This section presents the investigated facts and findings about a data breach at VTech Holdings Limited in November 2015, with the aim of establishing how the breach occurred and why it happened.
VTech Holdings Limited Data Breach
Based in Hong Kong, VTech Holdings Limited is an electronics manufacturing company that supplies digital toy products and cordless phones (VTech, 2017). One of VTech’s stores was compromised in November 2015, and customer information, including children’s and adults’ accounts, was illicitly accessed. According to an article by Yadron (2015) published in the Wall Street Journal, five million customer accounts were illicitly accessed. The children’s data accessed consisted of their names, birthdates and genders, while the parents’ data included their names, addresses, account passwords and download history (CNBC, 2015). Experts term the VTech Holdings breach the largest known hack targeting youngsters (CNBC, 2015).
The company’s databases were not sufficiently secured. The hacker was able to access them and steal both children’s and parents’ data and information. The attack gave the intruder access to customer photos and chat data (Kelion, 2016). Since VTech learned of its database hack, it has worked to heighten the security of its web services to protect customer data and information (Kelion, 2016). The company was also quick to state that its customer database did not contain credit card data and that it does not store or process any customer credit card data on the hacked website. To finalize payments, customers use secure payment gateways (VTech, 2015).
Reason for VTech Holdings Limited Data Breach
System intrusion through hacking has recently become a serious threat to companies, and they therefore need to be on the lookout. According to an article published by Regis University College computer and information services (2017), some of the reasons why hackers intrude into systems illegally include:
- Personal thrill and challenge, where a hacker attacks a computer system just for fun or because they have the skill and want to challenge themselves.
- Financial gain: at other times attackers intrude into systems in order to gain information, either login information or financial information. Hackers use login credentials to get access to systems illegally, and they sell people’s information and data on the black market for financial gain.
- Security breach identification: in order to identify system vulnerabilities, network administrators sometimes hack computer systems. This way they are able to recognize system weaknesses and work on preventing and eliminating them and making systems secure.
- Malicious purposes of militants and foreign governments. According to Judge (2014), breaches that can be traced to the interests of foreign governments have been on the increase.
In the case of VTech Holdings Limited, the hacker, on being probed, said that the accessed information was for nothing (VTech, 2017). The researcher is of the opinion that the hacker was probably proving his newly acquired hacking skills or that his aim was to look for some information in the data and sell it on the black market. On its website, VTech Holdings Limited stated that the attack was a carefully planned criminal attack. This indicates that the hacker must have had a good reason for illicitly accessing VTech Holdings’ databases. Since the database did not store credit card details, it is possible that the attacker’s mission bore no fruit, since credit card numbers and social security numbers are among the information sought by hackers.
Possible Preventive Measures Against Security Breaches
Some measures that can prevent system hacks include the following:
- Data encryption, where data and information within the network systems are encoded with a strong encryption mechanism, including Wi-Fi Protected Access.
- Making use of strong login credentials together with two-factor authentication (2FA). 2FA is an extra layer of security that requires not only a password and username but also something that only the user has on them (Secur Envoy, 2016).
- Biometric measures for authentication, which rely on computer-measurable physical attributes including fingerprint, face, voice etc.
- Ensuring that all software is updated on time, since hackers make use of software that has gone a long time without being updated.
- Performing security checks by hiring white hat hackers who perform vulnerability scans to try to detect system weaknesses. After weaknesses are identified, they can then be prevented or eliminated completely.
- Training system users on the importance of strong passwords and against tactics of social engineering by hackers.
Overview of the Snap Inc. Data Breach
Founded in 2011, Snap Inc. is an American transnational social media company based in Los Angeles. Initially, the company dealt with multimedia messaging but has since introduced other products, including Spectacles and the Bitmoji application (Snap Inc, 2017). In February 2016, Snap Inc. disclosed that its payroll section had been attacked through an isolated email phishing scam. The attacker had posed as the chief executive officer and requested employee information (Snap Inc, 2017). Unfortunately, the scam was not identified in time, and payroll information of previous and present workers was disclosed (Peterson, 2016). This was not the first time Snap Inc. had suffered a data breach. In 2014, Snap Inc. had experienced a breach that affected approximately 4.6 million users, whose usernames and phone numbers had been downloaded by an external site (Fung, 2014).
Impacts of the Snap Inc Data Breach
The 2014 Snap Inc. data breach affected millions of users in that their personal data, including their names and phone numbers, was exposed online (Olivarez-Giles, 2014). The attackers behind the breach said that they wanted to get the company’s attention so that it would secure its system (Fung, 2014). The 2016 data breach affected the company’s previous and present-day employees by exposing their payroll data and information (Peterson, 2016). Snap Inc. did not reveal the exact data and information that was exposed, but since it was sensitive workforce information, it could well have included everything from salary information to names, email addresses, phone numbers, home addresses, social security numbers and credit card numbers.
How the Data Breach Occurred
According to an article by Perlroth and Wortham (2014), a group of researchers wanted to expose the company’s system vulnerabilities and therefore accessed the system and exposed customer data and information. This was meant to be a wake-up call for Snap Inc., but the company did not respond quickly to the threat exposure. As a result, the researchers decided to expose the information online after their discovery was ignored by Snap Inc. (Perlroth & Wortham, 2014). The 2016 data breach, on the other hand, was the result of a phishing scam. Snap Inc. acknowledged that an employee had freely sent highly sensitive data and information belonging to the company’s employees to a hacker (Gael, 2016). The attacker sent an email posing as the company’s Chief Executive Officer and asking for the payroll records of the employees (Gael, 2016). This clearly demonstrates the importance of internal system security. System data breaches do not necessarily originate from external sources but can be internal, as in the case of Snap Inc. As in that case, hackers occasionally impersonate company directors in order to attack and intrude into company systems (Gredler, 2016). This kind of intrusion is not easily detected, as the victims genuinely believe the attackers to be company personnel. It is therefore vital that businesses invest in educating their staff on email assessment procedures, including the following:
- Using strong, distinctive passwords and enabling two-factor authentication
- Keeping all systems and software updated with the latest security patches and updates
- Avoiding sharing sensitive data and information through mail
- Applying code words to verify that the persons asking for specific information are who they say they are and that they are not attackers
- Avoiding opening or clicking on doubtful links
- Setting up spam filters
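A mail-gateway check for the impersonation pattern described above (a message presented as coming from the chief executive and asking for payroll records), given as an added example that is not part of the original report. The mail domain, executive name, keyword list and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: the organisation's mail domain, its executives'
# display names, and the terms that mark a request for sensitive staff data.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
SENSITIVE_TERMS = ("payroll", "salary", "social security")

# Constructed sample messages (not taken from any real incident).
SPOOFED = ("From: Jane Doe <ceo@corp-mail.test>\nReply-To: jd@inbox.test\n"
           "Subject: Urgent request\n\n"
           "Please send me the payroll records for all employees today.\n")
LEGIT = ("From: Jane Doe <jane.doe@example.com>\nSubject: Lunch\n\n"
         "See you at noon.\n")


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(raw):
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    # An executive's display name attached to an address outside the company.
    if name.strip().lower() in EXECUTIVES and _domain(addr) != INTERNAL_DOMAIN:
        reasons.append("executive display name on external address")
    # Replies would be routed to a different domain than the apparent sender.
    if reply_addr and _domain(reply_addr) != _domain(addr):
        reasons.append("reply-to domain differs from sender domain")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    if any(term in text for term in SENSITIVE_TERMS):
        reasons.append("requests sensitive employee data")
    return reasons


def hold_for_callback(raw):
    """Hold the message for out-of-band (code word) verification when a
    sensitive-data request coincides with at least one header anomaly."""
    reasons = assess_message(raw)
    return "requests sensitive employee data" in reasons and len(reasons) > 1
```

A held message is released only after the requester is confirmed through a separate channel, which is where the code-word procedure in the list above applies.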
Possible Measures that would have Prevented Snap Inc Data Breach
Several procedures that could have stopped the data breach at Snap Inc. include the following:
- Creating strong login credentials and adopting two-factor authentication (2FA), which is an additional security layer that requires a password and username as well as an extra attribute that only the user has on them. With 2FA applied, hackers are not able to intrude into company systems using login credentials alone, because they would require more than just the password and username, making it difficult for them to hack.
- Training company employees on how they should access and protect company data and information and how to handle sensitive data. Comprehensively sensitizing employees who use business devices and have access to sensitive data and information about phishing and other social engineering procedures would have created a strong defense mechanism against the breach.
- Investing in data and information security procedures to prevent attacks by means of the latest security technologies.
- Keeping network security software protected by regularly updating it against fresh threats.
- Frequent inspection of network systems to double-check the executing processes. Inspection would have ensured that the breach was discovered as soon as it occurred.
- Data and information encryption within the internal and external links of the network system through the use of secure encryption techniques, including Wi-Fi Protected Access (WPA).
- Using biometric procedures to perform system authentication. Biometrics makes use of an individual’s physical traits, such as fingerprints, face and voice, and automates them to allow access to computer systems.
- Performing network security assessments, either by outsourcing to IT specialists who assess the computer systems or by insourcing from highly skilled network personnel. The specialists are able to discover any possible risks and can advise on methodologies to prevent and eliminate them.
Currently, the rate at which these cyber-attacks are happening is alarming. Advancement in technology has led to an increase in cyber-attacks, including malicious code and threats to computer systems. With the amount of data and information theft growing every day, companies, organizations and institutions are confronted with the challenge of having their data and information retrieved, manipulated and stolen by unauthorized persons. Attackers usually access and sometimes modify data or steal it for individual monetary gain, which significantly impacts both an organization and all its stakeholders. Information should be kept private and confidential. The Internet has increased the convenience, accessibility, storage and dissemination of data and information. Corporations nowadays store their data and information online in the cloud because it is easy to access and retrieve. However, attacks on data and information stored online are on the increase, driven by technological advancement. Therefore, it is vital that organizations make use of advanced procedures to protect their data and information from such threats and attacks. Without securing their computer systems, businesses will clearly suffer the adverse effects of illegal information access and theft by hackers.
From the study and analysis of the two hacking cases presented in the report, the researcher recommends that all business organizations adopt and implement secure procedures and controls to protect data and information from intruders. Companies should ensure the use of updated software, inspect their computer systems to detect system vulnerabilities, and above all sensitize employees about the importance of checking user authenticity to guard against phishing scams and social engineering tactics aimed at obtaining login information from system administrators.
CNBC. (2015). VTech hack: Data of 6.4M kids exposed. Retrieved from https://www.cnbc.com/2015/12/02/vtech-hack-data-of-64m-kids-exposed.html
Fung, B. (2014). A Snapchat security breach affects 4.6 million users. Retrieved from https://www.washingtonpost.com/news/the-switch/wp/2014/01/01/a-snapchat-security-breach-affects-4-6-million-users-did-snapchat-drag-its-feet-on-a-fix/?utm_term=.779032607794
Gael, A. (2016). Snapchat Breach and the Biggest Security Flaw Ever. Retrieved from https://news.filehippo.com/2016/03/snapchat-breach-and-the-biggest-security-flaw-ever/
Gredler, C. (2016). Snapchat’s Phishing Attack: A Reminder That Security Starts with Employee Education. Retrieved from https://www.csid.com/2016/03/snapchats-phishing-attack-a-reminder-that-security-starts-with-employee-education/
Judge, K. (2014). Hackers: Why They Do It. Retrieved from https://blog.comodo.com/it-security/hackers-why-they-do-it/
Kelion, L. (2016). BBC NEWS: Parents urged to boycott VTech toys after hack. Retrieved from https://www.bbc.com/news/technology-35532644
Olivarez-Giles, N. (2014). Snapchat Data Breach Exposes Millions of Names, Phone Numbers. Retrieved from https://blogs.wsj.com/digits/2014/01/01/snapchat-alleged-leak-4-million-users/
Peterson, A. (2016). The human problem at the heart of Snapchat’s employee data breach. Retrieved from https://www.washingtonpost.com/news/the-switch/wp/2016/03/01/the-human-problem-at-the-heart-of-snapchats-employee-data-breach/?utm_term=.d43d4802873f
Perlroth, N. & Wortham, J. (2014). Snapchat Breach Exposes Weak Security. Retrieved from https://bits.blogs.nytimes.com/2014/01/02/snapchat-breach-exposes-weak-security/?_r=0
PWC Survey Technical Report. (2015). Information Security Breaches Survey 2015. Retrieved from https://www.pwc.co.uk/assets/pdf/2015-isbs-technical-report-blue-digital.pdf
Secur Envoy (2016). What is 2FA? Retrieved from https://www.securenvoy.com/two-factor-authentication/what-is-2fa.shtm
Yadron, D. (2015). VTech Holdings: Data From 5 Million Customer Accounts Breached. Retrieved from https://www.wsj.com/articles/vtech-holdings-data-from-5-million-customer-accounts-breached-1448896876