Around this time of the year, many cybersecurity-related companies gather their statistics to publish annual reports for cyber events for the year. However, massive data breaches (such as Quora and Marriott) that hit the news in the early days of December do not let them wrap-up those reports. Some of them are candidates of the biggest hacks of the year.
100 million users affected after Quora breach
Quora, the popular question-and-answer website, has been hit a by a major data breach. It became a public knowledge after Quora posted a security update notice on December 5th. In the notice, Quora states that approximately 100 million users’ data were compromised as a result of unauthorized access to one of their systems by a malicious third party.
The potentially compromised data includes account information (name, email address, hashed password, data imported from linked networks when authorized by users), public content/actions (questions, answers, comments, upvotes), and non-public content/actions (answer requests, downvotes, direct messages). Basically, almost everything Quora knows about a user except for anonymous users. While Quora has been notifying its users and investigating the root cause, all affected users’ passwords were invalidated.
500 million Marriott-customers information are compromised
Data breach for Marriotts’ Starwood-branded hotels overshadowed the Quora breach. Approximately 500 million customers personally identifiable information such as name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Around 170 million customers encrypted financial data was also among the data breached, but Marriott claims that credit card data were encrypted with advanced techniques. Though, they do not strongly state that these data is not accessible. The interesting side of this data breach story is that the leaked went undetected for almost 4 years. So its origin goes back to 2014 when Starwood was not part of Marriott brand. Marriott acquired Starwood hotels in 2016. Lack of due diligence during the M&A process transferred the cyber risk to the Marriott’s system. This was a great reminder of how important to know security posture of the company to be acquired.