On a regular basis, eSecurity Planet looks back at the data breaches we’ve covered over the past month, providing an admittedly unscientific but (we hope) interesting overview of the current breach landscape.
To get some perspective on the current range of threats and recent breaches, eSecurity Planet spoke with Jaime Blasco, director of AlienVault Labs.
First, Blasco says, it’s crucial to understand that prevention alone isn’t the answer. "You are going to be breached at some point," he says. "So companies should spend more resources and money on detection capabilities."
"We have been spending millions of dollars on prevention technologies such as anti-virus, intrusion prevention systems, firewalls, and so on – but by now we know that’s not enough," Blasco says. "So we should be spending our money right now on detection capabilities, on incident response and on people, because technology alone is not going to solve this problem."
Employee training, Blasco says, is key. "Every single employee right now should be able to detect suspicious activities, such as spear phishing campaigns," he says.
Blasco says the massive Target breach offers a particularly good example of that. "They had all the technology in place to detect the attack, and they had spent a huge amount of money on that technology, and they had the people," he says. "But the people were not well trained to use that technology and to understand what the attackers were doing. So it’s a matter of training both your employees and your security experts."
Improving Threat Intelligence
It’s also crucial, Blasco says, to improve threat intelligence and data sharing. "A lot of companies in different industries are being compromised by the same people, using the same techniques, using the same infrastructure," he says. "So data sharing can make the detection process much easier for those companies, because they’ll have the information in advance, even before the attackers try to compromise them."
While some larger companies are already sharing data, Blasco says there’s a real need to broaden those efforts. "We need to encourage more and more companies to engage in these initiatives – because the bigger the data, the bigger the information about breaches and attackers we have, the better the information is," he says.
And that’s particularly true for smaller companies. "They’re the most exposed ones, because they have fewer resources, they have less technology, they have less knowledge and less people to protect against the same attackers," Blasco says. "Because, in the end, the same attackers are compromising big companies and small and medium companies."
That’s been particularly true, Blasco says, for the Heartbleed bug. "The companies that are most exposed and are still exposed to Heartbleed are small and medium companies that don’t have the knowledge and the resources to patch their systems on time – so they have to rely on bigger companies that can use their expertise to help them."
Among the data breaches that occurred in April:
The Social Security numbers of 500 employees of Florida’s Polk County School District were mistakenly made available online; the UK’s Penryn College sent a weekly summary of students’ commendations and behavioral incidents to more than 1,000 students by mistake; a former Snelling Staffing employee mistakenly exposed 9,757 people’s personal information; and a Willis North America health plan administrator mistakenly included a spreadsheet containing sensitive information in an email to company employees.
Third-party vendors were also a source of such breaches: the personal and medical information of several clients of billing vendor Pracman may have been exposed when an IT subcontractor mistakenly copied and stored the data on an unsecured server; and an undisclosed number of NCO Financial Systems customers’ personal information may have been exposed when RevSpring, the company’s communications vendor, sent an email to loan customers that mistakenly included other customers’ loan statements.
Hackers: Heartbleed and More
Hackers accessed 3 million credit and debit card numbers that had been used to make purchases at Michaels Stores and Aaron Brothers locations; AOL announced that an unidentified individual had gained access to “a significant number” of AOL users’ account information; and hackers accessed the credit card or banking information of “an estimated fewer than 550,000” customers of the Texas liquor store chain Spec’s.
Hackers accessed tax information for as many as 27,000 employees of the University of Pittsburgh Medical Center; and the personal information of 80,000 employees of federal contractors may have been exposed when a hacker accessed research firm Deltek’s GovWin IQ system.
The personal information of 1,256 Midwest Orthopaedics at Rush patients may have been exposed when a physician’s personal email account was hacked; hackers stole more than 1,400 medical records from Texas’ Lubbock Cardiology Clinic; and hackers stole approximately $35,000 in Club Carlson Gold Points from about 650 customers of the Carlson Rezidor Hotel Group.
Hackers accessed data from approximately 480,000 initial inquiry forms submitted to the British plastic surgery provider the Harley Medical Group; a hacker accessed the personal information of 55,000 members of the U.S. Veterans of Foreign Wars (VFW); and five Iowa State University servers that held 29,780 students’ Social Security numbers were hacked, though the hackers appear to have breached the servers to mine Bitcoins, not to steal data.
Hacker ProbablyOnion published information on 36,802 users of the employment website BigMoneyJobs.com and 158,128 users of the Web TV service Boxee.tv, and hacker Zer0Pwn published more than 60,000 records stolen from the Syrian Web sites Job.sy and RealEstate.sy.
The Heartbleed bug was leveraged in several cases. British parenting website Mumsnet reset all of its 1.5 million users’ passwords after hackers leveraged the bug to access user passwords and personal messages, and a teenage hacker leveraged the flaw to steal 900 Canadian citizens' social insurance numbers from the website of the Canada Revenue Agency.
Tennessee’s University Urology notified 1,144 patients that an administrative assistant had provided their names and addresses to a competing provider; an undisclosed number of La Palma Intercommunity Hospital patients’ personal information may have been accessed inappropriately by a former employee; and a former employee of Parallon Business Solutions, a billing service used by the LewisGale Regional Health System, inappropriately accessed 40 LewisGale patients’ personal information, along with patient information from 13 different New Hampshire physicians’ offices.
Laptop/Drive Theft or Loss
The protected health information of 1,079 University of Kentucky HealthCare (UK HealthCare) patients may have been exposed when a third-party vendor’s laptop was stolen; more than 5,000 Palomar Health patients’ personal and medical information may have been exposed when two unencrypted flash drives were stolen; and the personal information of 2,394 children and young adults may have been exposed when computers were stolen from the Austin, Texas office of EveryChild, Inc.
A laptop that may have held the personal and medical information of 733 Coordinated Health patients was stolen from an employee’s car; the Office of the Privacy Commissioner of Canada lost an unencrypted hard drive containing approximately 800 current and former employees’ salary information; and the Michigan Department of Community Health announced that 2,595 people’s personal information may have been exposed when a laptop and flash drive were stolen.
The Rosenthal Wine Shop notified an undisclosed number of customers that their payment card information may have been exposed when malware was installed on the computers used to process the shop’s credit card transactions; the Kaiser Permanente Northern California Division of Research notified 5,100 members that malware found on a server may have compromised their personal information; and LaCie notified an undisclosed number of customers that their personal information may have been exposed when malware was leveraged to steal transaction data from the company’s website.
The personal and medical information of an undisclosed number of Franciscan Medical Group (FMG) patients may have been exposed when several FMG employees’ email accounts were compromised by phishing attacks; and approximately $1.7 million was stolen from the UK's St. Aldhelm’s Academy after members of the finance staff were fooled by a phishing email.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at email@example.com.