a Development Manager for Computer Associates, Inc. (CA),
responsible for new product beta cycles and named customer
accounts. Mr. Haber began his career as a Reliability and
Maintainability Engineer for a government contractor building
flight and training simulators. He earned a Bachelor of
Science in Electrical Engineering from the State University of
New York at Stony Brook.
eNEWS is available FREE upon request by visiting our Web site and
filling out the contact form, selecting "Yes" for "Add to Mailing List."
Please pass this eNEWS on to your peers and interested others and
invite them to subscribe.
Also, visit the ICFE's new Web site: StudentDebtHelp.org
Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)
About the ICFE:
The Institute of Consumer Financial Education (ICFE) was founded in 1982 by
the late Loren Dunton (creator of the Certified Financial Planner (CFP)
designation and founder of the College for Financial Planning in Denver, CO.)
The ICFE is dedicated to helping consumers of all ages to improve their spending
practices, increase savings and use credit more wisely.
The ICFE is an
award winning, nonprofit, consumer education organization that has helped
millions of people through its financial continuing education courses, programs
and resources. In addition to eight Certification courses covering identity
theft, credit files, credit repair and credit scoring, among others, it also
publishes the Do-It-Yourself Credit File correction Guide, which is updated
annually. The ICFE has distributed over one million Credit/Debit Card Warning
Labels and Credit/Debit Card Sleeves world wide.
The ICFE is a partner
with the national Jump$tart Coalition for Financial Literacy and the California
Jump$tart chapter. The ICFE staff is also active with San Diego Saves and
Military Saves, both offshoots of America Saves.
The ICFE also offers
online help for consumers who spend too much. ICFE's spending help was featured
in PARADE Magazine in the Intelligence Report section. The money helps and tips
are from the ICFE's Money Instruction Book, our course in personal finance.
The ICFE helps consumers and students with mending spending, learning about
the proper use of credit, budget and expense guidelines, how to set up and
implement a spending-plan and also how to access financial education courses and
how to teach children about money. Other ICFE services include: Ask Mr. G
library, a free eNews service, and an online resource center for students,
parents and educators, plus financial education learning tools in the ICFE Book