[BreachExchange] What went down and what can be learned from the biggest data breaches of 2016
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Apr 7 13:55:55 EDT 2017
http://www.tgdaily.com/technology/what-went-down-and-
what-can-be-learned-from-the-biggest-data-breaches-of-2016
Some organizations are surprisingly good at setting a very bad example.
Especially when it comes to data breaches. Despite an untold number of
warnings, and despite staggering data breaches making the news regularly
for the last few years, some organizations still press on with subpar
security measures, contentedly sticking with the status quo until it’s
their millions of records being compromised and their company name grabbing
headlines for all the wrong reasons.
It’s unfortunate, but the very least the rest of us can do is learn from
the missteps of the following four organizations involved in some of the
biggest data breaches of 2016.
The Haven’t They Suffered Enough data breach
The facts: In March of 2016, 21st Century Oncology, a California company
providing cancer care services, announced they had suffered a data breach
that involved the personal information of 2.2 million patients being
compromised, including names, social security number, insurance information
and diagnosis and treatment information.
The folly: The company reportedly wasn’t even aware of the breach until the
FBI informed them roughly one month after the intrusion occurred. The
company then proceeded to not inform any of the patients affected nor the
Security and Exchange Commission for another three months. Twenty-first
Century is facing over 13 class action lawsuits for over 57 million dollars
for the careless handling of patient information, with many patients
alleging they have been the victims of identity theft.
The You Can Hear This Now data breach
The facts: Also in March of 2016, Verizon Enterprise Solutions suffered a
data breach that saw the information of 1.5 million customers stolen and
put up for sale in an underground cybercrime forum with a price tag of
$100,000.
The folly: Verizon Enterprise Solutions provides assistance to Fortune 500
companies for, wait for it, data breaches. According to cybersecurity
blogger Brian Krebs, who uncovered the sale of the data, it seemed as
though the hacker behind the breach found a way to force the Verizon
database platform to dump its contents. Verizon stated the company had
uncovered a security vulnerability on their enterprise client portal.
The Linked Way In data breach
The facts: In May of 2016 a Russian hacker going by the perhaps inaccurate
name of ‘Peace’ put up for sale the email and password combinations of a
whopping 117 million LinkedIn users. The asking price? Approximately $2,300.
The folly: Though the information went up for sale in 2016, it was actually
stolen in 2012 with a resultant class action lawsuit settled in 2015 for
1.25 million dollars. The hacked data search engine LeakedSource claimed to
have obtained the compromised information. Though the passwords had
reportedly been encrypted by LinkedIn using the SHA1 algorithm,
LeakedSource also claimed to have cracked 90% of the passwords in just 72
hours.
The Boohoo Yahoo! data breach
The facts: Like the LinkedIn breach, the Yahoo! breaches didn’t actually
happen in 2016, but that’s when they garnered attention. In September it
was announced that 500 million Yahoo! accounts had been compromised in
2014, with names, emails, birth dates and phone numbers stolen. If that
wasn’t bad enough, in December of 2016 Yahoo! announced another data
breach, this one from 2013, which had compromised 1 billion accounts. This
is the largest data breach in history.
The folly: Yahoo! has indicated they believe the breaches are related, and
that they are state-sponsored. The 2013 breach was reportedly tied to
forged cookies that allowed attackers to access accounts without the use of
a password. Yahoo! is being investigated by the Security and Exchange
Commission for the length of time it took them to report the intrusions and
is facing what will likely be record-setting class action lawsuits for
failing to protect consumers.
Lessons to learn
The year 2016 was a record-breaking one when it came to the number of data
breaches that occurred, and with that tremendous number of intrusions came
a few trends when it came to the failures of the organizations affected as
well as a few important lessons for other organizations.
The first one is the direst as well as the most obvious: most organizations
affected had database security that was just not up to the task of
protecting their consumers in the current attack-ridden cyber landscape.
Other organizations can avoid this devastating mistake by using
cybersecurity firm Imperva’s ‘10 Questions to Determine if Database
Security is a Priority’ to help assess the current security situation.
The second lesson that needs to be learned involves an organization’s
employees understanding how important security is and how much vigilance it
actually requires. Data breaches that affected organizations like Centene,
Seagate, Snapchat and Tidewater Community College resulted from either lost
hardware or employees falling for phishing scams. These missteps may be
indicative of a systemic issue within the company.
Lastly, organizations need to understand that if the worst-case scenario
occurs and data is compromised, best practices need to be followed when it
comes to reporting breaches to regulating bodies as well as affected users.
Yahoo!, 21st Century Oncology and a number of other organizations are
facing fines as well as inflated class action lawsuit settlements due to
their tardiness in reporting their very serious breaches.
It’s the responsibility of all organizations to protect their data, because
otherwise, the companies that have already been rocked by breaches will
have suffered for nothing. That’s on top of roughly 2,000 other reasons
organizations need to protect their data, of course, but every reason
counts.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170407/7f1a8ba1/attachment.html>
More information about the BreachExchange
mailing list