Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

11/29/2012
04:26 AM
50%
50%

10 Top Government Data Breaches Of 2012

SQL injection, post-phishing privilege escalation, and poorly secured back-up information all played their part in exposing sensitive government data stores this year

With federal and local government agencies suffering the brunt of Anonymous protests, targeted phishing attacks leading to privilege escalation, and highly effective SQL injection attacks granting wide-scale access to information, citizen privacy definitely took a hit in 2012.

1. South Carolina
More than 3.3 million unencrypted bank account numbers and 3.8 million tax returns were stolen in a wide-ranging attack against the South Carolina Department of Revenue. Itt all started through a state employee falling for a phishing attack that enabled hackers to leverage that employee's access rights to gain access to the government entity's systems and databases.

Lessons Learned: Database protection layers, such as database activity monitoring, not to mention other network detection measures could have gone a long way toward minimizing the damage caused by the type of phishing attack that all organizations, public and private, face today.

[Find out where your privacy risk posture stands. See Free Risk Indexing Tool Offers Start For Assessments.]

2. California Department of Social Services
Sensitive payroll information about approximately 700,000 individuals was lost in the mail en route between IT contractors with Hewlett Packard and the California Department of Social Services. Information, such as caregiver and care recipient names, wages, and Social Security numbers, was exposed when package sent by U.S. Postal Service with microfiche containing the information was damaged with much of the data missing.

Lessons Learned: Databases are often most vulnerable when the information within them are put into more archaic forms like paper and microfiche. This breach proves that physical security and common sense still play a big role in data privacy protection.

3. Utah Department of Health
The health information and PII of more than 780,000 Utah citizens were put at risk when Eastern European hackers broke into a server maintained by the Utah Department of Technology Services this spring by taking advantage of poor authentication configuration following database migration to a new server.

Lessons Learned: Poor authentication controls, uneven patch management, and dicey configuration management add a inordinate amount of risk to the database protection equation.

4. California Department of Child Support Services
Californians suffered not one, but two huge breach events stemming from old-school data storage and questionable shipping of unobfuscated files. The California Department of Child Support Services lost more than 800,000 sensitive health and financial records when a FedEx shipment sent by the state's contractors with IBM and Iron Mountain containing backup tapes with the data in question fell off the proverbial truck.

Lessons Learned: Just because a database is on a backup tape or drive does not make the information contained within any less valuable or vulnerable. Protection of backup information needs to be accounted for within data protection policies.

5. United States Bureau of Justice Statistics
Anonymous embarrassed the United States Bureau of Justice Statistics (BJS) when it leaked 1.7 GB of sensitive data belonging to the bureau on The Pirate Bay this spring. Files included internal emails and a database dump with information from the BJS website.

Lessons Learned: While information stolen was generally publicly available anyhow, the database dump offers yet another example of how insecure Web applications put entire back-end databases at risk.

6. City of Springfield
Though government officials report that the number of citizens stung by a recent hack of the website run by the City of Springfield was only about 2,100, the perpetrators from Anonymous said they actually were able steal from municipal databases that included more than 1,000 vehicle descriptions from online police reports and records from more than 280,000 summons filed in city digital data stores. The grey hat hackers claimed to have more than they leaked to the public, reporting that they removed sensitive information as a public service to citizens.

Lessons Learned: Speculation on this one is that it was carried out through SQL injection. Even smaller municipalities are going to find themselves targets of SQLi attacks if they leave the Web app barn door open.

7. United States Navy & DHS
Hackers from a group calling itself Digital Corruption busted into Department of Homeland Security and U.S. Navy websites using Blind SQL injection attacks. They stole database information that included usernames, passwords, email IDs, and security questions and answers for all users on the Navy's Smart Web Move website and Homeland Security's Transportation Worker Identification Credential website.

Lessons Learned: As long as organizations fail to validate input in their Web applications, hackers will continue to run roughshod with these kinds of attacks.

8. Wisconsin Department of Revenue
South Carolina's tax authorities weren't the only government tax offices to suffer an embarrassing breach in 2012. In July, the Wisconsin Department of Revenue reported that it exposed sensitive seller information about more than 110,000 people and businesses who sold property in 2011 by allowing an unknown embedded file in a Microsoft Access file with public-facing sales data to go live with that information in a report that was available to real estate professionals from April through July.

Lessons Learned: Sometimes our databases' worst enemies aren't hackers, but, instead, unknowledgeable employees who put sensitive information in the most inopportune of places.

9. NASA
Although the 10,000 employees affected by the latest security lapse at NASA is fairly small compared to other big-number government privacy breaches this year, the circumstances offer glaring evidence of how government agencies still lag in employee awareness and training. Personally identifiable information was left on an unencrypted agency laptop, which was subsequently stolen from an employee's car on Halloween.

Lessons Learned: When large caches of information are transferred from the database, who knows where they'll end up. The NASA breach shows once again how easy it is for unencrypted information on laptops to "walk away" from authorized users.

10. New Hampshire Department of Corrections
In a case of the foxes running the hen house, the New Hampshire Department of Corrections found that inmates at a state correctional facility were able to access the main offender management database system. How so? That system was linked to a server that inmates working in the prison industries shops used. Access to the system would allow inmates to change items like parole dates and sentencing information, as well as view personally identifiable information on prison staff members.

Lessons Learned: This case offers a stark example of why uber sensitive databases require special segmentation measures to keep them safe from side-channel attacks.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
12/7/2012 | 12:23:00 PM
re: 10 Top Government Data Breaches Of 2012
Really great and resourceful
article! I personally enjoyed it really much, maybe because it perfectly proves
our vital need for a Cyber Security Bill that has measurable accountability
controls and/or we suffer an attack that takes out our power grid or another
piece of critical infrastructure. I know there's a lot of fear mongering out
there which is unfortunate as it then becomes difficult for people to separate
the wheat from the chafe. I've been in the IT Security space for enough time to
understand how fragile our corporate and government infrastructure is. Actually,
hereGs an interesting article on this matter: http://blog.securityinnovation....
Hope you find it useful!-
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18238
PUBLISHED: 2020-02-26
Moxa ioLogik 2542-HSPA Series Controllers and IOs, and IOxpress Configuration Utility ioLogik 2500 series firmware, Version 3.0 or lower IOxpress configuration utility, Version 2.3.0 or lower. Sensitive information is stored in configuration files without encryption, which may allow an attacker to a...
CVE-2019-17274
PUBLISHED: 2020-02-26
NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller (BMC) firmware versions 13.x prior to 13.1P1 were shipped with a default account enabled that could allow unauthorized arbitrary command execution via local access.
CVE-2019-17275
PUBLISHED: 2020-02-26
OnCommand Cloud Manager versions prior to 3.8.0 are susceptible to arbitrary code execution by remote attackers.
CVE-2020-3169
PUBLISHED: 2020-02-26
A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root on an affected device. The vulnerability is due to insufficient validation of arguments passed to a spe...
CVE-2020-3170
PUBLISHED: 2020-02-26
A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an NX-API system process to unexpectedly restart. The vulnerability is due to incorrect validation of the HTTP header of a request that is sent to the NX-API. An attacker could expl...