Recent Database Breaches Teach Security Lessons -- The Hard Way

Gawker, Epsilon, TSS of San Juan offer window into database hacks -- and how to defend against them
[Excerpted from "Database Breaches: Lessons Learned From Real-World Attacks," a new report posted this week on Dark Reading's Database Security Tech Center.]

If a hack successfully queries and exports hundreds of thousands -- or even millions -- of customers' records, you have a major problem that’s likely to cost your company millions of dollars in notifications, incident investigation/recovery, and lost business.

According to the Ponemon Institute’s sixth annual U.S. Cost of a Data Breach Study, data breach incidents cost U.S. companies $214 per compromised customer record in 2010. The average total per-incident cost in 2010 was $7.2 million. Additionally, brand damage can be significant.

Yet despite the threat, many companies still have no idea that their most important data -- especially databases -- are being pillaged. Even when they do find out, weeks and often months pass between the time of the initial attack and the discovery, according to the 2010 Verizon Data Breach Investigation Report. What’s more, enterprises typically learn of the breach through third parties, rather than their own efforts.

How do such major breaches happen -- and how can you prevent them from happening to your organization? Let's look at a few recent breaches and see what lessons we can learn.

The Gawker fiasco is one of the most highly publicized database attacks of recent months, and the damage done to Gawker's portfolio of blog sites was widespread. On Gawker, you must "audition" and be found worthy to post content; your comments must be approved, and you can be banned at any time without warning if you rub a moderator the wrong way. Why was Gawker singled out for attack? There are several theories.

One suggests that Gawker became a target when one of its writers called out 4Chan, a freewheeling and wide-open message board, and Tumblr, a blogging platform, for unkind content posted about a young girl. Others believe Gawker was asking for trouble by making claims about how impenetrable its network defenses were. The likely culprit was Gnosis, a group of attackers not affiliated with 4Chan who picked up on that rhetoric and decided Gawker needed to be "brought down a peg or two," according to an interview with someone claiming to be a member.

Perhaps Gawker's biggest mistake relates to the way it stored user account passwords. Many of the early accounts of the database attack reported that account passwords were encrypted with DES rather than AES or Triple DES. Gawker also revealed that accounts created prior to the end of 2008 were hashed with crypt(3), an extremely outdated hashing algorithm that is highly susceptible to dictionary attacks.

In addition, Gawker reportedly failed to enable SSL on various sites, passing user credentials over HTTP in clear text.
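The password-storage lesson above, as an added example that is not Gawker's code: keep salted, deliberately slow PBKDF2-HMAC-SHA256 hashes and transparently re-hash any account still on the legacy scheme the next time its owner logs in. Python's crypt module is deprecated, so the legacy scheme here is a constructed stand-in (an unsalted single-pass SHA-1) that has the same weakness the article describes: one precomputed dictionary cracks every account at once.

```python
"""Salted, slow password hashes with upgrade-on-login (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware improves


def legacy_hash(password):
    # Constructed stand-in for an old fast, unsalted scheme such as crypt(3):
    # identical passwords give identical digests, so a dictionary built once
    # cracks every account that shares a password.
    return "legacy$" + hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hash(password, salt=None):
    salt = salt or os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify(stored, password):
    """Check a password against either scheme using constant-time comparison."""
    scheme = stored.split("$", 1)[0]
    if scheme == "legacy":
        return hmac.compare_digest(stored, legacy_hash(password))
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(user_db, username, password):
    """Return True on success; migrate a legacy hash to PBKDF2 in place."""
    stored = user_db.get(username)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("legacy$"):
        # The plaintext is only available at login, so this is the moment
        # to replace the weak hash with a salted, slow one.
        user_db[username] = pbkdf2_hash(password)
    return True
```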

Epsilon

If you think using a third-party service provider will guarantee the safety of your customer databases, think again.

Witness the massive attack at email marketing firm Epsilon Interactive, which resulted in the theft of customer email addresses from at least 50 clients, including JPMorgan Chase, Capital One, Marriott Rewards, US Bank, Citi, Ritz-Carlton Rewards, Walgreens, The College Board and the Home Shopping Network.

This was the second major email data breach in recent months. In December, several firms, including deviantART, Honda, McDonald's and Walgreens, revealed a similar attack in which email addresses were stolen from Silverpop, a third-party email service provider.

Detailed technical information about how exactly Epsilon and Silverpop were attacked is unavailable. But these breaches clearly illustrate that you should vet your service provider’s security and compliance policies and practices. You can’t outsource liability, and you will be held responsible by your customers for the security failures of any third parties handling your customers’ information. Ask if your service provider conducts periodic SAS70 and/or PCI compliance audits.

TSS of San Juan

We already know compromised customer records have tremendous value on the black market. But don't just assume it's a cyberthief in Ukraine or China trying to steal your data -- it could be your competition.

TSS of San Juan is an HMO operating under the government of Puerto Rico’s health insurance plan. You do not need to be an attack expert to understand the technical details of this breach: At some point in September 2010, an undisclosed competitor gained access to the TSS member database through the use of one or more valid credentials.

A TSS press release hypothesizes that the unscrupulous competitor most likely was interested in the financial details of members’ healthcare transactions. TSS admits it did lose damaging personal information among the almost 400,000 records compromised. As a result of this breach, the Puerto Rican government fined TSS $100,000.

One lesson learned from this: Don't allow simultaneous use of the same account with valid credentials from multiple locations, and audit applications with back-end database access for this kind of activity. Active Directory auditing tools and database activity monitoring products can also help determine whether one of your user accounts has been compromised.
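The detection half of that lesson, as an added example that is not from the article or from TSS: a small check that walks application login/logout events and flags any login that overlaps an open session of the same account from a different source address, which is how valid-but-misused credentials like those in the TSS breach can surface. The log format and the sample lines are constructed for this example.

```python
"""Flag one account in use from several addresses at once (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <login|logout> user=<name> src=<ip>"
SAMPLE_LOG = """\
2010-09-14T08:00:00 login user=jruiz src=10.1.4.22
2010-09-14T08:05:10 login user=mperez src=10.1.4.30
2010-09-14T08:07:45 login user=jruiz src=203.0.113.9
2010-09-14T09:30:00 logout user=jruiz src=10.1.4.22
2010-09-14T09:31:00 login user=jruiz src=10.1.4.22
"""


def parse(line):
    ts, event, user, src = line.split()
    return (datetime.fromisoformat(ts), event,
            user.split("=", 1)[1], src.split("=", 1)[1])


def concurrent_sessions(log_text, window=timedelta(hours=8)):
    """Return (user, open_src, new_src, timestamp) for every login that
    overlaps a still-open session of the same account from another address.

    A session stays open until a logout from the same address is seen or
    `window` elapses with no logout (sessions are often never closed cleanly).
    """
    open_sessions = defaultdict(dict)  # user -> {src: login_time}
    alerts = []
    for line in log_text.splitlines():
        ts, event, user, src = parse(line)
        if event == "logout":
            open_sessions[user].pop(src, None)
            continue
        # Expire sessions that outlived the window before comparing.
        for s, t0 in list(open_sessions[user].items()):
            if ts - t0 > window:
                del open_sessions[user][s]
        for s in open_sessions[user]:
            if s != src:
                alerts.append((user, s, src, ts))
        open_sessions[user][src] = ts
    return alerts


if __name__ == "__main__":
    for user, open_src, new_src, ts in concurrent_sessions(SAMPLE_LOG):
        print("%s: %s active from %s while already open from %s" % (ts, user, new_src, open_src))
```

On the sample above the check raises two alerts for jruiz and none for mperez; in production the same logic would run over the application's own authentication log and feed the database activity monitoring the article recommends.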

To learn more about these breaches -- and others -- and to get more information on the lessons that can be learned, download the free report.
