Data breaches can affect any of us. Our lives are anchored into the digital world. Our identities, banking information, social networks, and personal communications are almost all accessed, stored, or controlled through devices, websites, and servers.
Any connected system is vulnerable to attack at some point.
Check out these 13 data breaches and learn that while your security is not always 100% in your hands, there is much you can do to mitigate the damage a data breach causes to your life.
Hollywood Presbyterian Held Ransom by Hackers
February 5, 2016
Story at CSO Online
The computers at Hollywood Presbyterian Medical Center were compromised and brought down for more than a week following a ransomware attack.
The attack brought down email communication and restricted access to some patient data, as well as some of the computers necessary for diagnostic work and pharmacy systems. Because of the compromised systems, some patients needed to be transferred to other facilities to continue receiving the care they needed, and providers on site were forced to rely on phones and fax machines to deliver important data and provide care.
The hospital confirmed that the requested ransom was 40 Bitcoins, at the time equivalent to $17,000, which they paid to facilitate a quick recovery of their systems, restoring their medical records and affected computers by February 15th.
Russian Hackers Penetrate the DNC
June 14, 2016
Story at The Washington Post
A Russian hacker broke into the Democratic National Party’s computer network and accessed their database of opposition research on Donald Trump.
The hackers also managed to access email and chat information.
The intrusion was part of a larger organized campaign targeting American political groups, and the attackers had access to the DNC’s systems for a year before being locked out in a sweep.
Luckily, no financial or donor information was compromised, which led consulting firm CrowdStrike to believe the intrusion was likely government espionage rather than the work of independent hackers.
In a follow-up, a single Russian hacker took credit for single-handedly compromising the DNC’s network, stating that he was glad that CrowdStrike “appreciated my skills so highly. But in fact, it was easy, very easy” to hack the DNC.
LinkedIn Passwords Posted Online
June 6, 2012
Back in 2012, LinkedIn was hacked, compromising 6.5 million passwords initially, and the breach was not brought to light until the information was posted for sale online by a Russian hacker.
It turns out that 117 million accounts had, in fact, been compromised.
It’s still relevant today since the breach is still affecting user accounts across the web. Namely, it’s affecting users who use the same password across multiple accounts, allowing a breach in one account to be applicable across a wide variety of services, including email, online banking, and social media.
The scope of the data breach has influenced many service providers to offer two-step authentication, in which a confirmation SMS is sent to your phone before allowing an unknown login, to ward off further account breaches with the leaked information.
North Korea Nabs US Fighter Jet Blueprints
June 14, 2016
Story at Reuters
A 2014 scheme by North Korea to plant malware on 140,000 South Korean computers within 160 firms was detected in February of 2016 when documents were stolen by the North.
Among 40,000 defense-related documents stolen were blueprints for the wings of the United States’ F-15 fighter jets. The files were not classified, according to Korean Air Lines, the company targeted in the attack. The South Korean Defense Ministry stated that there were no actual security breaches in the years-long incident.
Ashley Madison Hack
July 20, 2015
Original Story on PC Mag
This particular hack is infamous, exposing 37 million account holders from the site Ashley Madison. It was a particularly alarming story for some due to the nature of the site, which purported to facilitate affairs for married individuals.
The hacker group called “The Impact Team” got into Ashley Madison’s databases and confiscated user data, including names, mailing addresses, search history, email addresses, and bank account information. They held it for ransom and threatened to release the information and publicly expose all registered users if the site was not shut down permanently.
Ashley Madison continued to operate and, one month later as threatened, The Impact Team did release the 25 gigabytes of information they had scraped from the server on July 21, 2015. A second information dump occurred on August 20, 2015, which included 12.7 gigabytes of corporate email.
The largest problem with all of this is that Ashley Madison actually charged money to “fully delete” all details of a user’s account and earned $1.7 million per year for the service. However, the hack proved that they had never deleted anyone’s information, regardless of payment.
Adobe Data Breach
October 3, 2013
Original article at Krebs On Security
On October 3, 2013, Adobe announced that hackers had claimed roughly 3 million encrypted credit card numbers from their servers. The hackers had also gotten login data for an unidentified number of users, reports Krebs on Security.
On November 7, The Verge reported that the breach had affected 150 million user accounts and may have even ranked as the worst hack in history to that point.
Even worse, Sophos Naked Security, a data security firm that tracked down the 10-gigabyte dump of user information, found that Adobe didn’t properly protect the passwords, using outdated and flawed encryption techniques to store users’ data. Since modern security practice dictates that servers shouldn’t store the original password at all, even in encrypted form, using broken encryption is even more damning.
On top of all of this, the breach contained the aforementioned credit card information, as well as personally identifiable information, both of which were noted by Adobe as having been “encrypted,” which inspired no confidence in its safety.
Adobe’s mistake even made it into a web comic at XKCD.com, where the conclusion was that “There’s only one group that comes out of this looking smart: Everyone who pirated Photoshop.”
HEI Hotels Hit by Point-of-Sale Malware
August 12, 2016
On August 12, HEI Hotels and Resorts issued a press release regarding some malware they had detected in their point-of-sale credit card processing setup. They state that the malware may have affected customers who swiped their credit or debit cards in person at a number of point-of-sale terminals at some of their properties.
