Months have been spent planning and millions have been invested. It is nearly time for the big announcement introducing the world to a market-disrupting innovation. But suddenly your plan is shattered as your organization’s secret announcement virally spreads across social media, and you realize your headlines have been stolen.
The cause? A malicious breach by a hacktivist, a disgruntled insider leaving to a competitor, or a rogue partner looking to make a name for themselves? None of the above. It was an accidental leak from your own corporate website. Your own corporate website, really?
As advanced cybersecurity systems, training, and policies become more widespread each year, one would expect the accidental publishing of confidential or personal information to a corporate website to be extremely rare and innocuous at best. Think again. Some of the most noteworthy data leaks in the past few years – from Yahoo's, Microsoft's, and Facebook's to First American Corporation's, JPMorgan Chase's, and Equifax's – resulted from accidental website leaks.
We have compiled five recent website leaks in technology, sports, and entertainment that have shocked the world and rocked the threat landscape:
"Zoom" Leak Boom
On the heels of the Zoom debacle in 2020, where over 500 million usernames and passwords were leaked to the dark web, the booming videoconference service experienced a credential breach in which hackers discovered 500,000 reused username/password pairs that matched Zoom accounts.
To pile on even more, Zoom was implicated in a plethora of other recent scandals, including selling individuals' PII to Facebook, becoming a boon for malware, end-to-end encryption deception, and even channeling calls through China.
NBA Newsletter Nightmare
The National Basketball Association (NBA) told fans earlier this year that a breach had leaked their PII (including fans' names and email addresses) via a third-party newsletter service. Once the NBA got wind that an unauthorized party had gained access, it activated internal incident response and mediation tactics by engaging external cybersecurity experts.
JD Sports' MVB (Most Valuable Breach)
UK-based sports retailer, JD Sports, confirmed earlier this year that a data breach led to the leaking of 10 million customers' PII across the UK and Australia, including names, billing and delivery addresses, phone numbers, order details, and the last four digits of their credit cards.
Plex's Password Pilfering
Plex, a leading movie & TV streaming platform, had to issue password-reset notices to nearly all of its 30-million customer base a year ago after noticing that an outside actor had gained access to emails, usernames, and, most alarming, encrypted passwords. So how did this threat actor do this?
Unfortunately, there was an unpatched vulnerability in the hashing algorithm that allowed the criminal to employ encryption-cracking software and use trial-and-error guesswork of passwords, or "brute force", to hack in!
HUGE MGM Dilem-ma
Late on a Friday night this past September, the L1 Help Desk for MGM Resorts (located offshore) received a phone call for the rather benign request of a password reset for an "employee", who claimed that they lost their phone and couldn't access their MFA token but turned out to be a bad actor. Once the password was reset, the attacker proceeded to Okta's SSO login and was given carte blanche into MGM's employee portal.
To say this wreaked havoc on the chain's clientele and operations would literally be THE understatement of the year... The impact lasted weeks, led to a $100 million loss, and brought all of MGM Resorts' services and amenities to a grinding halt, including electronic gaming; credit card denials; malfunctioning of ATMs, room keys and elevators; HUGE lines caused by manual check-ins and checkouts; and data leaks and theft galore of SSNs, driver's license numbers, and a myriad of other PII.
Prevent Accidental Website Leaks
The shocking reality behind embarrassing website leaks is that most of them can easily be avoided. In a time of extreme pressure and last-minute deadlines, organizations can no longer simply depend upon human processes to review and control what information should be shared with third parties and when it should be posted on their website. A safety net that monitors for an accidental release of confidential information prior to the announcement date can go a long way toward automating the avoidance of a public-relations disaster.
Information security teams can easily enhance their existing web technology (reverse proxy) to ensure web content is automatically inspected at the most granular levels, and then redacted and sanitized prior to being published on the corporate website. This includes the detection and removal of confidential information parsed and distributed as web copy, images, complete or sub-file documents, as well as information that has been copied and pasted into other marketing and communication form factors.
Automatically sanitizing all documents being published removes often overlooked revision history, comments, and hidden metadata that can be embarrassing if distributed outside the organization. Imagine if you mistakenly sent an embargoed press release to hundreds of media publications that included internal comments discussing positioning and competitive strategies.
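A pre-publication check for the hidden content described above, as an added example that is not part of the original article or any vendor's product: it audits a Word (.docx) file for reviewer comments, unaccepted tracked changes, and author metadata. The sample draft is constructed, and the code assumes drafts come from internal authors (untrusted uploads call for a hardened XML parser).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"

def audit_docx(data: bytes) -> dict:
    """List hidden content in a .docx: comments, tracked changes, author metadata."""
    found = {"comments": [], "tracked_changes": 0, "metadata": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "word/comments.xml" in names:  # reviewer comments live in their own part
            root = ET.fromstring(z.read("word/comments.xml"))
            for c in root.iter(f"{{{W}}}comment"):
                found["comments"].append("".join(t.text or "" for t in c.iter(f"{{{W}}}t")))
        if "word/document.xml" in names:  # w:ins / w:del mark unaccepted revisions
            root = ET.fromstring(z.read("word/document.xml"))
            found["tracked_changes"] = sum(
                1 for el in root.iter() if el.tag in (f"{{{W}}}ins", f"{{{W}}}del"))
        if "docProps/core.xml" in names:  # author names travel with the file
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key, tag in (("creator", f"{{{DC}}}creator"),
                             ("lastModifiedBy", f"{{{CP}}}lastModifiedBy")):
                el = root.find(tag)
                if el is not None and el.text:
                    found["metadata"][key] = el.text
    return found

def safe_to_publish(found: dict) -> bool:
    return not (found["comments"] or found["tracked_changes"] or found["metadata"])

def build_sample(parts: dict) -> bytes:
    """Constructed stand-in for a draft press release (only the parts audited here)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

DRAFT = build_sample({
    "word/document.xml": f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:t>Launch: </w:t></w:r>'
        f'<w:ins><w:r><w:t>June 1</w:t></w:r></w:ins>'
        f'<w:del><w:r><w:delText>May 1</w:delText></w:r></w:del></w:p></w:body></w:document>',
    "word/comments.xml": f'<w:comments xmlns:w="{W}"><w:comment w:id="0"><w:p><w:r>'
        f'<w:t>Position this against the competitor</w:t></w:r></w:p></w:comment></w:comments>',
    "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
        f'<dc:creator>j.doe</dc:creator></cp:coreProperties>',
})
```

A publishing pipeline would call `audit_docx` on each attachment and hold any file for which `safe_to_publish` is false until it has been cleaned.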
Adaptive security policies are key to identifying and preventing accidental leaks without disrupting time-sensitive communications with burdensome false positives. Redaction and sanitization policies can be configured to remove only the confidential information detected, allowing the rest of the post or communications to continue without quarantines or delays.
Adaptive security policies will only be successful in a dynamic organization when the stakeholders who have the most to lose and are the closest to the project are empowered to protect their confidential information. IT security departments may not be familiar enough with the confidential information associated with the announcement (e.g., new design image, logo, or product names) to set the appropriate policies. As a result, enabling adaptive classification and crowd-sourced security policies to be set by key stakeholders helps ensure complete protection.
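The redaction policy and stakeholder-owned classification described in the two paragraphs above, sketched as an added example rather than any product's implementation: each policy entry names a confidential term, the stakeholder who set it, and an embargo date, and only terms still under embargo are masked while the rest of the page passes through. The terms, owners, dates, and sample page are all constructed.

```python
import re
from datetime import date

# Constructed policy: each entry is set by the stakeholder who owns the announcement.
POLICY = [
    {"term": "Project Aurora", "owner": "product-marketing", "embargo_until": date(2030, 6, 1)},
    {"term": "AuroraPhone X", "owner": "design", "embargo_until": date(2030, 6, 1)},
    {"term": "Q1 pricing", "owner": "finance", "embargo_until": date(2020, 1, 15)},
]

def term_pattern(term: str) -> re.Pattern:
    # Match case-insensitively and tolerate any whitespace run between words,
    # so "project  aurora" is caught as well as "Project Aurora".
    words = [re.escape(w) for w in term.split()]
    return re.compile(r"\b" + r"\s+".join(words) + r"\b", re.IGNORECASE)

def redact(body: str, policy: list, today: date, mask: str = "[REDACTED]"):
    """Mask only terms still under embargo; return (clean_body, hits)."""
    hits = []
    for rule in policy:
        if today >= rule["embargo_until"]:
            continue  # embargo lifted: the term may be published
        body, count = term_pattern(rule["term"]).subn(mask, body)
        if count:
            # Record who owns the term so the right stakeholder is notified.
            hits.append((rule["term"], rule["owner"], count))
    return body, hits

# Constructed outbound page body.
SAMPLE = "<p>Our Q1 pricing is unchanged. Meet project  aurora and the AuroraPhone X.</p>"
```

Plain-text matching like this misses terms split across markup tags or embedded in images, which is why the article calls for inspection of images and documents as well as web copy.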
Key Website Leak Prevention Tips
- Enhance the existing web proxy to inspect and remove confidential information (if the existing proxy does not support this, vendor-independent ICAP add-ons are available)
- Sanitize all shared documents to automatically remove hidden revision history, comments, and metadata
- Leverage redaction policies to remove only confidential information, thereby eliminating delays and false positives
- Empower key stakeholders to classify confidential information related to their announcement by crowdsourcing information security policies