2012 was a big year: we survived an apocalypse, screamed our lungs out at the Olympics, and watched another big election year come and go. However, in the midst of all the hullabaloo, people’s lives were being wrecked, computers stolen, and governments attacked. With each new cyber attack, security breach, and internet scam, the world of tech got a bit scarier for all of us.
Below are five stories that I feel best capture the state of data security in 2012.
#1 - Apple+Amazon Personal Information Protocol
In early August, Mat Honan, a well-known tech writer, published an article on Wired detailing how, in 1 hour, his entire digital life was taken over and erased. His information was not stolen through a technical hack; rather, the two perpetrators tricked Apple and Amazon customer service representatives (CSRs) into believing that they were Mr. Honan, and the CSRs then gave them access to his personal information. The thieves were then able to access, control, and wipe his iPhone, MacBook, and many of his online accounts. His tech and online life had been hijacked with just a few calls to two companies.
I won’t detail the specifics here, but I will point out that this was a relatively easy loophole to exploit. Honan explained that he was also able to do it multiple times with other people’s accounts (in a controlled environment).
Since the publication of the story, both Amazon and Apple have changed how they handle phone access to personal information. Amazon CSRs will no longer be able to change credit card and email address settings over the phone. Apple now points customers to its online ‘iforgot’ system to recover passwords, which requires much more personal information than the previous process did.
In the end, Honan was able to recover the majority of the personal data that had been erased.
#2 - South Carolina Department of Revenue (DoR) Breach
On August 13th, an employee at the South Carolina DoR opened a malicious phishing email and clicked the link it contained. The link executed malware that infected the employee’s computer, giving the hacker access to the employee’s username and password. Two weeks later, the hacker entered the system remotely using the credentials obtained earlier.
During the following month the hacker was able to access the entire DoR system without being detected. To do this, the hacker used 4 legitimate usernames and passwords and 33 pieces of malicious code. Among other things, the hacker was able to access 44 DoR systems and create 7-Zip archives containing 74.7 GB of uncompressed data. That data included almost 3.8 million Social Security numbers and 387,000 credit and debit card numbers.
When the South Carolina administration broke the news about the breach, they defended their actions by saying they had been following industry standards and there was nothing they could have done to prevent it. This, however, was later proved to be a false claim. If the state had used proper encryption and key management practices, they could most likely have avoided the breach.
The total cost of the breach to the State is around $14 million (a $20 million bailout was approved to help the State cover additional costs). The total cost to taxpayers, both direct and indirect, is as yet unknown.
#3 - NASA’s Halloween Trick
Halloween is usually a night when kids can go around the neighborhood getting free candy at nearly every door. This past Halloween, however, a NASA employee received a nasty surprise in return: somebody had broken into his car in the night and stolen an unencrypted laptop containing personal information of at least 10,000 employees, contractors, and others. This was the second published breach in 2012 and the third known breach in the past two years.
The director of NASA has offered 1 year of credit monitoring and identity protection to all affected persons. On top of that, he has mandated that all laptops containing personal information must be encrypted by December 21, 2012.
#4 - Nortel’s Hacking Demise
In February, the Wall Street Journal published a report detailing how hackers gained access to the usernames and passwords of top-level executives at Nortel (the now defunct Canadian corporation) in early 2000. The hackers had access to business reports, internal communications, and employee information. The hacks didn’t go unnoticed by employees. In 2004, one employee noticed monthly downloads being made from Chinese IP addresses using the credentials of an executive. He made numerous recommendations regarding Nortel’s database security, but a decision was later made to change only the compromised passwords.
In 2009 Nortel went bankrupt and sold off its assets to various other companies. When the report was released in early 2012, the former CEO of Nortel insisted that the vulnerabilities could not have been passed on to those other companies.
A former senior security advisor at Nortel, Brian Shields, said that he was certain that being hacked played a role in the demise of the company: “When they see what your business plans are, that's a huge advantage. It's unfair business practices that really bring down a company of this size.”
#5 - Lieberman, Collins Cybersecurity Bill Shutdown
On November 14, 2012, a piece of cybersecurity legislation was rejected by the Senate in a vote of 51-47. This was the second piece of cybersecurity legislation rejected in 2012. Senator Lieberman and Senator Collins proposed the bill because of the increasing number of attacks on critical infrastructure in the United States (e.g., banks, utilities, transportation).
Lieberman wrote an op-ed comparing the threat of cyber attacks on America to the surprise attack on Pearl Harbor in 1941. In his article he quoted Defense Secretary Leon Panetta: “The collective result of these kinds of attacks could be a cyber-Pearl Harbor, an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation.”
Such attacks have already taken place in the US. Early last year a Texas water pump was hacked and taken over remotely in 10 minutes. Several major banks’ websites were barraged by denial of service attacks that either knocked them offline or crippled their performance. These attacks aren’t exclusive to the US either; a Saudi Arabian oil company had 30,000 of its computers hacked, hindering the company’s operations.
With this latest cybersecurity bill rejected by the Senate, the US government is shirking the implementation of security measures that could prevent widespread attacks.
Data security breaches affect all of us whether we are the Average Joe or a C-Suite level executive. What can be done individually, as a company, or as a government agency to make sure that 2013 won’t be like 2012 for personal information?
For more information on data privacy, download our podcast Data Privacy for the Non-Technical Person. Patrick Townsend, our Founder & CTO, discusses what PII (personally identifiable information) is, what the most effective methods for protecting PII are, and the first steps your company should take towards establishing a data privacy strategy.