As a proud member of the “Internet Generation,” I grew up with a personal computer in my living room and free time. A lot of free time.
One day, I turned to the internet to watch a movie called Shrek that I’d been dying to see. By the time “All-Star” finally stopped ringing in my head a few weeks later, I’d received a letter in the mail from the government — a DMCA notice.
Now, I don’t remember exactly what it said, but I remember what reading it felt like: “We’re watching you.”
That was the first time I realized my private internet connection wasn’t so private.
These days, people do a lot more on the internet than watch green ogres or visit funny websites. People share their lives and chat with their loved ones online. 78% of people even access their banks online. As of 2017, data surpassed oil as the world's most valuable resource.
…So what happens when that data gets leaked?
With people sharing their valuable personal data online more than ever, the door is open for bad actors to try to steal that information. In fact, since 2005, the number of data breaches has increased from just 157 to over 1800!
This might sound alarming, but a big part of that is an increased number of websites. Even more encouraging is the fact that the individuals impacted are actually on a downward trend, from a high of 2,541 in 2016 to 422 in 2022.
Companies are getting better at protecting users’ data. Today, I’m going to take a look at how some of the biggest companies have responded to major breaches from common scam tactics. If it can happen to these massive companies, it can happen to you.
And if it does, you’ll be equipped with the tools and knowledge on how to fight it.
Apple iCloud Leak - Brute Force Hacking
One of the biggest stories in 2014 was the massive iCloud photo leak, where hackers gained unauthorized access to multiple Hollywood celebrities' iCloud accounts. They achieved this by writing a script to “query iCloud services via the ‘Find My iPhone’ API to guess username and password combinations,” a technique known as brute force hacking (a brute-force attack, which only works when the login endpoint places no limit on repeated guesses).
The hackers then released explicit photographs of celebrity victims to the public in a widescale attack on privacy.
Because of the involvement of A-list celebrities, this attack was forever etched into pop culture and was one of the first incidents to really spark conversations about security. Less than a decade later, Apple is now known as THE tech company to put customer privacy first.
So what the heck happened?
As a green bubble Android user who’s been relentlessly bullied for not having an iPhone, I want to say that it’s because of Apple’s brilliant marketing efforts and *cough* loyal customer base that its reputation has turned around so quickly. But even I can admit that there’s much more to it.
Just weeks after the hacking incident, Apple publicly stated it would no longer unlock iPhones and iPads for police. This was a hard-line statement - your privacy matters more to Apple than anything else, even the law.
But viral marketing campaigns aside, Apple also took big steps to address the issue technically. In 2015, Apple strengthened its two-factor authentication in iOS 9 to help make sure that you’re the only one logging into your account.
Two-factor authentication requires you to combine your password with a second form of authentication, like facial recognition, a fingerprint, or a verification from a trusted mobile device. A guessed password alone is then not enough to get in.
More recently, in 2022, Apple also implemented end-to-end encryption, which ensures that communication between any number of people can only be accessed by those directly in the conversation. Even Apple can’t access your conversations through iMessage.
Apple has also (with encouragement from the EU legal system) announced that it will implement RCS messaging, a more secure form of messaging than SMS for Apple-to-Android communications. Android users will finally be able to send high-quality images and videos to Apple users that don’t look like they were shot on a potato.
The overall takeaway from Apple is to stay on top of security breaches as soon as they happen and constantly provide security updates.
You can’t expect to contain every breach before it happens, but as long as you show your customers that their privacy is a top priority, you can regain trust.
Cambridge Analytica/Facebook Data Harvesting Breach
Are you an extrovert or an introvert? Which Harry Potter house are you? Can we guess your favorite Taylor Swift song from the toppings you put on your pizza? If you’ve ever taken a quiz like this on Facebook, first of all, you’re a nerd (Dear John, for the record).
But more importantly, your data might have been used to socially engineer you and/or your friends for political gain.
The Cambridge Analytica scandal, which occurred in the mid-2010s, involved the illegal harvesting of user data from Facebook through these seemingly innocent quizzes.
Cambridge Analytica, a political consulting firm, allegedly obtained personal information from millions of Facebook users without their explicit consent. The data was then used to create psychological profiles of users for targeted advertising and political influence during the 2016 United States presidential election.
Cambridge Analytica took advantage of a loophole in a Facebook update called “OpenGraph,” which allowed external developers to ask for users’ personal information if they consented to take a quiz.
More importantly, it also allowed developers to get those users’ friends’ information too. The company then used this information to psychologically analyze users and sway neutral voters with targeted political ads. Facebook reported that over 87 million people were affected.
Like Apple, Facebook has also implemented two-factor authentication. But unlike Apple, Facebook has had multiple high-profile leaks impacting hundreds of millions of users since. As a result, only 18% of users think Facebook protects their privacy.
There have been a few different reasons for Facebook’s security issues. In 2019, data stored on public servers led to two different attacks where 500+ million users and 400+ million users, respectively, were affected.
The lesson here is that user data needs to be stored on private servers where your website has more control over who gets to access it. Implementing tools like two-factor authentication and end-to-end encryption early on can also be an effective way to combat cyber attacks.
Overall, the lesson from Facebook is the opposite of Apple. Treating security problems after they happen instead of taking preventative action is a clear way of losing the trust of your customers.
AWS DDoS attack
A DDoS attack overloads your website with traffic generated by a massive network of bots or compromised computers, slowing it down or crashing it outright. In February 2020, AWS mitigated the largest DDoS attack of all time, a 2.3 Tbps attack.
As far as DDoS attacks go, this is definitely the exception to the rule. According to Cloudflare, most DDoS attacks are actually under 500 Mbps. For context, 1 terabyte = 1 million megabytes, and likewise 1 terabit per second (Tbps) is 1 million megabits per second (Mbps), so the AWS attack was thousands of times larger than a typical one.
However, AWS defended its services from this record-breaking DDoS attack using common security methods that you can easily implement for your own website. Anomaly-based detection, which compares each traffic source against a baseline of normal behavior, can help identify unusual traffic sources and halt attackers in their tracks.
What can getting ahead of potential security breaches and DDoS attacks do for you? According to Simplilearn, “Amazon Web Services has more than 1 million active users. According to various consulting firms, enterprise-scale customers comprise about 10 percent of AWS users, and the rest are small and medium-sized businesses.”
This might not seem like a lot, but let’s put it in perspective. According to FourWeekMBA: “Amazon AWS (cloud) is the most successful business segment within Amazon, and it generated over $80 billion in revenues in 2022 and almost $23 billion in operating profit.”
If your business fosters trust that security breaches will be handled before they’re ever a problem, your profitability will skyrocket. Even HubSpot uses AWS for product infrastructure hosting.
Once you detect a potentially suspicious traffic source, you can use mitigation techniques to stop the attack in its tracks. One of the more common methods is a CAPTCHA challenge, but with increased bot sophistication, its effectiveness is limited.
The best way to combat bot traffic is still through multi-factor authentication, as I mentioned earlier. DDoS is one of the most common forms of cyber attack against smaller websites, but that also means there are plenty of ways to defend yourself from it, just as AWS did.
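As an added illustration of the anomaly-based detection mentioned in this section (example code, not AWS's or Cloudflare's, and not part of the original post), the following parses a constructed set of web-server access-log lines, counts requests per source address in ten-second windows, and flags any source whose busiest window is far above the median of all sources. The IP addresses come from the reserved documentation ranges, and the thresholds are assumptions to be tuned against your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str):
    """Return (source ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts


def requests_per_window(lines, window_seconds: int = 10):
    """For each source ip, the highest request count seen in any fixed window."""
    buckets = defaultdict(Counter)          # ip -> {window index: count}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                        # skip malformed lines rather than crash
        ip, ts = parsed
        buckets[ip][int(ts.timestamp()) // window_seconds] += 1
    return {ip: max(c.values()) for ip, c in buckets.items()}


def flag_anomalous_sources(lines, min_requests: int = 50, factor: int = 10):
    """Sources whose peak window exceeds both an absolute floor and a multiple
    of the median peak across all sources. The floor keeps a quiet site from
    flagging ordinary users; the multiple keeps the rule relative to baseline."""
    peaks = requests_per_window(lines)
    if not peaks:
        return []
    baseline = median(peaks.values())
    return sorted(ip for ip, peak in peaks.items()
                  if peak >= min_requests and peak > factor * baseline)


def _line(ip: str, t: datetime, path: str = "/") -> str:
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S +0000")}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed traffic: five ordinary visitors, one visitor whose page load
    pulls twenty assets in a burst, and one source flooding 300 requests in 10 s."""
    base = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3",
                            "198.51.100.4", "198.51.100.5"]):
        for k in range(3):
            lines.append(_line(ip, base + timedelta(seconds=2 * k + i)))
    for k in range(20):   # legitimate burst: must not be flagged
        lines.append(_line("198.51.100.9", base + timedelta(seconds=5), f"/static/{k}.js"))
    for k in range(300):  # constructed flood from a single source
        lines.append(_line("203.0.113.66", base + timedelta(seconds=k // 30)))
    lines.append("this line is not a log entry")
    return lines


if __name__ == "__main__":
    print(flag_anomalous_sources(build_sample_log()))
```

The flagged list is the hand-off point to mitigation: rate-limit or challenge those sources first, and only block outright once you are confident they are not a shared gateway carrying many real users. Volumetric floods at the scale AWS absorbed are stopped upstream by the provider; this kind of per-source check is what catches the far more common small attacks against a single site.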
How Can You Protect Yourself And Your Business?
As an individual, there are many ways to protect yourself from being scammed. Let’s go over some more general tips to make sure you’re being safe on the internet.
Use a VPN
A VPN reroutes traffic through a remote server, hides your IP address from the sites you visit, and encrypts traffic between you and that server so that others on the same network can’t read your data. This is the best option if you’re an individual or you want your employees to be protected when working with sensitive information.
You can also find great deals on major VPNs like ExpressVPN or Surfshark through YouTube sponsorship videos.
Invest in Cyber Security Awareness Training
Helping your employees understand cyber safety through security awareness is one of the most efficient ways to protect your business. A study found that 90% of American organizations felt that security awareness training reduced phishing attacks.
When employees are more aware of the dangers of giving out personal information or clicking suspicious links, they’re less likely to fall for common traps.
Use Good Judgment
The first thing any HubSpotter learns when joining the company is the Code of Use Good Judgment, and aside from the actions to take against specific attacks that I outlined earlier, I think that’s the best advice you can get for staying safe on the internet.
Maybe don’t click on Facebook quizzes that require you to give out your personal information for the result. Or ignore that call from an area code you’ve never seen in your life. Just use good judgment, as simple as that.
Preventing Security Breaches
Now that you’ve seen some of the ways tech giants have dealt with security breaches (the good and the bad), you can start taking effective steps to protect your own business and yourself. Invest in a good security team, training, and tools.
People understand now more than ever that their private data is important. And how you handle that data matters.