Security

Lessons learned from 4 major data breaches in 2013

Breach stats are declining, but data is still at risk from poorly protected databases, applications, and endpoints

In many respects the breach trends of 2013 have borne out some good news for the security industry. Unlike the past four to five years, this one has not been awash with mega database breaches of tens of millions of records containing personally identifiable information (PII). And according to statistics compiled by the Privacy Rights Clearinghouse, both the number of breaches publicly reported and the volume of records breached have declined. Last year at this time, the running count already totaled approximately 27.8 million records compromised and 637 breaches reported. This year, that tally so far equals about 10.6 million records compromised and 483 breaches reported. It's a testament to the progress the industry has made in the fundamentals of compliance and security best practices. But this year's record is clearly far from perfect.

When comparing year-to-date numbers, the volume of records breached went down a drastic 61.7 percent, while the number of reported breaches was only reduced by about 24.2 percent. This shows that breaches are still occurring at a fast clip -- it's just now the distribution of theft and compromise has spread out. Breaches are smaller, and according to security insiders, they're far more targeted. And frequently the theft is of IP or other digital property that could be even more damaging than customer records when stolen, but which are more difficult to quantify and don't make the statistical headlines.

Delving deeper into the specifics of breaches occurring this year, it is evident there's still work to do. As evidenced by the 2013 track record, valuable databases are still left unprotected and unencrypted, applications are still riddled with vulnerabilities, and users are still allowed to download huge quantities of information from sensitive databases and store them on poorly protected endpoints. To plead our case, Dark Reading has cherry-picked a few helpful examples and offered up some valuable lessons the industry can learn from these incidents.

Company Compromised: CorporateCarOnline.com
Breach Stats: 850,000 records stolen
The Details: Personal details, credit card numbers, and other PII from some of the biggest American names in professional sports, entertainment, Fortune 500 business, and politics were all stolen in this juicy heist of a plain text archive held by this company that develops a SaaS database solution for limo services across the country. Some of the big names on the list include Tom Hanks, Sen. Tom Daschle, and Donald Trump.

Lessons Learned: A key lesson is how the ingenuity of attackers knows no bounds when the most valuable financial and social-engineering-fueling information is at stake. According to KrebsOnSecurity.com, a quarter of the compromised card numbers were high- or no-limit American Express cards, and other information would prove a treasure trove for corporate spies or tabloid media players. Meanwhile, the company at hand paid absolutely no regard to the security of the information, without even trying to take the most basic of cryptographic measures to protect it.

Company Compromised: Adobe
Breach Stats: Nearly 3 million PII records, more than 150 million username/password combos, and source code from Adobe Acrobat, ColdFusion, ColdFusion Builder and other unspecified products were stolen.
The Details: This is the breach that just keeps unraveling as the hits keep coming more than a month after the compromise was first disclosed. Originally just though a compromise of 3 million PII records, it's now clear that Adobe is contending with the loss of a vast trove of login credentials, and, more startlingly, its source code.

Lessons Learned: Not only is the still-unfolding Adobe story a good teaching moment for how thoroughly a company can be owned by attackers once they've established a foothold in a corporate network, it's also a lesson on how dependent the entire enterprise ecosystem is on the security of its software supply chain. The potential ramifications could ripple out for a long while yet as a result of this breach.

Company Compromised: U.S. Department Of Energy
Breach Stats: PII stolen for 53,000 former and current DOE employees 
The Details: Attackers targeted DOEInfo, the agency's outdated, publicly accessible system built on ColdFusion for the office of its CFO. DOE officials say the breach was limited to PII about employees.

Lessons Learned: There were two big lessons here. First, patching always has been and always will be paramount. Second, organizations must think about reducing their attack surfaces by reconsidering which systems connected to sensitive databases should be left open on publicly facing websites.

Company Compromised: Advocate Medical Group
Breach Stats: 4 million patient records stolen
The Details: The theft of four computers from offices owned by this medical company exposed more than 4 million patient records in what officials are calling the second-largest loss of unsecured health information since notification to the Department of Health and Human Services became mandatory in 2009.

Lessons Learned: Health-care breaches are dominating the 2013 breach disclosure list thus far, but this one in particular is the most egregious. With patient records dating back to the 1990s compromised from a physical computer theft, it is clear that the basics in physical security, endpoint security, encryption, and data protection were all deficient. In particular, endpoint theft and loss in health-care issues seems to come up time and time again. It may be time for these organizations to reconsider how much data an endpoint is allowed to download and store from centralized databases.

About Author

Ericka Chickowski

Ericka Chickowski is an experienced business and technology journalist who specializes in coverage of IT security, regulatory compliance, business alignment, project management and IT employment.

In addition to her work for Dark Reading and InformationWeek, Chickowski’s perspectives on technology have appeared in a number of trade and consumer magazines, including CIO Insight, Baseline, Entrepreneur and Consumers Digest. She has covered the IT security industry extensively over the last six years, gaining particular insight and expertise while working as the West Coast bureau chief for SC Magazine. Chickowski graduated with a B.A. in English from the University of Washington and currently resides in San Diego. Readers may contact her at ericka@chickowski.com.

comments powered by Disqus

Subscribe for Newsletter

Stay connected to the best business technology content every week. Subscribe to our daily newsletter now!

Slide Shows

Upcoming Webcast

Turning the Tables on Cyber Attacks

Join Trend Micro for this upcoming webcast as it will delve deeper on the cause and effects of these responses against cyber attacks. The Speakers will tackle existing real-world developments showing how market forces, private companies, and law enforcement agencies react to the ever-changing threat landscape. They will also discuss how these trends will settle into the global and local market and how cybercriminals are likely to exploit them. Speakers: Macky Cruz, Security Focus Lead, TrendLabs, and Paul Oliveria, Security Focus Lead, TrendLabs. Date & Time: September 4, 2014, 3:00pm India Time