Now that we’re a week into 2018, it’s an appropriate time to look back at the biggest information security breaches of 2017. Last year saw alarmingly high levels of cybercrime, making information security a top priority for organizations. Experts such as Nick Savvides, CTO at Symantec, say that cyber threats such as the WannaCry ransomware attack are just a “warm-up” for more sophisticated hacks, cybercrimes and data breaches in 2018.
More and more, the public is holding corporate executives accountable for data breaches instead of blaming anonymous criminal hackers. Lawmakers are also moving to hold companies to stricter breach-notification deadlines. For example, three Democratic senators introduced a data breach disclosure bill that would require companies to report such an event within 30 days; executives who deliberately conceal a hack could face prison.
Most importantly, cybercriminals do not discriminate. Here’s our 2017 information security breach review.
Criminal hackers breached Equifax and compromised the data of 145.5 million people worldwide
One of the top three credit reporting agencies, Equifax, suffered a damaging blow when criminals exploited a vulnerability in a consumer-facing web portal application and exposed millions of records. Experts say the company may never fully recover from the breach, which exposed Social Security numbers, birth dates, and driver’s license numbers. Unlike a password, those identifiers cannot be rotated, so affected individuals will remain exposed to identity fraud indefinitely.
Fallout from the data breach has been tremendous. Within days of Equifax reporting the breach, its market value fell by about $4 billion. The company has since been subject to Senate hearings and to investigations by the Federal Trade Commission and the UK’s Financial Conduct Authority. Equifax knew about the breach in July, but waited until September to announce it to the public. The public has lost trust in the company following the breach and a series of other blunders:
- Three executives sold stocks just days before Equifax publicly disclosed the breach
- Equifax initially required consumers to agree not to join a class-action lawsuit against the company, but then removed the clause after facing harsh criticism from privacy advocates and the media
- Equifax’s own support account tweeted links to a lookalike site that a developer had set up to show how easily its breach-response site, equifaxsecurity2017.com, could be impersonated for phishing
New York State responded swiftly by demanding an investigation, and then moved to bring credit reporting agencies under its cybersecurity regulations to better protect consumers.
GOP organization accidentally leaked personal data of nearly 200 million voters
One of three marketing analytics firms contracted by the GOP exposed sensitive political data gathered on more than 198 million US citizens, the largest leak of US voter records to date. Deep Root Analytics, a conservative firm that targets audiences for political ads, stored the files in a publicly accessible Amazon S3 bucket. Deep Root had aggregated the information from a variety of sources, including several Super PACs and a number of subreddits (topic-specific Reddit forums).
The data set was more than a terabyte in size and included home addresses, birthdates, and phone numbers of individual voters. The bucket also held modelled sentiment scores used to predict voter attitudes toward controversial topics including:
- Gun ownership
- Stem cell research
- The right to abortion
- Religious affiliation
- Ethnicity, plus other proprietary and publicly available information
The exposed population amounts to approximately 61% of the entire US population. UpGuard cyber risk analyst Chris Vickery, who discovered the exposed data, is alarmed at how it is being used.
More than 247,000 US DHS employee records compromised
In the first week of January the Department of Homeland Security notified affected individuals that a former DHS Office of Inspector General (OIG) employee had been found with an unauthorized copy of the OIG’s investigative case management system. The data, uncovered during an ongoing criminal investigation, contains the personally identifiable information (PII) of more than 247,000 DHS employees, plus PII on individuals under DHS OIG investigation.
DHS states that no outside attackers were involved and that, to date, there is no evidence the data was used for fraud. If you’re wondering why it took seven months to notify affected persons, the department attributes the delay to the extensive investigation, risk assessment, forensic analysis, and technical evaluation conducted by the agency and related authorities.
Yahoo increases victim headcount of its historic 2013 data breach
As far as we know, Yahoo was not the victim of a new cyberattack in 2017, but the company – now owned by Verizon – revealed in October that its 2013 breach affected all 3 billion accounts that existed at the time, not the 1 billion previously reported. Names, email addresses, and hashed passwords were compromised, but no Social Security numbers or financial information were involved.
In March, the US Justice Department indicted two FSB officers, Dmitry Dokuchaev and Igor Sushchin, over Yahoo’s separate 2014 breach of some 500 million accounts. A third defendant, Canadian Karim Baratov, pleaded guilty in November to hacking email accounts on the officers’ behalf.
In November, Yahoo and Equifax executives appeared before the Senate Committee on Commerce, Science, and Transportation. Both companies told the committee that they cannot defend against sophisticated, well-funded state-sponsored attackers by traditional means alone, and asked for closer cooperation with US intelligence agencies.
Uber rife with controversy over privacy and cybersecurity tactics
Uber disrupted the taxicab industry by empowering anyone to become chauffeurs. Complete with GPS pickup and a POS system, any person with a car and driver’s license can drive for Uber without medallions (licenses that grant taxicab drivers the right to operate). But the company is plagued with cybersecurity and privacy scandals.
This month, Uber will settle a lawsuit alleging that it unlawfully obtained the medical records of a rape victim. A former employee has accused the company of illegal surveillance, trade secret theft, and infiltrating anti-Uber activist groups outside of the US. And in 2016, criminal hackers stole the personal data of 57 million Uber drivers and riders, a breach the company did not disclose until November 2017.
The company paid $100,000 to a 20-year-old hacker to delete the data and keep silent. The way the payment was made puts the whole arrangement in a gray area: Reuters reported in December that Uber routed it through its bug bounty program, a scheme designed to pay researchers for responsibly reporting vulnerabilities, not to buy silence from someone who has already taken data.
For comparison, Uber’s bug bounty payouts typically range from about $1k to $10k, so the size of this one stood out. Two Uber executives were fired over the questionable payment, including CSO Joe Sullivan, and Uber currently faces multiple lawsuits because of the breach.
New York cosmetic company spills information of 2 million customers online
In October, researchers at Kromtech Security Center discovered publicly accessible databases containing the private information of Tarte Cosmetics customers. Tarte is a popular makeup brand, and the exposed MongoDB databases held records on 1,891,928 customers in the US and worldwide, apparently everyone who shopped on the Tarte online store between 2008 and 2017.
The root cause was a MongoDB server deployed without authentication and reachable from the internet, leaving the databases readable and writable by anyone. Things get grim from there:
- Researchers found at least two misconfigured MongoDB databases, 3.8 and 4.9 GB in size, allowing public access
- Both databases were indexed by Shodan, a search engine that catalogs internet-facing devices and services, so anyone could find them without scanning
- A group calling itself Cru3lty had already found the databases and left a ransom note demanding 0.2 bitcoin for the return of data it had deleted; in this wave of MongoDB extortion attacks the attacker typically drops the collections and leaves only the note, with no guarantee that a copy was ever kept
By Friday, October 20, all the Tarte databases had been secured, but not before anyone could read customer names, addresses, emails, purchase history, and the last four digits of customers’ credit card numbers. Beyond the extortion attempt, such data can be used in phishing emails or cross-referenced with other leaked databases to assemble the information needed to commit fraud.
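The check a practitioner wants after reading the Tarte story is whether their own mongod is listening on a public interface without authentication, the combination that Shodan indexes and the ransom crews scan for. The script below is an added example, not Tarte’s or Kromtech’s code: it parses the two-level YAML subset that mongod.conf uses, flags the weak settings, and shows the hardened form beside them. Both config texts are constructed for this example.

```python
# Added example (not Tarte's or Kromtech's code): flag a mongod.conf that
# leaves a database reachable from the internet without authentication, the
# condition behind the 2017 MongoDB ransom wave. Both config texts below are
# constructed for this example.

WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # listen on every interface
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one internal address
security:
  authorization: enabled       # every client must authenticate
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_mongod_conf(text):
    """Parse the 'section:' / '  key: value' subset of YAML that mongod.conf
    uses for the keys checked here. Comments and blank lines are ignored;
    a top-level key with a scalar value is recorded as an empty section."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith((" ", "\t")):
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf


def exposure_findings(conf):
    """Return the reasons this config exposes the database; [] means none."""
    net = conf.get("net", {})
    sec = conf.get("security", {})
    bind_ips = [ip.strip() for ip in net.get("bindIp", "").split(",") if ip.strip()]
    bind_all = (net.get("bindIpAll", "").lower() == "true"
                or bool({"0.0.0.0", "::"} & set(bind_ips)))
    auth_on = sec.get("authorization", "").lower() == "enabled"
    findings = []
    if bind_all:
        findings.append("net.bindIp/bindIpAll: mongod listens on every interface; "
                        "if the host has a public address, Shodan will find port 27017")
        reachable = True
    elif not bind_ips:
        findings.append("net.bindIp not set: releases before 3.6 listened on all "
                        "interfaces by default, so treat this as exposed unless the "
                        "version is known")
        reachable = True
    else:
        reachable = any(ip not in LOOPBACK for ip in bind_ips)
    if reachable and not auth_on:
        findings.append("security.authorization not enabled: anyone who can reach the "
                        "port can read, modify or drop every collection")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, exposure_findings(parse_mongod_conf(text)) or ["no exposure findings"])
```

Note that the hardened config still binds a non-loopback address; that is fine only because authorization is enabled and the address is internal. Binding to loopback alone, a firewall rule on 27017, and authentication are independent layers, and the 2017 victims had none of the three.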
Customer data for car-tracking company leaked
On September 18, Kromtech discovered a publicly accessible Amazon S3 bucket containing SVR Tracking data on about 540,000 accounts, including email addresses, passwords, license plates, and vehicle identification numbers (VINs). In some cases a single account was tied to multiple vehicles.
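Both the Deep Root voter file and the SVR Tracking data were found in S3 buckets that anyone could list. An S3 bucket becomes public in one of two ways: an ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy whose principal is a wildcard. The script below is an added example, not UpGuard’s, Kromtech’s or AWS’s code, that checks both for a bucket; the ACL and policy documents are constructed in the shape the S3 API returns them and are not the real Deep Root or SVR settings.

```python
import json

# Added example (not UpGuard's, Kromtech's or AWS's code): decide whether an S3
# bucket's ACL or bucket policy grants access to the world. The ACL and policy
# documents below are constructed in the shape the S3 API returns them; they
# are not the real Deep Root or SVR Tracking settings.

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

OWNER = {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}

EXPOSED_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        # READ on the bucket lets anyone list its keys, which is how exposed
        # buckets are typically found before a single object is downloaded.
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-voter-data/*",
    }],
})


def acl_public_grants(acl):
    """Return (permission, who) for every grant to a global group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grant["Permission"], PUBLIC_GROUPS[grantee["URI"]]))
    return found


def _wildcard_principal(principal):
    """Policies can spell 'everyone' as "*" or {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_public_statements(policy_json):
    """Return (Sid, actions) for Allow statements open to everyone with no
    Condition. Conditioned statements are skipped and need manual review."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = []
    for s in statements:
        if (s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))
                and "Condition" not in s):
            actions = s.get("Action", [])
            found.append((s.get("Sid", ""), [actions] if isinstance(actions, str) else actions))
    return found


def bucket_is_public(acl, policy_json=None):
    """True if either the ACL or the policy hands access to the world."""
    if acl_public_grants(acl):
        return True
    return bool(policy_json) and bool(policy_public_statements(policy_json))


if __name__ == "__main__":
    print("exposed ACL:", acl_public_grants(EXPOSED_ACL))
    print("exposed policy:", policy_public_statements(EXPOSED_POLICY))
    print("private ACL, no policy:", bucket_is_public(PRIVATE_ACL))
```

Against a live account, the two inputs come from boto3’s `get_bucket_acl(Bucket=name)` response and the `"Policy"` string in `get_bucket_policy(Bucket=name)`; object-level ACLs can open individual keys even when the bucket passes this check, so they need the same treatment. AWS has since added account-level S3 Block Public Access settings that override both mechanisms, which is the control to turn on first.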
SVR Tracking develops and manufactures tracking products for cars and trucks so that customers can locate a vehicle after a tow or theft. A tracking device hidden in a discreet location in the vehicle reports its position every two minutes while it is moving and every four hours while it is stopped. Customers check a vehicle’s location by logging in to SVR’s portal with their credentials, which is why leaked credentials translate directly into leaked locations.
SVR stored passwords as SHA-1 hashes. SHA-1 is a fast, general-purpose hash, not a password hashing function: an unsalted SHA-1 password hash can be checked against a wordlist at billions of guesses per second on a single GPU, and because there is no salt, one table of hashed guesses cracks every account at once. Password storage should use a deliberately slow, salted construction such as PBKDF2, bcrypt, scrypt or Argon2. After Kromtech notified it on September 20, SVR Tracking secured the bucket.
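To make the SHA-1 point concrete, the added example below (not SVR Tracking’s code) cracks a constructed set of unsalted SHA-1 hashes with a single pass over a wordlist, then shows the salted PBKDF2-HMAC-SHA256 storage format that defeats that shortcut. The accounts, passwords and wordlist are constructed for this example; the 600,000 iteration default is the figure OWASP currently recommends for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Added example (not SVR Tracking's code): why unsalted SHA-1 is not password
# storage, and what to store instead. The accounts, hashes and wordlist below
# are constructed for this example.

WORDLIST = ["123456", "password", "qwerty", "letmein", "tracker2017"]


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest()


# Three records stored the way SVR reportedly stored them: bare SHA-1, no salt.
LEAKED_SHA1 = {
    "alice@example.com": sha1_hex("password"),
    "bob@example.com": sha1_hex("tracker2017"),
    "carol@example.com": sha1_hex("correct horse battery staple"),
}


def crack_unsalted_sha1(leaked, wordlist):
    """Hash each candidate once and look every account up in the table. Without
    a salt the cost is one hash per word regardless of how many accounts leaked,
    and a GPU does billions of SHA-1 computations per second."""
    table = {sha1_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


# Hardened storage: random per-user salt and PBKDF2-HMAC-SHA256 with a high
# iteration count, stored as salt$iterations$hash so the parameters travel
# with the record and can be raised later.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_password(password, stored):
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def crack_salted(records, wordlist):
    """The same attack against salted, iterated hashes: every account costs a
    full wordlist pass, and each guess costs `iterations` HMAC calls, so the
    precomputed table from crack_unsalted_sha1 is useless."""
    cracked = {}
    for user, stored in records.items():
        for word in wordlist:
            if verify_password(word, stored):
                cracked[user] = word
                break
    return cracked


if __name__ == "__main__":
    print("unsalted SHA-1:", crack_unsalted_sha1(LEAKED_SHA1, WORDLIST))
    salted = {u: hash_password(p, iterations=10_000) for u, p in
              [("alice@example.com", "password"),
               ("carol@example.com", "correct horse battery staple")]}
    print("salted PBKDF2 (10k iterations for the demo):", crack_salted(salted, WORDLIST))
```

Salting does not save a weak password on its own (alice still falls to the wordlist), but it removes the one-table-for-all shortcut, and the iteration count turns each remaining guess from nanoseconds into milliseconds.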
Kromtech was also responsible for finding 560 million exposed login credentials in a ‘leaky’ database linked to 10 popular online services, including Adobe, Tumblr, and Dropbox. Approximately 98% came from previous breaches that targeted Last.fm, Myspace, and others. Someone may have been aggregating login credentials for a while before Kromtech spotted it.
IT Governance can help your organization meet its cybersecurity obligations
Cybersecurity is a global concern because the personal data of individuals is at stake. Many organizations are required to implement an information security management system (ISMS) that protects consumer data, or face legal, financial, and reputational consequences. An ISMS sets out the policies, procedures, processes, and systems that mitigate information risks such as cyberattacks, data leaks, and theft.
ISO 27001 is the international standard describing the requirements of an ISMS. Obtaining accredited certification to ISO/IEC 27001 demonstrates an organization has defined and put in place best-practice information security processes. It is the only auditable standard that will help to ensure you have an adequate ISMS in place. IT Governance offers training and other consultancies to help your organization achieve ISO 27001 certification. Download your copy of our ISO 27001 consultancy brochure.