Lessons Learned From Recent Cybersecurity Breaches
The existence of hackers, or individuals trying to exploit others through digital or machine means, is not a new idea. As early as 1942, Rene Carmille (often called the first “ethical hacker”) sabotaged Nazi punchcard machines so that they wouldn’t return any census data on religion, thus protecting the identity of thousands of Jewish citizens.
Unfortunately, most hackers aren’t as well-intentioned as Carmille. As the world has become increasingly digitized and the number of people using computers has grown into the billions, cybercrime has become a much more lucrative proposition. In fact, cybercrime is estimated to cost the world $10.5 trillion by 2025, exceeding the total economic cost of all natural disasters and making it more profitable than the entire global drug trade combined. And not all of these are “hacks” in the traditional sense of the word. There are plenty of instances where simple user error is to blame.
With cybercrime near the forefront of every business’ major concerns, we decided to take a look back at some of the most significant hacks in recent years, how they happened, and what you can learn from them.
2004: AOL Leaks Customer Data
In 2004, a list of 92 million AOL screen names was sold to a third party, who then used them to promote his online gambling company. Investigation revealed that the list was obtained by AOL employee Jason Smathers, who used another employee’s ID to gain access to the list of screen names, zip codes, telephone numbers, and credit card types.
The lesson here is to take precautions against allowing employees unfettered access to important information. Sharing login credentials should be strictly prohibited, and password managers can ensure that your employees only have access to the areas that you allow them.
It’s also worth noting that AOL should never have kept an easily accessible master list of customer information where it could be accessed at all. By isolating information and allowing it to be visible only to the people who need it, you can make it much more difficult for any malicious actor to gain access to large amounts of data.
2006: The Veterans Affairs Department Breach
In 2006, the medical records and personal information of more than 25 million veterans and active duty personnel were lost, resulting in an eventual settlement of more than $20 million. How? A VA data analyst transferred some data onto a laptop, which was then either lost or stolen. The laptop was recovered with the data intact, but it’s impossible to say whether the data was copied in the interim.
Managing sensitive data on devices outside your office presents an entirely new set of challenges, which we’ve talked about before in reference to the rising work-from-home movement. Precautions like BIOS-level encryption and VPNs can help prevent the spread of sensitive data, but companies should seriously consider whether they can safely allow remote work at all.
2013: Target’s Credit Card Databases Hacked
In 2014, Target announced that the credit card information of anyone who had made a purchase between November 27 and December 15 of 2013 — some 40 million people — had been compromised.
Upon further digging, it appears that the breach was due to a simple network segmentation oversight. In early 2014, security blogger Brian Krebs reported that hackers had gained access to the Target network with credentials stolen from an HVAC contractor that does work at a number of Target locations. From there, they were able to install malware in the company’s point-of-sale systems.
The lesson here is to ensure that access to sensitive data is only granted to the people who need it and no one else. If Target had implemented the proper protocols to ensure that their HVAC contractors couldn’t access anything on the company network besides the temperature and fan data they needed for their installations, this hack would never have happened.
2017: The Equifax Data Breach
In one of the most damaging data breaches in history, Equifax — one of the “Big Three” credit monitoring companies in the U.S. — announced in 2017 that the personal information of more than 147 million people had been compromised. This information included names, birth dates, Social Security numbers, and addresses, putting nearly half the country at substantial risk for identity theft.
The Equifax breach was especially infuriating to many Americans because they had never entrusted their data to Equifax in the first place. Instead, credit monitoring companies get their relevant data from banks, landlords, and other lenders without the consent of the individuals involved.
The hack started when the United States Computer Emergency Readiness Team warned of a potential vulnerability on March 8, 2017. Naturally, once hackers became aware that such a vulnerability might exist, they began looking for instances of such weakness. They found one in Equifax’s dispute portal. From there, they were able to learn login credentials for three servers, which they then used to gain access to 48 additional servers.
Equifax didn’t notice that anything was wrong for more than two months.
There are a lot of lessons to be learned from Equifax’s mistakes. The first is to keep your software updated — Equifax knew about the server vulnerability and had a patch on hand for more than two months, but never bothered to install it. The second is to use unique passwords. If Equifax had used secure, unguessable passwords for each internal server, the hackers would only have gained access to three servers, not 51. Finally, Equifax had no system in place to recognize that their servers were being accessed in unusual ways or from unauthorized sources. With modern monitoring tools, you should be able to tell who’s logging in, when, and from where, so you can flag anything suspicious.
2021: The SolarWinds Attack
In early 2020, hackers managed to breach the software system of SolarWinds, whose software is used by more than 30,000 enterprise customers to manage their IT resources. When SolarWinds pushed software updates to its customers (like any software company does), the malicious code installed by the hackers was spread to every customer in the supply chain. This software created a backdoor to those customers’ IT systems, which hackers then used to install even more malware. Since SolarWinds’ clients include government organizations and Fortune 500 companies, the implications of such a breach are potentially massive.
More concerning is the fact that no one in a government cybersecurity role noticed the hack until a private company named FireEye called attention to it. FireEye became aware of the hack when it flagged suspicious access to its servers, specifically from strange time zones and at odd times of day. Without FireEye’s algorithms to recognize unorthodox logins, the breach might still be unnoticed.
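The Equifax lesson above (know who is logging in, when, and from where) and FireEye's catch (access at odd times from unexpected places) both come down to comparing each login with a per-account baseline. The following is an added example, not code from this article or from any vendor named in it; the record layout, account name, hosts and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed records: (UTC timestamp, account, source address, target host).
HISTORY = [
    ("2024-03-04T09:12:00", "dba-admin", "10.0.5.21", "db01"),
    ("2024-03-05T10:40:00", "dba-admin", "10.0.5.21", "db01"),
    ("2024-03-06T14:05:00", "dba-admin", "10.0.5.22", "db02"),
]
NEW = [
    ("2024-03-07T09:55:00", "dba-admin", "10.0.5.21", "db01"),
    ("2024-03-08T03:17:00", "dba-admin", "203.0.113.44", "db17"),
    ("2024-03-08T13:30:00", "dba-admin", "10.0.5.22", "db03"),
]

def build_baseline(events):
    """Per account: every source, target host and hour of day seen so far."""
    base = defaultdict(lambda: {"src": set(), "host": set(), "hour": set()})
    for ts, account, src, host in events:
        seen = base[account]
        seen["src"].add(src)
        seen["host"].add(host)
        seen["hour"].add(datetime.fromisoformat(ts).hour)
    return base

def review(event, base, hour_slack=1):
    """Return the reasons a login deviates from its account's baseline."""
    ts, account, src, host = event
    if account not in base:
        return ["unknown account"]
    seen, reasons = base[account], []
    if src not in seen["src"]:
        reasons.append("new source")
    if host not in seen["host"]:
        reasons.append("new target host")
    hour = datetime.fromisoformat(ts).hour
    # Circular distance, so 23:00 and 00:00 are one hour apart.
    gap = min(min(abs(hour - h), 24 - abs(hour - h)) for h in seen["hour"])
    if gap > hour_slack:
        reasons.append("unusual hour")
    return reasons

def alerts(history, new_events):
    """Review each new login against history; keep only the flagged ones."""
    base = build_baseline(history)
    flagged = [(e, review(e, base)) for e in new_events]
    return [(e, why) for e, why in flagged if why]

if __name__ == "__main__":
    for event, why in alerts(HISTORY, NEW):
        print(event[0], event[1], event[2], "->", event[3], why)
```

The "new target host" reason is the one that matters for the Equifax pattern, where a few stolen credentials were reused against dozens of additional servers.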
The SolarWinds attack is part of a relatively recent class of cybercrime known as “supply chain attacks,” which use one piece of software in a company’s tech stack to access the company’s internal data. Unfortunately, as organizations begin to rely more and more on third-party services, they open themselves up to new avenues of attack.
The primary takeaway is the importance of paying close attention to how much access you’re granting to any third-party service that you integrate into your workflows. Read their terms and conditions closely and keep an eye out for unauthorized activity.
2021: Parler’s Data Breach
Parler rose to prominence as a bastion of uncensored free speech, a direct response to perceived censorship of right-wing views by major social media platforms. After Donald Trump’s removal from Twitter, Parler’s popularity skyrocketed.
This stratospheric rise brought some unwanted attention, culminating in a data breach in which a hacking group announced that they had successfully downloaded and archived “99 percent” of the site’s public data, including personal information and incriminating evidence of people who had participated in the January 6 Capitol raid.
While initial rumors indicated the hack had been carried out by exploiting a bug that allowed hackers to create millions of admin accounts, the truth was far simpler: Parler had failed to implement even the most basic security measures. For example:
- Parler was vulnerable to an insecure direct object reference (IDOR), a flaw wherein a hacker can reach data simply by guessing the pattern that a program uses to reference it. In this case, Parler simply numbered its posts in order, meaning that any user could increase the value of the number in a Parler URL by one and see the next post on the site.
Twitter also uses URL sequencing. If you look at any given tweet, you’ll see a 19-digit number, but that number is randomized. You can’t simply enter a different number and see another tweet.
- Parler allowed anyone to see public posts without authentication like a CAPTCHA and didn’t use “rate-limiting” tools to limit the number of posts a user can see, meaning any very simple bot written with a few lines of code could download every single public post, in order, as fast as the computer could run the code.
- Parler failed to scrub metadata from uploaded photos and videos, allowing any user to see where a photo was taken and when. To emphasize the gravity of this mistake, Kyle McDonald created an interactive map showing the exact locations of every photo and video leaked from Parler, often associated with the user’s real name.
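The first two failures in this list have well-known server-side counterparts: public identifiers that cannot be derived from a neighbouring post, and a per-client request budget. The sketch below is an added example, not Parler's or Twitter's code; `PostStore`, `SlidingWindowLimiter`, `fetch` and the limits used are hypothetical names and values chosen for illustration.

```python
import secrets
import time
from collections import defaultdict, deque

class PostStore:
    """Posts keyed by random public IDs; the sequential row number stays internal."""
    def __init__(self):
        self._by_public_id = {}
        self._next_row = 1

    def create(self, body):
        public_id = secrets.token_urlsafe(16)  # 128 random bits, 22 URL-safe chars
        self._by_public_id[public_id] = (self._next_row, body)
        self._next_row += 1
        return public_id

    def get(self, public_id):
        row = self._by_public_id.get(public_id)
        return row[1] if row else None

class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window_s`-second span."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self._hits = defaultdict(deque)

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        hits = self._hits[client]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()                      # forget requests outside the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

def fetch(store, limiter, client, public_id, now=None):
    """Return an (HTTP-style status, body) pair for one read request."""
    if not limiter.allow(client, now):
        return 429, None                        # over budget: Too Many Requests
    body = store.get(public_id)
    return (200, body) if body is not None else (404, None)
```

Random identifiers only stop enumeration of content that is meant to be public; anything private still needs an authorization check on every request, which is the actual remedy for an IDOR.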
Parler did almost everything wrong. As one cyber expert put it, “This is like a Computer Science 101 bad homework assignment, the kind of stuff that you would do when you’re first learning how web servers work. I wouldn’t even call it a rookie mistake because, as a professional, you would never write something like this.”
But while Parler isn’t the most sympathetic victim, the fact that so many people’s personal information — even the location of their homes — was so easy to access is a lesson worth learning. Exercise skepticism about the security claims of any software or platform to which you entrust your information, and don’t share anything that’s not completely necessary.
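The metadata failure in the list above is fixed at upload time by dropping the segments of a JPEG that carry Exif, XMP, IPTC and comment data before the file is stored. This is an added example, not code from any platform discussed here; the choice of segments to strip is an assumption, and the sample bytes are constructed (structurally valid segments, not a decodable photo).

```python
import struct

STRIP = {0xE1, 0xED, 0xFE}  # APP1 (Exif/XMP), APP13 (IPTC), COM (comments)

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Copy a JPEG segment by segment, omitting the metadata segments in STRIP."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(data[:2])
    pos = 2
    while pos < len(data):
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"malformed segment at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:
            # Start of scan: compressed image data runs to the end of the file.
            out += data[pos:]
            return bytes(out)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length          # length counts its own two bytes
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker not in STRIP:
            out += data[pos:end]
        pos = end
    raise ValueError("no start-of-scan marker found")

def seg(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed JPEG segment (used for the constructed sample)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JFIF header, an Exif segment with placeholder GPS text,
# a dummy quantization table, then scan data and the end-of-image marker.
EXIF_SEG = seg(0xE1, b"Exif\x00\x00GPS=00.0000,00.0000 (constructed)")
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + EXIF_SEG + seg(0xDB, bytes(65))
          + seg(0xDA, bytes(6)) + b"\x12\x34\xff\xd9")

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE)
    print(len(SAMPLE), "->", len(cleaned), "bytes; Exif present:", b"Exif" in cleaned)
```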
Talk to the Experts
The world of cybersecurity is complicated, and it’s getting more complicated every day. In addition to malicious hackers, you need to worry about accidental publication, inside jobs, lost or stolen hardware, poorly configured systems, poor security in third-party vendors, and more.
It’s implausible to keep track of the shifting landscape of cybersecurity while simultaneously running a business, which is why you need the help of an expert technology consultancy like Madison Taylor Technology. We’ll examine every aspect of your company’s cybersecurity profile from internal procedures to third-party integrations to help you find vulnerabilities and opportunities to improve. If you’re ready to start taking your company’s cybersecurity seriously, talk to Madison Taylor Technology today.