Disney drama highlights important data breach trend

The drama-filled launch of Disney+ wasn't what the content giant might have hoped for - but it did highlight an important trend in data breaches in Australia and around the world.

Purple 11 Dec 2019

When Disney+ launched last month, it was a significant milestone for the content giant – a streaming, subscription-based service on which fans could watch all of their old and new favourites, on demand.

The high-profile launch, however, soon had a hiccup, with thousands of Disney+ user accounts suddenly popping up for sale on the dark web.

It has since emerged that Disney’s security was not breached. But the incident highlighted an important trend in data breaches, both in Australia and around the world.

The Disney+ accounts could be taken over because their owners had used the same combination of email and password as they had on other sites, and it was those other sites that had genuinely been breached. In a process known as “credential stuffing”, attackers use the log-in details obtained in those breaches to gain access to other accounts the user may have – in this case Disney+.
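Seen from the defending service's side, this pattern shows up in sign-in logs as one source trying many different accounts, mostly failing, with the occasional success. The following is an added example, not part of the original article: the log format, thresholds and function names are assumptions, the log lines are constructed, and the log is assumed to be already cut to a single time window.

```python
from collections import defaultdict

# Constructed sample sign-in log: "timestamp source_ip username result"
SAMPLE_LOG = """\
2019-11-12T09:00:01 203.0.113.7 alice@example.com FAIL
2019-11-12T09:00:02 203.0.113.7 bob@example.com FAIL
2019-11-12T09:00:03 203.0.113.7 carol@example.com OK
2019-11-12T09:00:04 203.0.113.7 dave@example.com FAIL
2019-11-12T09:00:05 203.0.113.7 erin@example.com FAIL
2019-11-12T09:00:06 203.0.113.7 frank@example.com FAIL
2019-11-12T09:01:10 198.51.100.20 grace@example.com FAIL
2019-11-12T09:01:25 198.51.100.20 grace@example.com FAIL
2019-11-12T09:01:40 198.51.100.20 grace@example.com OK
2019-11-12T09:02:00 192.0.2.44 heidi@example.com OK
"""

def parse(log_text):
    """Yield (source_ip, username, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines rather than guessing at them
        _, ip, user, result = parts
        yield ip, user.lower(), result == "OK"

def find_stuffing(log_text, min_accounts=5, min_fail_ratio=0.6):
    """Flag sources that try many distinct accounts and mostly fail.

    A user who mistypes their own password hits one account repeatedly,
    so the distinct-account count is what separates the two cases.
    """
    users, hits = defaultdict(set), defaultdict(set)
    attempts, failures = defaultdict(int), defaultdict(int)
    for ip, user, ok in parse(log_text):
        users[ip].add(user)
        attempts[ip] += 1
        if ok:
            hits[ip].add(user)  # a success inside a flagged run needs review
        else:
            failures[ip] += 1
    flagged = {}
    for ip, seen in users.items():
        if len(seen) >= min_accounts and failures[ip] / attempts[ip] >= min_fail_ratio:
            flagged[ip] = {"accounts_tried": len(seen), "review": sorted(hits[ip])}
    return flagged

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

Accounts listed under `review` logged in successfully during a flagged run, so they are the ones to force a password reset on and check for reuse.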

Credential stuffing has been a key area of concern for the Office of the Australian Information Commissioner since the national Notifiable Data Breaches Scheme was introduced in February 2018.


While phishing (attacks using emails which coerce users to click a malicious link) continues to be the biggest source of cyber-related notifiable data breaches, attacks using compromised or stolen credentials from “source unknown” contributed to more than 30 per cent of breaches.

The OAIC has linked the prevalence of “source unknown” breaches to credential stuffing. The so-called “Collection 1-5” dump of more than 100 billion global records on the dark web earlier this year is thought to have been a significant source of credential stuffing.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said there was a clear need for people to use multi-factor authentication, avoid re-using credentials and check whether they had been compromised using a tool like https://haveibeenpwned.com/.

“The fact that there is a human factor involved in so many cases demonstrates the need for staff training to increase awareness of cyber risks and to take the necessary precautions,” Ms Falk said.

The most recent set of data breach statistics released by the OAIC shows that a dip in notifications in the first three months of 2019 was only temporary.

The Office of the Australian Information Commissioner reported 245 Notifiable Data Breaches Scheme notifications between April 1 and June 30, equalling the tally from July to September of last year and trailing only the 262 breaches registered in the last three months of 2018 as the most prolific quarter.

The April-June figure was a 14 per cent increase on the 215 breaches recorded from January to the end of March.

Once again, malicious acts were the major source of breaches, with 62 per cent of notifications falling under that category.

Just four per cent of breaches were assessed as system error, while a further 34 per cent were attributed to human error – including, after a three-month hiatus, another breach relating to the largely obsolete fax machine!

Among other notable aspects of the April-June report:

  • There was a single breach affecting more than 10 million people worldwide.
  • The health sector finally has a challenger as the leading source of breaches, with financial services running a close second by five breaches. In four previous fully-completed quarters the gap had always been double figures, including a 31-breach difference in January-March.
  • Retail appears in the top-five sectors for breaches for the second successive quarter.

Notifiable Data Breaches Scheme statistics will now revert to six-monthly intervals, with the next report set to cover July-December and be released early in 2020.

Purple’s Director of Digital, Jamie Wilkinson, says that as well as multi-factor authentication, the other most useful tool you can employ to limit the chance of being a victim of credential stuffing is a password manager. These platforms and apps make it easy to generate unique and secure passwords for each of your online accounts, meaning you never have to use the same password twice.


Purple Director of Digital Jamie Wilkinson is an expert in proactively preparing communications strategies to respond to data breaches and managing communications during a data breach crisis.


Photo by Denys Nevozhai on Unsplash