Breach Details: In April The Department of Social Services in Virginia Beach, Va., announced it had fired or disciplined at least eight employees and supervisors in the past year for abusing their database privileges to access restricted information about former employees, family members, and clients. In one egregious example, a supervisor made her employees access a Virginia database to find information about her husband's child.
Lessons Learned: Insider threats to database information are very real, as this example clearly illustrates. While all of the employees involved in these incidents had legitimate access to departmental databases, their use of credentials was for purposes way outside the bounds of their job duties. Robust database activity monitoring tools are the only reliable way for organizations to ferret out account abuse cases on this plane.
5. Florida International University
Breach Details: Though details are sketchy about the exact nature of this breach, what is clear is that Florida International University found the "existence of a database containing sensitive information that did not reside in a secure computing environment" during a risk assessment following an unrelated security incident, according to notification letters sent to nearly 20,000 students and faculty. The unsecure database contained personal data, such as student data related to state mastery standards, grade tracking, assignments, and Social Security numbers of both students and faculty.
Lessons Learned: Not only do databases themselves need to be secured, but so, too, do the systems on which they run and the networks that they're attached to. This means practicing diligent patch and configuration management on database servers, segregating critical databases onto the most secure network segments, and employing the rule of least privilege for these critical database environments.
6. Lincoln National Corp.
Breach Details: In January this financial services firm revealed that lax password management practices and frequent credential-sharing for access to the company's client portfolio database potentially exposed the records of 1.2 million customers. Some shared passwords were used for as long as seven years. The security lapse was not uncovered until an anonymous whistleblower sent Financial Industry Regulatory Authority (FINRA) a user name and password combo that gave access to the portfolio.
Lessons Learned: Password-sharing is one of the most common and potentially damaging behaviors to affect enterprise database security postures. Not only do organizations need to develop and enforce password management policies, they also need a way to look for account use patterns that indicate illegitimate sharing.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.