The worst security SNAFUs of 2013

A year of NSA disclosures, the Syrian Electronic Army hackers, and shaky stock exchanges

This year's award for "Biggest Security SNAFU" can only go to the National Security Agency. Since June, NSA officials have winced as former NSA contractor Edward Snowden began dispensing secrets to the media about how NSA carries out massive surveillance around the world using advanced technology.

The NSA wasn’t using enough security technology internally to even begin to stop Snowden from roaming through its super-secret networks and fishing out what’s now believed to be many thousands of sensitive documents, related not only to NSA’s massive data collection practices across the Internet but also to traditional spy-vs.-spy operations, much of which has not yet gone public.

[Photo: Edward Snowden. Credit: REUTERS/Tobias Schwarz. The signature on the letter of fugitive former U.S. spy agency contractor Edward Snowden is pictured during a news conference in Berlin, November 1, 2013.]

The Snowden revelations so far have generated a backlash against the intelligence agency from privacy advocates everywhere as well as from the U.S. high-tech industry, which has to cooperate with the NSA under U.S. law. And foreign leaders of countries considered friends of the U.S. are enraged that their private calls and data were intercepted for years. There’s no reason to think there won’t be more on this score.

There have been plenty of “security SNAFUs” to go around this year. The media, too, were on the receiving end as the New York Times, Wall Street Journal, CNN, Washington Post and others all reported that networks used by their employees had been hacked by attackers from China, likely for cyber-espionage, or by the Syrian Electronic Army, out of political anger. Also, the stability and security of a key part of the financial system, the electronic stock exchanges, was sometimes shaky.


There are so many SNAFUs, in fact, that we listed details about the ones occurring in the first half of 2013 in our June story. From there, we now pick up the trail of data breaches, cyber-espionage, cyber-extortion and infrastructure collapse. And sometimes it was just plain cyber-stupidity.

July

The U.S. Department of Commerce’s Economic Development Administration (EDA) destroyed about $170,000 worth of IT equipment, including computers, printers, keyboards and computer mice, last year on the mistaken belief that the systems were irreparably compromised by malware. According to the Commerce Department’s Inspector General, which looked into what happened, the bureau was poised to destroy an additional $3 million worth of IT equipment but was prevented from doing so only by a lack of funding for the effort. EDA, whose computer network had been infected by viruses, thought it was under an intense cyber-attack, and employees there spent months without e-mail or access to Internet servers and databases as they sought to build a new network. The Inspector General, however, said the disruption was simply due to a common malware infection on six computers that could have been erased with anti-malware tools and other steps.

The Michigan Department of Community Health notified more than 49,000 individuals that a server was hacked, exposing their names, birth dates, Social Security numbers, cancer-screening test results and testing data.

New York State’s Office of the Medicaid Inspector General announced that an employee there sent 17,743 records of Medicaid recipients to a personal e-mail account, an action wholly unauthorized by supervisors.

The University of Delaware said its investigation into a cyberattack determined that confidential information on more than 74,000 individuals was stolen by attacks exploiting a website vulnerability. The data breach is expected to cost the university millions of dollars.

St. Mary’s Bank, a credit union in New Hampshire, disclosed that malware discovered on an employee computer may have spread to two dozen other computers there. The malware was designed to capture information. The credit union notified 115,775 customers their personal information may have been exposed.

The U.S. Internal Revenue Service mistakenly posted tens of thousands of names, addresses and Social Security numbers — perhaps as many as 100,000 — on a government website, a discovery made by a group called Public.Resource.org.

Game maker Ubisoft disclosed that an account database was breached, revealing users’ personal information.

The U.S. military blocked access to the Guardian’s website for troops in Afghanistan, the Middle East and South Asia because the Guardian was filled with new stories about the NSA disclosures from Snowden. By way of explanation why it was doing this, US Army Lt. Col. Steve Wollman told the Guardian, “U.S. Central Command is among the DoD organizations that routinely take preventative measures to safeguard the chance of spillage of classified information on to unclassified computer networks, even if the source of the information is itself unclassified. One of the purposes for preventing this spillage is to protect Centcom personnel from inadvertently amplifying disclosed but classified information. Classified information is prohibited from specific unclassified networks, even if the information has already been published in unclassified media that are available to the general public, such as online news organizations.”

WellPoint agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential violation of HIPAA data security rules related to a data breach involving personal information on more than 612,000 policyholders that occurred three years ago.

Canonical, which maintains the online Ubuntu Forums for the Ubuntu operating system, acknowledged a data breach in which about 1.82 million logins and e-mail addresses were stolen.

[Photo: Apple. Credit: REUTERS/Robert Galbraith. The Yerba Buena Centre hosts an Apple event in San Francisco, California October 22, 2013.]

Apple announced that an intruder broke into its developer website and downloaded the personal information of users registered at the Developer Center, prompting a shutdown of the site for a week while Apple made security changes. An independent security researcher, Ibrahim Balic, claimed responsibility for the security breach incident, in which it appears he gained access to about 100,000 Apple Developer Center accounts, but said “this is definitely not a hack attack; I have reported all the bugs. I am not a hacker, I do security research.”

The U.S. Marshals Service, a federal government agency, lost track of at least 2,000 encrypted two-way radios and other communications devices valued at millions of dollars, according to an investigative report by the Wall Street Journal.

