Security's Biggest Train Wrecks of 2007

We've seen a boxcar o' breaches and break-ins this year, but these were the most grisly - and the hardest to take our eyes from

The old Chinese curse says, "May you live in interesting times." It seems a lot of IT security departments may have been cursed in 2007, because most of them have had one "interesting" year. In fact, according to one report, a whopping 85 percent of organizations have experienced at least one reportable breach in the past 12 months. (See Study: Breaches of Personal Data Now Prevalent in Enterprises.)

We've covered a lot of those breaches here at Dark Reading, and we've come to learn there are essentially three types of breach stories: the "pro forma" reports of lost jump drives and laptops that seldom result in any damage to end users; the mid-tier hacks and mistakes that might ding the organization and a relatively small number of users; and the whoppers that make your jaw drop, either because of the skill of the hacker or (more often) because of the shocking inattention of the IT organization.

The following is a look at some of the whoppers we saw in 2007, updating the list of shame we offered back in May. Here's hoping your organization doesn't find its way onto our list for 2008. (See Security's Biggest Train Wrecks.)

1. A Perfect Storm
We hate to give our top spot to a bunch of malicious attackers. But talk to any security pro about 2007, and they'll tell you that they can't help having at least a little admiration for the creativity and cunning that is the Storm botnet. (See 'Storm' Trojan Hits 1.6 Million PCs; Vista May Be Vulnerable, Storm Darkens Christmas, Takes Aim at New Year's, and about a hundred stories in between.)

This year's ugliest monster (OK, technically, it first emerged in November 2006, but it's mostly been a 2007 phenomenon) is so sophisticated that many experts still disagree on what to call it. It behaves like a worm, but it downloads a Trojan, which turns unprotected PCs into botnet zombies. No matter what you call it, it's seriously bad news.

What scares security researchers, among other things, is the worm/Trojan's ability to "morph" rapidly, creating hundreds of signatures in a matter of hours and making it extremely difficult to detect. Although it has been used primarily for spam so far, researchers worry that the resulting botnet could one day be harnessed for a denial-of-service attack on a large company or government entity, potentially disabling entire computer systems in a matter of minutes.

Oh, and if that's not enough, the botnet has the ability to attack anyone who tries to probe it and bring their computer systems down. Several researchers report reprisals from Storm, and some have stopped researching it altogether. (See Researchers Fear Reprisals From Storm.)

2. Maxx'd Out
Let's put it simply: It's the worst breach of customers' personal information in human history. At last count, the TJX Companies reported that the mammoth leak, first revealed in January, has exposed some 45 million credit and debit card numbers -- and maybe more. (See TJX Breach Skewers Customers, Banks and TJ Maxx Parent Company Data Theft Is the Worst Ever.)

That figure breaks the old record of 40 million set several years ago by Card Systems -- a breach that effectively put that company out of business.

Despite reaching court settlements with both customers and banks affected by the breach, TJX still isn't saying exactly how the leak occurred, though testimony in a Canadian court suggests the tapping of a wireless LAN at one of its retail outlets. But the retailer does admit that the credit card data dates back as far as 1993 -- a major violation of Payment Card Industry standards, which stated at the time that retailers were not supposed to store any customer transaction data for more than 30 days.

Ironically, the banks that issued the credit cards bore the brunt of the pain from the breach, but they only received $41 million in the breach settlement. Card customers who were affected got a few bucks' worth of cash or in-store vouchers, and the promise of a sale sometime in 2008. TJX itself has fared fairly well, and has continued to post profits since disclosing the leak. (See TJX Settles With Banks for $41 Million.)

3. British Blunders
For sheer lack of attention, it's tough to beat the recent series of breaches reported by various agencies of the British government. The disclosures, which began with the loss of two computer disks containing the personal information of some 25 million taxpayers and their families, have led to the exposure of several more incidents, which suggest that the disregard for security procedures among U.K. agencies is nothing short of systematic. (See UK Government in Uproar Following Data Loss, MRC's Extended Validation Certificates Recommendation Flawed, and Data on 3M UK Drivers 'Lost in Iowa'.)

When the scandal first broke, top-ranking officials blamed a mid-level civil service worker for "breaking protocol" by sending sensitive data disks through the mail. The worker boldly fought back, noting that sending such packages via the postal service was common practice. Other incidents of mail theft or loss have since come to light, indicating that the worker's statements were accurate.

Since the story broke, several other agencies have stepped forward to disclose the loss of sensitive data, most notably a misplaced hard drive containing data on some three million British driver's license applicants. Data on more than 6,000 drivers was lost by the same agency in Northern Ireland during the same period, when disks containing their personal information also went missing in the mail.


4. Cyberwar Comes Home
The year has seen several instances in which governments attacked each other's computer systems, but for Americans, none hit quite so close to home as the recent exploits perpetrated on U.S. government laboratories. (See DOE Lab Break-in May Be Tip of the Iceberg.)

In what may be part of a larger series of cyberattacks on various U.S. laboratories and institutions, cybercriminals have broken into computers at the Department of Energy's Oak Ridge National Laboratory (ORNL) and also reportedly targeted Los Alamos National Laboratory and Lawrence Livermore National Laboratory.

Authorities told ABC News that the attackers may be located in China. Security experts of late have been pointing the finger at China as the main source of many cyberattacks and cyber-espionage, but Chinese officials deny it.

Names, Social Security numbers, and birth dates of visitors who were at the ORNL facility between 1990 and 2004 may have been stolen in the attack, according to ORNL. The roughly 12,000 potential victims have been contacted by the lab, but so far there's no evidence that the data has been used. ORNL says the sophisticated breach appears to be part of a wider "attempt to gain access to computer networks at numerous laboratories and institutions across the country."

5. Spy Where?
The U.S. Department of Energy would like you to know that it's doing all it can to protect the PCs and laptops containing sensitive information about nuclear technology. Ummm... It just needs to find all of them first. (See Dude, Where's Your PC?)

The DOE's Counterintelligence Directorate -- which is charged with protecting sensitive data and operations against espionage by foreign entities -- is missing 20 computers that may contain classified data, according to an inspection report issued in March by the DOE's Office of the Inspector General.

At least 14 of the computers were known to have processed classified information, the report says. "Based on these findings, we concluded that Counterintelligence was unable to assure that the computers for which it is accountable, and the often highly-sensitive and/or classified information they processed, were appropriately controlled or were adequately guarded from loss and theft," the Inspector General concluded.

The report cast a new light on the many "lost laptop" breaches of the previous months, most of which involved only a single machine. While such disclosures reveal the loss of devices that are known to be missing, most organizations are quietly unable to locate a large chunk of their PC inventory at any given time, experts said.

Gartner estimates that most enterprises can tell you the location and the user of only about 65 percent of their machines. While many of the "lost" PCs probably are still inside the enterprise, analysts estimate that as many as 3.5 to 5 percent of the missing machines are stolen, usually by employees.
