You may have heard of the popular social app, Timehop, which trawls through users’ historic social media data to display posts from the same day years ago in a “before and after” style. The nature of the app means that users have to give it permission to access their social media data, meaning that Timehop have access to a LOT of personally identifiable information (PII).
Well, as it turns out, your data wasn’t as safe in the hands of Timehop as you’d like to have believed. The company confirmed that it suffered a data breach that affected 21 million (approximately one fifth) of its users. As with other high-profile data breaches this year, personal information of users was illegally obtained, including names, addresses and phone numbers.
In accordance with the GDPR, Timehop disclosed the breach to the relevant authorities while it was still in progress, and shut it down some 2 hours after initially discovering it. Timehop confirmed that the breach arose from an admin account that was initially compromised in December 2017. Timehop’s cloud environment was accessed, and the attackers presumably scoped it out before finally launching the attack on July 4th. Luckily, due to the nature of Timehop, no credit card information, financial data or PII of that kind was compromised, as it is not stored.
So, How Was the Admin Account Compromised?
The attacker was able to get access through an admin account that was not protected by multi-factor authentication. In the public disclosure of the breach, Timehop stated: “We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.”
But why wasn’t this in place already? The quote implies that there were numerous accounts within Timehop’s cloud environment that were unprotected by multifactor authentication, which is a serious lapse in judgement from an IT security perspective.
Organizations that store and process potentially sensitive information must ensure that they do everything they can to secure administrative accounts, including through multifactor authentication. Many people naturally use the same password for multiple accounts, which can be a nightmare if one account is compromised, as in the Timehop scenario. Admins must not fall into this trap. Ensure that your account is protected by using a complex password and changing it at least once every 90 days.
How Did GDPR Affect This Breach?
Timehop themselves stated that they weren’t sure whether they were legally obligated to report this breach. It did involve the personal data of EU citizens, but organizations are only required to report a breach that is “likely to result in a risk to the rights and freedoms of the individuals.”
To Timehop’s credit, they decided to take initiative and inform those affected regardless. They are also working closely with a number of GDPR specialists to ensure they don’t fall foul of any part of the regulations.
If you’re concerned about how quickly you would be able to spot a breach in action, it’s likely you will need to deploy a change auditing solution, like LepideAuditor. Such solutions enable you to monitor, detect and respond to unwanted or unauthorized changes to your critical on-premises or cloud-based systems.