The 10 Biggest Data Breaches Of 2017
Multiplying Threats
Data breach activity continued to skyrocket in the first 11 months of 2017, with the numbers of breaches jumping to 1,202, according to a report from the Identity Theft Resource Center and CyberScout. That's up 10 percent from the 1,093 breaches recording during the entirety of 2016.
Targets of the breach efforts have expanded beyond government agencies and Fortune 500 end customers to include third-party contractors and data aggregators, as well as security vendors and solution providers themselves. Attackers have gone after everything from credit card numbers and voter registration details to passwords and encryption keys.
This roundup also includes significant data exposures since 2017 has seen a rising number of security incidents due to misconfigured or poorly secured cloud servers where it's not clear whether the data had actually been breached.
From Equifax to Uber, here's a look at some of the biggest data breaches and security incidents since January.
Get more of CRN's 2017 tech year in review.
10. Carbon Black
Security solution provider DirectDefense said in August it had discovered a significant data leak in Carbon Black's endpoint detection and response (EDR) offering that was exposing thousands of files and critical data on the security vendor's customers.
The data leak problem centers around the third-party, cloud-based multi-scanner service Carbon Black uses to upload files to determine whether they are good or bad against multiple anti-virus engines, according to DirectDefense CEO Jim Broome.
Any files uploaded by the EDR offering and then forwarded to the cloud-based multi-scanner were available for sales to anyone that wants them and is willing to pay, according to DirectDefense. That involves the sale of the files submitted as samples of malware.
CarbonBlack called DirectDefense's report incorrect, saying that its optional data exfiltration feature is turned off by default, and allows customers to share information with external sources to better detect threats. DirectDefense is a top partner of Carbon Black competitor Cylance, advocating in many of its blog posts for the technology.
9. Accenture
The UpGuard Cyber Risk Team revealed in October that it had found multiple Amazon Web Services S3 storage buckets left unsecured by Accenture. The blog said the servers were configured for public access and were publicly downloadable.
At least four of those servers look to be related to software for the company's Accenture Cloud Platform. The data included information on the inner workings of the cloud platform and clients using the platform, the report said.
The unsecured server exposed secret API data, authentication credentials, certificates, decryption keys, customer information and data that could have been used to attack both Accenture and its clients, according to the report.
An Accenture spokesperson said there was no evidence that any client information was compromised since the company has other security protections in place that would prevent it.
8. Deloitte
A Guardian report in September said a Deloitte global email server was hacked, giving hackers access to emails to and from the company's staff as well as customer information on some of the company's top federal and private sector clients.
The report said the hackers could have accessed information such as usernames, passwords, IP addresses and architectural design diagrams. Deloitte discovered the attack in March, according to the report, with hackers having been in the company's systems dating back to October or November 2016.
Deloitte was not using two-factor authentication on the email server, which was hosted on the Azure cloud service, according to the report. The report said the server was compromised through an admin account.
Deloitte confirmed the hack, but said only a few clients were impacted by the attack. The company said it had engaged in a comprehensive security protocol investigation, and notified clients at risk.
7 . U.S. Securities and Exchange Commission
The U.S. Securities and Exchange Commission (SEC) in September disclosed a data breach that exploited a software vulnerability in its database filing application.
SEC Chairman Jay Clayton said the organization detected an intrusion by attackers in 2016, which "provided the basis for illicit gain through trading." The breach was the result of a software vulnerability in the test filing component of the EDGAR system, which allows users to access publicly filed financial regulatory documents, he said.
The SEC did not believe hackers stole any personally identifiable information or jeopardized any SEC operations, Clayton said, but was investigating whether hackers used the information to profit from market movements or place fake SEC filings on the site.
The SEC did not provide any information on what companies were affected by the breach or how extensive it was.
6. Cloudflare
A software bug found in February at Internet service provider Cloudflare led to the leakage of encryption keys, PII data, HTTP cookies, passwords, HTTP POST bodies, and HTTPS requests.
The leakage was caused by edge servers running past their buffer and returning memory containing the sensitive data, which was then cached by search engines.
The greatest period of impact from the bug was between Feb. 13 and Feb. 18, where around 1 in every 3.3 million requests could have been leaked, mounting to around 120,000 pages a day, Cloudflare said at the time. Customer SSL private keys were not leaked, and there is no evidence that hackers have exploited the data leakage, according to Cloudflare.
