The Top 10 Security Breaches Of 2012
10:00 AM EST Fri. Dec. 21, 2012
The more tightly our businesses and personal lives become intertwined with technology, the more the bad guys raise their game in trying to steal sensitive data that can lead to a wealth of information and a wealth of, well, wealth. The good guys do their best to try and fend off those attacks, but they also face a variety of challenges, including tight budgets. Other times, things simply seem to be a little lax. But in all cases, protecting sensitive information is a tough job. As the saying goes: "The good guys need to be right all the time. The bad guys just need to be right once."
The No. 10 spot in our countdown goes to Wyndham Hotels. All that technical mumbo-jumbo designed to protect credit card numbers was apparently not worthwhile. So when credit card data was stored in plain text, Wyndham might've been the only ones surprised when cyber thieves broke in and stole some of them. With faith in the premise that lightning never strikes twice, Wyndham apparently decided it had paid its proverbial dues. But, guess what. Wyndham got hit three times in two years. More than 600,000 credit card numbers fell into the wrong hands, and some $10.5 billion in fraudulent transactions was reported, gaining the hotel chain some much-needed attention from the Federal Trade Commission.
More than 400,000 plaintext Yahoo passwords were posted on the Internet on July 11th. While this is a lower number of victims than the Wyndham Hotels breaches, Yahoo gets bumped up a notch due to the "Tech-Company-Shoulda-Known-Better" factor. The hack appeared to have been focused on the voice services side of the house, but it was widely recommended that anyone with a Yahoo account reset their password immediately. The hackers are believed to have used Union-based SQL injection to collect the data, and they posted the passwords on the Internet as a means of embarrassing Yahoo and making a point about the oftentimes less-than-stellar state of information security.
The hacktivist group known as "AntiSec" released an archive of more than a million Apple Unique Device Identifiers (UDIDs) that were apparently snagged from an FBI computer. The group claims to have at least 11 million more UDIDs, but 11 million benefits of the doubt might be a bit much. It is believed that the group leveraged a Java vulnerability to access user names, device names, cell phone numbers and addresses last spring. Some industry experts believe the exploit may have been driven by efforts to embarrass the Bureau, which was in the midst of investigating the hacktivist group Anonymous.
In late March, transaction processor Global Payments confirmed a network penetration resulting in the data theft of approximately 1.5 million credit cards. The theft included Track 2 data, which can be used to clone credit cards. Although credit card numbers were believed to have been taken, other information, such as names, addresses and social security numbers, was apparently not breached. While it was initially believed that the breach had only impacted merchant applicants, the company later confirmed that it affected consumers, as well.
Hacktivist group "Team Ghostshell" announced on Dec. 10 that it had posted to Pastebin records from approximately 1.6 million government and contractor accounts involving aerospace, the defense industry, financial services and law enforcement. The stolen data included names, email addresses, passwords, phone numbers and various forms of administrator account information. The group, which titled the initiative ProjectWhiteFox, was also kind enough to announce that this would be their final hack for 2012. Their efforts are intended to attract support for freedom of information on the Internet.
It's one thing when retailers and other verticals screw up on their security. But, when it happens to companies that are highly technology-driven, the breach becomes more compelling. In early June, social networking pioneer LinkedIn was tapped for approximately 6.5 million passwords, which were stored as unsalted SHA-1 hashes. But since there was plenty of work to do to crack that many passwords, the bad guys started publishing them in various places on the Web so they could combine their efforts and make better headway. Team players, they are.
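The LinkedIn item above turns on one detail: the hashes were unsalted. The added example below (my illustration, not LinkedIn's code or data; the accounts and wordlist are constructed) shows why that matters to a defender: with unsalted SHA-1, users who share a password share a hash, and one precomputed table works against every account in every leak, whereas a per-user salt plus a slow KDF (PBKDF2 here) removes both properties.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for illustration; not data from the LinkedIn breach.
USERS = {
    "alice": "linkedin2012",
    "bob": "password123",
    "carol": "linkedin2012",  # same password as alice
    "dave": "Tr0ub4dor&3",
}

def unsalted_sha1(password: str) -> str:
    """The weak scheme: a bare, fast SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """A hardened scheme: per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def duplicate_hash_groups(hashes: dict) -> dict:
    """Return digest -> users for every digest shared by two or more users."""
    groups = {}
    for user, digest in hashes.items():
        groups.setdefault(digest, []).append(user)
    return {d: u for d, u in groups.items() if len(u) > 1}

def match_precomputed_table(hashes: dict, wordlist: list) -> dict:
    """Unsalted digests can be checked against one shared, precomputed table:
    the table is built once and reused for every account and every leak."""
    table = {unsalted_sha1(word): word for word in wordlist}
    return {user: table[d] for user, d in hashes.items() if d in table}

def build_salted_store(users: dict) -> dict:
    """Store (salt, digest) per user; each salt is fresh, so no table is reusable
    and equal passwords no longer produce equal digests."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_pbkdf2(password, salt))
    return store

def verify_salted(store: dict, user: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = store[user]
    return hmac.compare_digest(salted_pbkdf2(password, salt), digest)
```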
An attack on a network used by both the Nationwide Insurance Company and the Allied Insurance Companies breached personal information of an estimated 1.1 million customers and applicants. The Oct. 3 attack netted a wealth of information, including names, Social Security numbers, driver's license numbers, dates of birth and possibly marital status, gender, occupation and employment information. Medical information and credit card numbers were not believed to have been breached. Although the number of records breached is far smaller than in several of the incidents placed lower on our countdown, the value of the information stolen raises this case to a higher level.
Approximately 3.8 million tax records and nearly 400,000 credit card numbers were stolen from the South Carolina Department of Revenue. More than 2 million additional pieces of information were also taken through the same spearphishing attack, which captured employee usernames and passwords that were then used to gain access to the sensitive data. Improper password policies and failure to encrypt social security numbers were key enablers of the operation, which also led to the resignation of the agency's director. It's believed to be the largest data theft from a state government.
A data breach is bad enough. But, what happened in January to customers of online shoe and clothing retailer Zappos was more like a data deluge! Personal details on as many as 24 million people were hacked and stolen. And, the thieves got a lot more than just isolated data points here and there. The bad guys walked away with names, home addresses, email addresses, phone numbers, the last four digits of credit card numbers, and passwords. Fortunately for the victims, however, those passwords were at least encrypted. Furthermore, the company stepped up with a highly proactive response that involved new passwords and increased numbers of call center folks to help victims navigate the situation. But, with a list of victims 24 million lines long, Zappos takes the runner-up position for the biggest breach of 2012.
Our top award for The Biggest Breach of 2012 goes to the government sector, which, according to Boston-based security vendor Rapid7, has reported 268 individual data breaches over a period of roughly three years. Yes, the South Carolina breach is called out in our countdown, but the rest of the sector has plenty of room for improvement, too. In all, governments reportedly exposed more than 94 million records containing personally identifiable information. The data reveals that the number of breaches has continued to escalate each year since 2009. And, it's expected that the likely tally for 2012 will actually double the number from 2011. In addition to hacking incidents, the numbers include unintended disclosure, the loss or theft of portable devices and physical loss of devices.