The Biggest Data Breaches Of 2012 (So Far)
3:00 PM EST Fri. Jul. 27, 2012
Data breaches happen all the time, frequently more often than we can report. From the large-scale exploits that have gone undetected for as many as 30 years to the attacks on (or by) high-profile players, we’ve taken a look at the biggest breaches that have hit the news throughout the first half of 2012, a list that demonstrates the number of problems that can ensue when security measures are inadequate, reminding us of the growing need for increased information security.
Credit card processor Global Payments at the end of March disclosed a breach that exposed 1.5 million consumers to fraud. The breach, which was under scrutiny by federal investigators, exposed credit card numbers, user PINs and other data but not credit card holders’ names, addresses or social security numbers. Global Payments has not released details on the cause of the breach or the results of a recently completed internal investigation, but it did disclose this week that the incident and its fallout have cost the company $84.4 million.
More than 400,000 plaintext passwords were lifted from Yahoo and subsequently posted on the Internet on July 11th. While most of the passwords seem to have been taken from the Yahoo voice services, various industry sources are recommending that everyone with a Yahoo account immediately change their passwords. A group called the D33DS Company has been attributed as the source of the breach. The hackers are believed to have used a Union-based SQL injection to collect the data, and posted the passwords as a high-profile way of making a point about Yahoo’s security, and the state of information security, in general.
If there were such thing as frequent flyer points for getting hacked, we'd hope Wyndham Hotels would be a member. After apparently storing data in plain text, the hotel chain was hacked three times in two years, leading to the theft of more than 600,000 credit card numbers and also some raised eyebrows from the U.S. Federal Trade Commission, which subsequently filed suit. The numbers were allegedly uploaded to some servers in Russia where they were reportedly used in more than $10.5 million in fraudulent transactions.
Finding love can be difficult for some of us. And for those of us in that category, why not pretend to be somebody else entirely? Our next stop in this cavalcade of password breaches involves the dating site eHarmony. Earlier this month, the company acknowledged that "a small fraction" of its user passwords had been compromised. In this case, the small fraction reportedly involved 1.5 million hashed passwords. But given the monster-size database that eHarmony must have, that might actually be a small fraction.
Hacks against colleges seemed to gain popularity during the first half of this year. Among the highlights, the University of Nebraska was targeted in the breach of as many as 650,000 current and former students going back nearly 30 years. Databases that were targeted apparently included social security numbers, addresses, financial aid information and even grades. The university says it took immediate action to shut down the breach, and worked with law enforcement agencies to identify the culprits. No word on whether they found some C students who somehow ended up with A's.
Social networking powerhouse, LinkedIn, was tapped for approximately 6.5 million unsalted SHA-1 hashed passwords posted to the Internet at the beginning of July. Because the passwords were hashed, there remained a bit of work to do in order to disclose the actual passwords, so the hackers published them publicly in order to use the buddy system. With over 160 million members worldwide, a mere 6.5 million is seemingly a drop in the bucket. But the breach stands as a testimonial to the need to adopt the latest encryption technologies.
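As an added illustration, not part of the original article, the Python below contrasts the unsalted SHA-1 storage described in the LinkedIn incident with per-user salted PBKDF2: identical passwords collide under the unsalted scheme and fall to a precomputed lookup, while the salted records do not. The account names, passwords, wordlist and record format are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample accounts; two users share the same password on purpose.
SAMPLE_ACCOUNTS = {
    "alice": "password123",
    "bob": "password123",
    "carol": "correct horse battery staple",
}
# Constructed mini-wordlist standing in for a precomputed lookup table.
WORDLIST = ["123456", "password123", "letmein", "qwerty"]

def store_unsalted_sha1(password: str) -> str:
    """Weak scheme: a bare SHA-1 digest, the same for every user with that password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Stronger scheme: random per-user salt plus a slow, iterated KDF (record format is assumed)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_salted_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def lookup_recovered(records: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline table lookup: only succeeds when the same password always yields the same stored value."""
    table = {store_unsalted_sha1(word): word for word in wordlist}
    return {user: table[stored] for user, stored in records.items() if stored in table}

def demo() -> dict:
    """Store the sample accounts both ways and report what a table lookup recovers from each."""
    unsalted = {u: store_unsalted_sha1(p) for u, p in SAMPLE_ACCOUNTS.items()}
    salted = {u: store_salted_pbkdf2(p) for u, p in SAMPLE_ACCOUNTS.items()}
    return {
        "identical_unsalted": unsalted["alice"] == unsalted["bob"],   # True: same hash for both
        "identical_salted": salted["alice"] == salted["bob"],         # False: salts differ
        "recovered_unsalted": lookup_recovered(unsalted, WORDLIST),   # alice and bob fall
        "recovered_salted": lookup_recovered(salted, WORDLIST),       # nothing matches
        "salted_verifies": verify_salted_pbkdf2("password123", salted["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```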
Okay, obviously the hack on Mitt Romney's email in early June only impacted one guy. But we're giving this one added points for high profile. The email address had been published within an image that appeared in the Wall Street Journal. The hacker then tried to log into the account, reported the password as forgotten, and then correctly guessed that "Seamus," of strap-me-to-the-roof fame, was Romney's favorite pet. Romney's Dropbox account was also accessed in much the same fashion. The exploit called to mind a similar e-mail hack against former Alaska governor Sarah Palin during the 2008 presidential campaign.
Our runner-up at the college level is the University of North Carolina-Charlotte, where bank accounts and social security numbers for roughly 350,000 students, staff and faculty members were allegedly exposed, and some were exposed for nearly 15 years, due to misconfigured security settings. The mistakes were discovered very early in the year, and a forensics team was called in to figure out exactly what had happened. School officials say they have no evidence that any of the information was actually accessed, despite the exposure.
An April attack against Iranian banks allegedly netted roughly three million debit account numbers and PIN numbers that were then posted to the Internet. The exploit was attributed by some to be an act of political hacktivism. The incident was believed to be the act of a hacker who had apparently warned authorities about the vulnerability, which became clear to him while working in a network operations role. When the exposure was not taken seriously, the individual apparently decided to reinforce his claim by accessing the account numbers and posting them, himself.
How many people need to be affected before a breach is considered major? Maybe a million? Well, in the January situation involving Zappos, a million could be a rounding error. Information on as many as 24 million people was stolen from the online shoe and clothing retailer. Data is believed to have included names, email addresses, physical addresses, phone numbers, the last four digits of the customer card numbers and encrypted passwords. The company terminated existing passwords and required customers to create new ones. It also redeployed staff from its call center to its email response team in order to have a highly proactive response.