Cybersecurity Lessons From 3 Public Breaches

COMMENTARY

The statistics paint a clear picture — over 9,000 cyber incidents were reported in just the first half of 2024, translating to nearly one new attack every single hour.

This escalating risk has pushed cybersecurity to the forefront of business strategy. According to a study by Accenture, 96% of CEOs identified security as essential to their company's growth, prompting continuous investment. Yet, despite these efforts, 74% of them expressed concern about their ability to effectively mitigate or withstand cyberattacks due to the increasing complexity of threats. High-profile security incidents provide examples of common vulnerabilities and highlight strategies for businesses to avoid sophisticated attacks.

1. The Importance of Password Policy

Maintaining a strong password policy is essential for all organizations. A typical policy should mandate a minimum length of eight (better 12) characters, combining letters, numbers, and special symbols. Regularly updating passwords is also a widely accepted practice.

However, experience has shown us that guideline compliance is only one part of the equation. At Sigma Software Group, we emphasize the importance of thoughtful password creation, encouraging our team to steer clear of easily guessable patterns, like "Spring2024!" or "Summer2024!" This proactive mindset helps foster a culture of security awareness, which is crucial for preventing password breaches — an alarming trend that affects individuals and organizations alike.

The damage: A striking example of this vulnerability occurred in 2020 when Dutch ethical hacker Victor Gevers guessed then-candidate Donald Trump's Twitter password on his fifth attempt. The password, "maga2020!" — a nod to Trump's campaign slogan "Make America Great Again" — highlighted a significant security gap. Gevers clarified that his intention wasn't to steal sensitive information but to raise awareness about online security risks. He advocates for stronger online security measures, including complex password protocols, two-factor authentication, and effective password management.

The lesson: By adopting a comprehensive approach to password protection, organizations can significantly mitigate risks and bolster their overall cybersecurity posture.

2. Multifactor Authentication Hits Its Limits

Multifactor authentication (MFA) was once hailed as a major leap forward in security. By requiring additional layers of verification — such as passwords, hardware tokens, or biometric scans — MFA significantly raises the barrier for unauthorized access. However, while MFA adds protection, it is far from infallible.

Consider a scenario where a user loses their phone and laptop simultaneously. Regaining access to critical accounts often involves contacting IT support to verify their identity — an approach that seems secure but has its flaws, as the gaming giant EA Games found out the hard way.

The damage: In July 2021, EA Games suffered a significant breach due to a clever MFA bypass. Hackers used stolen cookies containing an employee's login credentials to infiltrate the company's Slack channel. Impersonating the employee, they contacted IT support, claiming they had lost their phone at a party and needed a new multifactor authentication token. This social engineering tactic worked, granting them access to EA's corporate network.

The outcome was disastrous. The hackers stole 780GB of sensitive data, including the source code for FIFA 21, the Frostbite engine, and various internal development tools. This data has since been sold on underground forums.

The lesson: While EA confirmed that no player data was compromised, the incident exposed the vulnerabilities in its security protocols. EA has since acknowledged the gravity of the breach and has been bolstering its defenses to prevent future occurrences.

3. Humans Are Only Human

Even the most advanced security systems are not immune to vulnerabilities. A seemingly minor mistake can introduce significant risks, regardless of the sophistication of tools or protocols in place.

The damage: A pertinent example comes from Estonia, where engineers implemented best practices while developing national digital identity cards. Unfortunately, errors during this process resulted in critical security flaws affecting over 750,000 cardholders.

These issues primarily stemmed from the card manufacturer, Gemalto. Between 2014 and 2017, Estonian authorities uncovered a major vulnerability in the cryptographic library responsible for private key generation. This flaw created a potential pathway for identity theft, yet Gemalto failed to promptly inform the government. Consequently, Estonian officials had to take emergency measures, suspending the use of digital certificates on the affected cards. This situation led to litigation, resulting in a settlement where Gemalto agreed to pay €2.2 million in compensation.

Additional vulnerabilities arose from ID card management practices. Gemalto generated private keys outside the secure chip and reused the same key across multiple cardholders. This oversight allowed for potential impersonation — although, fortunately, no actual identity misuse was reported. Estonian experts quickly identified and rectified the issue, ensuring that the threat to digital identities remained theoretical.

The lesson: A robust security framework is insufficient on its own; the human element must also be addressed. To mitigate the potential risks associated with human error, organizations should implement strategies that enhance oversight and resilience. This includes providing comprehensive staff training to elevate security awareness, conducting regular security audits of both internal systems and third-party providers, and establishing clear security protocols that empower employees to recognize and address potential security issues.

In a Nutshell

A recurring theme in these case studies is the impact of human error. As cybersecurity becomes more complex, shortcuts — such as using simple passwords or bypassing MFA — often create vulnerabilities that attackers exploit.

The primary and biggest challenge in cybersecurity lies in striking a balance between implementing robust security controls and maintaining user convenience.

Cybersecurity is an ongoing process, not a one-time fix. No single tool can offer complete protection, so a multilayered defense approach, where measures complement each other, is the most effective strategy to mitigate risks and stay ahead of evolving threats.