What is a Data Breach and How to Stay Protected?

Posted December 14, 2021

I remember once many years ago going to pick up a takeout order my wife had placed at a local family-owned restaurant. When I got to the restaurant and received our food, I could see my wife’s order printed out on a piece of paper next to our food. The printed order information was formated like an email and included our credit card information. Working in security and development and knowing the pains we sometimes go through to implement PCI compliance, I was shocked at this complete disregard for protecting sensitive information. My mind quickly thought of the hundreds or thousands of card numbers and personal data laying out for any ambitious dumpster diver or even employee to grab.

A data breach is a security violation, in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so. We don’t usually think of data breaches as they may relate to a small restaurant being careless with customer orders. Instead, our minds go to the headline-grabbing announcements of large corporations losing data in an attack.

On January 22, 2020, a customer support database holding over 280 million Microsoft customer records was left unprotected on the web

On February 20, 2020, Over 10.6 million hotel guests who have stayed at the MGM Resorts have had their personal information posted on a hacking forum

On April 14, 2020, the credentials of over 500,000 Zoom teleconferencing accounts were found for sale on the dark web

We trust companies with our sensitive information every day. And it’s not only the small mom-and-pop shops that can be careless. Last month it was revealed that GoDaddy, the largest web hosting company in the world by quantity of sites, had been breached. The attacker gained access to 1.2 million GoDaddy WordPress-hosted sites. GoDaddy’s complete SEC filing on the breach is below.

On November 17, 2021, we discovered unauthorized third-party access to our Managed WordPress hosting environment. Here is the background on what happened and the steps we took, and are taking, in response:

We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement. Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.

Upon identifying this incident, we immediately blocked the unauthorized third party from our system. Our investigation is ongoing, but we have determined that, beginning on September 6, 2021, the unauthorized third party used the vulnerability to gain access to the following customer information:

Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.

The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.

For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.

For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.

Our investigation is ongoing and we are contacting all impacted customers directly with specific details. Customers can also contact us via our help center (https://www.godaddy.com/help) which includes phone numbers based on country.

We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.

Demetrius Comes

Chief Information Security Officer

Of particular interest in the filing is the bullet point:

For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.

If passwords were exposed, they were stored in such a way that plain text passwords could be retrieved when instead they should be encrypted to add protection. We’ve written previously on the trouble with passwords and why strong passwords aren’t as secure as you think they are. When passwords are revealed in one data breach such as the GoDaddy breach, hackers now have a library of usernames and passwords to try against other sites to gain access to accounts where passwords have been reused. No matter how strong your password is, reusing passwords and careless security practices can quickly nullify any protection.

Of course, GoDaddy isn’t alone in revealing sensitive customer information. Data breaches occur regularly as cyber attacks continue to grow in scale and complexity. 2021 saw the largest ransomware attack ever affecting over 1,500 businesses. This year Verizon has already reported 29,207 data breach incidents, which boils down to 5,258 confirmed data breaches, and 28% of data breach victims are small businesses.

It seems data breaches are a reality we have to live with, and we should expect to see more of our personal data exposed in these breaches. However, there are steps you can take to protect yourself and your employees.

Implement a password manager with MFA and strong random passwords and never reuse a password
Invoke a zero-trust mindset on 3rd party sites and limit the sensitive information you share assuming they will be breached.
Monitor the dark web for your exposed data
Review your credit reports for suspicious activity

And most importantly don’t be careless with your own security implementations. Account credentials should never be retrievable in plain text and PCI compliance exists for a reason. If you are unsure of how you are protecting your sensitive and regulated data, contact us, we can help.

Kyle Vinar

Kyle Vinar is Partner / President of Verus Corporation. He oversees all business operations and coaches Verus teams to continually improve on their solutions from client experience to product development and overall solution implementation. He works with all Verus resources to increase efficiencies and excellence in every aspect of their organizational roles. Kyle believes that people are the last real competitive edge that a company can have and constructing a rich culture is a vital step in running a world-class organization. Therefore he strives to create a culture within Verus that allows everyone to show up authentically and grow both personally and professionally, which in turn allows Verus Corp team members to provide clients with top-of-the-line service. Kyle helps balance strategy, capacity, and culture in such a way that has allowed Verus Corp to achieve exponential growth since he joined the company in 2013. One of Kyle’s greatest professional achievements has been in helping lay the foundation upon which Verus Corporation could be named the 2nd Best Place to Work by the Minneapolis/St. Paul Business Journal. Kyle holds a Bachelor of Science in Marketing from St. Cloud State University. He lives in Champlin with his wife and 3 children. He has enjoyed volunteering as a soccer coach for over 6 years and was the former Director of Coaching for Rebels Soccer Club. If Kyle isn’t on the sidelines of one of his children’s soccer games or in the audience of his eldest’s musicals, he can often be found cruising scenic routes on his Harley, in a deer stand, or on the golf course.