Hacks are hitting headlines again

Remember all of the data breaches that hit the headlines in 2017? Hacks were so prolific in 2017 that it was dubbed “year of the cyber-attack”.

In comparison, 2018 has been relatively quiet in terms of headline-hitting hacks in the UK. We’ve had the Facebook and Cambridge Analytica scandal and the Ticketmaster breach that is murky in terms of GDPR compliance, but not a lot else.

Whilst major US companies including Macy’s and Saks Fifth Avenue have been high-profile victims if data breaches, it’s been significantly quieter on this side of the Atlantic. Until now.

Today, Butlin’s confirmed that it has experienced a data breach affecting around 34,000 customers within the last 72 hours. No payment information has been stolen, but Personally Identifiable Information (PII) including names, addresses, phone numbers and email addresses were amongst the information breached.

It has also been confirmed that the breach occurred due to a phishing email posing as the local Chamber of Commerce.

Butlin’s has been swift in announcing the breach both publicly and to the Information Commissioner’s Office (ICO), meeting its GDPR reporting obligations. The business has also set up a dedicated team that will directly contact affected customers.

This attack occurred only a week after a double cyber-attack that breached the data of Reddit users was publicly disclosed; the attack itself happened between 14^th-18^th June and was discovered by Reddit on 19^th June. The information breached from a 2007 backup log included usernames, hashed passwords and public and private content, while the breached 2018 data included email addresses and associated usernames.

Reddit hasn’t detailed how many of its 234 million users have been affected by the recent breach, drawing criticism for this move. The company has also been condemned for placing the onus on the users to find out if they’ve been affected by the hack of the 2018 data, rather than proactively contacting victims. Reddit, in turn, has criticised SMS-based 2-factor authentication (2FA) after a 2FA text message to a staff member was intercepted and used to gain access to its systems.

Finally, Dixons Carphone has been back in the news after announcing that its 2017 data breach was far bigger than first thought. The company announced in June that 1.2 million customer records were infiltrated, but recently disclosed that the real figure is about 10 million. It was revealed originally, however, that hackers had gained access to the information of almost 6 million cards, but that no fraud attempts had occurred. The company says this is due to their chip-and-pin protection.

This isn’t the first time the company has experienced a significant data breach; Carphone Warehouse, one of the businesses it owns, was fined £400,000 by the ICO for a 2015 breach – one of the highest pre-GDPR fines to be handed out.

So, what can you take away from these latest breaches?

Firstly, the most recent of these high-profile hacks highlights the importance of employee awareness. It would appear an employee fell for a phishing email posing as the local Chamber of Commerce, where it’s likely that login credentials were harvested. Fake emails are becoming harder than ever to spot than their real counterparts. That’s where phishing tests can come in handy; by using a tool like Sophos Phish Threat, you can carry out simulated attacks on your colleagues that not only test their ability to spot a potential cyber-attack, but educate those who fall victim.

Check out our blog on email spoofing for some top tips on spotting the fakes.

Butlin’s has set an extremely good example, however, in its swift reporting of the breach to the ICO and to affected customers. The business has wasted no time in informing the relevant authorities and customers and has no doubt done so within the 72-hour GDPR timescale.

The Reddit hack has drawn attention to two key security areas: the re-use of passwords and 2-factor authentication. The company has warned that users still using their Reddit password from 2007 for any login could potentially be hacked. It seems unlikely that someone would still be using a password they used 11 years ago, but you’d be surprised. With over half of arguably the most tech-savvy generation re-using passwords, it’s not too far beyond the realms of possibility.

Reddit has recommended that any users using text message verification as part of their account 2FA – whether on Reddit or elsewhere – switch to token-based 2FA. For example, using an authentication app attached to your relevant account(s) that regenerates a new passcode every 30 seconds rather than text messages.

As for the Dixon Carphone breach, consumers should be on high alert for phishing attempts. While the less serious of the two types of data breached – personal information rather than financials – is a lot higher than first thought, the access to this PII data means those affected could be targeted by hackers themselves.

One thing is for sure – GDPR might now be in effect, but businesses of all shapes and sizes are still at risk of cyber-attacks and subsequent data breaches.