Cloud systems are considered a safer place than on-premises models, but you still can’t be completely sure of the integrity of your data. Microsoft’s Security and Intelligence report revealed that the number of cyberattacks on clouds increased by 300% in 2017. When companies move their business to the cloud, they are at risk of compromising their sensitive data and losing their customer’s loyalty and business reputation. That’s why so many companies would like to hide the cases of data breaches in the cloud during many years after incidents occurred.
Here is a list of most secret data breaches that evidently shows the importance of protecting clouds against cyber attacks.
1. FedExIn February this year, Kromtech Security Center disclosed data breach of FedEx, an American delivery company. FedEx stored personal data of their clients on an unsecured Amazon S3 virtual server. There were more than 100,000 scanned documents that included driver licenses, passports, and security IDs of the company’s clients. The unsecured server was previously owned by Bongo International, but FedEx acquired the company in 2014 and rebranded as FedEx Crossborder. After Kromtech’s disclosure, FedEx removed the server from public access ensuring that no data was compromised.
2. MicrosoftData breach occurred with customers of Business Productivity Online Suite in 2010 wasn’t caused by malicious activity. It was a result of a configuration problem in Microsoft’s data centers. The problem allowed any users of the cloud service download the Offline Address Book with contacts of BPOS clients. Microsoft apologized and reported that they fixed the issue within two hours and asked illegitimate users to remove the files.
3. SalesforceSalesforce.com, an American cloud computing company, was also appeared to be vulnerable to cyber attacks. In 2007, one of Salesforce employees became a victim of a phishing attack that resulted in disclosing their company credentials. After getting access to Salesforce’s client list, hackers arranged a highly targeted phishing scam by sending emails with fake invoices. In 2014, the company also detected a malware injection attack on its end-users aimed to steal their bank credentials.
In 2016, Deloitte, one of the largest accountancy companies, became a victim of hacker’s attack on the firm’s global email server stored in the Microsoft Azure cloud service. The hackers compromised the email base of 244,000 company employees through a privileged account that required only password-based authentication. As a result, attackers got unlimited access to the confidential data of more than 350 VIP clients.
5. LinkedInLinkedIn, the largest business-networking website, suffered from one of the greatest data breaches in 2012. The company disclosed that attackers compromised 165 million accounts. Nearly 6.5 million hashed passwords were posted on a Russian forum when LinkedIn forced their users to change passwords. However, there was no further investigation of the breach that also affected more than 100 million users with unsalted passwords by 2016.
6. ZapposIn 2012, Zappos.com, an online retailer belonged to Amazon, revealed details about its massive data breach that affected 24 million of customers. The hackers got unauthorized access to the company’s data center located in Kentucky. The compromised data included personal information, credit card numbers, and encrypted account credentials. One of the website customers even filled a lawsuit for the potential personal and financial harm.
7. DropboxIn 2012, Dropbox accounts were compromised as a result of a spam attack. After hijacking usernames and passwords from other accounts, attackers used them to sign in to Dropbox accounts. Hackers also used stolen credentials to access an employee Dropbox account with the company’s client’s emails. Dropbox informed their users about the data breach and recommended to select new passwords. However, the consequences of this breach appeared in 2016 when hackers offered video-news site Vocative to buy 68 million Dropbox passwords for $1,100.
8. Apple iCloudWhen in 2014, the nude photos of Kate Upton and Jennifer Lawrence spread over the Internet, celebrities thought that their phones were hacked. However, the source of data appeared to be the iCloud servers that backed up users images. The company conducted an investigation and revealed that the cloud servers were not compromised. Apple recommended its customers to use more secure passwords. Lately, a Chinese web monitoring group discovered that hackers arranged a man-in-the-middle attack to steal user credentials, messages, and photos.
9. Sony PlayStation NetworkSony data breach was one of the largest in the history as of 2008. Arranging a successful SQL injection attack on the company’s website, hackers gained unauthorized access to the subscriber’s personal information. Another attack on PlayStation Network and Qriocity services was arranged in 2011, but the company informed their subscribers about it only in a week after it abruptly cut access to its services. The company had a 77 million global subscriber database that included information about account credentials, home addresses, birth dates, and credit card data.
10. YahooIn 2017, Yahoo was revealed of becoming a victim of a massive cyber attack that compromised nearly three billion accounts with data about user’s names, telephone numbers, emails, and dates of birth. The breach occurred in 2013 and was allegedly arranged by an “unauthorized third party.” Another security incident with Yahoo was in 2014 when a “state-sponsored actor” stolen credentials of more than 500 million accounts. However, most of the passwords were encrypted and hashed with irreversible mathematical algorithms.
ConclusionCloud technologies can benefit businesses with optimized performance and costs, but the cloud security is now the biggest challenges in IT industry. While cloud providers constantly release security patches, cloud systems are still susceptible to attacks on web applications, account hijacking, and malware injection. Therefore, cloud users and cloud service providers should also think about taking security measures for the cloud. Only a shared responsibility for security in the cloud can help us take the full advantage of cloud opportunities.
By: Marcell Gogan