Top 10 Security Breaches Of 2013

Hackers Influence Innovative Cybersecurity Defenses

Innovative cybersecurity products solve significant problems at businesses, but there are many factors that influence their creation. Businesses can help guide product development decisions. Compliance mandates also consistently have driven adoption of new technology. White-hat hackers who produce research and uncover flaws and cybercriminal hackers who threaten to undermine defenses both contribute to the product life cycle.

In 2013, hackers developed new methods to bypass security restrictions. They unleashed powerful denial-of-service attacks that mimic legitimate traffic better than ever before. They created new malware strains that easily bypass traditional security defenses. They honed their social engineering tactics, designing ever more believable phishing attacks to steal victims' account credentials. Drive-by attacks targeted groups of employees, stealthily infecting their systems with malware when they visited a legitimate website that had been compromised.

CRN brought together the top data breaches of 2013 to illustrate how attackers are combining many well-established methods with some ingenuity to successfully infiltrate businesses. The fallout could significantly influence adoption of new security technologies and the creation of new defenses designed to make attacks more costly to carry out.

10. Zendesk Breach

Zendesk, which provides a customer support portal for a variety of online firms, announced a breach that exposed thousands of email addresses and support messages from users of Twitter, Tumblr and Pinterest.

The breach, which took place in February and was caused by a lapse at Zendesk, a third-party provider to those firms, had a cascading effect, forcing them to alert their users to the potential exposure of their email addresses and some personal details. Security experts say the data could be used by attackers to craft phishing campaigns that are difficult to distinguish from legitimate support messages.

9. CorporateCarOnline Limo Breach

CorporateCarOnline, a maker of limousine transportation reservation software, suffered a massive breach of its systems in September, which leaked the personal details of more than 850,000 clients. The breach exposed thousands of credit cards, including the no-limit cards of some celebrities. The incident also highlighted the sensitive nature of some unstructured data, exposing the notes left for chauffeurs about clients' personal behaviors and routines.

The attackers exploited an Adobe ColdFusion vulnerability to gain access to the data. The breach underscored the risks of contracting with a third party to handle sensitive data and the need to keep systems maintained and updated with the latest security patches.

8. Facebook Breach

In June, Facebook disclosed that a software vulnerability had inadvertently exposed the email addresses and telephone numbers of approximately six million users to other users. The company said the data was exposed for up to a year before the coding error was fixed.

Facebook users who downloaded contact data for their list of friends received additional information that they were not supposed to have, the company said. Once alerted to the flaw, the company fixed it within 24 hours.

The company also dealt with other internal security incidents. Facebook detected a malware infection on the laptops of several employees in February, following a string of drive-by attacks aimed at software developers who visited a compromised mobile developer website.

7. Drupal.Org Breach

Drupal.org, the home site of the popular open-source content management system Drupal, reset the passwords of its users following a data security breach of its servers. Drupal is the platform behind hundreds of thousands of blogs and websites.

The attackers exploited a vulnerability in third-party software installed on the server infrastructure, the organization said. Exposed data included usernames, email addresses, country information and hashed passwords. The breach was announced in May and could have affected nearly a million account holders. The organization said it updated its security measures and hardened its Apache Web servers following the breach.

6. LivingSocial Breach

LivingSocial, an e-commerce startup, announced a data breach in April that impacted 50 million of its users. The attackers gained access to usernames, passwords, email addresses and the date of birth of account holders.

The LivingSocial breach highlighted a common theme among cash-strapped startups, say security experts. Most firms focus on the core product, then put money into marketing, and only then address gaps or other weaknesses in security. Fortunately, the company was PCI compliant and kept its payment-processing systems, which handled credit-card data, on a segmented network.

5. Evernote Breach

Note-taking and cloud storage firm Evernote reset the passwords of 50 million of its users after detecting in March that its systems had been breached. The firm also implemented support for two-factor authentication, giving users a second means of validating their identity in addition to a strong password.

The company said that the attack its team detected was a coordinated attempt to access its restricted corporate network. Security experts said that Evernote's strong incident response indicated that it had been preparing for an eventual breach. Fortunately, Evernote did not store passwords in recoverable form: it protected them with a one-way hash and a per-user salt, which makes them more difficult to crack.
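The salted one-way hashing that the Drupal.org and Evernote sections credit with limiting the damage of a password-database theft is easy to get wrong, so the following added example (written for this page, not code from Evernote, Drupal or any product named in the article) shows the difference in working code. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the record format, the iteration count and the function names are assumptions, not anything the article describes. Two users with the same password get different stored records, verification is constant-time, and a small constructed dictionary attack at the end shows why salting does not rescue a weak password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor is an assumption for this example; production systems should
# tune it to their hardware and raise it over time.
ITERATIONS = 50_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a bare fast hash. Identical passwords collide, so one
    precomputed table cracks every user who chose the same password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$digest'.
    A fresh random salt per user means equal passwords give unequal records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record: " + algo)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dictionary_attack(stored: str, wordlist) -> Optional[str]:
    """What an attacker does with a stolen record: try each guess through the
    same slow function. Salting forces this per record instead of once for
    the whole table; the work factor makes each guess expensive."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample users; "letmein" is deliberately weak.
    alice = hash_password("letmein")
    bob = hash_password("letmein")
    print("unsalted collision:", unsalted_sha1("letmein") == unsalted_sha1("letmein"))
    print("salted records differ:", alice != bob)
    print("alice verifies:", verify_password("letmein", alice))
    print("wrong password rejected:", verify_password("letmeout", alice))
    # Constructed wordlist standing in for a real leaked-password list.
    print("weak password cracked as:",
          dictionary_attack(alice, ["123456", "password", "letmein", "qwerty"]))
```

The record carries its own salt and iteration count so that the work factor can be raised later and old records re-hashed at the user's next login. The dictionary attack is the practical reason the article's experts still push strong, unique passwords: salting and a slow hash turn a table lookup into per-user brute force, but a password that appears in a common wordlist falls within a handful of guesses regardless.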

Security experts warn that the public should expect more password breaches and encourage users to adopt strong passwords and consider using a password management program.

4. MongoHQ Breach

The MongoHQ data security breach impacted hundreds, and potentially thousands, of cloud users. The company sells hosted MongoDB, a NoSQL database management system, as a platform service. The exposed data included email addresses, hashed password data and other customer-account information.

But at the core of the breach was the attackers' ability to reach victims' Amazon Web Services S3 storage accounts and gain access to several of MongoHQ's client databases. The breach was detected at the end of October and stemmed from a lapse in security controls around the company's internal support application. An employee had reused, for the support tool, a password from a personal account that had been compromised elsewhere, the firm said. Security experts repeatedly warn that basic lapses such as password reuse and weak controls around internal tools can result in a serious breach.

3. Target Corp. Credit Card Breach

Investigators are still determining the scope of the Target Corp. credit card breach. The systems breach exposed at least 40 million credit and debit cards, and the attackers struck at the start of the holiday shopping season. The incident recalls previous credit-card breaches, including the TJX breach in 2007 and the millions of cards stolen at Heartland Payment Systems and the Hannaford Bros. supermarket chain. At the core of all of these breaches were fundamental security lapses that attackers exploited.

While few details are known about how the attackers gained access, the breach once again places attention on the Payment Card Industry Data Security Standard (PCI DSS). Security experts have pointed out that PCI DSS has become a model for how an industry can effectively regulate itself. The standard sets out the minimum steps merchants must take to protect sensitive payment systems, and it is enforced in various ways by each of the payment brands. Whether the breach will prompt lawmakers to consider stronger standards and stiffer penalties remains to be seen.

2. New York Times Breach

Hackers gained and maintained access to the internal systems of The New York Times for months before reporters were tipped off that a potential problem existed. Computer forensics investigators told CRN that the attackers used custom tools to carry out their campaign. Most of the attention focused on two reporters who were working on a story critical of the Chinese government.

The breach shined a light on government-sponsored cyberespionage attacks and the sophistication a hacking group can bring to bear when it has resources behind it. It also helped direct attention to some critical security best practices, including the need for proactive network monitoring, the importance of strong passwords and the value of segmenting systems containing sensitive data. The attackers used dozens of pieces of custom malware in the campaign, enabling them to move through the network to a domain controller holding the hashed passwords of every Times employee.

1. Booz Allen Hamilton -- The National Security Agency Breach

Security experts say that Edward Snowden, the former government contractor who leaked information on the National Security Agency's surveillance programs, illustrated how important it is to properly vet employees charged with maintaining critical systems and processes. Snowden was one of nearly 500,000 contractors who were granted a top-secret security clearance. Despite some resume discrepancies, he was hired by Booz Allen Hamilton. He worked as a contractor for the NSA in Hawaii with an annual salary of $122,000.

The NSA breach was reportedly carried out using flash drives and the account credentials of other employees to gain access to critical systems. Snowden reportedly took hundreds of thousands of files. He then leaked the documents to reporters, uncovering a broad domestic and foreign surveillance campaign that sought to analyze large swaths of Internet communications and cell phone records. Snowden helped foster a conversation about how far the government's reach should extend when conducting intelligence-gathering activities. In addition to shining light on potential encryption weaknesses and implementation lapses, he helped foster interest in insider threat prevention. His actions also drew attention to the apparent collaboration between U.S. technology providers and the government. The data breach could have a dramatic impact on the integrity and resiliency of the underlying systems behind Internet communications and the mechanisms used to provide a level of privacy for their users.