Avoid Cyber Risk: 7 Major Global Security Breaches
Data security is a huge issue for any business today, as hackers have become increasingly sophisticated and, in many cases, their attacks are able to go completely undetected. The reasons individual companies experience security breaches vary from failing to follow standard safety protocols, to employees unknowingly aiding the attackers in their crimes. Business leaders would be wise to learn from the mistakes of their peers and not make the major security gaffes that the following organizations have made:
1. Heartland Payment Systems
In 2008, Heartland’s computer system was hacked, exposing the credit card transaction data of hundreds of thousands of merchants who use Heartland to conduct transactions. The hackers penetrated the system and used SQL injection attacks to harvest 134 million credit card numbers. Albert Gonzalez was later indicted for the attack and sentenced to 20 years in prison.
The weakness in Heartland’s system lay in the fact that although its database of card numbers was encrypted, the numbers were decrypted for use in other applications, exposing them in transit or while they were being processed. Due to the attack and the resulting media and public fallout, Heartland fast-tracked the development of an end-to-end encryption security solution to protect transaction data. The new system gave merchants the option of encrypting cards via a tamper-resistant security module on the cash register, so the card numbers weren’t kept on the merchant’s system. The numbers then remained encrypted throughout Heartland’s network.
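The injection pattern named above, as an added example that is not Heartland's code: a lookup built by string formatting lets caller input rewrite the query and return every merchant's rows, while the same lookup with a bound parameter treats that input as data. The table and values are constructed for the demo.

```python
import sqlite3

# Constructed sample data: a tiny in-memory table, not Heartland's schema.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE txn (merchant_id TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO txn VALUES (?, ?)",
                   [("M1", "1111"), ("M2", "2222"), ("M3", "3333")])
    return db

def lookup_vulnerable(db, merchant_id):
    # String-built SQL: the caller's input becomes part of the query text,
    # so a quote in the input changes the WHERE clause itself.
    sql = "SELECT card_last4 FROM txn WHERE merchant_id = '%s'" % merchant_id
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, merchant_id):
    # Parameterised query: the input is bound as a value and never parsed as SQL.
    sql = "SELECT card_last4 FROM txn WHERE merchant_id = ?"
    return [row[0] for row in db.execute(sql, (merchant_id,))]

if __name__ == "__main__":
    db = build_db()
    tainted = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, "M1"), lookup_vulnerable(db, tainted))
    print("safe:      ", lookup_safe(db, "M1"), lookup_safe(db, tainted))
```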
2. RSA Security
In 2011, the security of 40 million employees’ two-factor authentication tokens was compromised when hackers breached RSA’s servers. The tokens granted access to both corporate and government networks, including defense contractor Lockheed Martin, which suffered a targeted attack as a result of RSA’s security breach. Lockheed Martin moved swiftly to stop the attack and replaced all of its RSA SecurID tokens, leaving the defense contractor’s security intact.
RSA, on the other hand, still had work to do to secure its systems and restore customer trust. Its investigation found that a spear-phishing campaign lured an employee into retrieving a message from the junk mail folder and opening a spreadsheet that carried an Adobe Flash zero-day exploit. Once inside, the attackers kept escalating their privileges until they had access to proprietary data. In response, the company began projects to strengthen security, such as incorporating geo-location data into the user authentication process.
3. TJX
In 2006, TJX disclosed that intruders had accessed its payment system through poorly protected wireless LANs. The intruders remained undetected for 18 months, during which time they accessed millions of customers’ credit card data. At the time, TJX was not in compliance with the Payment Card Industry Data Security Standard, which required merchants to implement 12 security controls for protecting consumer data; TJX had not met nine of them. After the attack, TJX implemented the improvements necessary to become compliant, including upgrading wireless security and no longer storing sensitive authentication data.
4. Department of Veterans Affairs
When a VA analyst’s laptop and external drive were stolen containing the unencrypted personal information of 26.5 million veterans in 2006, it revealed a weakness in how the VA both reported and responded to security breaches. While the analyst informed the police immediately of the theft, the VA secretary was not informed of the incident until three weeks later. It took several more days after that before a public statement was released.
In an effort to improve internal reporting, the VA created the Data Breach Core Team, which meets every week to go over suspected data breaches and categorize each potential breach as low, medium or high risk. The agency also mandated that potential breaches be reported within an hour of their discovery.
5. Sony’s PlayStation Network
Sony ended up having to shut down its online PlayStation Network for a month after the site was breached, exposing the personal information of more than 100 million users. The hackers gained access to usernames, passwords, credit card information, addresses and other sensitive data. Up to that point Sony had used a cryptographic hash function rather than encryption to protect passwords, a method proven to be weak and easy to crack.
After the attack, Sony worked to improve security by increasing software monitoring, increasing the use of encryption, adding additional firewalls and adding an early-warning system for unusual patterns.
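The password-storage weakness described above, as an added example that is not Sony's code: with a single unsalted hash, two users who chose the same password get identical stored digests, which can be matched against a precomputed table, whereas a per-user random salt and a slow, iterated function (PBKDF2 here) make each stored record unique and costly to reverse. The user names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not breach data); both chose the same password.
USERS = {"alice": "hunter2", "bob": "hunter2"}

def plain_hash(password):
    # One unsalted SHA-256 pass: same password -> same digest, precomputable.
    return hashlib.sha256(password.encode()).hexdigest()

def pbkdf2_record(password, salt=None, iterations=200_000):
    # Per-user random salt plus many iterations; returns the record to store.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iter": iterations, "hash": digest.hex()}

def pbkdf2_verify(password, record):
    # Recompute with the stored salt and compare in constant time.
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def unsalted_digests_collide(users):
    # True when two accounts share a stored digest: the password is exposed as
    # equal across users and can be looked up once for all of them.
    digests = [plain_hash(p) for p in users.values()]
    return len(set(digests)) < len(digests)

def salted_digests_collide(users):
    # With a fresh salt per account the stored hashes differ even for equal passwords.
    hashes = [pbkdf2_record(p)["hash"] for p in users.values()]
    return len(set(hashes)) < len(hashes)

if __name__ == "__main__":
    print("unsalted collide:", unsalted_digests_collide(USERS))
    print("salted collide:  ", salted_digests_collide(USERS))
    rec = pbkdf2_record(USERS["alice"])
    print("verify ok:", pbkdf2_verify("hunter2", rec), "wrong:", pbkdf2_verify("hunter3", rec))
```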
6. Gawker Media
A hacker group called Gnosis infiltrated Gawker’s systems, compromising the email addresses and passwords of 1.3 million commenters. The group also stole the source code of Gawker’s content management system. Gnosis claimed it targeted Gawker because of its arrogance and taunting remarks toward the hacking community.
Luckily, Gawker learned its lesson in humility and mandated the use of Secure Sockets Layer encryption for employees with company accounts on Google Apps, as well as two-factor authentication for anyone accessing sensitive data. To further protect its users, Gawker created optional disposable accounts that let users leave comments without storing email or password information.
7. AOL
In an interesting twist, AOL caused its own security breach by publishing a data file of search terms, along with when the searches were conducted and whether users clicked on search results. The data file was meant to be a resource for researchers, but because many queries contained personally identifiable information, it was quickly identified as a security breach and taken down. Unfortunately, by that time the data had already been copied and circulated.
Several AOL employees lost their jobs as a result of the breach, and AOL created a task force to examine privacy issues, such as how long AOL retains search data. The company also placed restrictions on access to databases holding search or other sensitive data and started training employees on privacy issues.