Notorious Security Mishaps and How To Avoid Them
In the technology sector, information security is rapidly becoming one of the most important investments a company can make.
Data breaches cost UK companies an average of £3.56 million per event in 2013. Some estimates have placed it much higher. Additionally, 2013 was the worst year in history for information security: approximately three times as much personal data was stolen last year as during any previous year.
Both small and large companies have been targeted by hackers and opportunists who misuse sensitive data. While establishing and maintaining data security is a comprehensive, challenging task, in many cases these security mishaps could have been prevented.
Here are four such incidents.
The records of approximately 27,000 customers were stolen from Barclays and sold in February 2014. The uproar was immediate and damning: politicians labeled it ‘catastrophic’ and called for the prosecution and investigation of the bank.
Investigators discovered that the stolen records were obtained from a database whose security had been left unimproved and out of date. As a result, Barclays received a £37.7 million fine more than six months after the breach occurred.
After initial speculation that a malicious insider had obtained and sold the records, probes into the incident revealed that inaccuracies in account naming and account data left customer data records exposed. The records stolen came from a financial planning program that Barclays disbanded in 2011.
The persons responsible for the breach have still not been discovered.
This was partially due to the level of specificity in the stolen records. Reports indicated that customers’ medical records, insurance information, and passport numbers had been stolen and sold to illicit traders who value the data to help target vulnerable customers and gain an unfair advantage in the market.
This should serve as a stern warning not just to banks, but to all organizations with years’ worth of customer data to secure: Older data must be secured and protected with the same vigilance as new data. Often, hackers pursue information that has been poorly protected by out-of-date systems. Failing to secure such information could leave you exposed to criminals who are prepared to detect such weaknesses.
Estimates place the number of credit card records stolen from Target by hackers anywhere between 40 and 70 million. Either way, it constituted the single largest retail security breach in United States history.
Here’s how it worked: hackers gained access to Target’s payment system by using the credentials of one of Target’s vendors. Then, just before Thanksgiving 2013, they introduced malware that infiltrated all of Target’s 1,797 stores in the United States. Each time customers swiped their credit card in the checkout line, their information was sent to and stored in a server that the hackers had taken over.
Crucially, Target’s antagonists were not especially creative or inventive in their methodology. The hackers’ success was more a result of shocking inattention on Target’s part than skill on theirs.
For Target, it was a financial nightmare: in the quarter after the breach occurred, the retail giant reported a profit 46 percent lower than the same quarter a year prior. Share forecasts fell as much as $0.30 per share. Target spent more than $60 million in response efforts during the three months that followed. To top it all off, Target now faces years of federal probes and investigations about the breach.
Some of the most important information to emerge from the incident revealed that Target missed crucial vulnerabilities in the months leading up to the attack, which occurred during the 2013 holiday season.
Investigations also uncovered that Target’s security systems had detected the hack when it first occurred. It was then reported to Target’s cybersecurity headquarters, but no one at Target responded for weeks. In other words, the hacks were detected. They just weren’t acted upon.
Target did not make a move until December 12, when federal investigators informed them of something suspicious. It was not until December 15th that Target was able to remove the offending malware.
Target didn’t need to be especially sharp to guard themselves against the attack—they just needed to respond to the information they received. They didn’t fail to prepare for an attack; they merely failed to act upon the information they received.
That may sound incredible. However, retail companies are able to detect and eliminate threats to their own security just five percent of the time.
The Target incident proves that setting up the right system isn’t enough. Proper protocol and diligent, dutiful data management are necessary. Target suffered almost as much from the news that it bungled its own security as it did from the breach itself.
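The gap described above, alerts that are raised but never acted upon, can be checked for mechanically. The following is an added example, not part of the original article: it groups repeat alerts and lists those that nobody has acknowledged within a response-time target. The SLA values, host names and alert records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical response-time targets per severity (assumed values).
SLA = {"critical": timedelta(hours=1), "high": timedelta(hours=4),
       "medium": timedelta(hours=24)}

# Constructed sample alerts: (raised_at, host, signature, severity, acknowledged_by)
ALERTS = [
    ("2024-03-01T02:10", "pos-017", "malware.generic", "critical", None),
    ("2024-03-01T02:40", "pos-017", "malware.generic", "critical", None),
    ("2024-03-01T03:05", "pos-022", "malware.generic", "critical", "analyst1"),
    ("2024-03-01T09:00", "web-01", "port-scan", "medium", None),
    ("2024-03-02T08:30", "db-03", "exfil.outbound", "high", None),
]

def overdue_alerts(alerts, now):
    """Group repeat alerts by (host, signature) and return the groups that
    nobody has acknowledged within the SLA for their severity."""
    groups = {}
    for raised_at, host, sig, severity, acked_by in alerts:
        raised = datetime.fromisoformat(raised_at)
        g = groups.setdefault((host, sig), {
            "host": host, "signature": sig, "severity": severity,
            "first_seen": raised, "count": 0, "acked": False})
        g["first_seen"] = min(g["first_seen"], raised)  # age runs from first firing
        g["count"] += 1
        g["acked"] = g["acked"] or acked_by is not None
    overdue = []
    for g in groups.values():
        age = now - g["first_seen"]
        if not g["acked"] and age > SLA[g["severity"]]:
            overdue.append({**g, "overdue_by": age - SLA[g["severity"]]})
    # Longest-ignored alerts first, so they are escalated first.
    return sorted(overdue, key=lambda g: g["overdue_by"], reverse=True)

if __name__ == "__main__":
    for g in overdue_alerts(ALERTS, datetime(2024, 3, 2, 10, 0)):
        print(g["host"], g["signature"], g["severity"],
              "fired", g["count"], "times, overdue by", g["overdue_by"])
```

Run on a schedule against the real alert queue, a report like this makes an ignored detection visible to someone other than the team that ignored it.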
Sony lost around $171 million when its systems were hacked in 2011. A series of data breaches compromised the records of over 100 million PlayStation customers and users.
Included in the list of victims were customers located in Germany, Austria, the Netherlands, Spain, the United Kingdom and the U.S.
Experts suggest that hackers may have used a basic injection of malicious SQL code to mine the data of Sony’s millions of customers. That hasn’t been confirmed, though. Others have pointed to firmware named ‘Rebug’ which allows PlayStation owners to use the console to access an internal PlayStation development network. Once they got into the internal network, hackers had already bypassed many of the security mechanisms Sony had set up.
Much of the data stolen from Sony was entirely unencrypted, making it an unbelievably easy target for data thieves.
The lesson? Guard your sensitive information against hackers from around the globe.
Data is global and business is global; therefore, threats to information security are global. Companies that fail to adopt a global strategy for data security and encryption leave themselves at risk.
29 of 2013’s breaches were identified as “global breaches that impact European targets.” Over 415 million records that were hacked globally affected people in Europe. In an increasingly globalized marketplace, data is often left exposed for attackers around the world to mine and steal.
Turkish Government, 2011
Governments are not immune to security breaches; in fact, the information technology systems set up by local and federal governments are often behind schedule in terms of their effectiveness at preventing breaches.
One of the most serious breaches of government cybersecurity came at the expense of the Turkish government.
Turkey’s vulnerability was exposed by the infamous ‘hacktivist’ group Anonymous in 2011. Working in conjunction with RedHack, a Turkish hacker group, Anonymous took advantage of weak encryption in the publishing program Plesk. Hackers used vulnerabilities in website code to gain access to servers used by the Turkish federal government. By utilizing an international network of hackers, Anonymous was able to quickly bypass security structures and gain access to the private records of hospitals, police agencies and government organizations.
In all, over 350 websites were believed to have been affected by this hack. Here, the Turkish government needed to realize that sensitive data requires special attention. Along each step of the way, handlers of important data must prioritize security. That means common publishing platforms must either be beefed up or eschewed in favor of better-encrypted publishing solutions.
Data breaches are on the rise, and preventing them is simultaneously becoming much more difficult and much more important.
That is a toxic combination for businesses as well as customers, who rely on corporations to keep their personal information secure. Indeed, corporations are targeted most frequently in cyber attacks, a full 51 percent of the time. To compound that, 89 percent of the records stolen in security breaches were accessed through corporate security networks.
Network security systems, however, can only do so much. As evidenced by the case studies above, people are just as important to security efforts as the systems they maintain. Involving educated, proactive individuals in the protection of your company’s data is the first step towards achieving reliable data security.