12 famous (and infamous) IT security disasters

Arrogance and excessive pride may be the deadly sins of IT security


Pride goeth before a fall

Start with failing to do the security basics. Add an unhealthy dose of laziness. Ignore the writing on the wall. And after you realize that your IT system has been attacked and your customers’ data has been compromised, don’t tell anyone about it for days, maybe longer. For extra measure, don’t thoroughly investigate what happened, because that might help you potentially avoid it in the future.

Boom, you’ve got the recipe for an IT security disaster. Here are 12 of the best-known IT security mishaps, dating back to 2011, in reverse chronological order.


Equifax (2017)

Welcome to the Museum of Disastrous Data Breaches, where Equifax deserves an entire wing. Marvel at how the credit reporting agency failed to patch an Apache Struts vulnerability disclosed in March 2017, which gave attackers access to vital data on 145 million Americans in a series of subsequent breaches. Additional missteps, which included insecure network design and ineffective breach detection mechanisms, are sure to set your pulse racing. But there’s more. The breach went unnoticed until July 29 and unannounced until Sept. 7. Equifax’s now-retired CEO blamed a single IT technician for the catastrophe. And the story’s not over. New reports suggest Equifax was warned of massive security vulnerabilities as early as December 2016. Maybe Equifax’s 2017 data breach deserves its own museum.

Related: Biggest threat from the Equifax breach? Account takeovers


Verizon (2017)

How much do you trust the security of your business partners? That question comes to mind when examining the Verizon data breach of July 2017. Six million customer records were compromised because of an unprotected Amazon S3 storage server. The server was controlled by a partner that facilitates Verizon customer service calls. The records included customer names, mobile numbers, account PINs, and home and email addresses—a veritable motherlode of data riches. Anyone who knew the server’s web address could have grabbed those files. Fortunately, the leak was plugged (within 10 days) and no loss or theft of customer information occurred, Verizon said.
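The Verizon slide turns on one misconfiguration: a storage bucket readable by anyone who knew its address. The following audit script is an added example, not code from the article or from Verizon or its partner. It checks the three places an S3 bucket can be opened to the world (a bucket policy with an "everyone" principal, an ACL grant to the AllUsers or AuthenticatedUsers groups, and a missing Block Public Access setting) and shows the weak configuration beside its corrected form. The input shapes follow what the AWS API returns for GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock; the bucket name, account id and role name are constructed placeholders.

```python
"""Audit checks for the three ways an S3 bucket ends up world-readable.
Added illustration; bucket, account id and role below are constructed."""
import json
from typing import Any, Dict, List, Tuple

# Real S3 group URIs: granting these in an ACL opens the bucket to everyone
# (AllUsers) or to anyone with any AWS account (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four flags of the S3 Block Public Access feature; all should be True.
BLOCK_PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                             "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_everyone(principal: Any) -> bool:
    """A policy principal of "*" or {"AWS": "*"} means anyone, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json: str) -> List[str]:
    """Sids (or positional labels) of Allow statements open to everyone.
    Statements carrying a Condition are still reported: a reviewer has to
    confirm the condition really narrows the audience."""
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") == "Allow" and _principal_is_everyone(st.get("Principal")):
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings


def public_acl_grants(acl: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(group, permission) pairs granted to the public S3 groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission", "")))
    return out


def block_public_access_gaps(config: Dict[str, Any]) -> List[str]:
    """Names of the Block Public Access flags that are not set to True."""
    flags = config.get("PublicAccessBlockConfiguration", {})
    return [f for f in BLOCK_PUBLIC_ACCESS_FLAGS if flags.get(f) is not True]


# Constructed weak configuration: the pattern behind "anyone with the URL
# could grab the files".
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-records/*"}]})
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
WEAK_BPA = {"PublicAccessBlockConfiguration": {f: False for f in BLOCK_PUBLIC_ACCESS_FLAGS}}

# Corrected form: access only for one named role (placeholder account id),
# no public ACL grants, and Block Public Access fully enabled.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PartnerAppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-partner-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-records/*"}]})
FIXED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
     "Permission": "FULL_CONTROL"}]}
FIXED_BPA = {"PublicAccessBlockConfiguration": {f: True for f in BLOCK_PUBLIC_ACCESS_FLAGS}}

if __name__ == "__main__":
    for label, pol, acl, bpa in (("weak", WEAK_POLICY, WEAK_ACL, WEAK_BPA),
                                 ("fixed", FIXED_POLICY, FIXED_ACL, FIXED_BPA)):
        print(label, "public policy statements:", public_policy_statements(pol))
        print(label, "public ACL grants:", public_acl_grants(acl))
        print(label, "block-public-access gaps:", block_public_access_gaps(bpa))
```

In a real account the three dictionaries would come from the corresponding boto3 calls for each bucket; the point of checking all three is that a bucket policy, an ACL and the account-level setting can each independently make a bucket public, so closing only one of them is not enough.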


FriendFinder (2016)

When hooking up with someone on the sly, it’s common sense to use protection. And when you’re looking for someone online to hook up with on the sly, it’s just as smart to use password protection. But did FriendFinder—a network of sites for people who are, cough cough, ‘looking for love’—offer reasonable password protection for users? Apparently not, as 99 percent of its user passwords (412 million accounts) were cracked in October 2016. Why? FriendFinder stored user passwords as plaintext or as hashes using the weak SHA-1 hashing algorithm, according to a LeakedSource analysis. Worse, FriendFinder reportedly converted all password letters to lowercase before hashing them, making them easier to crack. Even users who had deleted their accounts were affected, LeakedSource said.

Related: All you need to know about the move from SHA-1 to SHA-2


Anthem (2015)

Here’s something to make you feel sick: If Anthem was your health insurer prior to late 2014, you’ll need to remain vigilant against fraud for the rest of your life. That’s because the information stolen—names, birthdates, medical ID numbers, social security numbers and such—is catnip for identity thieves, who could keep the data for years before selling or using it. The breach, disclosed in February 2015, affected up to 80 million Anthem customers. Reportedly, a user at an Anthem subsidiary clicked a link in a phishing email, which enabled attackers to gain access to the healthcare provider’s IT system—and thus, its customers’ personal information. Apparently, Anthem’s customer data wasn’t encrypted, which some say showed a lax attitude toward security.

Related: 15 real-world phishing examples — and how to recognize them


Office of Personnel Management (2015)

Want to know exactly how to protect sensitive data on people? Study the best practices of the federal government’s Office of Personnel Management (OPM). Then, do the opposite. Hackers, reportedly from China, gained access to OPM’s system in 2012—and weren’t detected for nearly two years. Amazingly, another hacker or group got into OPM’s system in May 2014 and wasn’t discovered for nearly a year. Despite the extremely sensitive nature of its data (which includes government employee security clearance details), OPM epically ignored early warnings about its lax security. The organization failed to take basic measures, including encrypting data; requiring two-factor authentication; and having an inventory of all servers and databases. The breach affected 22 million current and former federal employees—including former FBI Director James Comey.

Related: Two years after the OPM data breach: What government agencies must do now


Yahoo (2014, 2013)

How catastrophic were the 2013 and 2014 Yahoo breaches? Collectively, all 3 billion of the former internet service company’s users were impacted—giving Verizon Communications, which later acquired it, a touch of buyer’s remorse. No less a figure than Edward Snowden publicly identified Yahoo as a regular target of state-sponsored hackers in 2013, before the turmoil. Yet the company didn’t hire a chief security officer until a year later. Even then, CEO Marissa Mayer reportedly didn’t give the officer the funding needed to adequately bolster security. Yahoo didn’t alert users about the breaches until two or three years later. Plus, it’s believed Mayer resisted making users change their passwords, worried it would drive them away. Silver lining? Mayer’s bonuses were yanked and two Russian spies were indicted for the attack.

Related: Inside the Russian hack of Yahoo: How they did it


eBay (2014)

A phishing email targeted at eBay employees likely started the ball rolling on the company’s massive data breach, disclosed in May 2014. In the attack, 145 million user account records (including names, dates of birth and encrypted passwords) were compromised. Attackers had total access to eBay’s network for 229 days before the intrusion was detected. Of course, such attacks can happen at any company, especially if a cleverly constructed phishing email is involved. But eBay’s response was criticized as being “more embarrassing than the attack itself,” according to The Motley Fool, noting that “it took eBay three months to notice the data breach, after which it waited two weeks to make an announcement.” eBay asked users to change their passwords and said credit card numbers were not compromised.


Target (2013)

Shades of eBay: The huge 2013 attack against Target started with a phishing email, too. Criminals used that all-too-common tactic to infect the retailer’s HVAC vendor Fazio Mechanical Services with malware. That malware, called Citadel, enabled cyber crooks to steal Fazio’s credentials—and from there, gain access to Target’s web services for vendors. Eventually, attackers obtained the personal information of 70 million Target customers and data related to 40 million credit and debit cards. (A CIO.com article describes all the steps attackers took.) Despite having the same security system as the Pentagon, a critical feature wasn’t turned on at the time of the attack because Target’s security people didn’t fully trust it, Bloomberg Businessweek reported.


LinkedIn (2012)

Pass the salt! That’s what someone at LinkedIn should have said prior to its extensive data breach. In the June 2012 attack, some 6.5 million LinkedIn passwords were thought to have been stolen. Internet security experts said LinkedIn didn’t adequately protect user passwords because they weren’t ‘salted.’ (Cryptographic salts make it much more difficult for hackers to unscramble passwords.) A year before the attack, a security researcher warned that “LinkedIn had flaws that make users’ accounts vulnerable,” according to Reuters. Immediately following the breach, LinkedIn apologized and asked users to change their passwords. The FBI has accused a Russian citizen, Yevgeniy Nikulin, of the LinkedIn and Dropbox breaches. In 2016, LinkedIn acknowledged that 100 million more users were affected by the 2012 breach than previously believed.


eharmony (2012)

Pass the salt, part deux. eharmony calls itself the “trusted online dating site for singles.” But in 2012, eharmony’s security practices proved the opposite of trustworthy when 1.5 million passwords were stolen and later released in a forum of a Russian password-cracking website. A SpiderLabs security analyst, in the spirit of research, cracked 80% of the passwords within 72 hours, Network World reported. The passwords were hashed but not salted and stored in case-insensitive mode, which dramatically cut the time needed to crack the passwords. Another security expert said that web application scanning tools could have identified and plugged eharmony’s vulnerabilities.


Dropbox (2012)

In the July 2012 Dropbox breach, someone made the sort of bad security decision that is made somewhere every day: reusing a password. At the time, Dropbox disclosed that usernames and passwords stolen from other sites were used to log into “a small number” of Dropbox accounts. Some potentially affected users were required to change their passwords. But the breach’s depth wasn’t clear until four years later, when it was discovered that the email and hashed and salted passwords of nearly 69 million Dropbox users were for sale on the dark web. Dropbox initiated a massive user password reset. Security researchers said the company had done a good job making these passwords hard to crack. So this time at least, disaster was averted. But check back with us in another four years.

Related: Is your data being sold on the dark web?


Sony PlayStation Network (2011)

In spring 2011, it was temporarily ‘game over’ for Sony’s PlayStation Network (PSN). Sony took the entire network offline worldwide for more than three weeks to rebuild it in the aftermath of a major hack. The attack had exposed the login credentials, user names, birthdays, email addresses and other information of about 77 million PlayStation Network users—a tally that later rose by nearly 25 million after further investigation. While it’s impossible to completely block unauthorized access to a system, it’s relatively simple to encrypt user data. To the surprise of some security experts, PSN passwords had been stored in unencrypted form (though Sony said they had been hashed). In the aftermath of what was then considered history’s largest data security breach, Sony estimated its losses at $171 million.

Copyright © 2017 IDG Communications, Inc.
