Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

04:26 AM

10 Top Government Data Breaches Of 2012

SQL injection, post-phishing privilege escalation, and poorly secured back-up information all played their part in exposing sensitive government data stores this year

With federal and local government agencies suffering the brunt of Anonymous protests, targeted phishing attacks leading to privilege escalation, and highly effective SQL injection attacks granting wide-scale access to information, citizen privacy definitely took a hit in 2012.

1. South Carolina
More than 3.3 million unencrypted bank account numbers and 3.8 million tax returns were stolen in a wide-ranging attack against the South Carolina Department of Revenue. Itt all started through a state employee falling for a phishing attack that enabled hackers to leverage that employee's access rights to gain access to the government entity's systems and databases.

Lessons Learned: Database protection layers, such as database activity monitoring, not to mention other network detection measures could have gone a long way toward minimizing the damage caused by the type of phishing attack that all organizations, public and private, face today.

[Find out where your privacy risk posture stands. See Free Risk Indexing Tool Offers Start For Assessments.]

2. California Department of Social Services
Sensitive payroll information about approximately 700,000 individuals was lost in the mail en route between IT contractors with Hewlett Packard and the California Department of Social Services. Information, such as caregiver and care recipient names, wages, and Social Security numbers, was exposed when package sent by U.S. Postal Service with microfiche containing the information was damaged with much of the data missing.

Lessons Learned: Databases are often most vulnerable when the information within them are put into more archaic forms like paper and microfiche. This breach proves that physical security and common sense still play a big role in data privacy protection.

3. Utah Department of Health
The health information and PII of more than 780,000 Utah citizens were put at risk when Eastern European hackers broke into a server maintained by the Utah Department of Technology Services this spring by taking advantage of poor authentication configuration following database migration to a new server.

Lessons Learned: Poor authentication controls, uneven patch management, and dicey configuration management add a inordinate amount of risk to the database protection equation.

4. California Department of Child Support Services
Californians suffered not one, but two huge breach events stemming from old-school data storage and questionable shipping of unobfuscated files. The California Department of Child Support Services lost more than 800,000 sensitive health and financial records when a FedEx shipment sent by the state's contractors with IBM and Iron Mountain containing backup tapes with the data in question fell off the proverbial truck.

Lessons Learned: Just because a database is on a backup tape or drive does not make the information contained within any less valuable or vulnerable. Protection of backup information needs to be accounted for within data protection policies.

5. United States Bureau of Justice Statistics
Anonymous embarrassed the United States Bureau of Justice Statistics (BJS) when it leaked 1.7 GB of sensitive data belonging to the bureau on The Pirate Bay this spring. Files included internal emails and a database dump with information from the BJS website.

Lessons Learned: While information stolen was generally publicly available anyhow, the database dump offers yet another example of how insecure Web applications put entire back-end databases at risk.

6. City of Springfield
Though government officials report that the number of citizens stung by a recent hack of the website run by the City of Springfield was only about 2,100, the perpetrators from Anonymous said they actually were able steal from municipal databases that included more than 1,000 vehicle descriptions from online police reports and records from more than 280,000 summons filed in city digital data stores. The grey hat hackers claimed to have more than they leaked to the public, reporting that they removed sensitive information as a public service to citizens.

Lessons Learned: Speculation on this one is that it was carried out through SQL injection. Even smaller municipalities are going to find themselves targets of SQLi attacks if they leave the Web app barn door open.

7. United States Navy & DHS
Hackers from a group calling itself Digital Corruption busted into Department of Homeland Security and U.S. Navy websites using Blind SQL injection attacks. They stole database information that included usernames, passwords, email IDs, and security questions and answers for all users on the Navy's Smart Web Move website and Homeland Security's Transportation Worker Identification Credential website.

Lessons Learned: As long as organizations fail to validate input in their Web applications, hackers will continue to run roughshod with these kinds of attacks.

8. Wisconsin Department of Revenue
South Carolina's tax authorities weren't the only government tax offices to suffer an embarrassing breach in 2012. In July, the Wisconsin Department of Revenue reported that it exposed sensitive seller information about more than 110,000 people and businesses who sold property in 2011 by allowing an unknown embedded file in a Microsoft Access file with public-facing sales data to go live with that information in a report that was available to real estate professionals from April through July.

Lessons Learned: Sometimes our databases' worst enemies aren't hackers, but, instead, unknowledgeable employees who put sensitive information in the most inopportune of places.

Although the 10,000 employees affected by the latest security lapse at NASA is fairly small compared to other big-number government privacy breaches this year, the circumstances offer glaring evidence of how government agencies still lag in employee awareness and training. Personally identifiable information was left on an unencrypted agency laptop, which was subsequently stolen from an employee's car on Halloween.

Lessons Learned: When large caches of information are transferred from the database, who knows where they'll end up. The NASA breach shows once again how easy it is for unencrypted information on laptops to "walk away" from authorized users.

10. New Hampshire Department of Corrections
In a case of the foxes running the hen house, the New Hampshire Department of Corrections found that inmates at a state correctional facility were able to access the main offender management database system. How so? That system was linked to a server that inmates working in the prison industries shops used. Access to the system would allow inmates to change items like parole dates and sentencing information, as well as view personally identifiable information on prison staff members.

Lessons Learned: This case offers a stark example of why uber sensitive databases require special segmentation measures to keep them safe from side-channel attacks.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
12/7/2012 | 12:23:00 PM
re: 10 Top Government Data Breaches Of 2012
Really great and resourceful
article! I personally enjoyed it really much, maybe because it perfectly proves
our vital need for a Cyber Security Bill that has measurable accountability
controls and/or we suffer an attack that takes out our power grid or another
piece of critical infrastructure. I know there's a lot of fear mongering out
there which is unfortunate as it then becomes difficult for people to separate
the wheat from the chafe. I've been in the IT Security space for enough time to
understand how fragile our corporate and government infrastructure is. Actually,
hereGs an interesting article on this matter: http://blog.securityinnovation....
Hope you find it useful!-
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: We need more votes, check the obituaries.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-26
KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
PUBLISHED: 2021-01-26
The ftpd gem 0.2.1 for Ruby allows remote attackers to execute arbitrary OS commands via shell metacharacters in a LIST or NLST command argument within FTP protocol traffic.
PUBLISHED: 2021-01-26
SmartAgent 3.1.0 allows a ViewOnly attacker to create a SuperUser account via the /#/CampaignManager/users URI.
PUBLISHED: 2021-01-26
NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, L4T versions prior to 32.5, contains a vulnerability in the apply_binaries.sh script used to install NVIDIA components into the root file system image, in which improper access control is applied, which may lead to an un...
PUBLISHED: 2021-01-26
NVIDIA Tegra kernel in Jetson AGX Xavier Series, Jetson Xavier NX, TX1, TX2, Nano and Nano 2GB, all L4T versions prior to r32.5, contains a vulnerability in the INA3221 driver in which improper access control may lead to unauthorized users gaining access to system power usage data, which may lead to...