
Henry David Thoreau, a famous American essayist, poet, and philosopher who is known for having lived simply along Walden Pond, once observed, “If misery loves company, misery has company enough.”

Thoreau chose his life deliberately in response to the “quiet desperation” he saw in his fellow man during the nineteenth century. He has since passed, but that desperation he once saw still lingers on, albeit in another form.

Today, Thoreau’s desperation has been made anew by information technology. Users are dependent on data, yet they are beginning to appreciate the true number, scope, and severity of threat actors who wish to compromise their personal information and intellectual property. We as information security professionals work to prevent these instances of data theft from happening, yet we cannot anticipate every vulnerability. Attackers will find a way to penetrate our corporate networks, whether we like it or not.

The data breaches we have seen in 2014 best demonstrate this inevitability. These incidents, the number and scale of which were largely unprecedented, have challenged the security community, in part leading to an overall shift in philosophy away from prevention toward detection/remediation. Each event has been a painful reminder of the work the industry still has left to do, but it has also been an opportunity for us as a community to learn and grow.

2015 now lies before us. So that we might learn from our mistakes this coming year, it is fitting that we take a look back at some of the most “miserable” data breaches of 2014. These incidents are compiled below. May we internalize their lessons going forward.

 

  • Korea Credit Bureau (January) – January of 2014 started off with a bang. In the wake of the data breaches at Target and Adobe, the South Korean government reported a massive security breach that compromised more than 100 million South Korean credit card accounts. The breach occurred when a contractor at the Korea Credit Bureau copied customers’ payment credentials and personal information onto an external drive. Following the incident, more than half a million customers, especially those at KB Kookmin Bank, Lotte Card and Nonghyup Bank, applied for replacement cards. At least 130 cardholders also joined a class-action lawsuit against the affected credit card providers just days after the incident.
  • AOL (April) – In mid-spring, the mass media corporation AOL reported a security breach of its users’ email accounts. In a statement released on the company’s blog, the AOL Mail Team said that their investigation began after they noticed an influx of spam messages sent from AOL Mail addresses. Neither users’ financial information nor the encryption protocols protecting users’ passwords and security questions had been compromised by the incident, which affected in total approximately two percent (around 500,000) of unique AOL users. Around the same time the hack was announced, VirusBulletin published a post demonstrating that when Android users opened the AOL spam messages, their devices were infected with the ‘NotCompatible’ Trojan.
  • UPS (August) – UPS customers learned in late summer that their payment card details might have been hacked by cybercriminals. This revelation followed the company’s announcement that between January 20th and August 11th of this year, its security teams had seen 105,000 separate payment card transactions in which malware had infected UPS systems. In all, the malware affected 51 franchises in 24 states, or only about one percent of the company’s nearly 4,500 U.S. locations. A few days after its initial announcement, UPS declared that its security teams had successfully eradicated the malware from its PoS terminals and announced that it would offer its customers identity protection services just to be safe.

Stay tuned for Part 2 of the series coming soon.

 

Resources:

Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the ShellShock and Heartbleed vulnerabilities.

The Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Image header courtesy of ShutterStock.com.