The biggest, headline-grabbing cyber attacks tend to hit the biggest companies. After all, they have the most data.
But even the largest attacks have lessons for every business.
Here are the biggest data breaches and cyber attacks reported in 2017, and what they can teach your small business about network security.
Equifax Data Breach – 145.5 Million Accounts
Credit reporting agency Equifax aggregates financial data on more than 800 million consumers and 88 million businesses worldwide.
On July 29, 2017, the company detected and blocked suspicious network activity associated with a web portal used by U.S. consumers to file disputes.
Later analysis revealed the portal’s application framework, Apache Struts, was outdated and had a severe security vulnerability.
Equifax hired cybersecurity firm Mandiant to conduct a forensic analysis, which revealed a massive data breach affecting 143 million U.S. consumers.
Further investigation later increased the number to 145.5 million – or about 45% of the U.S. population.
Severe Vulnerability Overlooked
Equifax was first alerted to the Apache Struts vulnerability (CVE-2017-5638) on March 8, 2017, more than two months before the breach started, according to testimony to a U.S. House subcommittee by former Equifax CEO Richard Smith.
Equifax failed to act on the alert and apply the available patch. Seven days later, the company also performed vulnerability scans that failed to identify the flaw, said Smith.
Hackers launched the attack exploiting the vulnerability about two months later, on May 13, 2017.
By the time the breach was discovered in late July, hackers had accessed dozens of databases and created more than 30 backdoors into Equifax’s systems.
- Know your systems – Equifax failed to recognize that an alert for a critical vulnerability applied to one of its own web portals. A flaw that, under the company's own policy, should have been patched within 48 hours went unpatched for months. You cannot patch what you do not know you are running, so keep an inventory of the frameworks and versions behind every internet-facing application.
- Scans Aren't Enough – Equifax's vulnerability scans, performed seven days after the Apache Struts flaw became public, did not identify the weakness in its web portal. Scanners miss things, so cross-check their results with a second tool and with your own inventory of installed software, and never rely on any single tool to "handle" your security.
Uber Data Breach – 57 Million Records
Uber’s CEO revealed on Nov. 21, 2017, that the ride-hailing service had failed to disclose a massive data breach the previous year.
In Oct. 2016, hackers accessed a server containing personal information for more than 57 million Uber drivers and riders. They demanded a $100,000 ransom to delete their copy of the data, which Uber paid.
The attackers allegedly first accessed a private GitHub repository used by Uber’s developers. The repository contained code with login credentials for other Uber systems, which ultimately provided access to the stolen data.
Uber later identified the hackers and pushed them to sign nondisclosure agreements. It also disguised the ransom payment as part of a bug bounty program, according to the New York Times.
Lawsuits from attorneys general across the U.S. are already raining down on Uber.
The Uber data breach may prove to be an example of the cover-up being worse than the crime. The breach undoubtedly harmed the company’s brand, but the damage caused by hiding the attack has only begun, and the legal fallout has barely started.
The technical lesson is that credentials do not belong in a source code repository, private or not. The legal lesson is to know the data breach notification laws and rules that apply at your local, state, and federal level, and those that apply to your industry.
Also, when in doubt, err on the side of transparency. Thousands of companies have been breached. Most customers will forgive you (but some won’t).
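The entry point described above was a private repository that contained working credentials. The following is an added example, not code from the original article or from Uber: a pre-commit style scanner that flags AWS access key IDs (the documented `AKIA` + 16 character shape), AWS secret keys assigned in configuration, and quoted hardcoded passwords. The sample files and the key values in them are constructed; the AWS values are the placeholder examples from AWS's own documentation, not real keys.

```python
import re
import sys
from typing import Dict, List, Tuple

# Signatures for secrets that should never be committed. The AWS key-ID shape
# (AKIA + 16 uppercase alphanumerics) is documented; the other two are generic
# assignment patterns, so expect some noise and tune them to your code base.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "hardcoded_password": re.compile(
        r"(?i)\b(password|passwd|pwd)\s*[=:]\s*['\"]([^'\"\s]{6,})['\"]"),
}


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line number, signature name) for every hit in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """files maps a repository path to its contents, as a pre-commit hook
    would read them from the staged changes."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository. The AWS values are the placeholder examples
# from AWS documentation; the password is made up.
SAMPLE_REPO: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "scripts/backup.sh": (
        "#!/bin/sh\n"
        "PASSWORD='hunter2hunter2'\n"
        "mysqldump -u backup -p\"$PASSWORD\" riders > riders.sql\n"
    ),
    "README.md": "Set credentials via the environment, never in this repo.\n",
}


if __name__ == "__main__":
    hits = scan_files(SAMPLE_REPO)
    for path, lineno, name in hits:
        print(f"{path}:{lineno}: possible {name}")
    # A hook exits non-zero to block the commit until the secret is removed.
    sys.exit(1 if hits else 0)
```

Wire this into a pre-commit hook and into CI on every push; a private repository only hides the secret from the public, not from anyone who obtains a developer's credentials or a stolen laptop. Secrets that are already committed must be rotated, since rewriting history does not unleak them.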
WannaCry Cyber Attack – 300,000 Systems
What some have called “the worst ransomware attack ever” struck in May 2017, infecting an estimated 300,000 computer systems in just four days.
WannaCry was similar to many ransomware attacks, i.e. it encrypted files and demanded a Bitcoin payment to decrypt them.
However, it differed in one major way: worm tactics.
Once WannaCry infected a machine, it scanned the local network and random internet addresses for other hosts exposing the vulnerable SMB service, and attacked them. The subsequent infections occurred automatically, without any user interaction.
This allowed WannaCry to seize entire networks and even hop to others, rapidly sparking a flash epidemic worldwide.
The National Health Service in the U.K. was hit particularly hard, with at least one-third of health trusts (i.e. healthcare offices and services) disrupted and over 19,000 appointments canceled, including surgeries.
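The worm behaviour described above has a network signature: one host suddenly opening SMB (445/tcp) connections to many distinct addresses. The following is an added example, not code from the original article or from any WannaCry analysis: a detector that reads firewall-style connection logs and flags any source that reaches more than a threshold of distinct 445/tcp targets inside a sliding 60-second window. The log format and the sample lines are constructed for the demo; map the parser to your own firewall or NetFlow export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

SMB_PORT = 445
WINDOW = timedelta(seconds=60)
THRESHOLD = 20  # distinct 445/tcp targets from one source within WINDOW


def parse_line(line: str) -> dict:
    """Constructed log format: '<ISO timestamp> <src> <dst> <dport> <action>'."""
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def detect_smb_scanners(lines: List[str]) -> Dict[str, int]:
    """Return {source: peak distinct 445/tcp targets in one WINDOW} for every
    source that reaches THRESHOLD. Denied connections count too: a worm
    probing addresses it cannot reach is still a worm."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    windows: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for event in events:
        if event["dport"] != SMB_PORT:
            continue
        q = windows[event["src"]]
        q.append((event["ts"], event["dst"]))
        while q and event["ts"] - q[0][0] > WINDOW:
            q.popleft()  # drop connections older than the window
        distinct = len({dst for _, dst in q})
        peak[event["src"]] = max(peak[event["src"]], distinct)
    return {src: n for src, n in peak.items() if n >= THRESHOLD}


def build_sample_log() -> List[str]:
    """Constructed sample: one benign workstation, one host sweeping its /24."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    lines = []
    # Benign workstation talking to its two file servers over several minutes.
    for i in range(10):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 10.0.1.15 10.0.0.{5 + i % 2} 445 ALLOW")
    # Infected host sweeping 40 neighbours on 445/tcp within ten seconds.
    for i in range(1, 41):
        ts = base + timedelta(minutes=2, milliseconds=250 * i)
        action = "ALLOW" if i % 3 else "DENY"
        lines.append(f"{ts.isoformat()} 10.0.1.77 10.0.1.{i} 445 {action}")
    # Unrelated HTTPS traffic from the same host must not count.
    ts = base + timedelta(minutes=3)
    lines.append(f"{ts.isoformat()} 10.0.1.77 203.0.113.10 443 ALLOW")
    return lines


if __name__ == "__main__":
    for src, n in detect_smb_scanners(build_sample_log()).items():
        print(f"ALERT {src}: {n} distinct SMB targets within {WINDOW.seconds}s")
```

Tune `THRESHOLD` to your environment: backup servers and vulnerability scanners legitimately touch many hosts on 445, so allow-list them rather than raising the threshold for everyone. Pair the alert with an automatic quarantine of the source, because by the time a human reads it the worm has already moved on.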
Stolen NSA Cyber Weapons
WannaCry spread via EternalBlue, an exploit for Windows Server Message Block version 1 (SMBv1), a legacy network file-sharing protocol that has shipped in every version of Windows for well over 15 years.
The exploit is allegedly from a cache of cyber weapons stolen from the U.S. National Security Agency (NSA) and released publicly on April 14, 2017, by the group calling itself the Shadow Brokers.
Microsoft issued a patch for the vulnerability on March 14, 2017. When the attack began, every Windows system that had not applied a patch available for roughly eight weeks was vulnerable.
The importance of patching cannot be overstated. When WannaCry struck, administrators with freshly patched Windows machines had little to fear.
You must keep systems updated with the most current versions of operating systems and software.
Also, plan for disaster. This attack targeted a vulnerability in millions of Windows systems. A patch had been available for only about two months.
Another attack of this scale is inevitable. When it hits, will you be ready? Will you recover?
Yahoo! Makes History, Again – 3 Billion Accounts
Yahoo!’s record-busting data breach in 2013 may seem like old news, but 2017 revealed it was far worse than reported.
After acquiring Yahoo! in June 2017, Verizon said the 2013 breach affected every one of Yahoo!’s customer accounts – 3 billion accounts in total.
This mind-boggling number is three times the 1 billion affected accounts Yahoo! reported when it first disclosed the breach in Dec. 2016. It is almost ten times the U.S. population.
Since the hack was not discovered until Nov. 2016, the attackers had free access to billions of email accounts for about three years.
More than 150,000 of the accounts were owned by current and former U.S. government and military employees. They included the accounts of White House staff members, U.S. congressmen, and members of the FBI, NSA, and CIA.
Were you affected by the attack? Were your employees?
Given the never-ending stream of data breaches, and the growing tactic known as business email compromise (BEC), you should not trust emails sent from your employees’ personal accounts.
When in doubt, call the sender to confirm the information.
You also should not permit personal accounts to be used for company business – such as sending company files or scheduling company meetings – as the data can be exposed.
The flood of data breaches shows no signs of ebbing, and accounts that are not secured and managed by your organization cannot be trusted.
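One way to enforce the rule above at the mail gateway, as an added example that is not code from the original article: a triage check that flags inbound messages whose display name matches an employee while the sender address is outside the corporate domain (the classic BEC display-name trick), and messages from well-known personal webmail domains. The corporate domain `example.com`, the employee directory and the sample messages are all constructed for the demo.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Constructed directory: normalised display name -> corporate address.
EMPLOYEES: Dict[str, str] = {
    "dana reyes": "dana.reyes@example.com",
    "sam okafor": "sam.okafor@example.com",
}


def normalize(name: str) -> str:
    """Lower-case and collapse whitespace so 'Reyes, Dana' style variants
    still compare; extend with 'last, first' flipping if your directory needs it."""
    return " ".join(name.lower().replace(",", " ").split())


def classify_message(raw: str) -> Optional[str]:
    """Return a reason the message should be treated as untrusted, or None
    when it actually comes from the corporate domain."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == COMPANY_DOMAIN:
        return None
    who = normalize(display)
    if who in EMPLOYEES:
        return (f"display name matches employee {EMPLOYEES[who]} "
                f"but sender is {addr}")
    if domain in PERSONAL_DOMAINS:
        return f"sender uses personal webmail domain {domain}"
    return None


def triage(messages: List[str]) -> List[Optional[str]]:
    return [classify_message(m) for m in messages]


# Constructed sample messages; addresses and names are made up.
SAMPLE_MESSAGES = [
    "From: Dana Reyes <dana.reyes@example.com>\nSubject: Q3 numbers\n\nAttached.\n",
    "From: Dana Reyes <dana.reyes.cfo@gmail.com>\nSubject: urgent wire\n\n"
    "Please send the wire today, I am travelling.\n",
    "From: Newsletter <news@vendor.example.org>\nSubject: Updates\n\nHi.\n",
    "From: sam okafor <sam.okafor1990@yahoo.com>\nSubject: invoice\n\nSee attached.\n",
    "From: Pat <pat.friend@hotmail.com>\nSubject: lunch?\n\nFriday?\n",
]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        subject = message_from_string(msg)["Subject"]
        print(f"{subject!r}: {verdict or 'trusted sender'}")
```

The display-name match is the important half: an attacker who controls a free webmail account can put any name in the From header, and the check that corporate mail actually came from the corporate domain should be backed by SPF, DKIM and DMARC on that domain so the domain itself cannot be forged.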
Deep Root Analytics Data Breach – 198 Million U.S. Voters
Personal information for nearly 200 million U.S. voters was discovered on June 12, 2017, in an unsecured cloud server operated by the political data firm Deep Root Analytics.
Anyone who knew the storage address, which used the subdomain “dra-dw” (i.e. “Deep Root Analytics data warehouse”), could access the trove of data without any authentication.
Takeaway: cloud storage must not be reachable by anyone who can guess its name. Restrict access to authenticated principals and audit the configuration, since the default assumption that a bucket is obscure is not a control.
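The exposure above is what a wildcard-principal storage policy looks like in practice. The following is an added example, not code from the original article or from Deep Root Analytics, and it assumes the storage is an AWS S3 bucket: it shows a bucket policy that grants read and list to everyone beside one that grants the same rights only to a named role over TLS, and a checker that flags Allow statements whose Principal is `*` with no Condition narrowing it. The bucket name is the one named in the report; the policies, account ID and role name are constructed.

```python
import json
from typing import Any, List

# Constructed weak policy: anyone on the internet may list and read the bucket.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::dra-dw", "arn:aws:s3:::dra-dw/*"],
    }],
})

# Constructed corrected policy: one named role, and only over TLS.
# The account ID and role name are placeholders.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnalyticsRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-etl"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::dra-dw", "arn:aws:s3:::dra-dw/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principals(principal: Any) -> List[str]:
    """Flatten the Principal element: '*' or {'AWS': [...]} or {'Service': ...}."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        flat: List[str] = []
        for value in principal.values():
            flat.extend(_as_list(value))
        return flat
    return []


def public_statements(policy_json: str) -> List[str]:
    """Return the Sids of Allow statements that grant access to everyone
    ('*' or {'AWS': '*'}) with no Condition at all. A wildcard principal
    that carries a Condition (aws:SourceVpce, aws:PrincipalOrgID, ...) may be
    fine or may not, so it is left for manual review rather than flagged."""
    policy = json.loads(policy_json)
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    for label, policy in (("public", PUBLIC_READ_POLICY),
                          ("restricted", RESTRICTED_POLICY)):
        print(f"{label}: public statements = {public_statements(policy)}")
```

Run the checker over every bucket policy your account exports, and turn on the account-level S3 Block Public Access setting as well, so that a policy like the first one is refused at write time rather than found later by a researcher.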
Rasputin Attacks – 60 Universities and Federal Agencies
Rasputin, alleged to be a lone hacker, used SQL injection (SQLi) to breach databases hosted by dozens of universities and government agencies beginning in late 2016 and continuing into 2017.
The victims include:
- Cornell University
- University of Cambridge
- U.S. Postal Regulatory Commission
- U.S. Department of Housing and Urban Development
- Rhode Island Department of Education
- And the list goes on…
SQLi attacks are used to “inject” database commands into web applications. When successful, they can reveal and/or modify information stored in the application’s database.
Harden your web applications.
Check this list of SQLi resources from the Open Web Application Security Project (OWASP), which explains how to avoid SQLi vulnerabilities and how to test for them.
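To make the injection mechanism in the paragraphs above concrete, here is an added example that is not code from the original article or from any of the victims: a vulnerable lookup that concatenates user input into SQL, beside the parameterized version OWASP recommends, run against a constructed in-memory SQLite student directory. The two payloads are generic textbook strings; the table, names and SSN values are made up.

```python
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample: a small student directory with a sensitive column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER, name TEXT, email TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?, ?)", [
        (1, "Alice Nguyen", "an123@example.edu", "000-00-0001"),
        (2, "Bilal Khan", "bk456@example.edu", "000-00-0002"),
        (3, "Chloe Martin", "cm789@example.edu", "000-00-0003"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """VULNERABLE: the caller's string becomes part of the SQL text, so a quote
    in the input ends the literal and the rest is executed as SQL."""
    sql = f"SELECT id, name, email FROM students WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """SAFE: a parameterized query. The value travels to the engine separately
    from the statement, so it can only ever be compared, never executed."""
    sql = "SELECT id, name, email FROM students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed payloads: a tautology that returns every row, and a UNION that
# pulls the SSN column into a result the page was never meant to show.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT id, ssn, email FROM students --"


if __name__ == "__main__":
    conn = build_db()
    for payload in (TAUTOLOGY_PAYLOAD, UNION_PAYLOAD):
        print(f"payload {payload!r}")
        print("  vulnerable:", lookup_vulnerable(conn, payload))
        print("  safe:      ", lookup_safe(conn, payload))
```

The parameterized version is not "escaping": nothing is quoted or filtered, and the same code handles a name that legitimately contains an apostrophe. Apply it to every query that touches user input, including the ones built by ORMs' raw-SQL escape hatches, and back it with a database account that holds only the privileges the application needs.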
Other Notable Data Breaches in 2017
Taringa – 28 Million Accounts
The Argentina-based social network Taringa was alerted in Sept. 2017 to a leak of about 28 million user records. The database is believed to have been stolen around Aug. 1, 2017.
Passwords in the database were hashed with MD5, a fast general-purpose hash that is notoriously unsuitable for passwords. A breach notification service claimed to crack nearly 27 million of the passwords within a few days.
Takeaway: never store passwords with a fast hash such as MD5. Use a slow, salted password hash designed for the job (bcrypt, scrypt, Argon2 or PBKDF2 with a high work factor), and encrypt other sensitive data at rest with strong, modern algorithms.
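Why 27 million MD5 hashes fall in days is easiest to see by running the attack. The following is an added example, not code from the original article or from Taringa: a dictionary attack against a constructed set of unsalted MD5 hashes, then the same attack against the same passwords stored with salted PBKDF2-HMAC-SHA256, counting the work each one costs. The usernames, passwords and word list are made up; the iteration count is the 2023 OWASP recommendation for PBKDF2-SHA256.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed word list; real attacks use hundreds of millions of candidates.
WORDLIST = ["123456", "password", "qwerty", "taringa2017"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(hashes: Dict[str, str]) -> Dict[str, str]:
    """Dictionary attack on unsalted MD5. One hash computation per candidate
    word covers every user at once, because identical passwords produce
    identical hashes; a precomputed table removes even that cost."""
    table = {md5_hex(word): word for word in WORDLIST}
    return {user: table[h] for user, h in hashes.items() if h in table}


PBKDF2_ITERATIONS = 600_000  # OWASP (2023) minimum for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash. Store both salt and digest; the salt is not secret."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def crack_pbkdf2(records: Dict[str, Tuple[bytes, bytes]]) -> Tuple[Dict[str, str], int]:
    """The same dictionary attack against salted PBKDF2. The per-user salt
    prevents sharing work across users and kills precomputed tables, and each
    guess costs PBKDF2_ITERATIONS HMAC evaluations. Returns (cracked, HMACs spent)."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in records.items():
        for word in WORDLIST:
            work += PBKDF2_ITERATIONS
            if verify_password(word, salt, digest):
                cracked[user] = word
                break
    return cracked, work


# Constructed leak: what an MD5-only database hands an attacker.
LEAKED_MD5: Dict[str, str] = {
    "alice": md5_hex("password"),
    "bob": md5_hex("taringa2017"),
    "carol": md5_hex("Tr0ub4dor&3"),
}


def build_pbkdf2_records() -> Dict[str, Tuple[bytes, bytes]]:
    """The same two of those users, stored properly."""
    return {"alice": hash_password("password"), "carol": hash_password("Tr0ub4dor&3")}


if __name__ == "__main__":
    print("MD5 cracked:", crack_md5(LEAKED_MD5))
    cracked, work = crack_pbkdf2(build_pbkdf2_records())
    print(f"PBKDF2 cracked: {cracked} after {work:,} HMAC evaluations")
```

Note that a slow hash does not save a user whose password is in the word list (alice still falls); it multiplies the attacker's cost per guess by the work factor and removes the ability to attack all 28 million users with one computation. If you already hold MD5 hashes, wrap them in the slow hash immediately and re-hash each password on the user's next login.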
Verizon – 14 Million Accounts
The name, mobile number, and account PIN for 14 million Verizon customers were discovered unsecured online in June 2017. The leak was due to a server misconfiguration by a third-party vendor.
Takeaway: ensure your vendors – and anyone else handling sensitive customer data – keep it secure. Their misconfiguration is your breach.
InterContinental Hotels Group – 1,200 Locations
Point-of-sale malware infected about 1,200 properties owned by UK-based InterContinental Hotels Group, which includes brands such as Holiday Inn and Kimpton Hotels.
The breach spanned three months in 2016 and was acknowledged by IHG in Feb. 2017.
The company claimed only a dozen properties were affected at the time, which later increased to more than 1,000. The number of customers affected was not reported.
Reports indicate the malware captured customers’ unencrypted credit card data as it passed through the hotels’ payment servers. Hotels that had adopted a secure payment system, which reportedly kept card data encrypted from the card reader onward, were said to be unaffected by the attack.
Takeaway: keep customer credit card data encrypted end to end, so that it never appears in clear text on the point-of-sale host or any server between the reader and the payment processor.