In my last post, I wrote about Verizon’s impressive annual Data Breach Investigations Report. The DBIR has enough eye-opening data analysis and stats to educate even the savviest IT security guru. While we’re waiting for the 2013 report to be released, a good source for real-time breach activity can be found at the Identity Theft Resource Center. Their weekly report and statistical summary of verified data exposures is another way to gain additional insights into current IT security practices and the attacker’s hack-craft.
In the last few months, Global Payments and Zappos’s breaches along with rest of the top 5 have received the lion’s share of press attention. Using ITRC’s lists as a guide, I decided to look beyond the more heavily publicized attacks to see what I could learn.
My first stop was the case involving lost data cartridges belonging to one state’s child services department. The backed-up data contained the names of hundreds of thousands of adults and children. Officials explained that the cartridges were misplaced by their vendors, IBM and Iron Mountain.
On a similar theme, I also learned of another incident in which a US bank lost backup tapes containing—you guessed it—customer names, addresses, social security numbers, and credit card numbers.
What’s going on with backups? Anyway, these two examples serve as reminders that controls and procedures to guard against internal staff errors—with backups apparently requiring special attention—shouldn’t be neglected as you battle against external threats.
Then there was the transfer of almost one million Medicaid claim records hacked from another state’s servers. Medicaid data typically contains social security numbers, patient names, and addresses, along with physician names and tax identifiers. The state’s health department was ultimately alerted of this medical information theft.
The attackers involved in the Medicaid job were thought to be part of an Eastern European criminal gang. In this exploit, they were able to, in the words of an official, “circumvent the server’s multi-layered security system.”
From what I could piece together, it seems that a new server was put on-line without privileged passwords being reset. No surprises here. This is a valuable object lesson for IT: damaging but preventable data break-ins are often due more to sys admin oversights than to clever hackers or sophisticated malware.
As the Verizon DBIR notes, and I will re-emphasize, it’s a good idea to monitor unusual file activity from privileged users in order to catch this very common password mishap.
Finally, there was the October hack of one small college’s servers, wherein the personal data of hundreds of thousands students and employees were snatched up. In this caper, the exposed information included student names, social security numbers, and birth days, in addition to employee direct deposit routing and bank account numbers.
Where did the hackers find this data treasure trove? The college president announced that hackers gained access to a folder containing several files of student records. The attack appears to have occurred earlier in the year, and by time the breach was finally discovered, 50 employees, including the president and faculty members, reported incidents of identity theft.
One way this particular data removal could have been prevented or at least minimized is if IT had procedures in place to hunt down files containing text-based personal data identifiers. If your own IT group has better things to do than search for social security numbers among thousand or tens of thousands of files, this Varonis blogger has a suggestion.
Varonis’ IDU Classification Framework has powerful automated capabilities to perform regular expression searches based on configurable patterns and then notify IT admins when, say, a social security number or bank routing number appears in loosely protected files.
Back to ITRC. After looking at several more exploits in the ITRC summaries, it was becoming clearer to me that the hackers’ modus operandi was similar to what we’ve seen in cases involving better known victims.
The bigger data hauls make the news, but the lessons are still the same.
Image credit: Fry1989