The 15 worst data security breaches of the 21st Century
Security practitioners weigh in on the 15 worst data security breaches in recent memory.
February 15, 2012 — CSO —
Data security breaches happen daily in too many places at once to keep count. But what constitutes a huge breach versus a small one? For some perspective, we take a look at 15 of the biggest incidents in recent memory. Helping us out are security practitioners from a variety of industries, including more than a dozen members of LinkedIn's Information Security Community, who provided nominations for the list.
- 1. Heartland Payment Systems
- Date: March 2008
- Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems.
A federal grand jury indicted Albert Gonzalez and two unnamed Russian accomplices in 2009. Gonzalez, a Cuban-American, was alleged to have masterminded the international operation that stole the credit and debit cards. In March 2010 he was sentenced to 20 years in federal prison. The vulnerability to SQL injection was well understood and security analysts had warned retailers about it for several years. Yet, the continuing vulnerability of many Web-facing applications made SQL injection the most common form of attack against Web sites at the time.
- 2. TJX Companies Inc.
- Date: December 2006
- Impact: 94 million credit cards exposed.
There are conflicting accounts of how this happened. One holds that a group of hackers took advantage of a weak data encryption system and stole credit card data during a wireless transfer between two Marshall's stores in Miami, Fla. The other has them breaking into the TJX network through in-store kiosks that allowed people to apply for jobs electronically. According to KNOS Project cofounder and chief architect Kevin McAleavey, this was possible because TJX's network wasn't protected by any firewalls. Albert Gonzalez, hacking legend and ringleader of the Heartland breach, was convicted and sentenced to 40 years in prison, while 11 others were arrested.
- 3. Epsilon
- Date: March 2011
- Impact: Exposed names and e-mails of millions of customers stored in more than 108 retail stores plus several huge financial firms like CitiGroup Inc. and the non-profit educational organization, College Board.
The source of the breach is still undetermined, but tech experts say it could lead to numerous phishing scams and countless identity theft claims. There are different views on how damaging the Epsilon breach was. Bruce Schneier, chief security technology officer at BT and a prolific author, wrote in a blog post at the time that, "Yes, millions of names and e-mail addresses (and) other customer information might have been stolen. Yes, this personal information could be used to create more personalized and better-targeted phishing attacks. So what? These sorts of breaches happen all the time, and even more personal information is stolen." Still, Kevin McAleavey of the KNOS Project says the breach is being estimated as a $4 billion loss. Since Epsilon has a client list of more than 2,200 global brands and handles more than 40 billion e-mails annually, he says it could be "the biggest, if not the most expensive, security breach of all-time."
- 4. RSA Security
- Date: March 2011
- Impact: Possibly 40 million employee records stolen.
The impact of the cyber attack that stole information on the company's SecurID authentication tokens is still being debated. The company said two separate hacker groups worked in collaboration with a foreign government to launch a series of spear phishing attacks against RSA employees, posing as people the employees trusted, to penetrate the company's network. EMC reported last July that it had spent at least $66 million on remediation. But according to RSA executives, no customers' networks were breached. John Linkous, vice president, chief security and compliance officer of eIQnetworks, Inc., doesn't buy it. "RSA didn't help the matter by initially being vague about both the attack vector, and (more importantly) the data that was stolen," he says. "It was only a matter of time before subsequent attacks on Lockheed-Martin, L3, and others occurred, all of which are believed to be partially enabled by the RSA breach." Beyond that, Linkous says, is the psychological damage. "The breach of RSA was utterly massive not only from a potential tactical damage perspective, but also in terms of the abject fear that it drove into every CIO who lost the warm-and-fuzzy feeling that the integrity of his or her enterprise authentication model was intact." Among the lessons, he says, are that even good security companies like RSA are not immune to being hacked. Finally, "human beings are, indeed, the weakest link in the chain," Linkous says.
- 5. Stuxnet
- Date: Sometime in 2010, but origins date to 2007
- Impact: Meant to attack Iran's nuclear power program, but will also serve as a template for real-world intrusion and service disruption of power grids, water supplies or public transportation systems.
The immediate effects of Stuxnet were minimal -- at least in this country -- but eIQnetworks' John Linkous ranks it among the top large-scale breaches because "it was the first that bridged the virtual and real worlds. When a piece of code can have a tangible effect on a nation, city or person, then we've truly arrived in a strange, new world," he says. Linkous says Stuxnet is proof that nation-states "are definitely actors -- both attackers and victims -- in the cyberwarfare game." He adds that the more that electro-mechanical industrial and energy systems migrate to larger networks -- particularly the Internet -- "the more we're going to see these real-world intrusions."
- 6. Department of Veterans Affairs
- Date: May 2006
- Impact: An unencrypted national database with names, Social Security numbers, dates of birth, and some disability ratings for 26.5 million veterans, active-duty military personnel and spouses was stolen.
The breach pointed once again to the human element being the weakest link in the security chain. The database was on a laptop and external hard drive that were both stolen in a burglary from a VA analyst's Maryland home. The analyst reported the May 3, 2006 theft to the police immediately, but Veterans Affairs Secretary R. James Nicholson was not told of it until May 16. Nicholson informed the FBI the next day, but the VA issued no public statement until May 22. An unknown person returned the stolen items June 29, 2006. The VA estimated it would cost $100 million to $500 million to prevent and cover possible losses from the theft.
- 7. Sony's PlayStation Network
- Date: April 20, 2011
- Impact: 77 million PlayStation Network accounts hacked; Sony is said to have lost millions while the site was down for a month.
This is viewed as the worst gaming community data breach of all-time. Of more than 77 million accounts affected, 12 million had unencrypted credit card numbers. According to Sony, it still has not found the source of the hack. Whoever they were gained access to full names, passwords, e-mails, home addresses, purchase history, credit card numbers, and PSN/Qriocity logins and passwords. "It's enough to make every good security person wonder, 'If this is what it's like at Sony, what's it like at every other multi-national company that's sitting on millions of user data records?'" says eIQnetworks' John Linkous. He says it should remind those in IT security to identify and apply security controls consistently across their organizations. For customers, "Be careful whom you give your data to. It may not be worth the price to get access to online games or other virtual assets."
- 8. ESTsoft
- Date: July-August 2011
- Impact: The personal information of 35 million South Koreans was exposed after hackers breached the security of a popular software provider.
It is called South Korea's biggest theft of information in history, affecting a majority of the population. South Korean news outlets reported that attackers with Chinese IP addresses uploaded malware to a server used to update ESTsoft's ALZip compression application. Attackers were able to steal the names, user IDs, hashed passwords, birthdates, genders, telephone numbers, and street and email addresses contained in a database connected to the same network. ESTsoft CEO Kim Jang-joon issued an apology and promised to "strengthen the security system of our programs."
- 9. Gawker Media
- Date: December 2010
- Impact: Compromised e-mail addresses and passwords of about 1.3 million commenters on popular blogs like Lifehacker, Gizmodo, and Jezebel, plus the theft of the source code for Gawker's custom-built content management system.
Online forums and blogs are among the most popular targets of hackers. A group calling itself Gnosis claimed responsibility for the attack, saying it had been launched because of Gawker's "outright arrogance" toward the hacker community. "They're rarely secured to the same level as large, commercial websites," says the KNOS Project's Kevin McAleavey, who adds that the main problem was that Gawker stored passwords in a format that was very easy for hackers to understand. "Some users used the same passwords for email and Twitter, and it was only a matter of hours before hackers had hijacked their accounts and begun using them to send spam," says McAleavey.
- 10. Google/other Silicon Valley companies
- Date: Mid-2009
- Impact: Stolen intellectual property
In an act of industrial espionage, the Chinese government launched a massive and unprecedented attack on Google, Yahoo, and dozens of other Silicon Valley companies. The Chinese hackers exploited a weakness in an old version of Internet Explorer to gain access to Google's internal network. It was first announced that China was trying to gather information on Chinese human rights activists. It's not known exactly what data was stolen from the American companies, but Google admitted that some of its intellectual property had been stolen and that it would soon cease operations in China. For users, the urgent message is that those who haven't recently updated their web browser should do so immediately.
- 11. VeriSign
- Date: Throughout 2010
- Impact: Undisclosed information stolen
Security experts are unanimous in saying that the most troubling thing about the VeriSign breach, or breaches, in which hackers gained access to privileged systems and information, is the way the company handled it -- poorly. VeriSign never announced the attacks. The incidents did not become public until 2011, through a new SEC-mandated filing. "How many times were they breached?" asks eIQnetworks' John Linkous. "What attack vectors were used? The short answer is: we don't know. And the response to that is simply: we should." "Nearly everyone will be hacked eventually," says Jon Callas, CTO for Entrust, in a post earlier this month on Help Net Security. "The measure of a company is how they respond." VeriSign said no critical systems such as the DNS servers or the certificate servers were compromised, but did say that "access was gained to information on a small portion of our computers and servers." It has yet to report what information was stolen and what impact it could have on the company or its customers. Linkous says the company's "failure to disclose until legally required to do so is going to haunt VeriSign for some time."
- 12. CardSystems Solutions
- Date: June 2005
- Impact: 40 million credit card accounts exposed. CSS, one of the top payment processors for Visa, MasterCard and American Express, is ultimately forced into acquisition.
Hackers broke into CardSystems' database using an SQL Trojan attack, which inserted code into the database via the browser page every four days, placing data into a zip file and sending it back out over FTP. Since the company never encrypted users' personal information, hackers gained access to names, account numbers, and verification codes for more than 40 million cardholders. Visa spokeswoman Rosetta Jones told Wired News at the time that CSS received an audit certification in June 2004 that it was compliant with data storage standards, but an assessment after the breach showed it was not compliant. "Had they been following the rules and requirements, they would not have been compromised," Jones said. The company was acquired by Pay-by-touch at the end of 2005.
- 13. AOL
- Date: August 6, 2006
- Impact: Data on more than 20 million web inquiries, from more than 650,000 users, including shopping and banking data, was posted publicly on a web site.
In January 2007, Business 2.0 Magazine ranked the release of the search data among the "101 Dumbest Moments in Business." Michael Arrington, a lawyer and founder of the blog site TechCrunch, posted a comment on his blog saying, "The utter stupidity of this is staggering." AOL Research, headed by Dr. Abdur Chowdhury, released a compressed text file on one of its websites containing 20 million search keywords for more than 650,000 users over a three-month period. While it was intended for research purposes, it was mistakenly posted publicly. AOL pulled the file from public access by the next day, but not before it had been mirrored and distributed on the Internet. AOL itself did not identify users, but personally identifiable information was present in many of the queries, and because AOL attributed the queries to particular user accounts, identified numerically, an individual could be identified and matched to their account and search history by such information. The breach led to the resignation of AOL's CTO, Maureen Govern, on Aug. 21, 2006.
- 14. Monster.com
- Date: August 2007
- Impact: Confidential information of 1.3 million job seekers stolen and used in a phishing scam.
Hackers broke into the U.S. online recruitment site's password-protected resume library using credentials that Monster Worldwide Inc. said were stolen from its clients. Reuters reported that the attack was launched using two servers at a Web-hosting company in Ukraine and a group of personal computers that the hackers controlled after infecting them with a malicious software program. The company said the information stolen was limited to names, addresses, phone numbers and e-mail addresses, and no other details, including bank account numbers, were uploaded. One problem was that Monster learned of the breach on Aug. 17 but didn't go public with it for five days. Another, reported by Symantec, was that the hackers sent out scam e-mails seeking personal financial data, including bank account numbers. They also asked users to click on links that could infect their PCs with malicious software. Once that information was stolen, hackers e-mailed the victims claiming to have infected their computers with a virus and threatening to delete files unless the victims met payment demands.
- 15. Fidelity National Information Services
- Date: July 2007
- Impact: An employee of FIS subsidiary Certegy Check Services stole 3.2 million customer records including credit card, banking and personal information.
Network World reported that the theft was discovered in May 2007, and that a database administrator named William Sullivan, said to own a company called S&S Computer Services in Largo, Fla., had been fired. But the theft was not disclosed until July. Sullivan allegedly sold the data for an undisclosed amount to a data broker, who in turn sold it to various marketing firms. A class action lawsuit was filed against FIS and one of its subsidiaries, charging the companies with negligence in connection with the data breach. Sullivan agreed to plead guilty to federal fraud charges and was sentenced to four years and nine months in prison and ordered to pay a $3.2 million fine. On July 7, 2008, a class-action settlement entitled each person whose financial information was stolen to up to $20,000 for unreimbursed identity theft losses.
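The CardSystems entry above describes a scheduled job that zipped card data and shipped it out by FTP every four days; that fixed-interval bulk transfer is the kind of pattern a defender can hunt for in outbound-connection logs. The following is an added example, not code from the article or from any company it names; the log format, field names and sample lines are constructed assumptions.

```python
"""Hunt for fixed-interval bulk FTP transfers in outbound-connection logs.
Added example: the log format, field names and sample lines are constructed
for illustration and do not come from the article or from CardSystems."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample: one database host ships ~8 MB over FTP every four days at
# the same hour of night, mixed with ordinary traffic.
SAMPLE_LOG = """\
2005-05-01T02:15:00 src=10.0.5.21 dst=203.0.113.9 proto=ftp bytes=8421000
2005-05-02T09:00:00 src=10.0.5.21 dst=10.0.1.5 proto=https bytes=1200
2005-05-05T02:16:00 src=10.0.5.21 dst=203.0.113.9 proto=ftp bytes=8519000
2005-05-09T02:14:00 src=10.0.5.21 dst=203.0.113.9 proto=ftp bytes=8603000
2005-05-10T11:30:00 src=10.0.5.30 dst=203.0.113.9 proto=ftp bytes=3000
2005-05-13T02:15:00 src=10.0.5.21 dst=203.0.113.9 proto=ftp bytes=8700000
"""

def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with typed ts and bytes."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["bytes"] = int(rec["bytes"])
    return rec

def find_periodic_exports(log_text, min_events=3, min_bytes=1_000_000, jitter=0.10):
    """Return [(src, dst, period_hours)] for large FTP flows that recur on a
    near-constant schedule: at least min_events transfers of min_bytes or more,
    with consecutive gaps spread by no more than jitter * mean gap."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["proto"] == "ftp" and rec["bytes"] >= min_bytes:
            flows[(rec["src"], rec["dst"])].append(rec["ts"])
    findings = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if max(gaps) - min(gaps) <= jitter * period:
            findings.append((src, dst, round(period, 1)))
    return findings

if __name__ == "__main__":
    for src, dst, hours in find_periodic_exports(SAMPLE_LOG):
        print(f"{src} -> {dst}: bulk FTP transfer every {hours / 24:.1f} days")
```

On the constructed sample the database host is flagged with a 96-hour period while the small one-off FTP session from the other host is ignored; in practice the thresholds would be tuned to the environment's normal transfer sizes.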
Other stories by Taylor Armerding