Application Security // Database Security
11/25/2013
05:02 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Lessons Learned From 4 Major Data Breaches In 2013

Breach stats are declining, but data is still at risk from poorly protected databases, applications, and endpoints

In many respects the breach trends of 2013 have borne out some good news for the security industry. Unlike the past four to five years, this one has not been awash with mega database breaches of tens of millions of records containing personally identifiable information (PII). And according to statistics compiled by the Privacy Rights Clearinghouse, both the number of breaches publicly reported and the volume of records breached have declined. Last year at this time, the running count already totaled approximately 27.8 million records compromised and 637 breaches reported. This year, that tally so far equals about 10.6 million records compromised and 483 breaches reported. It's a testament to the progress the industry has made in the fundamentals of compliance and security best practices. But this year's record is clearly far from perfect.

When comparing year-to-date numbers, the volume of records breached went down a drastic 61.7 percent, while the number of reported breaches was only reduced by about 24.2 percent. This shows that breaches are still occurring at a fast clip -- it's just now the distribution of theft and compromise has spread out. Breaches are smaller, and according to security insiders, they're far more targeted. And frequently the theft is of IP or other digital property that could be even more damaging than customer records when stolen, but which are more difficult to quantify and don't make the statistical headlines.

Delving deeper into the specifics of breaches occurring this year, it is evident there's still work to do. As evidenced by the 2013 track record, valuable databases are still left unprotected and unencrypted, applications are still riddled with vulnerabilities, and users are still allowed to download huge quantities of information from sensitive databases and store them on poorly protected endpoints. To plead our case, Dark Reading has cherry-picked a few helpful examples and offered up some valuable lessons the industry can learn from these incidents.

Company Compromised: CorporateCarOnline.com
Breach Stats: 850,000 records stolen
The Details: Personal details, credit card numbers, and other PII from some of the biggest American names in professional sports, entertainment, Fortune 500 business, and politics were all stolen in this juicy heist of a plain text archive held by this company that develops a SaaS database solution for limo services across the country. Some of the big names on the list include Tom Hanks, Sen. Tom Daschle, and Donald Trump.

Lessons Learned: A key lesson is how the ingenuity of attackers knows no bounds when the most valuable financial and social-engineering-fueling information is at stake. According to KrebsOnSecurity.com, a quarter of the compromised card numbers were high- or no-limit American Express cards, and other information would prove a treasure trove for corporate spies or tabloid media players. Meanwhile, the company at hand paid absolutely no regard to the security of the information, without even trying to take the most basic of cryptographic measures to protect it.

[How do you know if you've been breached? See Top 15 Indicators of Compromise.]

Company Compromised: Adobe
Breach Stats: Nearly 3 million PII records, more than 150 million username/password combos, and source code from Adobe Acrobat, ColdFusion, ColdFusion Builder and other unspecified products were stolen.
The Details: This is the breach that just keeps unraveling as the hits keep coming more than a month after the compromise was first disclosed. Originally just though a compromise of 3 million PII records, it's now clear that Adobe is contending with the loss of a vast trove of login credentials, and, more startlingly, its source code.

Lessons Learned: Not only is the still-unfolding Adobe story a good teaching moment for how thoroughly a company can be owned by attackers once they've established a foothold in a corporate network, it's also a lesson on how dependent the entire enterprise ecosystem is on the security of its software supply chain. The potential ramifications could ripple out for a long while yet as a result of this breach.

Company Compromised: U.S. Department Of Energy
Breach Stats: PII stolen for 53,000 former and current DOE employees
The Details: Attackers targeted DOEInfo, the agency's outdated, publicly accessible system built on ColdFusion for the office of its CFO. DOE officials say the breach was limited to PII about employees.

Lessons Learned: There were two big lessons here. First, patching always has been and always will be paramount. Second, organizations must think about reducing their attack surfaces by reconsidering which systems connected to sensitive databases should be left open on publicly facing websites.

Company Compromised: Advocate Medical Group
Breach Stats: 4 million patient records stolen
The Details: The theft of four computers from offices owned by this medical company exposed more than 4 million patient records in what officials are calling the second-largest loss of unsecured health information since notification to the Department of Health and Human Services became mandatory in 2009.

Lessons Learned: Health-care breaches are dominating the 2013 breach disclosure list thus far, but this one in particular is the most egregious. With patient records dating back to the 1990s compromised from a physical computer theft, it is clear that the basics in physical security, endpoint security, encryption, and data protection were all deficient. In particular, endpoint theft and loss in health-care issues seems to come up time and time again. It may be time for these organizations to reconsider how much data an endpoint is allowed to download and store from centralized databases.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ANON1233964134849
50%
50%
ANON1233964134849,
User Rank: Apprentice
12/4/2013 | 1:17:56 PM
re: Lessons Learned From 4 Major Data Breaches In 2013
Adobe's systems were unable to perform the needed " real time data inspection & Classification on Data at rest and in motion while at the same time Enforcing security policies." http://www.gtbtechnologies.com...
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5242
Published: 2014-10-21
Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parameter in a get_template action.

CVE-2012-5243
Published: 2014-10-21
functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to read arbitrary database information via a crafted request.

CVE-2012-5702
Published: 2014-10-21
Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action, (2) field parameter in a date_format action, or (3) company_name parameter in an addedit action to i...

CVE-2013-7406
Published: 2014-10-21
SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2531
Published: 2014-10-21
SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbitrary SQL commands via the i parameter in a search action to the (1) NodeWorx , (2) SiteWorx, or (3) R...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.