2010: The Year in Data Breaches
December 28, 2010 9:56 AM
Wikileaks may have been the big news, but there were numerous other data breaches in 2010.
The year started off with 'Aurora' - a coordinated attack against Google, Adobe, and others, which used vulnerabilities in Internet Explorer and Adobe Reader and Acrobat to steal intellectual property and attempt to access the Gmail accounts of human rights activists. This attack brought the phrase "Advanced Persistent Threat" into the lexicon. Also, it supposedly got Google to switch all employees off Windows systems and take a more 'open' approach towards China.
It wasn't just the big guys. Many, many small businesses were targeted, too. Specialized malware hit systems used for accounting and stole hundreds of thousands of dollars, often using "money mules" recruited through help-wanted ads.
Health care companies also lost your info: a former Wellpoint employee was convicted of stealing health care providers' info to buy cell phones and forge checks. Wellpoint also notified up to 470,000 members that their personal health and financial information, including some social security numbers, was exposed after a botched website upgrade. Aetna threw out a file cabinet with the personal information of about 5,000 customers, Marsh and Mercer lost a backup tape being sent by courier with data for 121 patients, and KPMG lost an unencrypted flash drive with 3,630 records. All in all, "medical identity theft" struck 5.8% of US adults.
Hotels, especially luxury brands, rose in prominence as targets of data thieves. Westin and Wyndham both acknowledged being hit. HEI, operator of Marriotts, Sheratons and Westins, sent letters to 3,400 customers stating their credit card numbers may have been compromised.
AT&T and Apple got bad press for exposing the email address of everyone who bought an iPhone 4 in its early days, and disclosing[*] information on 114,000 3G iPad purchasers. Even an Energizer USB battery charger contained a backdoor that allowed remote access into the user's system. Malicious code spread through Twitter and a large email marketing firm had their database stolen.
Banks remained a popular target. They did themselves no favors: it was reported that up to 9,000 USB sticks are left in suit pockets at dry cleaners in London. A couple of ID thieves were convicted of stealing names and account numbers at Wells Fargo, and Wells had more trouble with insider breaches. Hackers hit online check image archiving companies for $9 million. Can't get your bank on the phone? Maybe you're the victim of a telecom denial of service, where your phone system is overloaded to divert your bank trying to confirm a transaction.
Governments lose data too: from UK Ministry of Defence down to state retirement boards. And, high school students still test their school's systems. Former NYC employees stole birth certificates and social security cards to sell. The Stuxnet worm supposedly was written by one government to target the operations of another. The Pentagon reported the "most serious" breach ever, caused by a flash drive inserted into a military laptop.
Security remains hard to do right: the much-hyped Haystack program to allow dissidents free communication turned out to be snake oil. Intel admitted the encryption key for Blu-Ray was disclosed, possibly having been brute-forced instead of leaked. A proprietary encryption key in car immobilizers was cracked. The BackTrack security testing Linux distro had its site compromised.
[*] Link goes to Gawker, who had their own small data breach incident, too.
Want to read more? My most frequent sources are The Office of Inadequate Security, the RISKS digest, and the great reporting of Brian Krebs.
For cyber-surfing.
This is clearly a fascinating post and you deserve more informed comments.
posted by East Manitoba Regional Junior Kabaddi Champion '94 at 10:01 AM on December 28, 2010 [2 favorites]
The etymology of the term ' surfing the web' is now less of a mystery.
posted by omnikron at 10:02 AM on December 28, 2010 [3 favorites]
Where I come from, we call 'em "britches." And yes, interesting post!
posted by FelliniBlank at 10:04 AM on December 28, 2010
Har, spell check wouldn't catch that. Mod help?
posted by These Premises Are Alarmed at 10:05 AM on December 28, 2010
pipped at the post, with a better joke too...I'll just go back to lurking.
posted by omnikron at 10:05 AM on December 28, 2010
TPAA, nice post. Mmmmmmm, RISKS digest....
posted by PROD_TPSL at 10:12 AM on December 28, 2010 [1 favorite]
Mod note: Once 'r' into the beach, dear friends. As you were.
posted by cortex (staff) at 10:32 AM on December 28, 2010 [4 favorites]
So, a more informed comment:
I work with people's financial data. Obliquely or directly, I have access to SSNs, addresses and other confidential information. My institution reports to state agencies and we send them all kinds of demographics information. Protecting data is hard, and for really dumb reasons. Here are some of the things that I've seen from my own position and comments I've heard.
It's hard for people in data entry positions to understand the need for rigor and security: "My job is just typing numbers and names into a terminal, how dangerous could that be?"
It's hard because of cultural inertia: "I don't see why I have to connect with (an SSL encrypted tool that looks slightly different) when (plaintext tool) works just fine".
It's hard because people who are designing the systems don't understand the tools or the risks: "SSL would take up extra bandwidth and we'd have to look at upgrading our network to accommodate that." or "FTP works just fine, why would we reimplement this data transfer to use SFTP? That's extra work for me." "(State agency) doesn't have a secure file transfer mechanism; we have to use HTTP or FTP for the data. No, they're not willing to discuss changes".
