Twitter Breach
130 high-profile Twitter accounts were hacked in July, including those of Bill Gates, Elon Mask and Jeff Bezos. This was allegedly masterminded by a 17-year old boy in Florida, whom monetised the hack by asking thousands of their Twitter followers for Bitcoins.
The attack was planned on Discord, a popular messaging application, and they would have gotten away with it, if the forum itself wasn’t hacked by another hacking group and contents published on the web, which included personal email addresses, Bitcoin accounts, and ultimately the hackers’ identities.
The “hack” itself was not rocket science. Twitter employees were spear phished, and duped into providing access to internal systems and changing email addresses on accounts, which then let the perpetrators fire out Tweets at will, asking for Bitcoins. I mean, who wouldn’t want to give Jeff Bezos some Bitcoins? As one of the world’s richest people, Twitter fans should have suspected something, but went ahead and gave “Jeff” some Bitcoins anyway.
Marriott Hotels Breach
OK, so this one was discovered in 2018, but what makes it a 2020 feature is the issuance of a £18.4m fine on Marriott Hotels, for failing to secure their systems, over a period from 2014 to 2018, during which hackers were inside their networks.
The other interesting piece, is that it wasn’t Marriott Hotels per se, but Starwood Hotels Group, which was purchased by Marriott Hotels. It seems along the way, they’d also unwittingly purchased the services of several hackers, that had been helping themselves to guest’s data over a 4-year period.
Always operate under the assumption you’ve already been hacked, and carry out proper due diligence in any M&A activity.
British Airways Breach
Another example is British Airways breach which happened a few years ago. I know it’s 2020, but it’s been interesting to look at the evolution of what happened. As you know back in 2018 there was a breach detected, but nobody knows the exact details, except the threat of a £183m fine to be imposed by the ICO.
This year, a £20m fine was announced, so naturally we’re keen to find out why the ICO didn’t use their full powers.
The breach itself was handled very well, and hackers locked out within a few weeks of discovery, however that didn’t stop them acquiring details of anybody that booked a flight during those few weeks, including credit card data and personal data.
Organisations handling larger volumes of data, should be making more effort to secure data, given the higher the data volume, the higher the risk of something going wrong, and the more likely the organisation be singled out for attack.
Contact us if you have any questions. We are here to help: contact@2-sec.com, +44 (0)20 7877 0060