Data: our whole world runs on it in some form or fashion.
It defines our business decisions, it lets us buy anything we want, delivered the next day, and it even tells our sports teams who should bat next in the lineup.
The power of data is immense. And when that power falls into the wrong hands, it generates such enormous problems that it can take years to sort them out.
Data hacking is one of the biggest threats to websites and companies in the digital environment of the 21st century. Not only can it result in a company’s proprietary information being stolen or made public, but it can also lead to personal records, credit card numbers and social security information being stolen or exposed. Companies have seen their net worth plummet as a result of data breaches and some have a hard time ever recovering.
For the companies and corporations hit the hardest, there’s the slightest of silver linings involved: a painful lesson of how the hackers got in and how to prevent it from happening again.
Here’s a closer look at five of the biggest data breaches in history and the lessons learned for the hosting companies involved.
Heartland Payment Systems (2008)
What Happened: In March of 2008, Heartland Payment Systems was processing roughly 100 million payment card transactions per month – about 39 per second for a whole month. In January of 2009, Heartland was warned by both Visa and Mastercard of suspicious transactions being recorded from accounts that Heartland had processed. Turns out the ghost had been in the machine since 2006. The hackers used an SQL injection, a technique that uses malicious code to access information from backend databases. In this case, the hackers installed spyware into Heartland’s data systems to steal credit card and social security card numbers. At the time, it was the largest data breach ever. It got so bad that Heartland had to create a website, the now defunct Breach2008.com, just to handle public information requests. The lax security caused Heartland to be out of compliance with the Payment Card Industry Data Security Standard (PCI DSS), meaning that in addition to all the stolen information, it was ruled ineligible to process major credit card transactions until May of 2009. The company had to pay an estimated $145 million to compensate for all the fraudulent payments made.
What We Learned: Up to that point, the threat of SQL injection was a bit of a bogeyman for a lot of companies. They had been educated on it and warned about the dangers by security experts, but plenty of firms had a reason not to act on it: too much money, too much time involved, we’ll have to upgrade everything, etc. Heartland was the wake-up call that security isn’t something you need just every once in a while; it’s a 24/7/365 requirement.
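To make the SQL injection lesson concrete, here is an added example (not code from Heartland or from the original article) that runs the same lookup twice: once by pasting input into the SQL text, once with a bound parameter. The table, column names, sample rows and crafted input are all constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (merchant TEXT, pan_last4 TEXT)")
    db.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("acme", "1111"), ("acme", "2222"), ("globex", "3333")],
    )
    return db


def lookup_vulnerable(db, merchant):
    # The input becomes part of the SQL text, so a quote character in it
    # can close the string literal and rewrite the WHERE clause.
    sql = ("SELECT pan_last4 FROM cards WHERE merchant = '" + merchant +
           "' ORDER BY pan_last4")
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, merchant):
    # The query structure is fixed; the input is bound as a plain value
    # and is only ever compared against the merchant column.
    sql = "SELECT pan_last4 FROM cards WHERE merchant = ? ORDER BY pan_last4"
    return [row[0] for row in db.execute(sql, (merchant,))]


# Constructed input containing a quote and a condition that is always true.
CRAFTED = "acme' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated, normal :", lookup_vulnerable(db, "acme"))
    print("concatenated, crafted:", lookup_vulnerable(db, CRAFTED))
    print("bound, normal        :", lookup_parameterized(db, "acme"))
    print("bound, crafted       :", lookup_parameterized(db, CRAFTED))
```

With the concatenated query the crafted input returns rows belonging to every merchant; with the bound parameter it matches no merchant name and returns nothing.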
Target (2013)
What Happened: The lead-up to Christmas is generally a glorious time of year for a chain like Target, which has claimed the highly coveted niche among American shoppers of high quality and affordable merchandise. With toys and clothes and electronics and knick-knacks on every aisle, it’s the store for everyone around the holidays. Between November 27 and December 15 of 2013, hackers used stolen credentials from a third-party vendor to steal credit card information from 40 million Target customers who used credit and debit cards at the store’s brick-and-mortar locations. By the time the dust had cleared, Target’s CEO and CIO had both resigned and the company had lost $202 million. A multi-state investigation followed, with Target having to pay out an additional $18.5 million to settle claims from 47 states and Washington D.C. The settlement also required Target to employ comprehensive security measures to protect customer information, complete with a high-level executive whose sole purpose was to advise the company’s board and chief executive, along with an independent third party to review all of Target’s security measures and implement encryption methods so that if data is stolen it will be useless.
What We Learned: Too many cooks spoil the soup. Forget the actual stealing of credentials; the horrifying fact is that Target was allowing third-party vendors access to its entire database of customer information, sort of like a bank giving the guy who waters the plants the combination to the vault. At the expense of the jobs of two of the most powerful men in the company, Target learned that credentials must be as foolproof as possible and that every person or company you employ must have access only to the things they need to do their job, nothing more.
Yahoo (2013-2014)
What Happened: It’s hard to imagine for those who have grown up in the Internet age, but there was a time when Google was a nonsense word and Yahoo ruled the world of personal email, search engine results, and pretty much everything else. But billions of people worldwide still had accounts with passwords, personal information and more when in 2016, some 200 million Yahoo passwords were found for sale on a darknet marketplace. Only when questioned by two media outlets did Yahoo state that it had knowledge of the hack and was investigating it. Yahoo went public with its findings in September of 2016, believing it to be a “state-sponsored” hack without naming the country they were accusing. Their initial estimate was that more than 500 million accounts had been hacked. What Yahoo failed to mention was that a similar hack had occurred in 2013, with more than 1 million accounts hacked. Having failed to keep up with Google and Facebook – Yahoo used to offer user profiles, chat rooms and instant messenger services as well – Yahoo was in the process of being sold to Verizon for $4.8 billion. That price was agreed upon before the attack. Verizon peeled $350 million off its offer and bought Yahoo for $4.48 billion instead. Despite the lower cost, it was Verizon who came out looking bad when it was revealed in 2017 that the 2013 hack actually affected all 3 billion Yahoo users. Four Russian men were eventually charged for the 2014 hack.
What We Learned: If you’re not constantly updating and reviewing your security, you will get eaten alive. This was no James Bond-villain type hack, but one that was cookie-based, allowing the hackers to authenticate a user ID without entering a password. The fact that Yahoo’s web security didn’t notice this happening 3 billion times in the same year is a testament to just how terrible its security was.
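One way a defender can notice cookie-only authentication of the kind described above is to check every cookie-authenticated request against the password logins that actually issued sessions. This is an added example, not Yahoo's tooling or code from the original article; the log format, event names and sample lines are constructed assumptions.

```python
import re

# Constructed sample auth log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z LOGIN_OK user=alice sid=a1f3
2024-03-01T10:01:10Z REQUEST user=alice sid=a1f3 path=/mail
2024-03-01T10:02:45Z REQUEST user=bob sid=77c0 path=/mail
2024-03-01T10:03:00Z LOGIN_OK user=carol sid=9e2d
2024-03-01T10:04:30Z REQUEST user=alice sid=9e2d path=/settings
2024-03-01T10:05:00Z LOGOUT user=alice sid=a1f3
2024-03-01T10:09:00Z REQUEST user=alice sid=a1f3 path=/mail
"""

LINE = re.compile(r"^(\S+) (LOGIN_OK|REQUEST|LOGOUT) user=(\S+) sid=(\S+)")


def find_unbacked_sessions(log_text):
    """Return (timestamp, user, sid, reason) for each cookie-authenticated
    request that no password login on record can account for."""
    issued = {}      # sid -> user who obtained it through a password login
    revoked = set()  # sids that were ended by a logout
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the assumed format
        ts, event, user, sid = m.groups()
        if event == "LOGIN_OK":
            issued[sid] = user
            revoked.discard(sid)
        elif event == "LOGOUT":
            revoked.add(sid)
        elif sid not in issued:
            findings.append((ts, user, sid, "no login issued this session"))
        elif issued[sid] != user:
            findings.append((ts, user, sid, "session issued to another user"))
        elif sid in revoked:
            findings.append((ts, user, sid, "session used after logout"))
    return findings


if __name__ == "__main__":
    for finding in find_unbacked_sessions(SAMPLE_LOG):
        print(*finding)
```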
JP Morgan Chase (2014)
What Happened: JP Morgan was spending a quarter of a billion dollars a year on security by the time 2014 rolled around. For all the times we’ve blanched when we hear about usernames and passwords being exposed, our response goes to Defcon Level 1 when we hear about bank accounts getting hacked. And for JP Morgan it wasn’t just a one-time thing. The attack began when a single JP Morgan employee had their login credentials stolen by a hacker. That should not have been a big deal, since most large firms demand two-step authentication for logging in to any critical server. Unfortunately, JP Morgan had not upgraded all of its servers to that level of security, and the hackers strolled into the servers as leisurely as you would into your local branch to deposit a check. The hack lasted more than two months and was only discovered when a routine security check revealed the existence of malware in the system that was extracting gigabytes worth of data, including customer account information. In all, 83 million individuals and small businesses had their information compromised.
What We Learned: Spending a lot of money on security doesn’t mean a whole lot when the smallest of holes can cause the dam to break. JP Morgan was so spread out that its own internal security didn’t realize how many servers it had or that one of them had never been updated to meet industry standards. Nor was it following best practices with management of its internal credentials. At least 90 days passed between the initial theft and its discovery, with the same stolen password working the whole time. JP Morgan might be the country’s biggest bank, but it clearly wasn’t using the best security system. Hiring an outside firm with the expertise to do an independent review of every system is how you can avoid forgetting the little holes.
Equifax (2017)
What Happened: What’s worse than your bank account information being compromised? Having your credit report exposed. Equifax had one of the most sterling reputations around until last year, when hackers ripped the data of 145.5 million Americans from the credit report giant. Like the others on this list, the hack lasted for months, starting in May and not being discovered until July 29. The hackers exploited a web app vulnerability in the US. Even worse, the company set up a website called equifaxsecurity2017.com where customers could see if they had been affected, then accidentally tweeted it out as securityequifax2017.com, which was a phishing site. That the breach was discovered July 29, but not made public until September 7, didn’t help matters much either.
What We Learned: Every security patch and update is important. According to the Apache Foundation, Equifax was made aware of a security vulnerability two months before the attack and did nothing about it, even when an industry fix was shared with the firm. The patch was made available in March of 2017. Equifax shares dropped 33% in the first week after the hack was announced. The investigation is ongoing as of January 2018, but if Equifax is found to have failed its customers by not upgrading security, it could spell the end of the credit report giant.