Unless you’re living in a cave, you’ve provided data to a corporation, and a hacker has probably stolen it. Personal data today is one of the most valuable assets on the planet, which leads organizations to spend enormous resources to collect data. However, those same entities can lack the security to stop hackers from stealing said valuable personally identifiable information (PII). We will investigate three major data breaches in the past decade, how hackers stole the data, plus some Monday Night Quarterbacking on what information assurance practices could have prevented the breaches.
Target (December 2013)
Information Stolen: 40 million Customer credit card accounts and 110 million sets of PII (emails and phone numbers)
Target Spent: $100 million to upgrade their systems as well as $18.5 million in fines and to their affected customers
The Vector: Self-Checkout Terminal and Social Engineering attack on HVAC Vendor of Target
Attack Type: Password-stealing malware bot and malware designed to search for financial and personal information
How Hackers Stole the Data
Malware residing on the self-checkout terminal stole personal information and financial information from customers. The hacker or hackers started at one of Target HVAC contracting companies, Fazio Mechanical. The hacker(s) used a malware bot designed to steal login credentials via email phishing from Fazio. Fazio had access to multiple external systems designed for Target contracting companies, a billing system called Ariba, Partners Online (Target’s PM portal), and Property Development Zone portal. Target’s system administrators can access all these systems internally. It is unknown how the hacker(s) jumped from access to Fazio’s account on Targets external systems to Target’s internal systems. Once on the internal systems however, the hacker(s) injected malware designed to search for person and financial information onto an account designed to run a task on the checkout terminal called “Best1_user”.
What Information Assurance Practices Should Have Been in Place?
Fazio Mechanical reported that they complied with industry standards on security, however their anti-malware software at the time of the attack was the free version of Malwarebytes. The free version of Malwarebytes does not offer real-time scanning, which would have notified their security team of the malware. The free version requires manual scanning on individual computers. Additionally, the free version of Malwarebytes terms and conditions state that it is not made for cooperate use, only individual users.
On Target’s side at the time of the attack, they had no implementations of two-factor authentication or one-time tokens for venders like Fazio. Target did have extra security measures for vendors that had access to personal and financial information. However, Target did not segment this PII from vendors such as Fazio. This unsegmented access to Target’s systems is a strong candidate for how malware was injected into Target’s internal system.
Equifax (March 2017)
Information Stolen: Name and date of birth - 147 million, SSN - 146 million, Addresses - 99 million, Driver’s License, phone number and gender - 18-27 million, Payment cards – 209 thousand, TaxID - 98 thousand
Equifax Spent: $425 million to help those affected
The Vector: Web Application Framework, Apache Struts
How Hackers Stole the Data
Equifax was using a vulnerably web application framework called Apache Struts to run a tool for customers to report issues with their credit report. The United States Department of Homeland Security reported the vulnerability in March of 2017. Equifax reported that they knew about the vulnerability and took steps to patch affected systems, although multiple breaches occurred from May 13th to July 30th. The vulnerability allowed attackers to take full control of web servers that were using the unpatched version of Apache Struts. The hackers escalated and moved laterally from the web servers to find and steal data from Equifax’s customers.
What Information Assurance Practices Should Have Been in Place?
Equifax was aware of the vulnerability before the hackers breached their systems. Equifax should have understood the scope of the vulnerability and acted to properly patch their systems. This would have involved the security team taking down the systems that used Apache Struts and manually patching them as well as testing to make sure the system was secured before re-opening the systems.
Additional Information about the Equifax Breach
The data from the Equifax breach is yet to be seen. Following an attack, hackers usually attempt to sell data immediately, as newly stolen PII sells for much more than older information. There are currently two theories as to why the data has not been seen on the dark web for sale. The first is that the hacker (s) understand that the Equifax breach has more sensitive information than any other breaches and selling the information could lead to their arrest. Therefore, the hacker(s) could be waiting for the public to forget about the Equifax breach before selling. The second theory is more geopolitical. For instance, a nation state could have taken the data in order to process it for possible spies, people that are susceptible to bribery, or other vulnerabilities in the United States government.
Update on Equifax Data Breach - 2/10/20
The United States has blamed China for the Equifax breach as of February 10, 2020. Additionally, they have charged four Chinese military personnel. The US has reported that intellectual property was also stolen from Equifax. The United States has blamed China for breaches in the past. In 2014, four Chinese military hackers were charged with breaking into US corporations and stealing intellectual property.
Yahoo (August 2013 and Late 2014)
Information Stolen: 3 billion Yahoo accounts, including emails, addresses, phone number, passwords and security questions
Yahoo Spent: $117.5 million, including legal fees
The Vector: Spear-phishing attack (phishing tailored to each individual)
Attack type: Unauthorized access to database
How Hackers Stole the Data
The attacker sent a spear-phishing email to specific employees at Yahoo’s cooperate office in order to gain access to the Yahoo database containing customer information. Once the hacker gained access, they installed backdoor which gave them continues access to Yahoo’s database. The hacker than downloaded information from approximately 3 billion users. Much of the information was unencrypted, including passwords and security questions.
What Information Assurance Practices Should Have Been in Place?
Yahoo could have implemented many practices to prevent this data breach. For starters, Yahoo should have had a more robust system architecture so that the data was split up among multiple databases and secured separately. Additionally, Yahoo should have encrypted their data, especially security question answers and all user passwords. Finally, Yahoo could have utilized more robust system scans to search for vulnerabilities such as backdoors. Security scans have become more mainstream in recent years but a company that deals with the scope of data like Yahoo should have maintained secure infrastructure and procedures.
The Hack You Haven’t Heard of
The previous three data breaches are some of the most notable in the past decade. However, there are surely other breaches that the news has not picked up on because hackers have breached the company without their knowledge. Often, companies find out about a breach from hackers selling their information on the dark web. Also, there are nation states, hacking groups, and individuals that sit on data or use it personally. Meaning, companies and their customers are unaware. Therefore, all companies must be aware of their current security vulnerabilities and have proper procedures and infrastructure to keep their systems secure.
Jon is a Cybersecurity Marketing Intern. He attends Champlain College and will graduate in 2021.
Follow us on Social Media for more information:
Twitter facebook LinkedIn instagram
[hubspot type=form portal=9212203 id=78ed4f55-84a0-4cb8-bae7-8d92e16878ab]
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
