Blog Home  »  Attacks & Data Breaches   »   Top Application Breaches In 2019
Managed WAF

Top Application Breaches In 2019

Posted DateDecember 26, 2019
Author Bio
Posted Time 3   min Read

“Application breaches every other day” has been the unfortunate reality of 2019. As the year draws to a close, we must reflect on the top application breaches of the year and take the lessons into 2020 to be better equipped for the accelerated pace and increasing sophistication of these breaches.

Top 5 Application Breaches in 2019

Capital One

This massive breach was allegedly orchestrated by a software engineer who hacked into a server containing Capital One’s customer data, exposing over 100 million customer records including credit card applications from as far back as 2005, bank account numbers, social insurance numbers, credit scores, balances, and other confidential information.

The hacker made use of a misconfiguration in the open-source Web Application Firewall (WAF) that was being used by the company to orchestrate the well-known Server-Side Request Forgery (SSRF) attack, wherein she tricked the server into running commands (including access to the metadata service) that should not have been permitted. This breach is expected to have cost Capital One USD 100-150 million and the company’s stocks dropped by 5%.

Lesson: The WAF is a critical part of application security and organizations must carefully choose the right WAF instead of opting for open-source and automated ones just because they are cheaper offerings. Organizations must choose an intelligent, comprehensive, highly customizable, and managed WAF provided by a trustworthy service provider like AppTrana that is regularly updated and tuned to ensure that it is proactively securing the application. Else, they will have to face hefty costs.

Secondly, organizations need to be extremely stringent about permissions, authorizations, user privileges, etc., and need to be proactive about application security. Onboarding a managed web application security solution will enable organizations to do so.

First American Financial Corp.

This real estate and title insurance giant exposed over 850 million confidential records including mortgage deals dating as far back as 2003, bank account numbers, Social Security numbers, tax records, wire transaction receipts,  driver’s license images, and so on owing to a design defect called Insecure Direct Object Reference (IDOR) in their website. This vulnerability allowed anyone with an email link from the company to access non-public/ sensitive information by simply modifying the link without even the need to use a password. The company is facing several lawsuits and a big dent in its reputation.

Lesson: This mega data leak goes to show how little progress has been made in putting in place robust security measures to secure user data and that even big players and technologically advanced companies are overlooking basic errors despite the incredibly high stakes.

Macy’s

This retail giant’s website was faced with a week-long application breach that led enabled the hacker group, Magecart, to skim customer credit card information through unauthorized code injection. The attackers placed malicious credit card skimming malware in the ‘My Wallet’ and ‘Checkout’ pages of the website that allowed them to steal thousands of customer credit card details and transaction details, as well as, their personal information.

Lesson: This is not the first time that the company has faced such an attack. Even though the attack may not be of a large magnitude, it highlights the lax attitude towards application security.

Epic Games – Fortnite

This gaming platform was faced with an XSS (Cross-Site Scripting) Attack in December 2018 – January 2019 which was orchestrated using multiple vulnerabilities present in the platform including legacy resources/ web pages, login system flaws, etc., and exposed over 200 million gamer records. Whenever a user clicked on the link (malicious payload) sent by the hacker, the hacker got access to the user’s account (even take over the account), make in-game purchases, and eavesdrop on and even record background home conversations.

Lesson: Despite being notified of the vulnerabilities in the platform, the company took two months to acknowledge the flaw and attempt to fix it. The breach highlights the need for organizations to take a comprehensive view of security and proactively and consistently strengthen their security posture.  

verification.io

This email validation service provider faced a major breach (biggest breach from a single source) in March exposing nearly 2 billion records wherein 150 GB of digital marketing data was found in plaintext in a MongoDB database that was not password-protected and therefore, publicly accessible.

Lesson: Though corrective action was taken immediately when notified about the breach, it could have been avoided if the database had multi-factor authentication and encryption.

Overall, what we need to learn from the top application breaches of 2019 is that application security is not optional. Irrespective of the size and scale of the organization, the stakes are too high to risk being negligent and lackadaisical about application security.

web application security banner

Karthik Krishnamoorthy

Karthik Krishnamoorthy is a senior software professional with 28 years of experience in leadership and individual contributor roles in software development and security. He is currently the Chief Technology Officer at Indusface, where he is responsible for the company's technology strategy and product development. Previously, as Chief Architect, Karthik built the cutting edge, intelligent, Indusface web application scanning solution. Prior to joining Indusface, Karthik was a Datacenter Software Architect at McAfee (Intel Security), and a Storage Security Software Architect at Intel Corporation, in the endpoint storage security team developing security technology in the Windows kernel mode storage driver. Before that, Karthik was the Director of Deep Security Labs at Trend Micro, where he led the Vulnerability Research team for the Deep Security product line, a Host-Based Intrusion Prevention System (HIPS). Karthik started his career as a Senior Software Developer at various companies in Ottawa, Canada including Cognos, Entrust, Bigwords and Corel He holds a Master of Computer Science degree from Savitribai Phule Pune University and a Bachelor of Computer Science degree from Fergusson College. He also has various certifications like in machine learning from Coursera, AWS, etc. from 2014.

Share Article:

Tags:

Join 51000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.