
Flipboard Data Breach: Time to Detection Lessons Learned

Flipboard, the news aggregator platform, last week told users that, unknown to the company, hackers had camped inside its network starting as far back as a year ago and eventually made off with some sensitive customer data.

Read between the lines: The breach was serious. But that lengthy time to discovery likely made matters far worse.

Flipboard told affected users that the hackers were able to tap into databases where the company housed customer information such as names, user names, hashed and uniquely salted passwords, as well as some emails and digital tokens tied to accounts on third-party services.

“Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information,” the company said in an alert. “We have not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts.”

Flipboard doesn’t yet know how many accounts the hackers infiltrated, nor has it come to a full assessment of the damage. One piece of good news for Flipboard: Because the company doesn’t collect Social Security or driver’s license numbers, bank card information or other financial data on its users, that data is not a worry for users.

Time to Discovery: Flipboard's Apparent Failure

But here’s the thing: The hacker or hackers were rooting around inside the company’s network looking for user credentials between June 2, 2018 and March 23, 2019 and again on April 21-22, 2019. Time to discovery or dwell time -- the hackers were wandering inside Flipboard’s network for months before being found out -- has to worry every organization everywhere. In plain terms, the Flipboard thieves cased the joint for quite a while before they went about their robbery business.

In hacks worldwide, cyber attackers are wandering inside networks for weeks or months at a time – sometimes years – before being discovered. While it may seem like Flipboard’s hackers took up residence for a long time, it was in line with how long it took entertainment (287 days) and healthcare companies (255 days) to detect a breach, and only a bit longer than media organizations (225 days) and educational institutions (217 days), according to a 2018 IBM Security report. At the low end of the spectrum (industries discovering breaches the fastest) were manufacturing (168 days), financial services (163 days) and energy (150 days). Even the quickest to detect are taking five months.

Average Time to Breach Detection

The average time to detect a breach among 17 industries IBM studied was 197 days. The average time to contain a breach, however, is significantly less than the time it takes to identify the breach. Healthcare, at 103 days to contain a breach, is the slowest, while the research industry is the quickest at 53 days. So, healthcare hackers spend the highest number of days living in the network and it takes security pros the longest to find and expel them.

A FireEye 2019 M-Trends study produced more optimistic results, observing that the median dwell time worldwide had tightened from 416 days in 2011 to 78 days in 2018. Worldwide, attackers are operating for just under three months, on average, before they are detected. In 2018, 31 percent of the hacks that FireEye’s Mandiant unit investigated had dwell times of 30 days or less, compared to 28 percent the year earlier. About 12 percent had dwell times of more than 700 days, down from 21 percent in 2017. In FireEye's view, the improvement comes from more ransomware and crypto mining incidents, both of which are detected faster. “Organizations are getting better at detecting breaches quickly,” the report said.

But there are other factors as well. Companies are improving their internal hunting capabilities, and enhanced network, endpoint and cloud-service provider visibility is also contributing.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.