A Look Back at the Top Breaches of 2011
Team Shatter Exclusive

2011 brought about a hacking renaissance. We were witness to more major data breaches than at any time in history. We were stunned by seemingly endless runs of intense hacking activity. Hacks against Sony yielded over 100,000,000 records. The dramatic journey of the lulz boat – the LulzSec hacktivist spree – included breaches of US Senate and CIA systems.

Looking back over 2011’s breach activity, there are many that hit databases, but a few stand out. Here is my list of the 2011 breaches with the biggest impact on database security:

Top Breaches of 2011

#1 – Sony: With over 100M records stolen across more than 20 separate incidents, Sony’s global security woes rank as number 1 on my database security list. Many of the incidents were database dumps, with systems compromised via SQL Injection. The persistent and ongoing attacks made it seem like the attackers would stop at nothing to teach Sony to secure their databases.

#2 – CSDN/7K7K/178/DuoWan/Tianya: As the year comes to a close, a rash of data breaches has occurred in China, exposing around 100M records. First it was the China Software Developer Network reporting over 6M people’s usernames, passwords and email addresses stolen and posted online, then 7K7K reported they had lost info on 20M gamers. 178.com quickly followed, announcing they had been hit for 10M gamer records. DuoWan also disclosed a breach of over 8M records (again on gamers). A few days later, Tianya.com, a large social network site, disclosed that usernames and cleartext passwords for 40M of their users had been stolen. This string of large scale data breaches is a first for China – and may be an indication that security of Chinese databases has a long way to go.

#3 – Valve’s Steam Network: One of 2011’s recurring themes was successful attacks on gaming vendors. The Steam Network attack was one of the biggest of the year and resulted in the loss of their entire customer database. That database contained usernames, passwords (hashed), billing history, billing addresses and encrypted credit card numbers for all 35,000,000 of their customers.

#4 – Liza Moon: Liza Moon was a successful mass-SQLi attack against ASP and ASP.NET Web servers. Attackers used SQL Injection to inject malware (in this case fake AV) into the databases serving up a Web site’s content. The attack successfully embedded redirect scripts into more than 1M Web pages across tens of thousands of different sites. At first the kicker was that the attack required the input validation features on the target Web servers to be purposefully disabled. I say at first, because about 6 months after Liza Moon, an almost identical mass-SQLi attack hit the Web, using the exact same techniques, and again injected code into over 1M Web pages. I was very disappointed that so few people learned from the first breach, enabling the second attack to be so successful. I wonder if anyone learned from the second one?
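The Liza Moon pattern above leaves a detectable trace: script references sitting inside the text columns a site renders. The following Python script is an added example, not code from the original post. It builds a constructed SQLite sample (a CMS-style `pages` table with one injected row pointing at the placeholder host `injected.example`) and audits every text column of every table for `<script src=...>` tags, which is the check a site owner would run to find out whether their content database had been hit.

```python
import re
import sqlite3

# Injected <script src="..."> reference, case-insensitive; group 1 is the src.
SCRIPT_TAG = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def find_injected_scripts(conn):
    """Scan every text-typed column of every user table for <script src=...>.

    Returns a list of (table, column, rowid, src) tuples. Table and column
    names come from the catalog (sqlite_master / PRAGMA), not from user input,
    so quoting them as identifiers is safe; the LIKE value is parameterised.
    """
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')
                if r[2] == "" or any(k in r[2].upper() for k in ("CHAR", "TEXT", "CLOB"))]
        for col in cols:
            rows = conn.execute(
                f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?', ("%<script%",))
            for rowid, value in rows:
                for m in SCRIPT_TAG.finditer(value or ""):
                    hits.append((table, col, rowid, m.group(1)))
    return hits


def build_sample_db():
    """Constructed sample: a content table in which one row has been tampered with."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", [
        ("Home", "<p>Welcome to our store.</p>"),
        ("About", '<p>Founded in 2001.</p><script src="http://injected.example/ur.php"></script>'),
        ("Contact", "<p>Call us.</p>"),
    ])
    conn.commit()
    return conn


def audit():
    """Run the scan over the constructed sample and return its findings."""
    return find_injected_scripts(build_sample_db())


if __name__ == "__main__":
    for table, col, rowid, src in audit():
        print(f"{table}.{col} rowid={rowid}: injected script src={src}")
```

Point `find_injected_scripts` at a real SQLite file (or port the catalog queries to your DBMS) to audit a live content database; a non-empty result means pages are already serving someone else's script.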

#5 – Epsilon: Email marketing is big business, and Epsilon is one of the biggest in the business. So many major brands outsource their email marketing efforts to Epsilon that they are now a company that touches almost every one of us. Epsilon’s website claims that in 2010, they sent out over 40,000,000,000 emails (that’s 40 billion)! In early April, the emails started to hit inboxes everywhere, and they seemed to come from trusted business partners. Retailers, banks, hotels and others were all reporting that they had lost our email addresses.

Details have remained sketchy, but hackers were able to obtain information on the customers (you and me) of at least 50 of Epsilon’s customers (companies like Target, JP Morgan, and Tivo), with the total number of people affected well into the tens of millions. This incident illuminated the risks of trusting 3rd parties with sensitive customer information. Hopefully we have learned from this attack; every company should be reviewing their contracts to make sure proper security controls are in place to protect any data that is shared with vendors or partners.

#6 – Citibank: This summer, Citi disclosed that about 1% of their account holders’ names, addresses and contact info had been stolen. In plain numbers, that’s the sensitive data of 200,000 people. Compared to other attacks this breach wasn’t very large in scale, wasn’t very sophisticated, and didn’t do major harm. It made the list because of the victim. Citigroup is serious about information security. As one of the largest financial institutions in the world, they have to be. They’re the target of attackers and regulators the world over, and in general they do a great job protecting themselves.

It’s very likely that Citi had sophisticated security tools installed on the databases that were involved in the breach. This incident is important because it reminds us that we must remain vigilant. Installing security systems that detect misuse or suspicious activity won’t help if people aren’t there to react when the alarms sound. Even the most technologically sophisticated organization can suffer from process deficiencies that can create a false sense of security and expose systems to attacks.

Honorable mention – Stratfor: Targeted by hacktivists from Anonymous on Christmas, databases at intelligence and forecasting company Stratfor were penetrated and summarily cleaned out. Inside, the hackers found a treasure trove of information, including Stratfor’s list of customers, a closely guarded secret until now. Their customer list is a who’s who of nearly every major industry, including nearly every major department within the US Government. This one is significant for a few reasons.

The customer list alone was valuable and interesting information that one might have expected a company like Stratfor to be capable of protecting. To make the story worse, after searching the contents of the databases, the hacktivists allegedly discovered that Stratfor was storing credit card information without encryption. The result was an alleged $1M in unapproved donations to charities through the illegal use of those credit cards. After the breach, Anonymous wrote a release commenting on the attack and noting “just how clueless this company is when it comes to database security”. Anonymous themselves remind us that hackers target databases, and companies ought to get serious about database security if they want to protect their sensitive information.

Looking Ahead to 2012

As the new year approaches, it’s a time for resolutions. I think we’d all be well served to resolve to do a better job protecting our data in 2012. Happy New Year everyone.
