Case Study


Facebook Data Leak Impacts 533 Million Users

In April, Alon Gal, co-founder and CTO of cybercrime intelligence firm Hudson Rock, appears to have discovered the latest incident, which involved the personal information of 533 million Facebook users from 106 different countries. The personal information included Facebook members' bio, birthdate, full name, location, past location, relationship status, and Facebook ID. The information was made freely available to members of a hacking forum. Facebook claims that it did not know whose information was leaked and therefore could not inform the members about the leakage. The FTC conducted an investigation pertaining to the incident and concluded that Facebook had used deceptive disclosures and settings to undermine users' privacy preferences in violation of a 2012 FTC order. In short, Facebook had enabled third-party applications to collect personal information of Facebook members whose friends had downloaded the applications.

Scripps Health Malware Attack Could Cost Lives

In May, Scripps Health IT systems were shut down due to a malware attack. Scripps Health is a nonprofit health care system in San Diego, Calif. It includes 5 hospitals and 19 outpatient clinics. On May 1, Scripps Health said its IT systems had been harmed by a malware attack that affected its hospitals and other clinics. The company temporarily suspended user access to IT systems, including the patient portal.

Patient appointments and surgical procedures were temporarily canceled. Operations have since resumed, though not yet as usual.

Microsoft Exchange, A Lack of Mending

In March, the security firm Volexity unearthed a Microsoft Exchange flaw that enabled hackers to install web shells to extract data and credentials. The four CVEs involved are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Of these, the first provides access and the last three allow code execution. 120,000 systems had been infected and fewer than 10,000 remained unpatched. On April 14, NIST published four other distinct CVEs, all of which involved remote code execution. Though the FBI's efforts are necessary, organizations cannot depend on the agency for their safety.

Howard University cancels classes after ransomware attack

https://www.cnn.com/2021/09/07/politics/howard-university-ransomware-attack/index.html

Yahoo data breach 2017

Date: October 2017

Impact: 3 billion accounts

Yahoo disclosed that a breach in August 2013 by a group of hackers had compromised 1 billion accounts. In this instance, security questions and answers were also compromised, increasing the risk of identity theft. The breach was first reported by Yahoo while in negotiations to sell itself to Verizon, on December 14, 2016. Yahoo forced all affected users to change passwords and to reenter any unencrypted security questions and answers to re-encrypt them.

However, by October of 2017, Yahoo changed the estimate to 3 billion user accounts. An investigation revealed that users' passwords in clear text, payment card data and bank information were not stolen. Nonetheless, this remains one of the largest data breaches of this type in history.

First American Financial Corp. data breach

Date: May 2019

Impact: 885 million users

In May 2019, First American Financial Corporation reportedly leaked 885 million users' sensitive records that date back more than 16 years, including bank account records, social security numbers, wire transactions, and other mortgage paperwork.

LinkedIn data breach 2021

Date: June 2021

Impact: 700 million users

Data associated with 700 million LinkedIn users was posted for sale in a Dark Web forum in June 2021. This exposure impacted 92% of the total LinkedIn user base of 756 million users.

The data was dumped in two waves, initially exposing 500 million users, followed by a second dump in which the hacker "God User" boasted that they were selling a database of 700 million LinkedIn users.

Preview of leaked data - Source: 9to5mac.com

The hackers published a sample containing 1 million records to confirm the legitimacy of the breach. The data included the following:

  • Email addresses
  • Full names
  • Phone numbers
  • Geolocation records
  • LinkedIn username and profile URLs
  • Personal and professional experience
  • Genders
  • Other social media accounts and details

The hacker scraped the data by exploiting LinkedIn's API.

LinkedIn claims that, because personal information was not compromised, this event was not a 'data breach' but, rather, just a violation of their terms of service through prohibited data scraping.


But the leaked data is sufficient to launch a deluge of cyberattacks targeting exposed users, which makes the incident heavily weighted towards a data breach classification.
