According to the Identity Theft Resource Center, as of December 3, 558 breaches have been reported in 2013, and we still have nearly a full month left for more potential breaches. These breaches hit across industries; no one is immune. In late November, BitSight Technologies released a report that investigated how well specific industries were doing in their security efforts. According to the survey, the financial industry has performed the best when it comes to security effectiveness.
At the bottom of the list was the technology industry.
Not surprisingly, a number of the worst security breaches of 2013 happened within the tech industry. In fact, when asked to list the top security breaches of the past year, security experts overwhelmingly named the Adobe breach, followed closely by the more recent Pony botnet attack that focused on companies like Google and Facebook.
One of the more surprising breaches named by experts was former NSA contractor Edward Snowden’s leaks about the extent of the U.S. intelligence community’s Internet surveillance. The data breach was significant for many reasons, starting with what was revealed: pervasive signals intelligence, subversion of encryption standards, collaboration with overseas intelligence communities and many other bombshells.
Other breaches were more predictable, involving stolen devices or phishing scams. Many of the breaches are blamed on foreign hackers and cyber criminals. But the end result is that all of these breaches caused significant damage to businesses and customers. As Costin Raiu, director, Global Research and Analysis Team, Kaspersky Lab, stated:
We predicted 2012 to be revealing and 2013 to be eye opening. That forecast proved correct – 2013 showed that everybody is in the same boat. In truth, any organization or person can become a victim. Not all attacks involve high profile targets, or those involved in ‘critical infrastructure’ projects. Those who hold data could be of value to cybercriminals, or they can be used as a ‘stepping-stones’ to reach other targets.
Here is a list of the worst data breaches of 2013.
Adobe: 150 million exposed account credentials, leading to secondary breaches all over the Internet
You can’t tell the story of 2013 without Adobe, said Scott Simkin, senior product marketing manager, Palo Alto Networks. It was a breach unique in both scale and, more interestingly, the asymmetric ripple effects across the security landscape. First disclosed by Brian Krebs, the story brought an official statement from Adobe, with research revealing that more than 150 million user IDs with hashed passwords were stolen, including at least 38 million active users. Second, it showed how lax security efforts can be, even in a large tech company. The breach reportedly occurred in August or September, but Adobe did not become aware until September 17 and then, it failed to notify the affected users for over two weeks.
Initially, the breach was thought to be much smaller until people started getting their hands on the breached data that was published, according to AppRiver Security Analyst Jon French. The leaked file from the breach contained email addresses, encrypted passwords, and even password hints for Adobe users. Along with the user data breach, some source code was stolen for Adobe products as well. This code could be used for malware writers to program viruses to be more effective in attacks against that software.
In SilverSky CTO Andrew Jaquith’s opinion, the worst data breach of 2013 was former NSA contractor Edward Snowden’s leaks about the extent of the U.S. intelligence community’s Internet surveillance. The data breach was significant for many reasons, he said, starting with what was revealed: pervasive signals intelligence, subversion of encryption standards, collaboration with overseas intelligence communities and other bombshells. He added:
The second reason the breach mattered — one that has not been explored nearly as much — is how Snowden was able to get his material, and what this says about the U.S. government’s ability to compartmentalize. Snowden didn’t work for one of the agencies. He worked for an outside defense contractor. He wasn’t even a full-time employee of that contractor either, but a part-timer who had only been there for a few months. You’ve got to ask how someone who is that far removed from the center of things could get so much top secret information so quickly. He’s either a world-class social engineer, or the NSA’s circle of trust was far too wide. I’m betting on the latter. The Manning case showed that the side-effect of “better intelligence sharing” between agencies resulted in millions of people having access to classified SIPRNET information. When millions of people have access to information, some of it is guaranteed to leak.
NSA’s Spying Program, MUSCULAR
The details of the NSA’s spying program, MUSCULAR, disclosed by Edward Snowden, may prove to have the greatest impact of any breach in 2013. According to J.J. Thompson, managing director and CEO of Rook Security, the MUSCULAR program involved intercepting data from Yahoo and Google private clouds where the data is unencrypted. The data collected included email, pictures, video, text documents, spreadsheets, and an array of other similar file types. And as Zack Whittaker pointed out in a ZDNet article:
In efforts to get “free access” to the traffic that flows between data centers, the NSA had to “circumvent gold standard security measures,” according to the [Washington] Post.
With this new revelation, Google has taken a considerably stronger stance against the NSA’s spying programs, Thompson stated, adding:
And, along with Microsoft, has begun encrypting its internal network traffic. These and other major tech companies are using every resource at their disposal to fight the NSA including public relations and lobbying efforts. It is likely the greatest level of national attention ever paid to a security incident.
In September 2013, it was announced that several data aggregator companies, such as Dun & Bradstreet, LexisNexis, and Kroll Background American, were hacked by some very sophisticated attackers who placed botnet software on compromised servers. According to Michelle Johnson Cobb, vice president, Skybox Security, this allowed the attackers to work undetected for months to consolidate massive amounts of PII. The attackers then sold identifying information directly to anyone who wanted it, and it’s clear that the information could be used for years to come to commit identify theft crimes.
This botnet provided a good look at how attackers can target the reservoirs of consumer and business data, using both sophisticated attack methods and ‘Big Data’ aggregation and analytical methods for their nefarious purposes. Also, this kind of stolen data has a ripple effect for a long time. Cobb said that unlike a credit card number that can be cancelled, the names of an individual’s last three employers, previous addresses and so on will live forever, and Social Security numbers are not easily changed. So once the thieves have the information, it can be used again and again in a widening circle of breaches and fraud.
