TeamSHATTER and other industry resources have deemed 2011 the Year of the Data Breach. October was National Cyber Security Awareness Month, and recent data breaches had many talking about security vigilance and data protection.
A study done by Verizon, the US Secret Service and the Dutch High Tech Crime Unit offered some important information regarding data breaches:
- 92% of data breaches studied were from external agents.
- 50% used some form of hacking, while 49% incorporated malware.
- 83% of victims were targets of opportunity.
- 92% of all attacks were classified as “not highly difficult.”
- 76% of all data was compromised from servers.
- 86% were discovered by a third party.
- 96% of breaches were avoidable through simple or intermediate controls.
- 89% of victims subject to PCI DSS had not achieved compliance.
Although there are significant data breaches each and every year, experts point out that data breaches really came into their own in 2011. The trend in previous years was a single, large data breach, for instance credit card data theft from Heartland Payment Systems, or the TJX breach. This year, we witnessed numerous substantial data breaches.
Privacy Rights Clearinghouse & Data Breaches
According to the Privacy Rights Clearinghouse, over 30 million records were stolen or lost as of October 25, 2011. The Privacy Rights Clearinghouse has been tracking data breaches since 2005 and has published a Chronology of Data Breaches. This includes only breached records that contain information that could be deemed useful to identity thieves, for instance Social Security Numbers (SSNs), financial account numbers, driver’s license numbers, etc.
In 2011 alone, the Privacy Rights Clearinghouse has tracked 382 breaches, involving 23.2 million sensitive records. It’s likely that the number of breached records is much higher, as not all breaches are reported and it’s often difficult to determine the actual extent of a data breach before it unfolds.
Top Ten of 2011
According to the website Security Dark Reading, the top ten largest data breaches in 2011 are as follows:
- Comodo (March 15, 2011) – After an Iranian attacker stole the username and password belonging to a Comodo-trusted partner, he used the credentials to register nine SSL certificates for seven high-profile domains (e.g. Google, Skype and Yahoo, amongst others).
- RSA (March 17, 2011) – Attackers infected an RSA employee's computer with the Poison Ivy Trojan by exploiting a Flash vulnerability in an Excel spreadsheet. This was carried out through a phishing attack disguised as an email with recruitment information. Through the compromised beachhead in the RSA network, the attackers proceeded to gather information on the SecurID authentication tokens widely used as a two-factor authentication mechanism.
- Epsilon (March 30, 2011) – Attackers got into an email server at Epsilon, a major marketing firm. Over 100 companies depended on this service, including Best Buy, Chase, Disney Destinations and Target. Attackers stole customers’ names and email addresses, which raised worries that advanced phishing attacks would soon follow.
- Automattic & WordPress (April 14, 2011) – Attackers were able to hack a number of servers run by Automattic, the company responsible for maintenance and augmentation of WordPress code. With root-level access, the attackers stole the WordPress source code, the majority of which is open source, but some is proprietary. It’s suspected that partner code was also accessed.
- Sony PlayStation Network (April 17, 2011) – Sony claimed that a PlayStation hacker (identified as part of the Anonymous movement) and the LulzSec group broke into a host of Sony properties (i.e. PlayStation Network, Qriocity and Sony Online Entertainment). The attack took down the PlayStation Network for over a month, affecting around 75 million owners and costing the company an estimated $171 million. Other US game companies, such as Sega and Bethesda Softworks, were also affected.
- Citibank (May 2011) – Hackers stole names, account numbers and contact information from Citibank. The attack took advantage of the poor design of the financial company’s website. Hackers accessed customers’ accounts by logging into a customer’s credit card account and changing the account number in the URL. Attackers gained access to about 360,000 customers’ information.
- CyWorld (July 28, 2011) – Hackers accessed the names, phone numbers and email addresses of about 35 million users from the servers of CyWorld, a social and virtual-world website. The company blamed Chinese hackers for the data breach.
- TRICARE (September 13, 2011) – TRICARE Management Activity is the US military’s healthcare provider. In September, it announced that its contractor, SAIC, had lost back-up tapes which contained information on 4.9 million patients. The companies did not disclose if the information was encrypted or unencrypted, nor did they mention the format of the information that was breached.
- Facebook (November 1, 2011) – University of British Columbia researchers sent friend requests to over 5,000 Facebook users over eight weeks. Using 102 fake accounts, the researchers sent out friend requests which, once accepted, were used to connect with even more individuals. The researchers then gathered 250 GB of friend-only data from 3,000 profiles. According to their research, about 80 percent of Facebook users could be compromised with a social network.
- Valve Software’s Steam (November 6, 2011) – Cyber-vandals were responsible for defacing Valve’s forum for its Steam game download service. The attackers accessed the database which stored account information on Steam’s 35 million users. As of December 2011, the company has not determined the amount of data taken.
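
The Citibank entry above describes a logged-in customer reaching other customers' records by changing the account number in the URL. The Python below is an added example, not code from the article or from Citibank: it puts the missing ownership check beside its corrected form and flags sessions that request accounts they do not own. All user names, account numbers, the URL path and the log format are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the article): accounts owned by each user.
OWNED = {"alice": {"4000001"}, "bob": {"4000002", "4000003"}}
RECORDS = {
    "4000001": "Alice Example",
    "4000002": "Bob Example",
    "4000003": "Bob Example (savings)",
}

def view_account_flawed(session_user, acct):
    """Flawed pattern: any logged-in user gets whatever account the URL names."""
    return RECORDS.get(acct)

def view_account_checked(session_user, acct):
    """Hardened: the account in the URL must belong to the session's user."""
    if acct not in OWNED.get(session_user, set()):
        raise PermissionError(f"{session_user} does not own account {acct}")
    return RECORDS[acct]

# Constructed access-log lines in a hypothetical format.
LOG = """\
user=alice GET /card/summary?acct=4000001
user=alice GET /card/summary?acct=4000002
user=alice GET /card/summary?acct=4000003
user=bob GET /card/summary?acct=4000002
user=bob GET /card/summary?acct=4000003
"""
LINE = re.compile(r"user=(\w+) GET \S+[?&]acct=(\d+)")

def foreign_account_requests(log_text):
    """Return {user: sorted account numbers requested but not owned}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m and m.group(2) not in OWNED.get(m.group(1), set()):
            hits[m.group(1)].add(m.group(2))
    return {user: sorted(accts) for user, accts in hits.items()}

if __name__ == "__main__":
    print(view_account_flawed("alice", "4000002"))  # another customer's record
    print(foreign_account_requests(LOG))
```
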
Given the number of significant data breaches of high-profile companies, 2011 has been deemed the Year of the Data Breach. This article takes a look at the top ten data breaches which occurred this year, affecting organizations such as Facebook, TRICARE, Citibank, and Sony. The article also provides data breach statistics from the Privacy Rights Clearinghouse.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Data security lifecycle (Domain 5)