What is a Data Breach and How to Stay Protected?
I remember once many years ago going to pick up a takeout order my wife had placed at a local family-owned restaurant. When I got to the restaurant and received our food, I could see my wife’s order printed out on a piece of paper next to our food. The printed order information was formated like an email and included our credit card information. Working in security and development and knowing the pains we sometimes go through to implement PCI compliance, I was shocked at this complete disregard for protecting sensitive information. My mind quickly thought of the hundreds or thousands of card numbers and personal data laying out for any ambitious dumpster diver or even employee to grab.
A data breach is a security violation, in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so. We don’t usually think of data breaches as they may relate to a small restaurant being careless with customer orders. Instead, our minds go to the headline-grabbing announcements of large corporations losing data in an attack.
On January 22, 2020, a customer support database holding over 280 million Microsoft customer records was left unprotected on the web
On February 20, 2020, Over 10.6 million hotel guests who have stayed at the MGM Resorts have had their personal information posted on a hacking forum
We trust companies with our sensitive information every day. And it’s not only the small mom-and-pop shops that can be careless. Last month it was revealed that GoDaddy, the largest web hosting company in the world by quantity of sites, had been breached. The attacker gained access to 1.2 million GoDaddy WordPress-hosted sites. GoDaddy’s complete SEC filing on the breach is below.
On November 17, 2021, we discovered unauthorized third-party access to our Managed WordPress hosting environment. Here is the background on what happened and the steps we took, and are taking, in response:
We identified suspicious activity in our Managed WordPress hosting environment and immediately began an investigation with the help of an IT forensics firm and contacted law enforcement. Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress.
Upon identifying this incident, we immediately blocked the unauthorized third party from our system. Our investigation is ongoing, but we have determined that, beginning on September 6, 2021, the unauthorized third party used the vulnerability to gain access to the following customer information:
- Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
- The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.
- For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
- For a subset of active customers, the SSL private key was exposed. We are in the process of issuing and installing new certificates for those customers.
Our investigation is ongoing and we are contacting all impacted customers directly with specific details. Customers can also contact us via our help center (https://www.godaddy.com/help) which includes phone numbers based on country.
We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.
Chief Information Security Officer
Of particular interest in the filing is the bullet point:
For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.
If passwords were exposed, they were stored in such a way that plain text passwords could be retrieved when instead they should be encrypted to add protection. We’ve written previously on the trouble with passwords and why strong passwords aren’t as secure as you think they are. When passwords are revealed in one data breach such as the GoDaddy breach, hackers now have a library of usernames and passwords to try against other sites to gain access to accounts where passwords have been reused. No matter how strong your password is, reusing passwords and careless security practices can quickly nullify any protection.
Of course, GoDaddy isn’t alone in revealing sensitive customer information. Data breaches occur regularly as cyber attacks continue to grow in scale and complexity. 2021 saw the largest ransomware attack ever affecting over 1,500 businesses. This year Verizon has already reported 29,207 data breach incidents, which boils down to 5,258 confirmed data breaches, and 28% of data breach victims are small businesses.
It seems data breaches are a reality we have to live with, and we should expect to see more of our personal data exposed in these breaches. However, there are steps you can take to protect yourself and your employees.
- Implement a password manager with MFA and strong random passwords and never reuse a password
- Invoke a zero-trust mindset on 3rd party sites and limit the sensitive information you share assuming they will be breached.
- Monitor the dark web for your exposed data
- Review your credit reports for suspicious activity
And most importantly don’t be careless with your own security implementations. Account credentials should never be retrievable in plain text and PCI compliance exists for a reason. If you are unsure of how you are protecting your sensitive and regulated data, contact us, we can help.