Henry David Thoreau, a famous American essayist, poet, and philosopher who is known for having lived simply along Walden Pond, once observed, “If misery loves company, misery has company enough.”
Thoreau chose his life deliberately in response to the “quiet desperation” he saw in his fellow man during the nineteenth century. He has since passed, but that desperation he once saw still lingers on, albeit in another form.
Today, Thoreau’s desperation has been made anew by information technology. Users are dependent on data, and they are only beginning to appreciate the true number, scope, and severity of the threat actors who wish to compromise their personal information and intellectual property. We as information security professionals work to prevent these instances of data theft from happening, yet we cannot anticipate every vulnerability. Attackers will find a way to penetrate our corporate networks, whether we like it or not.
The data breaches we have seen in 2014 best demonstrate this inevitability. These incidents, the number and scale of which were largely unprecedented, have challenged the security community, in part leading to an overall shift in philosophy away from prevention toward detection/remediation. Each event has been a painful reminder of the work the industry still has left to do, but it has also been an opportunity for us as a community to learn and grow.
2015 now lies before us. So that we might learn from our mistakes in the coming year, it is fitting to take a look back at some of the most “miserable” data breaches of 2014. These incidents are compiled below. May we internalize their lessons going forward.
- Korea Credit Bureau (January) – January of 2014 started off with a bang. In the wake of the data breaches at Target and Adobe, the South Korean government reported a massive security breach that compromised more than 100 million South Korean credit card accounts. The breach occurred when a contractor at the Korea Credit Bureau copied customers’ payment credentials and personal information onto an external drive. Following the incident, more than half a million customers, especially those at KB Kookmin Bank, Lotte Card and Nonghyup Bank, applied for replacement cards. At least 130 cardholders also joined a class-action lawsuit against the affected credit card providers just days after the incident.
- AOL (April) – In mid-spring, the mass media corporation AOL reported a security breach of its users’ email accounts. In a statement released on the company’s blog, the AOL Mail Team said that their investigation began after they noticed an influx of spam messages sent from AOL Mail addresses. Neither users’ financial information nor the encryption protocols protecting users’ passwords and security questions had been compromised by the incident, which affected in total approximately two percent (around 500,000) of unique AOL users. Around the same time the hack was announced, VirusBulletin published a post demonstrating that when Android users opened the AOL spam messages, their devices were infected with the ‘NotCompatible’ Trojan.
- eBay (May) – Earlier this summer, eBay asked all of its 145 million users to change their passwords following a successful attack by cybercriminals. Judging by the changes it made to its annual sales target, eBay expected a $200 million loss. Since the breach, user activity has not returned to pre-incident levels, which suggests that eBay’s economic loss might extend for months or years into the future. The auction site has also been hit by additional cyber attacks since the breach, including an XSS attack in September, an incident which has attracted criticism from multiple security experts.
- UPS (August) – UPS customers learned in late summer that their payment card details might have been hacked by cybercriminals. This revelation followed the company’s announcement that between January 20th and August 11th of this year, its security teams had seen 105,000 separate payment card transactions in which malware had infected UPS systems. In all, the malware affected 51 franchises in 24 states, or only about one percent of the company’s nearly 4,500 U.S. locations. A few days after its initial announcement, UPS declared that its security teams had successfully eradicated the malware from its PoS terminals and announced that it would offer its customers identity protection services just to be safe.
- Community Health Services (August) – Just a few days after UPS, Community Health Services, a leader in acute care medical centers in the United States, announced a breach in which 5 million patients’ medical records were exposed. In a media statement, Andi Bosshart, SVP, Corporate Compliance and Privacy Officer at CHS, said that the company suffered an external cyber attack from what they believed was an “Advanced Persistent Threat” actor based in China. The attackers allegedly gained access to the company’s networks after gleaning the user credentials off of a Juniper device via the Heartbleed vulnerability, which they then used to infiltrate a VPN and make their way through corporate networks to a patient database. By October of this year, at least one former patient had filed a class-action lawsuit against CHS.
Stay tuned for Part 2 of the series coming soon.