Five Infamous Database Breaches So Far In 2011
An alarming trend of security companies getting hacked serves as a wake-up call that no one is immune
In today's era of the massive data breach, 2011 has only continued the trend of database exposures slamming organizations large and small. According to the Privacy Rights Clearinghouse, the first half of 2011 alone saw 234 reported breaches, collectively affecting hundreds of millions of individuals.
Here's a look at some of the most impactful database exposures so far this year, all of which carry lessons for IT security pros:
1. Victim: HBGary Federal
Assets Stolen/Affected: 60,000 confidential emails, executive social media accounts, and customer information.
Following an announcement by security firm HBGary Federal that it was planning to expose information about the renegade Anonymous hacking community, the firm was assaulted by Anonymous members. Anonymous broke into the database behind HBGary Federal's content management system through a vulnerable front-end Web application and pulled out stored credentials, which they were then able to leverage to break into the company executives' e-mail, Twitter, and LinkedIn accounts. They were also able to access, and then dump publicly, the e-mail spools of HBGary proper via the HBGary Federal hack.
Lessons Learned: This attack proves once again that SQL injection remains a hacker's prime tool to jimmy into database systems; Anonymous used this method to make its first foray into HBGary Federal's systems. But the attack probably wouldn't have been able to go deeper if the credentials stored within the affected database had been protected with something stronger than unsalted MD5, which can be reversed for common passwords by simple table lookup. More disconcerting, though, was the fact that the passwords used by the executives were simple and the credentials were reused across many accounts, so one cracked hash opened every other door.
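The two technical failures in this write-up, a string-built SQL query and unsalted fast hashes, are easy to reproduce side by side. The following is an added example written for this page, not HBGary's code or data: the user table, the wordlist and the account names are constructed, and the "rainbow table" is a four-word dictionary standing in for the real thing. It shows an injected username dumping every row from the vulnerable lookup but nothing from the parameterised one, then shows a precomputed lookup cracking the dumped MD5 digests while the same lookup gets nothing against salted PBKDF2 strings.

```python
"""Added example (not from the original article): SQL injection and
password-hash cracking in miniature, on constructed sample data."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; hypothetical names and passwords only.
SAMPLE_USERS = [("admin", "password123"), ("editor", "Tr0ub4dor&3")]
# Constructed tiny wordlist standing in for a rainbow table or dictionary.
WORDLIST = ["123456", "password", "password123", "letmein"]


def md5_store(password):
    """Unsalted MD5 hex digest: fast, and identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None, rounds=100_000):
    """Per-user random salt plus an iterated hash; salt and cost are stored
    alongside the digest so verification can recompute it."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), dk.hex())


def pbkdf2_verify(stored, guess):
    """Recompute with the stored salt and rounds; constant-time compare."""
    _, rounds, salt_hex, _ = stored.split("$")
    recomputed = pbkdf2_store(guess, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(stored, recomputed)


def build_db(store):
    """In-memory users table populated with the chosen password store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, store(p)) for u, p in SAMPLE_USERS])
    return conn


def find_user_vulnerable(conn, username):
    """The bug: the username is spliced straight into the SQL text."""
    sql = "SELECT username, pw FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """The fix: the driver sends the value separately from the SQL."""
    sql = "SELECT username, pw FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def lookup_crack(dumped_rows, wordlist=WORDLIST):
    """Offline attack with a precomputed table: hash each word once, then
    match every dumped digest against it. This only works when hashes are
    unsalted, because then the same password yields the same digest for
    every user and every site; a salted digest never appears in the table."""
    table = {md5_store(w): w for w in wordlist}
    return {user: table[h] for user, h in dumped_rows if h in table}


def main():
    # Closes the quoted string and ORs in a true condition: WHERE username = '' OR '1'='1'
    payload = "' OR '1'='1"
    md5_db = build_db(md5_store)
    dumped = find_user_vulnerable(md5_db, payload)
    print("vulnerable lookup returned %d rows" % len(dumped))
    print("safe lookup returned %d rows" % len(find_user_safe(md5_db, payload)))
    print("cracked from MD5 dump:", lookup_crack(dumped))
    salted_db = build_db(pbkdf2_store)
    print("cracked from salted dump:",
          lookup_crack(find_user_vulnerable(salted_db, payload)))


if __name__ == "__main__":
    main()
```

The parameterised query closes the injection route entirely; salting and iterating the hash does not make a reused "password123" strong, but it forces the attacker to guess against each hash individually at a cost you control, which is exactly the margin the article says HBGary Federal did not have.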
2. Victim: RSA
Assets Stolen/Affected: Proprietary information about RSA's SecurID authentication tokens.
After an employee retrieved a spear-phishing e-mail from the Junk folder and opened the infected attachment it carried, the hackers responsible for this breach were able to dig deep enough into the RSA network to find a database containing sensitive information pertaining to RSA's SecurID authentication products. Though RSA has never confirmed exactly what was stolen, reports this week that a U.S. defense contractor using SecurID was itself hacked have bolstered speculation that the RSA attackers took the all-important SecurID seeds.
Lessons Learned: No hacking target is sacrosanct, not even one of the leading security companies in the world. The RSA breach shows how important employee training can be; some of the most secure networks and databases can be penetrated if bumbling insiders open the door wide enough for hackers. Security experts also believe this breach shows that the industry still has a long way to go to achieve effective real-time monitoring to prevent deep attacks like this from making their way to something as sensitive as what was pilfered from RSA.
3. Victim: Epsilon
Assets Stolen: E-mail databases from 2 percent of the firm's 2,500 corporate clients.
Marketing firm Epsilon has never confirmed exactly how many e-mail addresses were stolen from its massive stores of consumer contacts, which it used to send messages on behalf of behemoth customers such as JPMorgan Chase, Kroger, and TiVo. But the breach notifications trickling out from the firm's client companies show that this exposure surely affects millions of consumers, putting them at higher risk of targeted phishing and spam in the future.
Lessons Learned: Epsilon also has not confirmed the technical details of this attack, but a sophisticated spear-phishing campaign against the e-mail marketing industry has been fingered by many as a likely source, re-emphasizing the importance of awareness among worker bees. Perhaps more important for enterprises, though, is the lesson that when you outsource, you still retain the risk and the responsibility for protecting the data a contractor oversees. Every Epsilon client is still on the hook for disclosure and the associated costs of a breach caused by a partner.