“Thieves made off with usernames, email addresses and encrypted passwords.
Health and fitness app MyFitnessPal has been hit by one of the biggest data breaches in history, after cyber thieves made off with the personal data of around 150 million users.
Under Armour, the activewear brand that owns and operates the app, confirmed last week that usernames, email addresses and hashed passwords were all stolen in the breach. The company has said that the majority of the affected passwords were encrypted with the Bcrypt algorithm, which has a good reputation for security.
The breach occurred in February and was detected on 25 March. MyFitnessPal has notified users, and will be requiring all affected accounts to change their passwords.”
Under Armour actually handled this breach correctly. Unlike previous breaches of this scale (it is possibly the third largest breach of its kind), it was addressed immediately and affected parties were informed within a very short time. It is notable that a strong password hashing algorithm (bcrypt) was in use, which should slow any attempt to crack a user’s password from the dump (how much depends on the cost factor, i.e. the number of rounds, configured by the affected platform). Slowing an attacker’s recovery of passwords from a dump is vital, because it gives users a chance to change their password on any other site where they used the same password as they did with MyFitnessPal. The latest research indicates that over 80% of users aged 18 or over reuse the same password across multiple accounts, so an account compromised on one site can expose the same user across many others.
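To show concretely why a slow, salted password hash buys users time after a dump, here is an added example (not code from the article, from Under Armour or from MyFitnessPal). bcrypt is not in the Python standard library, so the example uses the standard library’s PBKDF2-HMAC-SHA256 as a stand-in: its iteration count plays the same role as bcrypt’s cost factor, making every guess the attacker tries cost the same amount of work the server spends on one login. The record format, the iteration counts and the 14-million-entry wordlist size used in the estimate are assumptions constructed for the illustration.

```python
"""Salted, iterated password hashing with a tunable work factor.

Added example, not code from the article or the affected platform. PBKDF2-HMAC-SHA256
from the standard library stands in for bcrypt; its iteration count is the analogue of
bcrypt's cost factor.
"""
import hashlib
import hmac
import secrets
import time

ALGORITHM = "pbkdf2_sha256"  # constructed label for the stored record format


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh 16-byte random salt per user means two users with the same password get
    different records, so precomputed tables are useless and one cracked hash does not
    reveal anyone else's password.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and work factor; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def stored_iterations(stored: str) -> int:
    """Read the work factor back out of a record, e.g. to decide whether to upgrade it at next login."""
    return int(stored.split("$")[1])


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Measure how many candidate passwords one CPU core can test per second at this work factor."""
    salt = b"constructed-benchmark-salt"
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode("utf-8"), salt, iterations)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(candidates: int, rate: float) -> float:
    """Worst-case time to try every entry of a wordlist of this size at the given rate."""
    return candidates / rate


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
    # How the work factor changes the time to run a 14-million-entry wordlist (constructed
    # figure) against a single stolen record. Raising the cost turns seconds into hours,
    # which is the window in which a notified user can change reused passwords elsewhere.
    WORDLIST = 14_000_000
    for iters in (1, 10_000, 600_000):
        rate = guesses_per_second(iters)
        hours = seconds_to_exhaust(WORDLIST, rate) / 3600
        print(f"{iters:>8} iterations: {rate:12,.0f} guesses/s -> {hours:10.2f} hours for the wordlist")
```

Two defender-side points the numbers make visible: the salt in each record forces the attacker to repeat the full work per user, so a 150-million-row dump cannot be attacked with one precomputation, and the iteration count (like bcrypt’s cost) is a dial the platform controls, which is why the article’s caveat about the configured cost matters more than the algorithm name alone.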
Password managers are a great tool and there really is no compelling reason not to use one: they help eliminate password reuse and generate complex, high-entropy passwords that would be extremely difficult to crack if their hashes were compromised. A MyFitnessPal user relying on a password manager would have far fewer concerns on receiving notification of the breach.
“Most UK firms are failing to plan for the financial impact of cyber attacks, a survey by Lloyds Bank has revealed.
Only a third of UK business leaders say they have a financial plan in place to counter the effects of a cyber attack, a survey shows.
This is despite the fact that 80% of UK business leaders are concerned or very concerned about the financial implications of a cyber attack on their business, according to a poll of more than 150 business leaders at Lloyds Bank’s recent Cyber Beyond IT event in London.”
Companies often look at the risks from cyber attacks with a very narrow viewpoint, failing to take into account that an attack is not just an IT issue. As well as the obvious IT problems, there is the much larger business impact that can occur when a company is the victim of a cyber attack. The NotPetya malware cost TNT Express around $300 million in the last quarter of 2017, with no data breach occurring at all. Such disruption can cause operational issues leading to reputational damage and cash-flow problems; without sufficient financial planning, these liquidity issues can cause a business to fail.
Cyber insurance is an option that can provide peace of mind, but companies should also focus on prevention rather than recovery. There are many frameworks, such as ISO 27001, that allow a company to develop and mature its internal policies so that a good cyber security posture becomes ingrained in the workflow. Regular testing of the controls put in place is vital to ensure that they are working; relying on the ransomware operator to unlock your files once you have paid the ransom (as over a third of the companies polled indicated they would) is really not a great business continuity strategy.
PGI in Pictures
This week we have been presenting at the NCSC Managing Cybersecurity Risk: Cases Studies and Solutions book launch. Our Managing Director of Cyber, Brian Lord, put together an excellent chapter for the book. This will be distributed across the UK and the aim is for it to be a go-to guide for UK businesses.