The Breaches Multifactor Authentication Could Have Prevented

Many people have heard about the Equifax breach of 2017, when 145 million records were at risk of being made public. But even before that, there was another breach that put employee records at risk, and at least 750 were used to file false tax returns to Internal Revenue Service (IRS) in the US.

Hackers gained access to a website using default login information based on social security numbers and dates of birth, and then used that access to company employees’ W-2 forms to file tax returns in their names to claim a refund. “Equifax should have known better than to rely on a simple PIN for a password,” says Avivah Litan, a fraud analyst with Gartner Inc. ‘That’s so 1990s. It’s pretty unbelievable that a company like Equifax would only protect such sensitive data with just a PIN.” Motherboard reported that Equifax was warned about security holes months before the infamous 2017 data breach occurred. In fact, former employees specifically called out a lack of multifactor authentication.

In the case of Target, cyber attackers accessed the company’s computer gateway through credentials stolen from a third-party vendor in November 2013. Attackers used the stolen credentials not only to gain access to a customer service database, but also to install malware that enabled them to capture names, phone numbers, email addresses, payment card numbers and credit card verification codes. This put 41 million customer payment card accounts and 60 million Target customers at risk. The result was that Target had to pay more than $18 million in a multi-State settlement, provide free credit monitoring services for consumers whose accounts may have been exposed, and pay up to $10,000 to consumers who suffered provable losses from the data breach. The settlement also required Target to set up a security program — including implementing two-factor authentication — to help control network access.

If Target had had multifactor authentication in place for its employees, the stolen credentials would have presented less of a security risk, because the hackers would have had an additional security barrier to overcome.

The accounting and professional services company Deloitte saw a hacker break into the firm’s global email server through an administrator’s account that had only a single password. The breach may have occurred in October or November 2016, but it wasn’t discovered until March 2017. The hacker potentially had access to usernames, passwords, IP addresses, architectural diagrams for businesses, health information and as many as five million email messages to and from 244,000 Deloitte employees. Some email messages had attachments with sensitive security and design details. If the administrator’s email account had been protected with multifactor authentication, this sensitive material would have been much more difficult to steal.

In December 2017, Timehop, an application that lets people see old photographs from social media, was broken into. However, the breach wasn’t discovered until July 2018, when the hacker used that access to steal personally identifiable data that had recently been added to the system. “At 2:04 US Eastern Time in the afternoon of the 4th of July 2018, Timehop observed a network intrusion,” the company said in a blog post. “The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication.” Names, email addresses, dates of birth, gender, country codes and some phone numbers belonging to Timehop customers could have been seen by other people. In addition, access tokens, which social media providers give to the Timehop application to enable it to gain access to the content, were also taken. This could have allowed a hacker to view customers’ social media posts.

Timehop said it took steps — including multifactor authentication — to secure authorization and access controls on all accounts, though the attack was on an internal account. Timehop hasn’t reported any break-ins since.

At a time when massive data breaches are growing in frequency, companies need to proactively implement multifactor authentication for both their internal processes and their external customers. Otherwise, they risk being the target for the next large-scale hack.