Each month, eSecurity Planet looks back at the data breaches we’ve covered over the past 30 days or so, providing an admittedly unscientific but potentially interesting overview of the current breach landscape.
To get some perspective on the current range of threats, eSecurity Planet spoke with ESET senior security researcher Stephen Cobb.
A leading cause of data breaches for the past several months has been the theft or loss of unencrypted laptops and USB drives. "If there’s a difference between a laptop theft today and 10 years ago, it’s that it’s probably got saleable data on it," Cobb says. "Something that we see in talking to organizations is that a lot of people are not yet fully aware that data about people has a value in a very structured black market."
Thus a stolen laptop is far more likely to lead to a data breach today than it was a decade ago. "Whether or not, in a particular instance, a thief was looking for the data on the machine, the fact that there is this market in name, address, Social Security number, phone number, credit card data and so on, makes the loss of a device which has got that data on it all the more potentially damaging," Cobb says.
Rethinking the Thumb Drive
While the same is true of USB drives, they’re generally treated with far less care than laptops.
"You can buy a 16GB thumb drive at the drugstore for $12, and you can put information on it, the loss of which would cost you a million dollars," Cobb says. "Not enough people are looking at it like that. For $80, you can buy one that’s encrypted automatically, but they look at the difference in price and they say it’s not worth it. But when you look at the million-dollar impact, it’s a different calculation."
A second leading cause of breaches is employee error. One of the key drivers behind such breaches, Cobb says, is the fact that newer areas of data handling often get neglected in terms of corporate policy. "Policies and procedures often lag behind the systems that they’re supposed to protect," he says.
The start of a new year, he says, is a great time to make sure your policies and procedures are keeping up with newer systems. "What new data are you handling and what new systems are you managing now as opposed to last year – and do you have the policies and procedures in place?"
It’s also worth revisiting established policies to ensure that they’ve been made clear.
"If I were to fault anybody in the employee error side of things, it would be upper management for not realizing the importance of keeping people up to date on these things," Cobb says. "I’m an opponent of the stupid user theory. Yes, some people do dumb things, and there will always be that element, but an employee isn’t stupid if they haven’t been told what they should and shouldn’t do. And an organization which doesn’t have checks and balances in its processes is more stupid than the employee who makes a mistake and there’s nobody around to catch it."
Lessons from Target Breach, Snowden Affair
On the more malicious side of things, most people are far more aware of the threat of insider breaches now than they used to be. "One of the big revelations around the Snowden affair is the fact that trusted insiders are a problem if they go bad," Cobb says.
There’s a personal aspect to managing that threat: Monitor your employees’ attitudes and watch for employees who seem to be unhappy, particularly if they have privileged access. "That goes back to well-established practices in managing the security of systems – keeping an eye on your employees, only allowing access as needed, and monitoring for escalation of privileges," Cobb says.
Finally, last month’s Target breach made the threat from hackers particularly clear.
"The big lesson out of December is that what you might call cybercrime incorporated, the industrialized exploitation of vulnerabilities turning access to data into cash, is big, well organized and very efficient," Cobb says. "There’s an industry out there that works at this, it’s got highly specialized skill sets, division of labor, and it’s very efficient in getting into systems, getting valuable data, and squeezing the money out of that data."
Most of the people involved in that process, Cobb says, are making money with very little risk. "The people who got the data from the Target systems are selling it and cashing out," he says. "And we may find out who they are, and they may get prosecuted, but the person who wrote the code for them is a couple of levels down in this process."
Still, one good thing has come out of all of this: The Target breach has vastly increased public understanding of cyber threats.
"Providing security awareness to employees is much easier now, because people are more interested," Cobb says. "I was doing security awareness programs 15 years ago, when it was really hard to get people interested in protecting the company computers, because they didn’t know much about computers and it didn’t relate to their own life. Now everybody in society is a computer user."
