“Application breaches every other day” has been the unfortunate reality of 2019. As the year draws to a close, we must reflect on the top application breaches of the year and take the lessons into 2020 to be better equipped for the accelerated pace and increasing sophistication of these breaches.
This massive breach was allegedly orchestrated by a software engineer who hacked into a server containing Capital One’s customer data, exposing over 100 million customer records including credit card applications from as far back as 2005, bank account numbers, social insurance numbers, credit scores, balances, and other confidential information.
The hacker made use of a misconfiguration in the open-source Web Application Firewall (WAF) that was being used by the company to orchestrate the well-known Server-Side Request Forgery (SSRF) attack, wherein she tricked the server into running commands (including access to the metadata service) that should not have been permitted. This breach is expected to have cost Capital One USD 100-150 million and the company’s stocks dropped by 5%.
Lesson: The WAF is a critical part of application security and organizations must carefully choose the right WAF instead of opting for open-source and automated ones just because they are cheaper offerings. Organizations must choose an intelligent, comprehensive, highly customizable and managed WAF provided by a trustworthy service provider like AppTrana that is regularly updated and tuned to ensure that it is proactively securing the application. Else, they will have to face hefty costs.
Secondly, organizations need to be extremely stringent about permissions, authorizations, user privileges, etc. and need to be proactive about application security. Onboarding a managed web application security solution will enable organizations to do so.
This real estate and title insurance giant exposed over 850 million confidential records including mortgage deals dating as far back as 2003, bank account numbers, Social Security numbers, tax records, wire transaction receipts, driver’s license images and so on owing to a design defect called Insecure Direct Object Reference (IDOR) in their website. This vulnerability allowed anyone with an email link from the company to access non-public/ sensitive information by simply modifying the link without even the need to use a password. The company is facing several lawsuits and a big dent in its reputation.
Lesson: This mega data leak goes to show how little progress has been made in putting in place robust security measures to secure user data and that even big players and technologically-advanced companies are overlooking basic errors despite the incredibly high stakes.
This retail giant’s website was faced with a week-long application breach that led enabled the hacker group, Magecart, to skim customer credit card information through unauthorized code injection. The attackers placed a malicious credit card skimming malware in the ‘My Wallet’ and ‘Checkout’ pages of the website that allowed them to steal thousands of customer credit card details and transaction details, as well as, their personal information.
Lesson: This is not the first time that the company has faced such an attack. Even though the attack may not be of a large magnitude, it highlights the lax attitude towards application security.
This gaming platform was faced with an XSS (Cross-Site Scripting) Attack in December 2018 – January 2019 which was orchestrated using multiple vulnerabilities present in the platform including legacy resources/ web pages, login system flaws, etc. and exposed over 200 million gamer records. Whenever a user clicked on the link (malicious payload) sent by the hacker, the hacker got access to the user’s account (even take over the account), make in-game purchases, and eavesdrop on and even record background home conversations.
Lesson: Despite being notified of the vulnerabilities in the platform, the company took two months to acknowledge the flaw and attempt to fix it. The breach highlights the need for organizations to take a comprehensive view of security and proactively and consistently strengthen their security posture.
This email validation service provider faced a major breach (biggest breach from a single source) in March exposing nearly 2 billion records wherein 150 GB of digital marketing data was found in plaintext in a MongoDB database that was not password-protected and therefore, publicly accessible.
Lesson: Though corrective action was taken immediately when notified about the breach, it could have been avoided if the database had multi-factor authentication and encryption.
Overall, what we need to learn from the top application breaches of 2019 is that application security is not optional. Irrespective of the size and scale of the organization, the stakes are too high to risk being negligent and lackadaisical about application security.
Ashish Pradhan is responsible for all technology functions like engineering, client services and customer support at Indusface. Prior to joining Indusface, Ashish held various senior leadership roles at Symantec Corporation in India and USA. During his 25 years of global experience in the software industry, Ashish has helped create and grow a broad variety of software products spanning systems management, IT compliance, and information security domains.