Five Infamous Database Breaches So Far In 2011
An alarming trend of security companies getting hacked serves as a wake-up call that no one is immune
In today's era of the massive data breach, 2011 seems to have only continued the trend of database exposures slamming organizations large and small. According to the Privacy Rights Clearinghouse, the first half of 2011 has seen 234 breaches that affected more than hundreds of millions of individuals.
Here’s a look at some of the most impactful database exposures so far this year, all of which lessons for IT security pros:
1. Victim: HBGary Federal
Assets Stolen/Affected: 60,000 confidential emails, executive social media accounts, and customer information.
Following an announcement by security firm HBGary Federal that it was planning on exposing information about the renegade Anonymous hacking community, the firm was assaulted by Anonymous members. Anonymous hacked into HBGary's CMS database through a vulnerable front-end Web application, stealing credentials that they were able to then leverage to break into the company's executives' e-mail, Twitter, and LinkedIn accounts. They were also able to access, and then dump publicly, the email spools of HBGary proper via the HBGary Federal hack.
Lessons Learned: This attack proves once again that SQL injection remains a hacker's prime tool to jimmy into database systems; Anonymous used this method to make its first foray into HBGary Federal's systems. But the attack probably wouldn't have been able to go deeper if the credentials stored within the affected database had been hashed with something stronger than MD5. More disconcerting, though, was the fact that the passwords used by the executives were simple and the credentials were reused across many accounts.
2. Victim: RSA
Assets Stolen/Affected: Proprietary information about RSA's SecurID authentication tokens.
After an employee retrieved a spear phishing e-mail from the Junk folder and opened an infected attachment contained within, the hackers responsible for this breach were able to dig deep enough into the RSA network to find a database containing sensitive information pertaining to RSA's SecurID authentication products. Though RSA has never confirmed exactly what was stolen, reports this week have surfaced of a U.S. defense contractor using SecurID and getting hacked that bolster murmurs that the RSA attackers took the all-important SecurID seeds.
Lessons Learned: No hacking target is sacrosanct, not even one of the leading security companies in the world. The RSA breach shows how important employee training can be; some of the most secure networks and databases can be penetrated if bumbling insiders open the door wide enough for hackers. Security experts also believe this breach shows that the industry still has a long way to go to achieve effective real-time monitoring to prevent deep attacks like this from making their way to something as sensitive as what was pilfered from RSA.
3. Victim: Epsilon
Assets Stolen: E-mail databases from 2 percent of the firm's 2,500 corporate clients.
Marketing firm Epsilon has never confirmed exactly how many email addresses were stolen from its massive stores of consumer contacts, which were used to send messages on the behalf of behemoth customers, such as JPMorgan Chase, Kroger, and Tivo. But breach notifications trickling out from the firm's client companies show that this exposure surely impacts millions of customers, putting them at higher risk of phishing and spam attacks in the future.
Lessons Learned: Epsilon also has not confirmed the technical details of this attack, but a sophisticated spear-phishing campaign against the email marketing industry has been fingered by many as a likely source of the attack, re-emphasizing the importance of awareness among worker bees. Perhaps more important for enterprises, though, is the lesson that when you outsource, you still retain the risk and responsibility for protecting the data a contractor oversees. Every Epsilon client is still on the hook for disclosure and associated costs due to this breach caused by a partner.
Next: Game over? 4. Victim: Sony
Assets Stolen: More than 100 million customer account details and 12 million unencrypted credit card numbers.
Attackers were able to compromise three different databases containing sensitive customer information, including names, date of birth, and, to some extent, credit card numbers owned by Sony, affecting customers of PlayStation Network (PSN), Qriocity music and video service, and Sony Online Entertainment. So far, some nine Sony assets have been hacked as a result of the initial breach.
According to testimony by respected security expert Dr. Gene Spafford of Purdue University, Sony was using an outdated Apache server that was unpatched and had no firewall installed -- a fact that Sony knew about months before the breach went down. Last week hackers poured salt on the wound when they started to exploit PSN once again after Sony didn't fortify the password reset system in light of the fact that hackers had email addresses and dates of birth. The bad guys were able to change the password of users who had not changed the email associated with their PSN accounts before Sony shut down PSN once again to fix the problem.
Lessons Learned: A corporate culture devoid of security emphasis can cost a company a fortune in this day and age. According to reports out this week, Sony has spent $171 million so far on customer remediation, legal costs, and technical improvements in the wake of the breach -- and that cost is only rising. Recovery from such a massive breach can be not only expensive, but also embarrassing and damaging to the brand.
5. Victim: Texas Comptroller's Office
Assets Stolen: The names, Social Security numbers, and mailing addresses of 3.5 million individuals, plus dates of birth and driver's license numbers of some.
Sensitive information collected in databases by three Texas agencies -- the Teacher Retirement Center of Texas, the Texas Workforce Commission (TWC), and the Employees Retirement System of Texas -- were exposed for nearly a full year by the Texas Comptroller's Office on an unencrypted publicly accessible server. The employees responsible for putting the data online purportedly broke departmental procedures and were fired when the breach was discovered
Lessons Learned: Policies and procedures don't mean much when there are no technical controls or monitoring solutions installed to enforce them. The fact that employees were able to place database information in such a vulnerable position shows how policies without "teeth" can expose an organization. The State of Texas now faces two class-action lawsuits as a result of this breach, one of which is going for a $1,000 statutory penalty for each affected individual -- a whopping charge when it's aimed at a breach impacting millions.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like
Transform Your Security Operations And Move Beyond Legacy SIEM
Nov 6, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024