Application Security // Database Security
11/25/2013
05:02 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Lessons Learned From 4 Major Data Breaches In 2013

Breach stats are declining, but data is still at risk from poorly protected databases, applications, and endpoints

In many respects the breach trends of 2013 have borne out some good news for the security industry. Unlike the past four to five years, this one has not been awash with mega database breaches of tens of millions of records containing personally identifiable information (PII). And according to statistics compiled by the Privacy Rights Clearinghouse, both the number of breaches publicly reported and the volume of records breached have declined. Last year at this time, the running count already totaled approximately 27.8 million records compromised and 637 breaches reported. This year, that tally so far equals about 10.6 million records compromised and 483 breaches reported. It's a testament to the progress the industry has made in the fundamentals of compliance and security best practices. But this year's record is clearly far from perfect.

When comparing year-to-date numbers, the volume of records breached went down a drastic 61.7 percent, while the number of reported breaches was only reduced by about 24.2 percent. This shows that breaches are still occurring at a fast clip -- it's just now the distribution of theft and compromise has spread out. Breaches are smaller, and according to security insiders, they're far more targeted. And frequently the theft is of IP or other digital property that could be even more damaging than customer records when stolen, but which are more difficult to quantify and don't make the statistical headlines.

Delving deeper into the specifics of breaches occurring this year, it is evident there's still work to do. As evidenced by the 2013 track record, valuable databases are still left unprotected and unencrypted, applications are still riddled with vulnerabilities, and users are still allowed to download huge quantities of information from sensitive databases and store them on poorly protected endpoints. To plead our case, Dark Reading has cherry-picked a few helpful examples and offered up some valuable lessons the industry can learn from these incidents.

Company Compromised: CorporateCarOnline.com
Breach Stats: 850,000 records stolen
The Details: Personal details, credit card numbers, and other PII from some of the biggest American names in professional sports, entertainment, Fortune 500 business, and politics were all stolen in this juicy heist of a plain text archive held by this company that develops a SaaS database solution for limo services across the country. Some of the big names on the list include Tom Hanks, Sen. Tom Daschle, and Donald Trump.

Lessons Learned: A key lesson is how the ingenuity of attackers knows no bounds when the most valuable financial and social-engineering-fueling information is at stake. According to KrebsOnSecurity.com, a quarter of the compromised card numbers were high- or no-limit American Express cards, and other information would prove a treasure trove for corporate spies or tabloid media players. Meanwhile, the company at hand paid absolutely no regard to the security of the information, without even trying to take the most basic of cryptographic measures to protect it.

[How do you know if you've been breached? See Top 15 Indicators of Compromise.]

Company Compromised: Adobe
Breach Stats: Nearly 3 million PII records, more than 150 million username/password combos, and source code from Adobe Acrobat, ColdFusion, ColdFusion Builder and other unspecified products were stolen.
The Details: This is the breach that just keeps unraveling as the hits keep coming more than a month after the compromise was first disclosed. Originally just though a compromise of 3 million PII records, it's now clear that Adobe is contending with the loss of a vast trove of login credentials, and, more startlingly, its source code.

Lessons Learned: Not only is the still-unfolding Adobe story a good teaching moment for how thoroughly a company can be owned by attackers once they've established a foothold in a corporate network, it's also a lesson on how dependent the entire enterprise ecosystem is on the security of its software supply chain. The potential ramifications could ripple out for a long while yet as a result of this breach.

Company Compromised: U.S. Department Of Energy
Breach Stats: PII stolen for 53,000 former and current DOE employees
The Details: Attackers targeted DOEInfo, the agency's outdated, publicly accessible system built on ColdFusion for the office of its CFO. DOE officials say the breach was limited to PII about employees.

Lessons Learned: There were two big lessons here. First, patching always has been and always will be paramount. Second, organizations must think about reducing their attack surfaces by reconsidering which systems connected to sensitive databases should be left open on publicly facing websites.

Company Compromised: Advocate Medical Group
Breach Stats: 4 million patient records stolen
The Details: The theft of four computers from offices owned by this medical company exposed more than 4 million patient records in what officials are calling the second-largest loss of unsecured health information since notification to the Department of Health and Human Services became mandatory in 2009.

Lessons Learned: Health-care breaches are dominating the 2013 breach disclosure list thus far, but this one in particular is the most egregious. With patient records dating back to the 1990s compromised from a physical computer theft, it is clear that the basics in physical security, endpoint security, encryption, and data protection were all deficient. In particular, endpoint theft and loss in health-care issues seems to come up time and time again. It may be time for these organizations to reconsider how much data an endpoint is allowed to download and store from centralized databases.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ANON1233964134849
50%
50%
ANON1233964134849,
User Rank: Apprentice
12/4/2013 | 1:17:56 PM
re: Lessons Learned From 4 Major Data Breaches In 2013
Adobe's systems were unable to perform the needed " real time data inspection & Classification on Data at rest and in motion while at the same time Enforcing security policies." http://www.gtbtechnologies.com...
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5619
Published: 2014-09-29
The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file system entries in FAT file systems and other file systems for which . is not a reserved name, which allows local users to hide activities it more difficult to conduct forensics activities, as demonstrated by Flame.

CVE-2012-5621
Published: 2014-09-29
lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 allows remote attackers to cause a denial of service (crash) via an OPAL connection with a party name that contains invalid UTF-8 strings.

CVE-2012-6107
Published: 2014-09-29
Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2012-6110
Published: 2014-09-29
bcron-exec in bcron before 0.10 does not close file descriptors associated with temporary files when running a cron job, which allows local users to modify job files and send spam messages by accessing an open file descriptor.

CVE-2013-1874
Published: 2014-09-29
Untrusted search path vulnerability in csi in Chicken before 4.8.2 allows local users to execute arbitrary code via a Trojan horse .csirc in the current working directory.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.