Popular flight tracking service Flightradar24 recently suffered a major breach of one of its retired servers that compromised email addresses and hashed passwords of hundreds of thousands of customers.
Flightradar24 confirmed the breach in an email to affected customers in which it said that the security breach may have compromised their email addresses and hashed passwords. According to some reports, the number of affected customers may have exceeded 230,000.
“The security breach may have compromised the email addresses and hashed passwords for a small subset of Flightradar24 users (those who registered prior to March 16, 2016). While we do not have any indication that your information was accessed, we still want to sincerely apologise for the breach and let you know what we’re doing, and what we encourage you to do,” Flightradar24 said.
“We do not store passwords in plain text on our servers. Instead we convert them into scrambled strings of characters (hashes) that are designed to be impossible to convert back. However, as a general precaution and because the hashing algorithm used in this retired part of our system no longer is considered sufficiently secure, we have decided to reset the passwords of all potentially affected users,” the firm added.
Presence of unsecured servers in IT networks
Flightradar24’s statement confirms that the retired server continued to store sensitive details of hundreds of thousands of customers even though it was no longer in use and was protected by an old hashing algorithm that did not conform to modern security standards.
“If Flightradar24 is adhering to best practices, they should have in place adequate logging and monitoring which will help them track down how the breach occurred and what was breached,” said Adam Brown, manager of security solutions at Synopsys.
“Without knowing details of the attack we can’t speculate about how it was done, however the attackers may have been most interested in payment card information given the company offer a commercial service.
“This could potentially fall under the eyes of the PCI Council and Datainspektionen (Swedish supervisory authority), who will be interested to know if the company has done its best to secure its data under the GDPR,” he added.
The need for cyber risk testing
The presence of critical security flaws in servers and the lack of modern security tools can only be identified by firms if they regularly carry out cyber risk testing of their servers. Regular cyber risk testing will allow firms such as Flightradar24 to identify weaknesses in their servers and fix them before the same are detected and exploited by malicious actors.
A recent study of annual reports of FTSE 100 companies by Deloitte revealed that only 21% of FTSE 100 companies carried out cyber risk testing of their networks, thereby indicating that a majority of them were sitting on critical vulnerabilities that could be exploited by hackers with serious consequences.
The report also revealed that only a tiny minority (8%) of FTSE 100 companies had a Board member which is not sufficient enough to deter cyber attacks or to create fool-proof cyber security strategies.
“Cyber security is now widely accepted as having strategic importance. Data breaches can adversely affect reputation (including the reputations of Board members) as well as damaging an organisation’s competitive positioning. And there is a big moral dimension too: allowing personal data to leak out can cause individual consumers enormous difficulties, from cloned credit cards and frauds to wholesale identity theft.
“But all too often cyber security seems to be treated as a technical issue for overworked IT departments and cyber breaches are considered simply a cost of doing business. Perhaps that will change with the considerable fines available to regulators under the new European privacy regulation, the GDPR, which will come into force from May 2018,” said Jeremy Swinfen Green, the head of consulting at TEISS.