Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

6/20/2012
11:50 AM
50%
50%

6 Biggest Breaches Of 2012 So Far

Take stock and learn from the mistakes of others

Now that we're just about at the halfway point of the year, it is just as good of a time as any to take stock of the data breach environment and start gathering lessons from others' missteps.

There's plenty to choose from. According to the Privacy Rights Clearinghouse, during the first half of 2012 we have seen 266 breaches that affect more than 18.5 million records. Dark Reading poured through the records and picked a breach for each month of 2012 so far to highlight as the most important exposures to learn from in the first half of the year.

[ Empower your users to stop big breaches. See When Will End Users Stop Being Fooled By Online Scams? ]

1. Zappos
Time Of Disclosure: January 2012

Records Breached: 24 million records, including names, email addresses, phone numbers, last four digits of credit card numbers, and encrypted passwords

Incident: A hacker gained access through a Zappos server into the company's internal network to snag personal information that could be used to phish Zappos customers.

Lessons Learned: While there may be no such thing as a good breach, many experts believe Zappos stands as a role model in reducing risk factors following a breach. For one, the encryption the company used for its passwords passed muster. Second, the company clearly had an incident response and notification plan in place and used it. In an era where it is not a question of if but when a breach will hit, these are two huge factors to consider.

2. University of North Carolina
Time Of Disclosure: February 2012

Records Breached: 350,000 records

Incident: Two separate incidents, one going back a decade, exposed Social Security numbers and financial information online.

Lessons Learned: System misconfigurations caused back-end university systems to be exposed on the Internet for public consumption. This is an increasingly familiar breach scenario these days, as organizations struggle to keep access control configurations in check so that database information is made available to the people who need it without being opened up to the world at large. Setting systems configurations is not sexy work, but it is critical.

3. Global Payment Systems
Time Of Disclosure: March 2012

Records Breached: 7 million consumer records, including 1.5 million credit cards

Incident: The credit card processor found in March that 1.5 million credit card records had been exported from its North American processing system. In its investigation, it most recently found that a database of new and past processing applicants had also been hit.

Lessons Learned: Without a doubt the most impactful breach of the year so far, this massive exposure offers a valuable lesson in the folly of point-in-time, check-box compliance. Hackers don't care whether your organization has been rubber-stamped by an auditor who sees the company is compliant on the day he or she signs the papers. Neither do regulatory bodies -- if you're breached, you're out of compliance. In the case of Global Payments, it has been delisted by the card companies as a company meeting its security standards until it can prove it is back in compliance.

4. South Carolina Health and Human Services
Time Of Disclosure: April 2012

Records Breached: 228,435 records

Incident: An employee was caught after emailing himself hundreds of thousands of patient records during the course of several months, including Medicaid ID numbers for more than 22,000 patients.

Lessons Learned: While many organizations are rightfully concerned about unauthorized access to their databases, sometimes it is the authorized users who can steal the most valuable and sensitive records. A data-centric security program that protects the information both inside and outside the database with means to track data movement is crucial to detecting insider theft before it does damage.

5. University of Nebraska
Time Of Disclosure: May 2012

Records Breached: 654,000 student records

Incident: Social Security numbers, addresses, grades, and more were stolen from the Nebraska Student Information System (NeSIS) database. Details of how the breach occurred are still under wraps, but a suspect has been identified and law enforcement is involved.

Lessons Learned: This particular breach affected a consolidated database system that stored volumes of information about students across the entire Nebraska State College System. As IT departments become more efficient and less siloed, information is increasingly consolidated into monolithic systems. This is a boon for organizations in many ways, but it also dramatically increases the importance of securing these data stores. Putting one's eggs in a single basket makes it prudent to make sure that basket is made out of Kevlar.

6. LinkedIn
Time Of Disclosure: June 2012

Records Breached: 6.5 million user passwords

Incident: The appearance of a password dump on an online forum prompted responses from the security community, which confirmed that the information was from LinkedIn. After some scrambling, LinkedIn confirmed the breach.

Lessons Learned: Just slapping any old encryption scheme onto sensitive data is not good enough these days. LinkedIn's failure to salt its passwords left them open to easy cracking by unauthorized parties. The incident also stands as an important lesson in incident response -- many experts believe LinkedIn was unprepared to swiftly handle response to a security incident such as this.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/25/2012 | 2:38:40 AM
re: 6 Biggest Breaches Of 2012 So Far
The eHarmony breach should probably be on here too. It was related to the LinkedIn breach and affected I believe over a million passwords.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21392
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addre...
CVE-2021-21393
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-29429
PUBLISHED: 2021-04-12
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded in...
CVE-2021-21394
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-22497
PUBLISHED: 2021-04-12
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.