On the last day of 2013, I thought I would reprise my annual column of the top ten biggest information security breaches or exploits. Nowadays, with news of million-plus caches of credit cards and identities being stolen almost a daily occurrence, one can get numb to these announcements. However, there were a few that, due to their size, newsworthiness or political importance, stood out above the rest. So, without further ado, my top ten “Oops” moments of information security in 2013, in David Letterman-esque, reverse order listing:
#10 Yahoo Japan: Yahoo’s Japan site was hacked in 2013 and over 22 million users IDs and associated information was taken. These attacks will only continue to grow as foreign user bases and revenues increase past the once dominant US Internet presence.
#9 UbiSoft: In other non-US news, this major French gaming company announced in July of 2013 that its systems had been breached and attackers made off with an unknown number of user credentials. Details on the attack were limited and the company refused to provide much information on what was stolen other than no payment information was taken and the passwords were encrypted. Still, it made all its users reset their passwords so we are forced to assume that it could have involved their entire user base which is estimated at 50 million registered users. This shows that hackers will continue to hit users where they live and spend, which is increasingly on gaming networks. In addition to taking payment information when they hit these sites, they can also steal gaming profiles and characters which can often be sold on the black market.
#8 Evernote: Users of this popular note taking app were asked to reset their passwords in response to a hacking attempt that may or may not have been successful.Over 50 million users were affected.The hyper growth of some apps can mean that their security processes and protections can often be outstripped by user bases that can exceed 100% monthly growth rates.The security that is appropriate for a few thousand beta users is vastly different than that needed to protect millions.Once your user base reaches these heights, it becomes a lucrative target for professional hacking gangs that are far more sophisticated than the script kiddies that bother smaller sites.This is a cautionary tale for young Turks dreaming of being app millionaires (or billionaires).Have a growth-oriented security plan early on, or you’ll be doing some explaining to your V.C.s and backers later on.
#7 Federal Reserve: In the early days of 2013, The Federal Reserve announced it was hacked, possibly by the group Anonymous, and that IDs and other information on over 4000 top level banking executives was stolen. While they claimed this was a minor internal system and no critical money handling systems were touched, this is troubling. Consider that the Federal Reserve manages the entire US monetary system and also handles most wire transfers of dollars in the United States. Access to those systems would definitely be the holy grail of professional cyber thieves.
#6 Living Social: While the bloom is off this once high flying coupon site, millions still use it every month to get discounts on everything from restaurant meals to yoga lessons. Over 50 million user names, passwords and other personal information were taken from the site’s servers in an April hacking incident.No financial information was taken according to the company, but the user base information could be useful to pre-texters and social engineers, not to mention other less reputable discounting sites.
#5 Adobe: In one of the biggest commercial hacks of the year, Adobe was breached and over 38 million users had their information stolen, including credit card data.Some estimates put the numbers as high as 150 Million. Due to the lack of a strong password policy (common to most Internet sites), users were able to use simple dictionary passwords which were easily recoverable, in spite of being encrypted.Sooner or later, companies are going to have to start forcing their customers to pick complex passwords for their accounts if we are going to trust them with our financial information. It would be nice to see a couple of large e-commerce companies take the lead on this and set an example for smaller sites.
#4 Major retailers: In some good news, US authorities broke up and charged a major Russian based hacking gang with breaking into and stealing over 160 million credit and debit cards from major companies such as J.C. Penny, 7-Eleven and Jet Blue over eight years. The bad news:Poor security at merchants and payment processors such as Heartland Payment systems will allow this to continue to happen. The roll-out of stronger and mandatory PCI standards this year should help but until there are major consequences for firms not complying, they will continue to ignore security, hoping to get lucky in the crap shoot of Internet security, using your identities as their antes.
#3 National Security Agency: While the information stolen wasn’t user’s identities or credit cards, the information taken and later revealed by famous NSA leaker Edward Snowden garnered far more news attention and international intrigue than any cyber breach this year. Whether you agree with his methods and actions, the fact remains this was a simple case of a bad apple, making it through what should have been a rigorous background check process and having access to far more than he needed to do his job. News inquiries after the fact show that even a moderately earnest effort on the front end would have saved the NSA and the US government a whole lot of embarrassment and bad world press. It also proves that no amount of technology, policies and procedures can save you if you hire the wrong people. And this includes contractors, vendors and other partners (Snowden was an employee of a contractor for the NSA), who can do as much damage as an internal employee if they have access to your systems. Vet your people AND your business partners, before they get access or suffer the consequences.
#2 Obamacare/Affordable Care Act: Whether you hate or love this policy or just don’t care, there is no doubt that the website roll-out was a major disaster on every possible level.And while the general dysfunction of the site got most of the news; according to official testimony in front of Congress, little or no security was built into the site. Expect more news on this in 2014, as the fixes and additions to the site after the flawed rollout are sure to have more security holes in them, given the speed at which they were coded and the intense pressure to make the site functional. Tight deadlines and a “get it up at any cost” attitude almost never result in a more secure site.
#1 Target: The last of our “Oops” moments, and possibly the most significant, coming at the height of the Christmas shopping rush to a major retailer goes to Target. Having to announce during this all important period that they had allowed over 40 Million of their shopper’s credit and debit cards to be stolen is hardly good for business. In addition to likely class action law suits from users, states attorney generals and banks who had to reissue credit cards, Target suffered a dip in sales, during a period when their peers were experiencing gains. The exact amount is unclear but it is sure to leave a dent in Targets 2013 financial performance and perhaps for years to come. The only silver lining in this cloud is that due to the high visibility and wide effect, it might wake up consumers and corporate boards to what has been a mostly lax attitude towards information security amongst retailers and other companies that serve the public.
What stands out in this list is the number of incidents involving government or its initiatives. In the past, hacking government sites was only useful as a publicity stunt or to make a political statement. Now that governments of all sizes, federal, state and local are increasing online and taking payments for all types of fees and services, you can be assured that the cybercriminal element will follow the money and stake out its turf there. The mantra for 2014 is to be aware of the sites you visit and use and don’t assume just because it has the imprimatur of Uncle Sam (or whatever government mascot you have), that it is safe. And on that note, I wish everyone a happy , safe and “Oops”-free New Year’s Eve and 2014!