Computer system security is an abstraction piled on top of an abstraction, and people are uniformly willing to compromise because of the perception that following secure procedures is irrelevant to or will slow down their workflow. Impressing on people that yes, this is how you act because it is your job and you are a professional and you're going to do your job like a professional can be an impossible task, especially when (as an IT person) you have the culpability for a breach but not the authority to prevent it (e.g. disciplinary actions).
posted by boo_radley at 10:34 AM on December 28, 2010 [3 favorites]
It's data security theater.
posted by Obscure Reference at 10:44 AM on December 28, 2010
Sigh. I just got a letter a few days ago from the great Ohio State University indicating that a laptop with the names and SSNs of every student who took a class in the ag school from 2001-2007 was stolen, and I now get free identity protection because someone was an idiot.
My annoyance isn't the one isolated incident of someone sucking at keeping my data. It's that this happens about twice a year.
dammit.
posted by Mister Fabulous at 10:49 AM on December 28, 2010
Say it with me people...
Full Disk Encryption!
Full Disk Encryption!
Full Disk Encryption!
posted by PROD_TPSL at 10:57 AM on December 28, 2010
Computer system security is an abstraction piled on top of an abstraction and people are uniformly willing to compromise because of the perception that following secure procedures are irrelevant to or will slow down their workflow
If it's badly designed.
Using, say, SSH or HTTPS vs. Telnet or HTTP is almost unnoticeable. The trick is not to give them the option to use the less secure route.
Of course, that doesn't stop someone who's trying to leak.
posted by ChurchHatesTucker at 10:58 AM on December 28, 2010
Full disk encryption helps with laptops (or similar schemes for tapes or USB drives), but cold boot-style attacks are still possible. Full disk encryption is mostly a waste when used on servers in a datacenter (where it's often demanded) because in practice the contents of the drive are fully exposed to the OS - this only protects you if someone with a forklift steals your drive array, or in the case of improper disposal.
Not to say it shouldn't be used, especially on frequently-lost mobile devices. Sadly, 'disk encryption' (often poorly defined) can be a get-out-of-jail-free card for data breach notifications - if you claim the disk was encrypted you don't have to notify the individuals potentially exposed.
posted by These Premises Are Alarmed at 11:54 AM on December 28, 2010 [1 favorite]
Well, FDE must be used wisely. Data compartmentalization is key. No sensitive data of ANY sort should be on a portable device...
But "portable" is a fungible word. One man's data center is another man's cargo container.
It really is a constant war... with battles fought every day.
Proper computer security education is critical... and often completely forgotten.
posted by PROD_TPSL at 12:11 PM on December 28, 2010 [2 favorites]
Related: Mozilla mistakenly posted a file containing registered user data for addons.mozilla.org.
The organization claims it was notified by a third party who discovered the file on December 17th via its Web bounty program, and after investigating, does not believe the file was downloaded by others outside of Mozilla and the third party who reported the file to Mozilla. In response, Mozilla deleted all user passwords and has asked users to reset their passwords manually and change the password to any other sites which may utilize the same password.
posted by filthy light thief at 12:45 PM on December 28, 2010 [1 favorite]
There is computational overhead using HTTPS so we have to factor that in a bit. There are a lot of blog posts around about it.
Systems I work on do not offer HTTP, but if I or one of the dozens of people who have access to the DFS wanted to leak the data there is fuck all anyone could do about it. We take this stuff pretty seriously too. I once witnessed a screaming argument where the security officer was berating an ops guy for not enough man traps in the datacenter.
posted by Ad hominem at 1:23 PM on December 28, 2010
To me, there isn't much commonality between these data spills, industrial espionage, and leaks. Yes, all three are fundamentally caused by data retention in digital form, but that's about it.
posted by jeffburdges at 1:39 PM on December 28, 2010
All right, I just Googled "man trap", and the top hits had nothing to do with data security, and lots to do with boobies, Star Trek, and covered pits with spikes in them. I would have to figure your security guy may be kind of unbalanced.
posted by Xoebe at 2:11 PM on December 28, 2010
We need some real answers here. Better call Jack Bauer.
posted by Seekerofsplendor at 2:14 PM on December 28, 2010
Holy insane tag list, Batman.
"(State agency) doesn't have a secure file transfer mechanism; we have to use HTTP or FTP for the data. No, they're not willing to discuss changes".
Provincial (Canada) agencies have the same issue. I absolutely hate it.
posted by swimming naked when the tide goes out at 2:20 PM on December 28, 2010 [1 favorite]
There is computational overhead using HTTPS so we have to factor that in a bit. There are a lot of blog posts around about it.
Fixed that for us.
(Of course, as soon as you're happy, they always come up with a bigger and better one)
posted by Make Way for Ducklings! at 9:26 PM on December 28, 2010 [1 favorite]
Sony's Playstation 3 console has had its security model thoroughly eviscerated.
posted by PROD_TPSL at 3:04 PM on December 29, 2010 [1 favorite]
posted by boo_radley at 9:59 AM on December 28, 2010 [5 favorites]