December 2013 Data Breaches
Device Loss or Theft: The personal data of 18,800 current and former State of Colorado employees may have been exposed when a state employee lost a USB drive. Two unencrypted laptops containing the personal information of 840,000 Horizon Blue Cross Blue Shield of New Jersey subscribers were stolen from the company's headquarters. Approximately 1,300 Houston Methodist Hospital transplant patients' personal information may have been been exposed when an encrypted laptop and paper files were stolen. A computer containing patient information was stolen from an unsecured filing room at New Jersey's Inspira Medical Center Vineland.
A laptop containing the personal and medical information of 1,891 SIU HealthCare patients was stolen from a former SIU surgeon's office. A laptop containing 8,900 patient records was stolen from the home of California orthopedic surgeon Dr. Stephen T. Imrie.
Employee or Vendor Error: The health information of 2,000 Chicago Public Schools students, including their names, birthdates and diagnoses, was made available online by mistake. The personal information of 32,755 patients of California's Cottage Health System was exposed when a third-party vendor mistakenly removed security protections from a server. Files containing the personal information of more than 6,000 vendors, students and employees of the University of North Carolina at Chapel Hill were mistakenly made available online.
Hackers: The credit card information of between 280,000 and 300,000 Affinity Gaming customers was exposed when hackers breached the system used to process credit cards for its casinos. Hackers breached the phone system for Texas' Bell County and placed a series of international calls, racking up more than $27,000 in charges in a single day. An attacker leveraged a security flaw at Bitcointalk.org's registrar to intercept and modify forum transmissions, possibly intercepting user passwords. Hackers accessed credit card information at several Bojangles' locations, possibly via the restaurants' Wi-Fi networks.
The Briar Group's payment systems were breached, exposing thousands of credit card numbers belonging to customers of the company's 10 Boston-area bars and restaurants. Hackers leveraged a security flaw at Chinese hotel Wi-Fi provider CNWisdom to access a database of approximately 20 million hotel reservations. A computer used to operate the website for footwear manufacturer Danner was compromised, exposing customers' credit card information. Hackers accessed an undisclosed number of EZYield hotel reservation customers' names and credit card information, though it's not clear which travel websites were affected.
The personal information of 465,000 users of JPMorgan Chase's UCARD prepaid cash cards was accessed by hackers. An undisclosed amount of customer data for four clients of Mannix Marketing may have been exposed when the company's servers were hacked. Hackers accessed the Los Angeles Gay & Lesbian Center's servers, potentially compromising 59,000 current and former clients' personal information.
Hackers stole the personal information of 2.4 million students and employees of Arizona's Maricopa County Community College District and offered the data for sale. The credit card transaction system for MadeInOregon.com was accessethough it's not clear how the access occurred. The data center used by the Bitcoin-only poker site Seals with Clubs permitted unauthorized access to a database server, exposing user names and encrypted passwords. The Brazilian forum for voice communication company TeamSpeak was compromised and redirected traffic to a DotCache exploit kit landing page.
Hackers accessed credit card information for tens of millions of Target customers nationwide, though online purchases don't appear to have been affected.
Hackers breached TechMedia Network's systems and may have accessed an undisclosed number of customers' names, contact information and credit card data. Hacker Maxney breached and defaced the official site for Vodafone Iceland and published 77,000 users' information online. Hackers breached servers at the Washington Post and accessed employee user names and encrypted passwords.
Insider Breach: A cashier at a New York Bed Bath & Beyond store stole an undisclosed number of customers' credit card information. An HSBC employee who was authorized to access customer account information, including names and Social Security numbers, did so with the intention of misusing the data. A UConn Health Center employee inappropriately accessed 164 patients' medical records, including their names, addresses, birthdates, diagnoses and Social Security numbers. A former W.J. Bradley Mortgage Capital loan officer took clients' personal data, including credit reports, bank account information and Social Security numbers, to a different company.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at firstname.lastname@example.org.