IT security attacks – you could be next. 2011

June 5th, 2011

2011 continues to see database exposures hitting organizations, and according to the Privacy Rights Clearinghouse, the first half of 2011 saw 234 breaches that affected hundreds of millions of individuals.

1. Victim: HBGary Federal
Assets Stolen/Affected: 60,000 confidential emails, executive social media accounts, and customer information.

Following an announcement by security firm HBGary Federal that it was planning on exposing information about the renegade Anonymous hacking community, the firm was assaulted by Anonymous members. Anonymous hacked into HBGary’s CMS database through a vulnerable front-end Web application, stealing credentials that they were able to then leverage to break into the company’s executives’ e-mail, Twitter, and LinkedIn accounts. They were also able to access, and then dump publicly, the email spools of HBGary proper via the HBGary Federal hack.

Lessons Learned: This attack proved that SQL injection remains a hacker’s prime tool. Anonymous used this method to enter HBGary Federal’s systems, and the attack was able to go deeper because the credentials stored in the affected database were hashed with plain MD5 rather than something stronger. The passwords used by the executives were simple, and the credentials were reused across many accounts.
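Both halves of that lesson in code, as an added illustration that is not part of the original post: a lookup that concatenates user input into SQL beside its parameterized form, and unsalted MD5 beside a salted, iterated PBKDF2 hash. The user table, account name and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

def make_db():
    # Constructed sample CMS user table; the row and password are made up.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pw_md5 TEXT)")
    db.execute("INSERT INTO users VALUES ('editor', ?)",
               (unsalted_md5("summer2011"),))
    return db

def lookup_vulnerable(db, username):
    # The statement text is built from untrusted input, so a quote in the
    # input changes the statement itself: this is the SQL injection defect.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchone()

def lookup_hardened(db, username):
    # A bound parameter is always treated as data; the statement's
    # structure is fixed before the input is ever seen.
    return db.execute("SELECT username FROM users WHERE username = ?",
                      (username,)).fetchone()

def unsalted_md5(password):
    # Fast, unsalted: identical passwords give identical hashes, so a
    # precomputed table or a few GPU-hours recovers most simple passwords.
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password, iterations=200_000):
    # Per-user random salt plus a deliberately slow KDF: equal passwords
    # produce different hashes, and every guess costs the full iteration count.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(stored, candidate):
    # Recompute with the stored salt and iteration count; constant-time compare.
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```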

2. Victim: RSA
Assets Stolen/Affected: Proprietary information about RSA’s SecurID authentication tokens.

After an employee retrieved a spear phishing e-mail from the Junk folder and opened the infected attachment it contained, the hackers were able to dig into the RSA network to find a database containing sensitive information pertaining to RSA’s SecurID authentication products. Though RSA has never confirmed exactly what was stolen, reports this week have surfaced of a U.S. defense contractor using SecurID and getting hacked, which suggests the RSA attackers took the all-important SecurID seeds.

Lessons Learned: No hacking target is sacrosanct, not even one of the leading security companies in the world. The RSA breach shows how important employee training is. Even the most secure networks and databases can be penetrated if bumbling insiders open the door wide enough for hackers.

3. Victim: Epsilon
Assets Stolen: E-mail databases from 2 percent of the firm’s 2,500 corporate clients.

Marketing firm Epsilon has never confirmed exactly how many email addresses were stolen from its massive stores of consumer contacts, which were used to send messages on behalf of behemoth customers such as JPMorgan Chase, Kroger, and TiVo. But breach notifications trickling out from the firm’s client companies show that this exposure surely impacts millions of customers, putting them at higher risk of phishing and spam attacks in the future.

Lessons Learned: Epsilon also has not confirmed the technical details, but a sophisticated spear-phishing campaign against the email marketing industry has been fingered by many as a likely source of the attack, re-emphasizing the importance of awareness. When you outsource, you still retain the risk and responsibility for protecting the data a contractor oversees. Every Epsilon client is still on the hook for disclosure and associated costs due to this breach caused by a partner.

4. Victim: Sony
Assets Stolen: More than 100 million customer account details and 12 million unencrypted credit card numbers.

Attackers were able to compromise three different databases containing sensitive customer information, including names, date of birth, and, to some extent, credit card numbers owned by Sony, affecting customers of PlayStation Network (PSN), Qriocity music and video service, and Sony Online Entertainment. So far, some nine Sony assets have been hacked as a result of the initial breach.

According to testimony by respected security expert Dr. Gene Spafford of Purdue University, Sony was using an outdated Apache server that was unpatched and had no firewall installed — a fact that Sony knew about months before the breach went down. Last week hackers poured salt on the wound when they started to exploit PSN once again after Sony didn’t fortify the password reset system in light of the fact that hackers had email addresses and dates of birth. The bad guys were able to change the password of users who had not changed the email associated with their PSN accounts before Sony shut down PSN once again to fix the problem.

Lessons Learned: A corporate culture devoid of security emphasis can cost a company a fortune in this day and age. According to reports out this week, Sony has spent $171 million so far on customer remediation, legal costs, and technical improvements in the wake of the breach — and that cost is only rising. Recovery from such a massive breach can be not only expensive, but is also embarrassing and damaging to the brand.

5. Victim: Texas Comptroller’s Office 
Assets Stolen: The names, Social Security numbers, and mailing addresses of 3.5 million individuals, plus dates of birth and driver’s license numbers of some.

Sensitive information collected in databases by three Texas agencies — the Teacher Retirement Center of Texas, the Texas Workforce Commission (TWC), and the Employees Retirement System of Texas — was exposed for nearly a full year by the Texas Comptroller’s Office on an unencrypted, publicly accessible server. The employees responsible for putting the data online purportedly broke departmental procedures and were fired when the breach was discovered.

Lessons Learned: Policies and procedures don’t mean much when there are no technical controls or monitoring solutions installed to enforce them. The fact that employees were able to place database information in such a vulnerable position shows how policies without “teeth” can expose an organization. The State of Texas now faces two class-action lawsuits as a result of this breach, one of which is going for a $1,000 statutory penalty for each affected individual — a whopping charge when it’s aimed at a breach impacting millions.
