Bad News In Tech: 2016's biggest data breach fails (so far...)
- 17 December, 2016 00:57
For the year that brought you the deaths of David Bowie, Alan Rickman, and Lemmy Kilmister, plus the catastrophic political bonus balls of Brexit and the election of Donald Trump, these technology disasters might seem like they pale in comparison. Nonetheless, there's a strong mixture of misery to sift through this year.
Barely a day goes by without some high-level data breach putting customers at risk and 2016 was no exception. Here are just some of the worst.
In September this year, Yahoo disclosed that a "copy of certain user account information" had been compromised in 2014 - to the tune of 500 million user accounts.
New-ish Yahoo CISO Bob Lord said at the time in a statement that the business believed the compromise was linked to a "state-sponsored actor" and could have included everything from names to email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.
The announcement came less than a year after a blustering interview in which Lord described the creation of a new team called the Paranoids, who would work tirelessly to protect Yahoo's billion users.
Senators were quick to criticise Yahoo for its apparent reluctance to disclose the hack.
"Millions of Americans' data may have been compromised for two years," they said. "This is unacceptable." Yahoo responded at the time by claiming to have only discovered the extent of the attack in an unrelated security audit following a separate incident.
Most recently, Yahoo admitted in a securities filing that some employees were aware of the attack in 2014. The timeline remains unclear, and the company did not say whether this was communicated to senior management.
According to the New York Times, 23 lawsuits have been filed against Yahoo, both in the US and elsewhere.
Database and cloud supremo Oracle disclosed that its Micros payment subsidiary had been compromised by a Russian criminal group, and commentators suggested that the attack was likely linked to a series of cash-grabs and online fraud.
Independent infosec journalist Brian Krebs unearthed the evidence, and noted that when Oracle acquired Micros in 2014, the latter was in use at more than 200,000 food and drink outlets, 30,000 hotels, and at least 100,000 retail stores - providing wide scope for financial gain.
Krebs' source believed that the breach probably began with one infected system in Oracle's network - which was then used to gain access to others. The attackers were also believed to have installed malware on the Micros support forum which was then used to steal Micros customer usernames and passwords.
The company that operates the largest network of 'casual dating' adult websites in the world, including AdultFriendFinder.com, and which previously owned Penthouse.com, was subject to an enormous compromise of 412 million accounts in November this year.
Perhaps worse still, the business appeared to have retained the details of deleted users, stored under their original email address with the suffix @deleted1.com. According to LeakedSource, which discovered the data, the passwords had been stored either in plain text or as SHA1 hashes, and as the site notes, neither is considered secure.
Not only is the leak of tremendous scale, the highly confidential nature of the websites opened customers up to the potential of blackmail. Of course, some of the users did not help themselves: the six most common passwords were all variations of 123456789 in numerical order, and the next most popular password was 'password'.
The chief executive of Tesco Bank was forced to admit that it had been subject to a "systematic, sophisticated attack" in which some 20,000 customers lost money from their accounts. According to CEO Benny Higgins, 40,000 accounts registered suspicious transactions, and roughly half of these had money removed.
The attack saw Tesco Bank suspend all online banking until the problems were resolved. It promised to refund users who had money stolen from their accounts, though many said they were left out of pocket in the meantime.
Worse still, rival banks accused Tesco of issuing sequential debit card numbers. Critics say this makes fraud easier to conduct undetected: once an attacker holds one valid card number, the neighbouring numbers are almost certainly genuine cards too, so there is no need to guess and no trail of failed attempts on non-existent accounts. Tesco has avoided commenting on exactly how the attacks took place because it is an "ongoing investigation", but did claim that no customer data was lost, and that the system itself was not breached.
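To make concrete why sequential card numbers matter, here is an added example in Python; it is not code from the article or from Tesco Bank. It assumes a constructed 16-digit card number with a made-up issuer prefix of 400000, with the account number being the nine digits between that prefix and the Luhn check digit (prefix lengths and number lengths vary by card scheme, so they are parameters). The first function shows that with sequential issuance, one known card number yields its neighbours for free, because the only digit that changes unpredictably is the check digit, and the Luhn algorithm makes that computable. The second is a simple detection heuristic an issuer could run over authorisation attempts: flag runs of numerically adjacent account numbers.

```python
def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a digit string that lacks its final digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # the rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the card number passes the Luhn check."""
    return pan.isdigit() and len(pan) >= 2 and pan[-1] == luhn_check_digit(pan[:-1])


def sequential_pans(pan: str, count: int, iin_len: int = 6) -> list:
    """Given one valid PAN, return the next `count` PANs an issuer would hand
    out if it assigned account numbers sequentially. Everything except the
    check digit is predictable, and Luhn supplies the check digit."""
    if not luhn_valid(pan):
        raise ValueError("not a Luhn-valid PAN")
    iin, account = pan[:iin_len], pan[iin_len:-1]
    width = len(account)
    result = []
    for k in range(1, count + 1):
        nxt = str(int(account) + k)
        if len(nxt) > width:    # account-number space exhausted
            break
        payload = iin + nxt.zfill(width)
        result.append(payload + luhn_check_digit(payload))
    return result


def adjacent_clusters(pans, iin_len: int = 6, max_gap: int = 1, min_size: int = 3) -> list:
    """Detection heuristic: sort the account numbers seen in a batch of
    authorisation attempts and return runs where consecutive account numbers
    are within `max_gap` of each other and the run has at least `min_size`
    members. Legitimate traffic from randomly assigned cards almost never
    produces such runs."""
    accounts = sorted({int(p[iin_len:-1]) for p in pans if luhn_valid(p)})
    clusters, run = [], []
    for acct in accounts:
        if run and acct - run[-1] > max_gap:
            if len(run) >= min_size:
                clusters.append(run)
            run = []
        run.append(acct)
    if len(run) >= min_size:
        clusters.append(run)
    return clusters


# Constructed sample data: a made-up issuer prefix, not any real card range.
SEED_PAN = "4000001234567899"                     # Luhn-valid by construction
UNRELATED = "400000987654321"
UNRELATED += luhn_check_digit(UNRELATED)          # a valid but distant card

# A batch of attempted authorisations as a fraud-monitoring system might see them.
SAMPLE_ATTEMPTS = [SEED_PAN] + sequential_pans(SEED_PAN, 5) + [UNRELATED]

if __name__ == "__main__":
    print("neighbours of", SEED_PAN, "->", sequential_pans(SEED_PAN, 5))
    print("suspicious runs:", adjacent_clusters(SAMPLE_ATTEMPTS))
```

The issuing-side fix is randomised account-number assignment, so that a neighbour of a known card is valid only by coincidence; the adjacency check above is a monitoring stopgap, not a substitute for it.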
The banking wing of the supermarket giant is in the process of paying back £2.5 million to customers who had their accounts compromised.
Way back in 2012, LinkedIn disclosed a major breach of 6.5 million user passwords, which it alleged was the work of Russian cyber criminals. But four years later it emerged that the hack was much more severe than initially thought, with 167 million user details up for grabs in exchange for Bitcoin on the dark web. A hacker who called himself Peace told Motherboard at the time that the data was available on the darknet market The Real Deal for roughly $2,200, and the paid hacked-data search site LeakedSource also said it had the data.
LinkedIn began invalidating passwords for all accounts created before the 2012 breach whose passwords had not been changed since, and alerted those users to reset them. In a statement, LinkedIn's CISO Cory Scott told users to create strong passwords and enable two-step verification to keep their accounts safe.
But LinkedIn came under fire for failing to 'salt' the passwords, which had been hashed with plain SHA1. Salting means combining each password with a random value before hashing it and storing that value alongside the hash, so that two users with the same password end up with different hashes and an attacker cannot crack the whole dump with a single precomputed table of common passwords.
LinkedIn said that although the breach was much larger than first thought, the compromised usernames and passwords were not the result of a new security breach.
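The following added example, in Python, illustrates both the unsalted SHA1 hashes criticised in the LinkedIn breach and the plain-text and SHA1 storage LeakedSource reported in the AdultFriendFinder dump; it is not code from the article or from either company. The credential rows, email addresses and password list are constructed for the demonstration. The first half shows that, with no salt, a single lookup table of common passwords cracks every account in a dump at once, and that two users who chose the same password are visibly linked by identical hashes. The second half stores passwords the way a practitioner would today: a per-user random salt from `os.urandom` combined with a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from the standard library), so the same password produces a different stored value for every user and each guess costs the attacker real work.

```python
import hashlib
import hmac
import os

# Constructed sample inputs (not data from any real breach).
COMMON_PASSWORDS = ["123456", "12345", "123456789", "12345678", "1234567890",
                    "1234567", "password", "qwerty", "letmein"]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest()


# Rows in the two formats the article describes: plain text and unsalted SHA1.
LEAKED_ROWS = [
    ("alice@example.com", "plain", "123456"),
    ("bob@example.com",   "sha1",  sha1_hex("password")),
    ("carol@example.com", "sha1",  sha1_hex("password")),   # same hash as bob
    ("dave@example.com",  "sha1",  sha1_hex("correct horse battery staple")),
]


def build_lookup(wordlist) -> dict:
    """Hash each candidate once. Without a salt, this one table applies to
    every account in the dump, which is the whole problem."""
    return {sha1_hex(w): w for w in wordlist}


def crack_unsalted(rows, wordlist) -> dict:
    """Recover passwords from plain-text rows directly and from unsalted SHA1
    rows by table lookup. Returns {email: password} for every hit."""
    table = build_lookup(wordlist)
    recovered = {}
    for email, fmt, value in rows:
        if fmt == "plain":
            recovered[email] = value
        elif fmt == "sha1" and value in table:
            recovered[email] = table[value]
    return recovered


# Hardened storage: random per-user salt plus a slow, iterated KDF.
ITERATIONS = 600_000          # tune to your hardware; higher is slower for attackers too


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'salt_hex$digest_hex'. A fresh 16-byte salt is drawn unless one
    is supplied (the parameter exists so tests can be deterministic)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print("cracked from unsalted dump:", crack_unsalted(LEAKED_ROWS, COMMON_PASSWORDS))
    bob, carol = hash_password("password"), hash_password("password")
    print("same password, different stored values:", bob != carol)
    print("verify correct:", verify_password("password", bob),
          "verify wrong:", verify_password("Password", bob))
```

Salting alone does not make SHA1 adequate: the hash is fast enough that a salted SHA1 dump is still crackable one account at a time, which is why the hardened half pairs the salt with an iterated KDF (bcrypt, scrypt or Argon2 are equally good choices where available).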
A suspect, Russian citizen Yevgeny Nikulin, 29, was arrested in Prague and now faces extradition to the United States.