[BreachExchange] Learning Lessons From The 5 Biggest Data Breaches Of 2017

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 23 10:20:24 EST 2018


With the threat landscape constantly evolving and cyber-criminals looking
for new ways to breach organisations’ defences, maintaining the integrity
of the business network and the data that resides there is a growing
challenge. By and large, organisations are just about coping with the array
of potential threats they are facing, but the growing number of threats can
be overwhelming.

In 2017, we witnessed some of the most high-profile and effective breaches
ever seen, highlighting that significant breaches have equally significant
consequences, ranging from reputational damage to legal investigation.
Perhaps this is why more organisations than ever before have a clear
understanding of the potential impacts of a data breach.

So, with organisations becoming increasingly cyber-security aware, what can
we learn from the top five breaches of 2017 as businesses look to enhance
their security posture for 2018 and beyond?


2017 was a turbulent year in cybersecurity for the NHS, not only was it hit
by the WannaCry ransomware, but it was also revealed that 26 million
patients’ medical records had been breached.

Based on knowledge in the public domain, we believe the root cause of the
vulnerability relates to an ‘enhanced data sharing’ option. If enabled,
that data can be accessed by hundreds of thousands of other users of the
same system. This is a common oversight, as organisations tend to focus on
their web application testing and security, but fail to extend this
security to their desktop applications.

We regularly find vulnerabilities like this when we’re auditing desktop
applications and the communication mechanisms that support them. By
extending the same care to both web and desktop applications, these
vulnerabilities can be minimised.


In September 2017, Credit Reference Agency Equifax revealed it had suffered
a massive global data breach that affected 143 million consumers in the USA
and up to 400,000 in the UK. Hackers accessed sensitive information
including names, addresses, dates of birth and credit card numbers.

While all the details of the breach have not been disclosed, based on
public information it appears that the initial point of compromise came
from an affected web server. The critical vulnerability in question had
been publicly disclosed, and a patch released, months before the breach

This breach highlights how critically important it is for all organisations
to be on top of their vulnerability management processes, ensuring that
critical patches for software and systems are applied as soon as possible.

Regular penetration testing and vulnerability scanning feed into a central
vulnerability management system within the wider Governance, Risk and
Compliance (GRC) processes. They’re fundamental to help mitigate the risk
of these kinds of breaches occurring. After all, if you’re not aware of
your vulnerabilities and risks, you can’t treat them.


Shortly after the Equifax breach was announced, Yahoo revealed that in
2013, every Yahoo account that existed had been hacked. In total, three
billion accounts for Yahoo’s email, Tumblr, Fantasy and Flickr services had
been compromised, and the exfiltrated data was made available for sale on
the dark web.

Yahoo has never confirmed or released details about how the information was
compromised. However, these types of breaches usually originate from an
exploited website vulnerability. Preventing such a hack starts with using
controls that identify vulnerabilities. However, it’s also critical that
incident response processes are in place to identify attacks in progress.


In November 2017, ride hailing service Uber revealed that the personal
information of 57 million Uber customers and drivers worldwide had been
stolen. According to The Guardian, Uber had previously concealed the breach
and paid hackers $100,000 to delete the data and keep quiet.

We believe the breach resulted from credentials left in a Git repository,
which the attackers accessed by compromising a developer’s account. Code
repositories should be adequately protected. Ensure credentials are never
left in code or in repositories, and make sure that all users are taking
advantage of multi-factor authentication and are using unique passwords for
every system and service.

In addition, it’s vital that those repositories are audited before being
made public. Any sensitive information, such as passwords and SSH private
keys, must be cleaned from the code. Too often, comments are left in the
code that reveal sensitive information. Permissions should also be checked
frequently and audited to ensure security – including private repositories.

Beyond securing vulnerable information, communication is key. Uber tried to
brush the breach under the carpet, but making your customers aware of a
breach as soon as possible is the best response. This will be critical when
the General Data Protection Regulation becomes enforceable. Under the
regulation, organisations must notify of the breach to the relevant
supervisory authorities and affected parties within 72 hours of it
discovery, as failure to do so could result in fines up to €20m or 4% of
world-wide revenue, whichever is greater.


In the last major breach of the year, a cyber risk researcher revealed that
data analytics software company Alteryx, had left a 36-gigabyte database
exposed in an Amazon Web Services storage bucket. Alteryx’s unsecured
database was discovered during a routine search of Amazon Web Services
storage buckets, with the breach affecting 123 million households in the

Configuration related vulnerabilities like this are common, and AWS storage
buckets that have not been protected correctly with the right controls are
frequently discovered. According to The Register, information from
Accenture, Verizon, Viacom, and the US military had been inadvertently left
online due to incorrect configuration.

When storing sensitive information in the public cloud, it’s vital to
implement best practice security measures. All storage buckets must be
configured correctly, with procedures, checks and balances in place to make
sure that systems can’t go live without being properly audited. Each
configuration must be checked against potential vulnerabilities, and it is
best practice to ensure that the configuration is peer reviewed before the
system goes live.

With 2017 now in the rear-view mirror, organisations are focused on
ensuring that they’re well protected against the threats that 2018 will
undoubtedly have to offer. But looking back at the lessons of 2017 will
help to avoid repeating the mistakes of the past.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180223/eeddc454/attachment.html>

More information about the BreachExchange mailing list