Key Lessons Learned from Recent Cyber Incidents: Facebook, MyFitnessPal, and Panera Bread

Cyber-attacks continue to increase as new threats emerge. In the first half of 2018, several major breaches and incidents occurred at companies including Facebook, MyFitnessPal (Under Armour), and Panera Bread, to name a few. Let’s take a look at what happened and the lessons we can take away from these incidents.

Panera Bread

What Happened - On April 2, 2018, security researchers announced that information on 37 million customers had been exposed through a vulnerability in Panera Bread’s website and mobile application. Panera Bread was notified of the vulnerability by a security researcher in August 2017 but did not take steps to remediate the issue or announce it publicly until researchers publicized the breach eight months later.

Lessons Learned – Companies should have a plan for handling vulnerability notifications that includes working with outside counsel and involving a team in the remediation process. Conducting web application penetration testing is also critical in identifying vulnerabilities to better prevent breaches from occurring.

MyFitnessPal (Under Armour)

What Happened – On March 25, 2018, Under Armour discovered that an unauthorized party had accessed the data of 150 million MyFitnessPal app users. Under Armour launched an investigation and notified users within four days of discovering the breach.

Lessons Learned – While Under Armour was applauded for the speed of their response and notifying users within days of discovering the breach, the impact of the breach was exacerbated by the use of SHA-1, which is an antiquated encryption function that can be easy to crack. While Under Armour alerted users quickly, other companies may not, so it’s important to use a unique password for each account.

Facebook and Cambridge Analytica

What Happened – Data analytics firm Cambridge Analytica launched the “thisisyourdigitallife” app in 2013 and paid 300,000 users to create a profile, allowing Cambridge Analytica to gather information on users and their Facebook friends. Facebook eventually updated its rules to limit third-party app access to users’ Facebook friends’ data, but the rule was not retroactive and didn’t require attestation of data deleted until 2015. Even after Facebook required certification of data deletion, the rule was poorly implemented. As a result, Cambridge Analytica gained access to 87 million public Facebook profiles and then used the data to build a software program that profiled American voters and attempted to influence their voting behavior in the 2016 U.S. Presidential election. Facebook CEO Mark Zuckerberg recently testified before Congress to address questions about Facebook’s advertising and data policies.

Lessons Learned – The Cambridge Analytica incident shows why it is critical to assess the risks of your third-party vendors, and to exercise caution when granting permissions to third-party apps. In addition, Goldman Sachs recently released a research report estimating that Facebook would have been fined around $2 Billion under the European Union’s General Data Protection Regulation (GDPR), which goes into effect on May 25.

Additional Resources

• Lessons Learned from Recent Cyber Incidents: Facebook, Under Armour, Panera, and What You Need to Know – On-demand webcast with more key takeaways from recent cyber incidents.
• Cybersecurity and Risk Alerts and Events – Sign up to stay updated on cyber threats, webcasts, and guidance.

If you have any questions, please contact your ACA Aponix consultant.

About the Author

Raj Bakhru, CISSP, is a Partner at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. Prior to ACA’s acquisition of the firm, Raj was Chief Executive Officer of Aponix Financial Technologists, which he cofounded. Before that, he led firm-wide software development and was part of the founding team at Kepos Capital, now a $2 billion global macro quantitative asset manager. Prior to Kepos, Raj served as a Vice President at Highbridge Capital, where he led the team building the firm’s proprietary order and execution management system. In addition, he previously worked on research and cross-asset-class algorithmic trading algorithms and software systems at Goldman Sachs Asset Management’s quantitative hedge funds.

Raj earned his BS from Columbia University in Computer Engineering and has received his CFA charter and his CISSP designation. In the course of his career, he has been frequently quoted in Ignites, HFMWeek, MarketWatch, The Cybersecurity Law Report, and other industry-leading publications on information security in financial services.