With 5 billion records exposed in 6,515 data breaches, 2018 was the second most active year on record for publicly reported breaches after 2017, according to Risk Based Security (RBS) in its Year End 2018 Data Breach QuickView Report.
Twelve of those breaches exposed 100 million or more records each. "Web" was the most common breach type, accounting for 39.3% of breaches, and 65.8% of the exposed records came from the business sector.
Those figures raise two questions:
- What can one learn from these breaches?
- What data security measures could have been practised to avoid them?
In this post you’ll find answers to these and related questions: the mistakes that led to the top two breaches, and how to avoid them.
India’s National ID [1.1 Billion Records]
Aadhaar, India’s national ID database, holds identity information, including biometric data, for 1.1 billion registered Indians. Organizations registered with Aadhaar, Amazon and Uber among them, can query its records to verify customers.
In March 2018, Karan Saini, a security researcher from New Delhi, found a flaw, not in Aadhaar itself but in a utility provider’s endpoint that queried it, through which anyone could retrieve the personal details of any Aadhaar holder.
What was the problem?
- Indane, a state-owned utility provider, looked up and verified customers through an unauthenticated endpoint. That endpoint leaked the data of anyone with an Aadhaar number: names, bank details and other personal information.
The only required input was an Aadhaar number, which is just 12 digits. An attacker can therefore enumerate identifiers, either by picking them at random or by cycling through a block such as 1234-5678-9001 to 1234-5678-9999, and call the endpoint with each one; every response that comes back is a real person’s record. Because the endpoint answered differently for valid and invalid numbers, it also served as an oracle for which numbers exist.
- The endpoint returned data not just for the utility provider’s own customers but for anyone with an Aadhaar number. “it seems that everyone’s information is available, with no authentication — no rate limit, nothing,” ZDNet reported.
- “the Indian authorities did nothing for weeks to fix the flaw. ZDNet spent more than a month trying to contact Indane, and the Indian authorities — including … National Informatics Centre. Nobody responded to … emails,” wrote ZDNet.
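The two failures described in the list above, an identifier that is the only input and an endpoint with no authentication or rate limit, are easy to show side by side. The Python below is an added example written for this post, not code from Indane, UIDAI or ZDNet: it mocks a record store with constructed sample data (no real people), runs the same enumeration loop against a vulnerable lookup and against a hardened one, and the hardened design (session tokens, per-client throttling, a single "not found" error for every failure) is an assumed illustration of the missing controls, not the utility’s real API.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample data (fictitious people): records keyed by a 12-digit identifier.
RECORDS = {
    "123456789001": {"name": "A. Kumar", "bank": "XXXX1234"},
    "123456789007": {"name": "B. Singh", "bank": "XXXX5678"},
    "123456789042": {"name": "C. Devi", "bank": "XXXX9012"},
}


# --- Vulnerable shape: the identifier is the only input, so whoever can guess a
#     12-digit number can read the record behind it, as often as they like.
def vulnerable_lookup(national_id: str):
    return RECORDS.get(national_id)


def enumerate_ids(lookup, start: int, stop: int) -> dict:
    """Attacker loop: walk a contiguous block of identifiers and keep every hit."""
    found = {}
    for n in range(start, stop):
        candidate = f"{n:012d}"
        record = lookup(candidate)
        if record is not None:
            found[candidate] = record
    return found


class LookupDenied(Exception):
    """Raised for every failed lookup; the message never says which check failed."""


@dataclass
class RateLimiter:
    """Sliding-window limiter keyed by client (here the client IP)."""
    max_calls: int
    window_s: float
    calls: dict = field(default_factory=dict)

    def allow(self, key: str, now: float) -> bool:
        recent = [t for t in self.calls.get(key, []) if now - t < self.window_s]
        if len(recent) >= self.max_calls:
            self.calls[key] = recent
            return False
        recent.append(now)
        self.calls[key] = recent
        return True


class HardenedService:
    """Same lookup, but the caller must be authenticated, may read only their own
    record, and is throttled. Hypothetical design, not the utility's real API."""

    def __init__(self, max_calls: int = 5, window_s: float = 60.0):
        self.sessions: dict = {}
        self.limiter = RateLimiter(max_calls, window_s)

    def login(self, national_id: str) -> str:
        # Assumption: the customer proved ownership of this identifier out of band
        # (e.g. an OTP to the registered phone) before this is called.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = national_id
        return token

    def lookup(self, token: str, national_id: str, client_ip: str, now: float = None) -> dict:
        now = time.monotonic() if now is None else now
        # 1. Throttle before doing any work, so bulk guessing stalls quickly.
        if not self.limiter.allow(client_ip, now):
            raise LookupDenied("too many requests")
        # 2. Authenticate: the token must belong to a live session.
        owner = self.sessions.get(token)
        # 3. Authorize: a session may read only the identifier it was issued for.
        #    Unknown token, wrong owner and unknown id all produce the same error,
        #    so the response is not an oracle for which identifiers exist.
        if owner is None or not hmac.compare_digest(owner.encode(), national_id.encode()):
            raise LookupDenied("not found")
        record = RECORDS.get(national_id)
        if record is None:
            raise LookupDenied("not found")
        return record


def attack_hardened(service: HardenedService, token: str, client_ip: str,
                    start: int, stop: int, now: float = 0.0) -> dict:
    """Run the same enumeration against the hardened service and tally the outcomes."""
    tally = {"hits": 0, "denied": 0, "limited": 0}
    for n in range(start, stop):
        try:
            service.lookup(token, f"{n:012d}", client_ip, now)
            tally["hits"] += 1
        except LookupDenied as err:
            tally["limited" if str(err) == "too many requests" else "denied"] += 1
    return tally


if __name__ == "__main__":
    leaked = enumerate_ids(vulnerable_lookup, 123456789000, 123456789100)
    print(f"vulnerable endpoint leaked {len(leaked)} records: {sorted(leaked)}")
    svc = HardenedService(max_calls=5, window_s=60.0)
    print("hardened, guessed token:",
          attack_hardened(svc, "guessed-token", "203.0.113.9", 123456789000, 123456789100))
    tok = svc.login("123456789007")
    print("hardened, own record:", svc.lookup(tok, "123456789007", "198.51.100.4", now=0.0)["name"])
```

Against the vulnerable lookup, a sweep of one hundred consecutive numbers returns every record in that range; against the hardened service the same sweep gets five uniform "not found" answers and is then throttled, and even a valid session cannot read a record other than its own. The throttle runs before authentication so that an attacker cannot use the endpoint to test guessed tokens at full speed either.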
Read more: https://dazeinfo.com/2019/10/03/worlds-worst-biggest-two-data-breaches/