11/29/2012 04:26 AM
10 Top Government Data Breaches Of 2012

SQL injection, post-phishing privilege escalation, and poorly secured back-up information all played their part in exposing sensitive government data stores this year

With federal and local government agencies suffering the brunt of Anonymous protests, targeted phishing attacks leading to privilege escalation, and highly effective SQL injection attacks granting wide-scale access to information, citizen privacy definitely took a hit in 2012.

1. South Carolina
More than 3.3 million unencrypted bank account numbers and 3.8 million tax returns were stolen in a wide-ranging attack against the South Carolina Department of Revenue. It all started with a state employee falling for a phishing attack, which enabled the hackers to leverage that employee's access rights to get into the government entity's systems and databases.

Lessons Learned: Database protection layers, such as database activity monitoring, not to mention other network detection measures could have gone a long way toward minimizing the damage caused by the type of phishing attack that all organizations, public and private, face today.


2. California Department of Social Services
Sensitive payroll information about approximately 700,000 individuals was lost in the mail en route between IT contractors with Hewlett Packard and the California Department of Social Services. Information such as caregiver and care recipient names, wages, and Social Security numbers was exposed when a package sent by U.S. Postal Service, containing microfiche with the information, was damaged and much of the data went missing.

Lessons Learned: Databases are often most vulnerable when the information within them is put into more archaic forms like paper and microfiche. This breach proves that physical security and common sense still play a big role in data privacy protection.

3. Utah Department of Health
The health information and PII of more than 780,000 Utah citizens were put at risk when Eastern European hackers broke into a server maintained by the Utah Department of Technology Services this spring by taking advantage of poor authentication configuration following database migration to a new server.

Lessons Learned: Poor authentication controls, uneven patch management, and dicey configuration management add an inordinate amount of risk to the database protection equation.

4. California Department of Child Support Services
Californians suffered not one, but two huge breach events stemming from old-school data storage and questionable shipping of unobfuscated files. The California Department of Child Support Services lost more than 800,000 sensitive health and financial records when a FedEx shipment sent by the state's contractors with IBM and Iron Mountain containing backup tapes with the data in question fell off the proverbial truck.

Lessons Learned: Just because a database is on a backup tape or drive does not make the information contained within any less valuable or vulnerable. Protection of backup information needs to be accounted for within data protection policies.

5. United States Bureau of Justice Statistics
Anonymous embarrassed the United States Bureau of Justice Statistics (BJS) when it leaked 1.7 GB of sensitive data belonging to the bureau on The Pirate Bay this spring. Files included internal emails and a database dump with information from the BJS website.

Lessons Learned: While information stolen was generally publicly available anyhow, the database dump offers yet another example of how insecure Web applications put entire back-end databases at risk.

6. City of Springfield
Though government officials report that only about 2,100 citizens were stung by a recent hack of the website run by the City of Springfield, the perpetrators from Anonymous said they were actually able to steal from municipal databases data that included more than 1,000 vehicle descriptions from online police reports and records from more than 280,000 summons filed in city digital data stores. The grey hat hackers claimed to have more than they leaked to the public, reporting that they removed sensitive information as a public service to citizens.

Lessons Learned: Speculation on this one is that it was carried out through SQL injection. Even smaller municipalities are going to find themselves targets of SQLi attacks if they leave the Web app barn door open.

7. United States Navy & DHS
Hackers from a group calling itself Digital Corruption busted into Department of Homeland Security and U.S. Navy websites using Blind SQL injection attacks. They stole database information that included usernames, passwords, email IDs, and security questions and answers for all users on the Navy's Smart Web Move website and Homeland Security's Transportation Worker Identification Credential website.

Lessons Learned: As long as organizations fail to validate input in their Web applications, hackers will continue to run roughshod with these kinds of attacks.
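Items 6 and 7 above both come down to the same defect: untrusted input spliced into the text of a SQL statement. The example below is added here to illustrate that point and is not code from the article or from any of the affected sites; it uses Python's built-in sqlite3 module with a constructed in-memory table of three users. The `lookup_unsafe` function shows the string-building pattern, `lookup_safe` the bound-parameter form, and `is_valid_username` an allow-list check that is a useful second layer but not a substitute for parameterization.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data standing in for a site's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret_question TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "first pet"),
        ("bob", "mother's maiden name"),
        ("carol", "city of birth"),
    ])
    return conn

def lookup_unsafe(conn, username):
    # Vulnerable pattern: the untrusted value becomes part of the SQL text,
    # so quote characters in it change the structure of the statement.
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    # Hardened pattern: the value is bound as a parameter and is only ever
    # compared as data, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]

# Hypothetical allow-list for this example: usernames are short and
# alphanumeric, so anything else is rejected before it reaches the database.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_username(username):
    return USERNAME_RE.match(username) is not None

def demo():
    conn = make_db()
    benign = "alice"
    # Constructed input carrying a quote and an always-true condition; with
    # string building it turns a single-row lookup into a full-table read.
    hostile = "x' OR '1'='1"
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_hostile": lookup_unsafe(conn, hostile),
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),
        "hostile_passes_allowlist": is_valid_username(hostile),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows the unsafe lookup returning every username for the hostile input while the parameterized lookup returns nothing, since no user is literally named `x' OR '1'='1`. The same distinction is what separates a site that leaks its whole user table from one that does not, which is why "validate input" in practice means binding parameters first and allow-listing second.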

8. Wisconsin Department of Revenue
South Carolina's tax authorities weren't the only government tax offices to suffer an embarrassing breach in 2012. In July, the Wisconsin Department of Revenue reported that it had exposed sensitive seller information about more than 110,000 people and businesses who sold property in 2011: a Microsoft Access file of public-facing sales data, published as a report available to real estate professionals from April through July, went live with an unnoticed embedded file containing that information.

Lessons Learned: Sometimes our databases' worst enemies aren't hackers, but, instead, unknowledgeable employees who put sensitive information in the most inopportune of places.

9. NASA
Although the roughly 10,000 employees affected by the latest security lapse at NASA is a fairly small number compared to other big-number government privacy breaches this year, the circumstances offer glaring evidence of how government agencies still lag in employee awareness and training. Personally identifiable information was left on an unencrypted agency laptop, which was subsequently stolen from an employee's car on Halloween.

Lessons Learned: When large caches of information are transferred from the database, who knows where they'll end up. The NASA breach shows once again how easy it is for unencrypted information on laptops to "walk away" from authorized users.

10. New Hampshire Department of Corrections
In a case of the foxes running the hen house, the New Hampshire Department of Corrections found that inmates at a state correctional facility were able to access the main offender management database system. How so? That system was linked to a server that inmates working in the prison industries shops used. Access to the system would allow inmates to change items like parole dates and sentencing information, as well as view personally identifiable information on prison staff members.

Lessons Learned: This case offers a stark example of why highly sensitive databases require special segmentation measures to keep them safe from indirect access through connected systems.


Comments
MROBINSON000
User Rank: Apprentice
12/7/2012 | 12:23:00 PM
re: 10 Top Government Data Breaches Of 2012
Really great and resourceful article! I personally enjoyed it really much, maybe because it perfectly proves our vital need for a Cyber Security Bill that has measurable accountability controls and/or we suffer an attack that takes out our power grid or another piece of critical infrastructure. I know there's a lot of fear mongering out there which is unfortunate as it then becomes difficult for people to separate the wheat from the chaff. I've been in the IT Security space for enough time to understand how fragile our corporate and government infrastructure is. Actually, here's an interesting article on this matter: http://blog.securityinnovation.... Hope you find it useful!