French web hosting firm OVH disclosed that a hacker compromised the company’s European customer database and gained access to an installation server in Canada. OVH said the attacker first gained access to a system administrator’s e-mail account, used that account to obtain another employee’s VPN credentials, and from there kept moving through the internal network.

August

Microsoft apologized after a three-day outage of Outlook.com, saying the issues stemmed from a failure in the caching service of Exchange ActiveSync. Microsoft had other troubles this month, too, having to withdraw an Exchange Server security patch because it was buggy and admitting it had failed to adequately test the patch.

Facebook founder Mark Zuckerberg had his Facebook page hacked by an irate security researcher who, frustrated in trying to report a security flaw to Facebook, used the flaw to hack Zuckerberg’s Facebook wall instead.

Missouri Attorney General Chris Koster warned consumers in that state to be on the alert for fraud because computer problems identified at the Missouri Credit Union had exposed personal information online. The credit union itself notified 39,000 members and former members about the data breach.

Ferris State University in Michigan disclosed that names and addresses for about 39,000 individuals — mainly current, former and prospective students and employees — were inadvertently accessible “after an authorized person evaded network security.”

An unencrypted laptop holding personal information on about 82,160 current and former employees of Republic Services, the Phoenix-based waste management company, was stolen from an employee’s home.

Healthcare provider Cogent Healthcare disclosed that information on about 32,000 patients seen by its doctor groups had been compromised after a firewall-related security lapse by vendor M2ComSy left the patient data exposed to the Internet, where it was even indexed by Google.

Aircraft manufacturer Northrop Grumman disclosed that unauthorized access to a database containing personal information occurred between November of last year and May of this year. Separately, the company’s retiree health plan reported that 4,305 enrollees were affected by a paper-records data breach involving CVS Caremark.

Virginia Polytechnic Institute and State University had a server in the human resources department illegally accessed, which held information on 114,963 individuals who had applied for jobs there. Associate vice president for university relations, Larry Hinckler, said, “The issue is someone on our staff goofed.”

The U.S. Department of Energy told its employees that hackers had obtained personal information, including Social Security numbers, on about 14,000 current and former employees. Earlier in the year the DoE said its computer systems had been hacked to steal information on contractors.

In late August, China was hit by what was described as the “biggest cyberattack in its history,” according to the China Internet Network Information Center, the state agency managing the country’s .cn domain. The large-scale distributed denial-of-service attacks were said to be so substantial they slowed down Internet response time noticeably for the country’s Internet users accessing some targeted websites with the .cn domain.

September

Texas television station KXAN investigated and reported how Texas-based homebuilder D.R. Horton had dumped a large amount of documents related to loans, copies of checks, purchase orders and site plans into large dumpsters on school campuses. After the TV station’s report, D.R. Horton said it simply wanted to help the schools’ recycling program, which gets paid for each ton of paper it collects. The company eventually went back to retrieve the outdated files.

The Los Angeles school system was providing Apple iPads to students at Westchester and Roosevelt high schools but decided to take them back after students there managed to skirt security measures that were intended to block free browsing of the Internet. Students explained they simply wanted to get to social networks and music streaming sites.

[Photo: Some of Bitcoin enthusiast Mike Caldwell's coins in this photo illustration at his office in Sandy, Utah, September 17, 2013. Credit: REUTERS/Jim Urquhart]

Bitcoin, the crypto-based electronic currency that surged in value this year, saw a growing number of thieves make off with stolen bitcoins, which exist only digitally and are generally protected only by a password. A popular Bitcoin forum, Bitcointalk.org, was hit by a cyberattack in which attackers calling themselves “The Hole Seekers” left a video followed by the message, “Hello friend, Bitcoin has been seized by the FBI for being illegal. Thanks, bye.” The hack occurred just after the FBI seized $3.6 million worth of the digital currency as part of its shutdown of the Silk Road, an online market of mostly illicit goods, and the arrest of its alleged operator.

U.S. officials said Iran hacked unclassified Navy computers as part of an escalating cyber-espionage operation, according to a Wall Street Journal article based on unnamed sources.

Some NSA workers abused their surveillance privileges by electronically spying on spouses, girlfriends and boyfriends at least 12 times over the last decade, according to the NSA’s own Inspector General.

A 19-year-old man, Jared James Abrahams, of Temecula, Calif., was charged with hacking webcams at the home of Miss Teen USA, Cassidy Wolf, and other women to extort nude photos and videos from them. According to the FBI affidavit, Abrahams used malicious code to remotely operate webcams of at least seven women as they changed clothes. Some he knew personally and others he found by hacking Facebook pages. Abrahams, a college freshman majoring in computer science, allegedly threatened to post the photos on hacked social media accounts unless they sent him nude photos or logged into Skype video and followed his orders for five minutes. Some under-age girls complied. The Abrahams case follows similar recent cases, including that of Karen “Gary” Kazaryan who pled guilty in July to hacking into hundreds of social media and e-mail accounts to get women to pose naked for him.

A seven-month investigation by security reporter Brian Krebs revealed that an organization calling itself SSNDOB had compromised networks associated with Dun & Bradstreet, LexisNexis and Kroll Background America, all of which aggregate personally identifiable information on people for purposes that include credit reporting.

In its announcement about shutting down, Nirvanix, the now-defunct cloud storage company, gave its customers two weeks to get their data out of the cloud.