Point-of-sale terminals include those at the front desk, restaurants, bars, spas, and lobby shops among others.
HEI Hotels and Resorts is the parent company of Westin, Marriott, Hyatt, and other hotel chains. The malware affected 20 hotels in the US. According to Naked Security, HEI doesn’t store card information and cannot determine who was affected. This also means they can’t determine how many customers were affected by the malware, though a spokesman for HEI said that there were 12,800 transactions at one hotel in Tampa during that time frame.
In response, HEI shifted how their payment processing was completed and set up a toll-free response number and an FAQ document to help customers mitigate their exposure.
December 15, 2013
In mid-December 2013, Target found that it had been the victim of a large data collection hack. Millions of customers’ information was stolen between November 27 and December 15.
Target still maintains a page relating to the data breach, where it estimates that 70 million customers were compromised by the hack, including 40 million credit and debit cards. The information included the card number, cardholder’s name, the expiration date, and the security code. In addition to the stolen credit and debit card information, the names, addresses, phone numbers, and email addresses of many customers were also compromised. Social security numbers were not part of the data loss.
At the time, Target offered one year of free credit monitoring and identity theft protection for all guests who shopped at their stores.
Story at CNet.com
Sometime between late February and early March of 2014, eBay was the victim of a huge attack, affecting an unknown number of its 145 million accounts – possibly all of them.
eBay discovered the hack in early May and determined that hackers had gained access to an internal eBay corporate account and used it to monitor usernames, email addresses, physical addresses, phone numbers, and dates of birth. The hackers also gained access to passwords, though the passwords were encrypted, limiting access to them.
eBay had the foresight to store financial data and PayPal data separately from user data. There was no evidence that the hackers had accessed those data stores, nor was there an uptick in fraudulent activity or account access.
eBay took action after the attack, encouraging users to change their passwords and to use a unique password for their eBay account to prevent access to their other online accounts should these hackers, or future attacks, reveal users’ eBay passwords.
This particular hack clearly demonstrates the need to have strong password security and different passwords for each website. A password manager can be a big help in this.
U.S. Voter Database
191 million voters were exposed by an improperly configured database of registered voters in the U.S. The database was uncovered by Chris Vickery, an independent security researcher out of Austin, Texas.
The database, which took about a day to download, included names, addresses, birth dates, party affiliations, phone numbers, and email addresses of registered voters in all 50 states.
Though voter information is typically considered public record, it’s generally not consolidated for easy access by malicious hackers looking to scrape data on large groups. Vickery worked with federal authorities to find the owner of the database and remove it.
Regulations for voter information protection vary wildly between states, with some states imposing no restrictions at all. Some groups, like the Center for Digital Democracy, think that privacy regulations should be implemented to protect individuals’ political information.
What could be the largest credit card hack of all time (so far) occurred in 2012.
The victim was Global Payments, a payment processor that handles credit card transactions. According to Visa, which released this statement, the breach impacted all major credit card companies:
Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands.
Visa later removed Global Payments from its list of credit card processing companies.
Later, it was revealed that the hack had started in January 2011, lasting a full 13 months. The breach had far-reaching implications: enabling prepaid debit card fraud and causing Global Payments a total loss of roughly 94 million dollars in expenses, lost business, and losses to fraud.
Original Story at the Wall Street Journal
On February 4, 2014, Anthem, Inc. reported that hackers had infiltrated their system and stolen over 37 million medical records from their servers. Later, they raised their estimate to nearly 80 million records. The attack only seemed to include birth dates and social security numbers rather than actual health history.
It came out that Anthem had not encrypted the sensitive medical data as there was no legislation in place guiding them to do so. Though encryption is a powerful tool to combat large-scale data breaches, rendering data unusable if accessed without the right key, Adam Greene, a former official from the Department of Health and Human Services, stated that encryption is not a cure-all:
“At some point, that information is going to be used in an unencrypted state and if a hacker has access to it at that point, the information could be exposed.”
Original Story at Wired
The same hacker who identified himself as “Peace” in the LinkedIn password leak claims to have 360 million emails and passwords of MySpace users, which would be one of the largest password breaches in history. Peace and LeakedSource, a paid search engine for hacked data, state that these passwords are from an older breach that has gone unreported.
Motherboard went so far as to confirm the validity of the hack by giving Peace and LeakedSource five emails of employees with MySpace pages. In every case, they were able to provide the correct password back to Motherboard.
LeakedSource was unable to confirm the original source of the data, or the timeframe for when the original hack occurred. Furthermore, the passwords at MySpace used the same weak encryption as the easy-to-crack passwords of the LinkedIn hack.
Even if you thought MySpace was defunct, it still receives 50 million unique visitors per month, and the breach may still open up significant problems with password re-use among users.
Change your passwords while you can – to MySpace and any more sensitive accounts you may have if you’ve ever used MySpace and you tend to reuse passwords. This data is for sale, and will eventually fall into the wrong hands and spread far and wide.