U.S. Government Breaches
The Department of Energy (DoE) breach in July leaked over 104,000 employees’ and contractors’ personal information, with huge implications in the cybersecurity world. Technically, this was the second major successful hack against the DoE this year, said Mark Vankempen, security research engineer, LogRhythm Labs:
The first one that occurred back in February left 14 servers and 20 workstations compromised. This earlier breach also led to the exposure of PII of hundreds of employees, not to mention leaving behind backdoors for future exploits. These types of breaches clearly affect the way people perceive the security of their personal information as well as federal agencies. A solid security posture that utilizes advanced security analytic techniques across the universe of data sources in your environment, combined with contextual emerging threat data, could have been the golden ticket to limiting the scope of the breach or even preventing it entirely.
The attack was made possible by leveraging a flaw in an Adobe product, most likely executed by an unsuspecting employee, added Paul Lipman, CEO of Total Defense. This highlights the need to offer employees protection while they are beyond the corporate firewall, with persistent endpoint protection.
Living Social Breach
This breach stood out in two unique ways. First, it was one of the first major breaches to hit a popular consumer site. As Paul Lipman, CEO of Total Defense, said:
Attackers having access to those users’ information (name, email, password, buying history), from a site where there is already a level of trust established, as well as urgency of message (timed deals), could lead to spear-phishing attempts in the future (such as purported emails from vendors of previous purchases, or fake new offers). This attack highlights the continued need for endpoint and email security, where any malware introduced has the chance to move laterally within a network.
The Living Social breach was also one of the first breaches that involved encrypted password theft. Encrypted passwords, Tom Cross of Lancope said in an IT Business Edge article, are valuable to bad guys:
Encrypted password hashes can be “cracked” with computer software that essentially tries millions of different possible passwords looking for a match. The bad guys will successfully crack the passwords of many Living Social users, and knowing the password, name, and email address for a person, they may be able to break into other accounts that those people maintain on other websites.
California-Based AHMC Hospitals Breach from Laptop Theft
Not all of the breaches were due to highly skilled hackers or government negligence. Sometimes terrible breaches happen because of low-tech carelessness.
In October, more than 729,000 patients were put in jeopardy when two unencrypted laptops were stolen from California-based AHMC hospitals. Private patient information, including patient names, Social Security numbers and diagnostic and procedure codes, was compromised in the theft, affecting six major health institutions overall. According to Darren Leroux, WinMagic senior director of product marketing, it took this breach for an encryption policy to be put into place at the AHMC hospital network. He said:
The damage had already been done and if you’re a person that was at risk because the data has been stolen, that’s a pretty scary situation. That health system had to answer to the people whose information was exposed and deal with the reputation and financial implications of such an event, something that could’ve been easily prevented by having a data encryption policy in place. Full disk encryption should be the foundation of any device security.
Hijacking Media Outlets
The Syrian Electronic Army (SEA) captured the “hacktivist” crown this year, with a series of defacements and hacks of major news organizations and Twitter handles, according to Scott Simkin, senior product marketing manager, Palo Alto Networks. The SEA made national headlines with its claim of an attack on President Obama from the Associated Press’ Twitter handle, causing a brief $136 billion dollar dive in the stock market. The SEA then went on to deface the New York Times, Washington Post, National Public Radio, Al-Jazeera and other major news outlets. How does this constitute a data breach? Simkin explained:
Data breaches are always about information, whether it is PII, accounts and passwords, or intellectual property. The SEA flipped this strategy on its head; marking the first time information distribution itself became the target. Social media and the news are primarily about connecting the right people with the information they want to find. When those stories come from a trusted source such as the AP’s Twitter handle or the New York Times, it is often inherently trusted itself. As we saw with the fake President Obama message, information is inherently valuable in its own right. The SEA learned that controlling the flow of information and message from a trusted source can have an outsized impact.
The Silent Breach
The scariest data breaches are the ones that companies don’t even know are happening or aren’t disclosing. In January, The New York Times revealed that its computers were stealthily compromised by Chinese hackers for a period of four months. According to a New York Times article:
The attackers first installed malware — malicious software — that enabled them to gain entry to any computer on The Times’s network. The malware was identified by computer security experts as a specific strain associated with computer attacks originating in China. More evidence of the source, experts said, is that the attacks started from the same university computers used by the Chinese military to attack United States military contractors in the past.
Yet, said Charles McColgan, CTO at TeleSign, what is even worse is the companies that don’t disclose when they have been attacked. Finance and health care companies have strict guidelines about disclosing data breaches. But many enterprise companies won’t disclose a data breach unless a legal or compliance issue forces them to do so, or unless the data has somehow already become public. If companies can get away without acknowledging a data breach, they will.
Even though the Pony botnet was first announced in early December, many security experts include it among the worst breaches of 2013. The botnet is responsible for the theft of 2 million passwords and user names from a number of different locations, including Google, Facebook, Twitter and Yahoo. According to CNN:
The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing login credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers.
According to Trustwave’s SpiderLab blog, while it looks like the attack came from the Netherlands, it is more likely that the Netherlands IP is a gateway or proxy for the infected machines. The security company believes that nearly 100 countries were hit by Pony, and that may make this breach, if not the largest in number of compromised accounts, the most international. If nothing else, the Pony botnet breach shows that way too many people are still using simple “12345” passwords.