As 2012 comes to a close, it’s a good time to look back at some of the biggest and most interesting data breaches of the past year, to see how these attacks occurred and how each organization was affected. The breaches of 2012 run the gamut, from retail to government and from insurance companies to internet moguls. During 2012 we probably saw some of the most sophisticated and complex malware ever, with Flame (and Gauss); clearly attackers are getting their acts together. Yet many, if not all, of the breaches on my list could probably have been avoided through simple data security measures.
1. Global Payments
In March 2012, the electronic transaction processor Global Payments disclosed a breach of 1.5 million credit cards. The story broke in a most unusual manner, starting with disclosures by Visa and MasterCard discussing an unnamed processor that had lost Track 1 and Track 2 data for over 10 million cards. A few days later, the Global Payments notification came out announcing the breach, but the details were quite different: it claimed the 1.5 million figure and insisted that only Track 2 data (which includes the card number and expiration date) was stolen. We also heard from other sources, some claiming that the real level of theft was closer to 24 million credit cards and occurred over the period of a year. At the time of the breach, Global Payments was compliant with the Payment Card Industry’s Data Security Standard, but as I’ve commented many times before, being “in compliance” says nothing about being secure.
The hack was likely caused by attackers taking control of an IT administrator’s account, correctly answering knowledge-based authentication questions to enter the company’s systems. Reportedly, the attackers were members of a Central American gang stealing card numbers for profit. As a result of this breach, Global Payments suffered significant damages. The firm immediately lost its PCI-DSS certification and has paid approximately $100,000,000 in breach-related costs. Add the loss of business that always comes when you destroy your customers’ confidence in your ability to protect their data, and the Global Payments Corporation will certainly never be the same as it once was.
2. New York State Electric and Gas Company
In January 2012, New York State Electric and Gas Company reported a data breach in which approximately 2 million customer records were exposed – which was their entire customer database! The hack was caused by an insider (reported to be a third-party software consultant) who gained unauthorized access to NYSEG databases. That probably means nobody ever intended to give this person a login to the database, but somehow they got one anyway. It’s unclear whether someone granted them access by mistake, or whether the individual exploited vulnerabilities in the database to obtain it. At the time of the breach there was no database monitoring in place, so there is no way to know which data was stolen or modified. In general, organizations with a locked-in market for their product, such as this utility company, do not tend to lose any business as the result of a breach. However, they did spend millions, when something like this should have been avoided through simple database assessment and monitoring controls.
3. South Carolina Department of Revenue
This November 2012 breach began with a successful spear phishing campaign in which phishing emails were sent to several employees on the same day. At least one employee was fooled and clicked on the email, causing malware to be installed on their system. That malware was then used to harvest the employee’s credentials and send them back to the attackers. The attackers then used the stolen credentials to connect to the SC Dept. of Revenue network through the organization’s Citrix system, where they appeared as a normal user in the environment and were able to directly access the databases storing taxpayer information. They took everything, stealing entire database backups from critical servers. As a result, nearly 10 million records, including 5.7 million Social Security numbers and 3.3 million bank account numbers, were compromised. Unfortunately, there is little that South Carolina residents can do. They must continue to submit their personal information along with their taxes, whether the state protects their data or not. South Carolina Governor Haley blamed the incident on the IRS, saying that the state was compliant with IRS standards that don’t require encryption of Social Security numbers. The truth is, encryption alone may have made no difference in this attack: the attackers were operating with a legitimate user’s credentials, so any data or keys that user was entitled to reach, they could reach too. What South Carolina really needed was database security, where they would have seen the unusual backup activity and been able to take steps to stop it before the data got into the attackers’ hands.
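Both the NYSEG and South Carolina incidents above come down to the same gap: nobody was watching the database audit trail, so a backup run by the wrong account from the wrong host, or an account suddenly reading whole sensitive tables, went unnoticed. The following is an added example (not code from the original post or from either organization) of the kind of detection logic that would have surfaced that activity. The log format, the account and host names, the table names and the thresholds are all assumptions; the audit lines are constructed for illustration.

```python
"""Flag unauthorized backups and bulk reads in a database audit log.

Added example, not from the original post. Assumed log format (constructed):
    <ISO timestamp> <db user> <client ip> <statement text>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: a legitimate nightly backup, a normal
# user's daytime work, then the same user account running a backup from
# an unfamiliar host and dumping entire sensitive tables late at night.
SAMPLE_LOG = """\
2012-08-27T02:05:11 svc_backup 10.0.5.20 BACKUP DATABASE TaxReturns TO DISK='E:\\bk\\tax.bak'
2012-08-27T09:14:03 jsmith 10.0.7.41 SELECT name, ssn FROM Taxpayers WHERE id = 44812
2012-08-27T09:16:45 jsmith 10.0.7.41 UPDATE Taxpayers SET address = ? WHERE id = 44812
2012-08-27T23:41:09 jsmith 172.16.9.77 BACKUP DATABASE TaxReturns TO DISK='C:\\temp\\x.bak'
2012-08-27T23:42:30 jsmith 172.16.9.77 SELECT * FROM Taxpayers
2012-08-27T23:43:02 jsmith 172.16.9.77 SELECT * FROM BankAccounts
2012-08-27T23:50:18 jsmith 172.16.9.77 SELECT * FROM Returns2011
"""

# Policy (assumptions for this example): only the backup service account may
# run BACKUP, and only from the backup host; any other account gets a cap on
# unfiltered full-table reads of sensitive tables within a trailing hour.
BACKUP_ACCOUNTS = {"svc_backup"}
BACKUP_HOSTS = {"10.0.5.20"}
SENSITIVE_TABLES = {"taxpayers", "bankaccounts", "returns2011"}
MAX_FULL_SCANS_PER_HOUR = 2


def parse_line(line):
    """Split one audit line into its four fields; the statement keeps its spaces."""
    ts, user, ip, stmt = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "stmt": stmt}


def is_full_table_read(stmt):
    """True for an unfiltered SELECT (no WHERE clause) against a sensitive table."""
    s = stmt.lower()
    if not s.startswith("select") or " where " in s:
        return False
    parts = s.split(" from ", 1)
    if len(parts) < 2:
        return False
    table = parts[1].split()[0].strip(";")
    return table in SENSITIVE_TABLES


def detect(log_text):
    """Return a list of (timestamp, user, message) alerts for the audit trail."""
    alerts = []
    scans = defaultdict(list)  # user -> timestamps of recent full-table reads
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["stmt"].upper().startswith("BACKUP DATABASE"):
            if ev["user"] not in BACKUP_ACCOUNTS or ev["ip"] not in BACKUP_HOSTS:
                alerts.append((ev["ts"], ev["user"], "unauthorized backup: " + ev["stmt"]))
        if is_full_table_read(ev["stmt"]):
            recent = [t for t in scans[ev["user"]] if (ev["ts"] - t).total_seconds() <= 3600]
            recent.append(ev["ts"])
            scans[ev["user"]] = recent
            if len(recent) > MAX_FULL_SCANS_PER_HOUR:
                alerts.append((ev["ts"], ev["user"], "bulk read: " + ev["stmt"]))
    return alerts


if __name__ == "__main__":
    for ts, user, msg in detect(SAMPLE_LOG):
        print(ts.isoformat(), user, msg)
```

Run against the constructed log, this raises two alerts: the backup started by `jsmith` from an unrecognised host, and the third full-table dump inside an hour. The daytime row-level lookup never trips either rule, which is the point: the signal is not "someone used the database" but "this account is doing something a normal user never does".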
4. Zappos
In January, Zappos, the online retailer owned by Amazon, disclosed the largest breach of 2012 (by volume of records stolen), with 24 million customer records compromised. Customer records included names, shipping and billing addresses, email addresses, phone numbers, passwords (cryptographically scrambled, but still quite crackable), the last 4 digits of credit card numbers, and other information. The specific attack vector was never disclosed, but the breach was perpetrated by an outside attacker who gained access through a Zappos server in Kentucky, where the retailer’s warehouse is located. More than likely, Zappos was running a web application that was vulnerable to SQL injection. Opportunistic thieves have been able to largely automate the search for this type of weakness across the internet. Zappos was compliant with PCI-DSS when the incident occurred, but that didn’t stop the attackers, or the lawyers from filing suits against them from every direction.
5. LinkedIn & Yahoo!
While probably entirely unrelated, the breaches we saw this summer at LinkedIn and Yahoo! were awfully similar. The disclosures came within a few weeks of one another, and in both cases it was account data that was stolen. We found out about the breach at LinkedIn when someone posted 6.5M unsalted SHA-1 password hashes to an online password cracking forum, asking for help to crack them. It didn’t take long before researchers found their own (unique) LinkedIn passwords in the file and let LinkedIn know they had a problem. While only password hashes were posted publicly, it’s very likely the attacker got much more data than that. It was interesting to me at the time that the bigger story wasn’t that LinkedIn had been hacked (I guess we should all just expect our data to be stolen?), it was that they weren’t salting passwords. As if salting a password before hashing it were some magical recipe for security. Salting is worthwhile, but it is worth being precise about what it buys. A salt is not a secret; in most implementations it is stored right next to the hash. Its job is to defeat precomputed tables and to force the attacker to crack each hash separately, instead of testing one guess against all 6.5 million hashes at once. It does nothing to protect the weak passwords that make up most of any user base, and it does nothing to stop the theft of the data in the first place, which is where the real failure lay. In Yahoo!’s breach, an attacker claimed to have used simple UNION-based SQL injection to steal 450,000 user records. Apparently it was an older Yahoo system, but in this case they didn’t even bother to hash the passwords. Everything was in clear text for the world to see. LinkedIn and Yahoo! are two seriously sophisticated and successful technology companies that knew better . . . but didn’t take the threat seriously enough.
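To make the salting point concrete, here is an added example (not code from the original post, and not LinkedIn’s implementation) that cracks a small constructed leak two ways. Against unsalted hashes, the attacker hashes each dictionary word once and looks it up against every leaked hash; against salted hashes, even with the salt sitting in plain view next to the digest, the attacker must redo the dictionary for every user. The user table, wordlist and fixed salts are constructed for illustration; the `pbkdf2_store` helper shows the stdlib alternative to bare SHA-1.

```python
"""Unsalted versus salted hashes under a dictionary attack.

Added example, not from the original post. Users, passwords, wordlist
and salts are constructed; no real leaked hashes are reproduced.
"""
import hashlib
import os

WORDLIST = ["password", "linkedin", "123456", "letmein", "qwerty", "sunshine"]

# Constructed "leaked" user table: two weak passwords, one strong one.
USERS = {"alice": "linkedin", "bob": "Tr0ub4dor&3-x9", "carol": "123456"}


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def store_unsalted(pw):
    """How the LinkedIn hashes were stored: bare SHA-1 of the password."""
    return sha1_hex(pw.encode())


def store_salted(pw, salt=None):
    """Salted SHA-1; the salt is stored in the clear next to the digest."""
    salt = salt if salt is not None else os.urandom(16)
    return salt.hex() + "$" + sha1_hex(salt + pw.encode())


def crack_unsalted(hashes, wordlist):
    """hashes: dict user -> hex digest. Returns (cracked, hash_ops).

    One hash per candidate word, no matter how many users leaked: the table
    of word hashes is built once and every leaked digest is a dict lookup."""
    table = {sha1_hex(w.encode()): w for w in wordlist}
    cracked = {u: table[h] for u, h in hashes.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(records, wordlist):
    """records: dict user -> 'salthex$digest'. Returns (cracked, hash_ops).

    The salt is public, but it differs per user, so the wordlist has to be
    re-hashed for each record: cost scales with users x words."""
    cracked, ops = {}, 0
    for user, rec in records.items():
        salt_hex, digest = rec.split("$")
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            ops += 1
            if sha1_hex(salt + w.encode()) == digest:
                cracked[user] = w
                break
    return cracked, ops


def pbkdf2_store(pw, salt, iterations=100_000):
    """What to use instead of bare SHA-1: a slow, salted KDF from the stdlib."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


if __name__ == "__main__":
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    print("salted:  ", crack_salted(salted, WORDLIST))
```

Both runs recover the same two weak passwords; the difference is the work. With three users the salted attack already costs roughly twice as many hash operations as the unsalted one, and with 6.5 million users it costs 6.5 million times as many, which is exactly why the unsalted dump was cracked so quickly. Neither variant protects `alice` or `carol`, and neither would have stopped the theft, so salting (ideally with a slow KDF such as PBKDF2 or bcrypt) is damage limitation, not a substitute for keeping the table out of the attacker’s hands.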
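The SQL injection that the Zappos entry suspects and that the Yahoo! attacker claimed to use is cheap to demonstrate. The following is an added example (not code from the original post, and not the Zappos or Yahoo! application) that runs a UNION-based payload against a constructed in-memory SQLite database: the string-built query hands back the users table, the parameterized version of the same lookup does not. The schema, rows and the `looks_injectable` probe are assumptions; the probe mimics the crude tautology check that automated scanners use to find this class of bug across the internet.

```python
"""UNION-based SQL injection: vulnerable query, parameterized fix, and a
scanner-style probe, all against an in-memory SQLite database.

Added example, not from the original post. Schema and rows are constructed.
"""
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE articles(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Welcome', 'Hello'), (2, 'Sale', 'Shoes 50% off');
        INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2'),
                                 (2, 'bob@example.com', 'letmein');
    """)
    return db


def get_article_vulnerable(db, article_id):
    # Deliberately vulnerable (constructed): the request parameter is pasted
    # straight into the SQL text, so it can change the statement's structure.
    sql = "SELECT title, body FROM articles WHERE id = " + str(article_id)
    return db.execute(sql).fetchall()


def get_article_fixed(db, article_id):
    # Parameterized: the driver sends the value separately from the SQL text.
    # Whatever the input contains, it is compared to id as a value, never parsed.
    return db.execute("SELECT title, body FROM articles WHERE id = ?", (article_id,)).fetchall()


# Attacker payload: pick an id that matches nothing, then UNION in two columns
# (to match the two selected columns) from a table the page never queries.
PAYLOAD = "0 UNION SELECT email, password FROM users"


def looks_injectable(fetch, db):
    """Cheap boolean probe of the kind automated scanners use: does appending
    a tautology change how many rows come back for a known-good id?"""
    baseline = len(fetch(db, "1"))
    tautology = len(fetch(db, "1 OR 1=1"))
    return tautology > baseline


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", get_article_vulnerable(db, PAYLOAD))
    print("fixed:     ", get_article_fixed(db, PAYLOAD))
    print("probe vulnerable:", looks_injectable(get_article_vulnerable, db))
    print("probe fixed:     ", looks_injectable(get_article_fixed, db))
```

The vulnerable path returns both rows of `users`, email and clear-text password together, which is precisely the shape of the Yahoo! dump. The fixed path returns nothing for the payload because SQLite compares the whole string against the integer column and finds no match. Note that the probe needs no error messages and no knowledge of the schema, which is what makes this class of flaw so easy to hunt for at scale.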
6. Nationwide Insurance
Nationwide is one of the ten largest US insurance companies and recently disclosed a breach of 1.1 million records. Compromised data included names, Social Security numbers, driver’s license numbers, birth dates, marital status, gender and employer name/address. As this breach occurred in December 2012, no details have been disclosed yet on how the attackers accessed the database. Ponemon Institute research estimates the cost of a data breach at around $300 per record when hacking is involved. When I get out my handy calculator, it says Nationwide should expect this breach to cost them approximately $330 million. According to Nationwide’s website, their operating income for the first 9 months of 2012 was $723 million. The cost of a data breach can really make an impact on your bottom line, and it is always many times higher than the cost of proactive data security.