Battling Big Breaches: Are We Getting Better?Bad News, Based on the 5 Biggest Breaches in the Past 5 Years
Tempting thought: What if organizations' information security practices, policies and procedures are continuing to get better, repelling cybercriminals and nation-state attackers alike?
But at the risk of suffering a devastating existential crisis, what if we're instead all stuck in a perpetual cat-and-mouse game where attackers continue to improve enough to punch holes in defenders' security defenses, however less imperfect they might be?
"If history can teach us anything, it will be that new and novel attacks will come to light."
Here's what is certain: Some of the biggest breaches in recent years show that the lag between attackers accessing a corporate system and the organization discovering the full extent of the intrusion can be months or years.
Massive breaches can also result from even relatively small security missteps, says incident response expert David Stubley, who heads Edinburgh, Scotland-based security testing firm and consultancy 7 Elements. "If history can teach us anything, it will be that new and novel attacks will come to light," he tells me (see: Salesforce Security Alert: API Error Exposed Marketing Data).
What other lessons might be learned? Here's a review of the top five breaches in the past five years, including takeaways such as how many accounts were compromised and how attackers broke in.
1) Yahoo: 3 Billion Accounts (2013)
Details: Search giant Yahoo's entire user base of 3 billion accounts was compromised in an August 2013 data breach. Yahoo in December 2016 estimated that 1 billion accounts had been compromised, before revising that estimate to 3 billion in October 2017. The breach exposed names, email addresses, phone numbers, birthdates and in some cases, unencrypted versions of security questions and answers that were used to recover account access were also stolen. Passwords hashed using the MD5 algorithm - considered an unsafe password-handling practice even in 2013 - were also exposed.
Cause: Yahoo has said only that "an unauthorized party stole data associated with certain user accounts."
2) Yahoo: 500 Million Accounts (2014)
Details: Yahoo in 2014 suffered a separate series of breaches that began in 2014 and resulted in 500 million users' accounts being compromised. The company failed to disclose the breaches until September 2016. Yahoo's board has concluded that CEO Marissa Mayer, other senior executives and the company's legal team failed to properly comprehend or investigate the attack when it came to light in 2014 (see: Yahoo CEO Loses Bonus Over Security Lapses).
Cause: Yahoo has blamed a "state-sponsored entity" and said forged cookies were used to access some accounts. The Department of Justice has filed charges against four men, including three Russians, two of whom are allegedly officers in the FSB, Russia's federal security service. The fourth man, a Canadian citizen named Karim Baratov who acted as a "hacker for hire," was extradited to the U.S., pleaded guilty and last year received a five-year prison sentence. Boratov admitted to hacking 11,000 webmail accounts on behalf of his employers. Prosecutors accused the attackers of using forged cookies to access 6,500 Yahoo accounts.
3) Marriott: 383 Million Accounts (2014 to 2018)
Details: In November 2018, Marriott disclosed that the reservation database used by its Starwood Hotels & Resorts Worldwide unit had been breached in 2014. Marriott acquired Starwood in September 2016 for $13 billion. Marriott initially estimated that 500 million accounts were breached, but subsequently revised that assessment (see: Marriott Mega-Breach: Victim Count Drops to 383 Million).
Exposed information included customers' "name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ('SPG') account information, date of birth, gender, arrival and departure information, reservation date and communication preferences." Also exposed: 8.6 million encrypted payment cards and 25.6 million passport numbers, of which 5.25 million were unencrypted.
Cause: Unstated, although Marriott's investigation continues. Some reports have suggested that Chinese-language malware - or perhaps backdoors - have been recovered by investigators, but that remains speculative and doesn't suggest how attackers may have broken in.
4) Adult Friend Finder: 412 million accounts (2016)
Details: Friend Finder - aka FriendFinder Networks, which runs thousands of adult-themed sites in what it describes as a "thriving sex community," was hacked in October 2016, leading to 20 years of data being exposed for 412 million users, breach information site LeakedSource reported. Friend Finder had previously been breached in May 2015 (see: Dating Website Breach Spills Secrets).
Affected Friend Finder sites reportedly included Adultfriendfinder.com (340 million accounts), Cams.com (63 million accounts), Penthouse.com (7 million accounts), Stripshow.com (1 million accounts), iCams.com (1 million accounts) and "Free Live Sex Cams" (35,000 accounts).
Cause: Local file inclusion, according to LeakedSource, which linked to a CSO report showing that there was an exploitable LFI flaw AdultFriendFinder. Such vulnerabilities allow an attacker to supply input to a web application. In the worst-case scenario, this input can be used to remotely execute arbitrary code on the server.
Note: Last year, police in Canada arrested Jordan Evan Bloom of Ontario after he allegedly earned $247,000 by administering LeakedSource and selling personal data. Security experts said LeakedSource was a suspiciously fast source of breached data and speculated that the site might be paying hackers for data troves, although that has never been confirmed (see: LeakedSource Operator Busted by Canadian Police).
5) Equifax: 161 Million Consumers (2017)
Details: In March 2017, attackers gained access to Equifax's network, exfiltrating personally identifying information for at least 145.5 million U.S. consumers, 15.2 million U.K. consumers and 8,000 Canadian consumers from 51 databases over 76 days. Equifax didn't spot the attack until four months later, and it issued its first public data breach notification in August 2017.
Cause: Attackers exploited a flaw in Apache Struts five days after Apache issued an emergency patch. Equifax failed to install the patch for four months, as part of a cavalcade of information security errors, including failing to renew a digital certificate in a security device that would have allowed it to inspect network traffic. Once the certificate was renewed and the device began working again, Equifax spotted attackers exfiltrating sensitive data that they had first encrypted (see: Postmortem: Multiple Failures Behind the Equifax Breach).
Risk: Cybersecurity Inertia
While the above list is a small sample size, it's notable for showing how attackers can take advantage of small problems to deliver major fallout. Detecting intrusions is also a slow process, sometimes due to poor security controls, organizational inertia or both - even at organizations such as Equifax, which should be among the most well-resourced in the world.
Lessons can obviously be learned from these five breaches. Unfortunately, there would be more lessons to learn if organizations were more forthcoming about what exactly went wrong.
Unwelcome: 'Unauthorized Access'
The Identity Theft Resource Center, a nonprofit U.S. organization that helps data breach victims, tracks public data breach notifications. In its review of all disclosed 2018 data breaches, it found that many organizations failed to disclose how many records were exposed or exactly what went missing. Many more failed to say how they'd been hacked, often listing the cause simply as "unauthorized access." As ITRC notes, this "is not an accurate reflection of the true method of intrusion" (see: Fewer Breaches in 2018, But More Sensitive Data Spilled).
Consumers are at risk if they don't know what was stolen. In terms of the greater good, other potentially hacked organizations will also have a harder time learning lessons from the breach if the cause is not revealed. They could get targeted in the same way by the same gang.
"Companies need to be more transparent and granular with their disclosures," ITRC says.