The 10 Biggest Data Breaches Of 2013 (So Far)
4:00 PM EST Wed. Jul. 31, 2013
The biggest data breaches in the first half of 2013 demonstrate that despite all the security technologies in place, attackers will find a way to penetrate defenses and access systems containing sensitive data. Security experts have told CRN that it's often a lapse in basic security measures that trips up businesses the most. Attackers take the easiest pathway into a corporate network to steal data and get out. Breaches are often carried out through a phishing email containing a link to an attack website or a malicious file that exploits a vulnerability on the end user's system. From password and third-party breaches to insider threats and nation-state-driven attacks, here's a look at some of the biggest data breaches so far this year, showing that no organization is immune.
Twitter recently rolled out support for two-factor authentication to bolster the security of its user base. The company made the move following the announcement of a data breach in February that exposed the usernames, email addresses and encrypted passwords of 250,000 users. The company announced that it detected unusual network activity. "We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information," wrote Bob Lord, director of information security at Twitter. "This attack was not the work of amateurs, and we do not believe it was an isolated incident."
Despite all the technologies in place at organizations to protect user data, sometimes a third-party breach exposes information. Zendesk, which provides customer support messages to users of Twitter, Tumblr and Pinterest, announced a data breach in February that impacted its clients. The breach exposed thousands of email addresses and support messages from users of the services. Security experts said the email addresses were valuable to attackers because they could be used in well-designed phishing attacks to bait victims for more information.
In January, a highly sophisticated attack targeted reporters at the New York Times in a breach that lasted months on the newspaper giant's systems. Once inside, the attackers used valid credentials to remain stealthy on the systems, slipping past corporate antivirus and other security systems. The attackers used 45 pieces of custom malware and accessed the computers of 53 Times employees. Once inside, the attackers moved to a domain controller containing the database of hashed passwords of every Times employee. For all intents and purposes, they had the keys to the kingdom, security experts said.
The credit card data of more than 2 million customers of Schnucks Markets, a St. Louis area grocery store chain, was stolen by cybercriminals. In its breach announcement, the company said that the data was stolen from cards used at 79 of its stores. Malware on the company's system was designed to sniff network packets, stealing the credit card data before it was encrypted on the company's processing system. The company said it was notified of suspicious activity on March 15. By March 30, the company said it had contained the breach and purged its systems of the malware.
A security vulnerability exposed the email addresses and telephone numbers of an estimated 6 million Facebook users in June. The bug, uncovered through the company's white hat hacker "Responsible Disclosure" program, was found in a component of a user's contact list and address book on the social network. In its announcement of the problem, Facebook said the issue stemmed from the way it generated friend recommendations based on contact information uploaded to the social network. The company said no other information was exposed on users.
Mobile data storage firm Evernote reset passwords for an estimated 50 million of its users after detecting that its systems were infiltrated by attackers. The data breach was detected in March. The company said that its security team found suspicious activity on its network that appeared to be a coordinated attempt to access its restricted corporate network. The passwords were protected by one-way encryption, meaning that they were hashed and salted, a process that makes them more difficult for an attacker to crack, Evernote said.
The LivingSocial data breach in April also impacted an estimated 50 million people. The e-commerce startup said the breach exposed names, email addresses and dates of birth of its users. The company did not disclose how it detected the attack. Credit card data was stored in separate payment processing systems that were segmented from the rest of the company's network, the company said.
As many as 160,000 Social Security numbers were exposed after hackers infiltrated the website of the Washington State Administrative Office of the Courts (AOC). In a breach announcement posted in May, the state agency said the breach included 1 million driver's license numbers. In addition to the seriousness of the data that was stolen, the information was potentially embarrassing and damaging to victims' reputations, security experts said. The data was from people who were booked into a city or county jail in 2011 and 2012 or received a DUI citation between 1989 and 2012, the agency said. The agency discovered the lapse in March.
Third-party software used to process background checks on Department of Homeland Security employees contained a vulnerability that exposed names, Social Security numbers and dates of birth of potentially thousands of employees. The agency began notifying employees in May. In an announcement on its website, the DHS said the flaw existed since 2009, but so far there is no evidence that any of the data has been used fraudulently. "The Department is also working with the vendor on notification requirements for current contractors, inactive applicants, and former employees and contractors," the agency said.
Edward Snowden, the high-profile Booz Allen government contractor, is receiving widespread headlines for releasing data on the National Security Agency's surveillance program as part of its counterterrorism activities. Security experts told CRN that the breach is an example of the internal threats posed to organizations. Snowden was with Booz Allen for only three months, assigned to a team in Hawaii. Snowden had access to top-secret data and over time used a thumb drive to take thousands of confidential documents, damaging to the NSA. He remains in Moscow where he has sought political asylum.