Cloudflare said it turned off email obfuscation, server-side excludes and automatic HTTPs rewrites to halt the leak. It also worked with Google and other search engines to remove cached HTTP responses.
5. Dun & Bradstreet
Approximately 33.7 million unique email addresses and pieces of contact information were exposed in March as part of a leak of a 52-gigabyte database owned by Dun & Bradstreet, according to a report in ZDNet.
The database also contains names, job titles, job functions, work email addresses and phone numbers, as well as general corporate information. It brings together information on corporations and their employees that can be sold in bulk or in part to marketers or other companies for targeted sales campaigns.
The leaked database includes information on tens of thousands of employees at AT&T, Boeing, Dell, FedEx, IBM and Xerox, the report said, as well as extensive records on more than 100,000 employees at the Department of Defense.
Dun & Bradstreet denied that any of its own systems were breached or compromised, and it is not immediately clear how the breach occurred. The database has been sold to thousands of companies, the report said, which could have then been compromised.
4. Republican National Committee Contractor
A massive leak on an Amazon Web Services server in June exposed voting data on nearly 200 million people.
The data repository owned by Republican National Convention-contracted marketing firm Deep Root Analytics was exposed by a misconfigured database stored on a publicly accessible cloud server, hosted on Amazon Web Services' Simple Storage Service (S3). The exposure was first reported by UpGuard's Cyber Risk Team.
The data exposed included personal information on more than 198 million American voters, including names, dates of birth, home addresses, phone numbers, and voter registration details.
The UpGuard report said anyone with an internet connection could navigate to the bucket and download the contents of the data warehouse. In addition to the 1.1 terabytes of exposed data, there were an additional 24 terabytes of data stored that had not been configured correctly, according to UpGuard.
3. Verizon
Personal data on more than 14 million Verizon customers was reportedly exposed in a July incident that highlights the importance of moving data protection practices to the cloud.
The security lapse involved technology supplier Nice Systems, which left Verizon customer data unprotected on an Amazon Web Services S3 storage instance, according to a ZDNet report. The data contained names, phone numbers and PINs that could be used to access their Verizon accounts.
Up to 14 million subscribers were affected, or about 10 percent of Verizon's 108 million total subscribers, according to the report. The subscribers affected were primarily those who called Verizon's customer services line in the last six months, the report said.
The report said the data was left exposed and easily accessible by guessing a simple URL that directed to the improperly configured drive, but didn't indicate if hackers had actually accessed the data. Verizon called the incident "overblown" and said there hadn't been any loss or theft of Verizon or Verizon customer information.
2. Uber
Uber disclosed in November that hackers had stolen information from up to 57 million rider and driver accounts last year in a massive data breach. The company paid the thieves $100,000 in October 2016 to delete the data and keep quiet about the breach, according to a Bloomberg News report.
The rider and driver information stolen by hackers included phone numbers, email addresses and names from a third-party server, according to Uber CEO Dara Khosrowshani. The deal in which Uber paid the data thieves was arranged by former Chief Security Officer Joe Sullivan, who Khosrowshani said was fired.
The deal had been arranged under the watch of former CEO Travis Kalanick, who left the company in August.
The incident did not breach Uber's corporate systems or infrastructure, according to Khosrowshani. He additionally said that Uber has not seen any indication that rider and driver trip location history, credit card numbers or Social Security numbers were downloaded.
1. Equifax
Equifax in September revealed a huge data breach that impacted 143 million customers of its credit and information services. The breach was first discovered on July 29 and was due to a vulnerability in a U.S. website application, which allowed hackers access to certain files.
The breach included information on names, birth dates, Social Security numbers, addresses, and some drivers license numbers. It also included more than 200,000 credit card numbers and nearly 200,000 other documents with personal identifying information.
Less than three weeks after the breach was revealed, the company announced that CEO Richard Smith would retire. The departure was effective immediately, though Smith remained as an unpaid advisor to the company.
Solution providers said Equifax's handling of the mega breach showed the need to show adequate public relations and breach notifications procedures in place. Specifically, partners said incident response needs to include the 'nontechnical' such as legal, regulatory and compliance, executive notifications, and breach notifications to customers.