Paradise lost: a decade of data breaches

Do you think the moat around Australia extends around your business and hackers won’t target you? It doesn’t, and research says data breaches will be the elephant-in-the-conference-room at your next IT meet.

Australia has to date been sheltered from much of the painful data breach disclosure laws sweeping the world, and organisations here appear to have avoided the high-profile hacks that have plagued others over the last decade. But are we as lucky as it would appear?

No. For starters, the seas that girt Australia offer illusionary security, according to Gartner. Research vice-president, Rich Mogull said Australian organisations are being hacked and losing data. “It’s just hidden,” Mogull said. Moreover, he said, we are in a worse position than others because of our close proximity to Asian countries where data breaches are rife.

A recent investigation into 16 organisations by privacy and data protection research firm, the Ponemon Institute, revealed that the average cost of a data breach incident in Australia is $2 million, or $123 per lost record. It equates to more than 16,000 lost records per breach. The most expensive single local breach topped $4 million, the cheapest went for $410,000, with 3300 to 65,000 records pinched or lost each time. Hacking was behind almost half of the attacks.

In March, that the account details of 42,000 St George Bank customers were sent to the wrong clients thanks to a glitch by outsourcer, Salmat. The incident followed embarrassing admissions by Medicare to The Australian newspaper of 234 serious data privacy breaches by employees in 2007. Meanwhile, Federal Finance Minister, Lindsay Tanner, is preparing to review mandatory data breach disclosure laws as recommended by the Australian Law Reform Commission (ALRC) in its Privacy Act Review. The controversial changes are expected to be put on ice at least until the federal election has passed.

In the US, two-thirds of companies which suffered a major breach in 2009 had evidence of the intrusion in their logs, but failed to notice, according to a Verizon business risk team report of 500 forensic data breach investigations.

Only 564 convictions were secured for 800 arrests of consumer identity theft in 2007, from a total of 8835 criminal cases opened that year. Gartner puts “a conservative estimate” of the chance of an identity theft criminal being arrested and convicted is “much less than a half of 1 per cent”. Time for a career change? You wouldn’t; you’re the good guy.

Computerworld presents a list of some of the worst data breaches over the last decade.

Next page: The list ---pb--- January 2000: CD Universe breached by hackers. The company refuses to pay a $100,000 ransom for stolen credit card numbers, and news of the breach is leaked. Number of cards stolen: 350,000.

November 2000: Travelocity screws up Web-facing access controls and publicly exposes customer details. Number of records exposed: 51,000

March 2001: Amazon-owned service website, Bibliofind.com, is breached. Number of customer records compromised: 98,000

April 2001: US Web-hosting company ADDR.com breached by hackers. Number of personal customer records stolen: 46,000

February 2002: US financial services firm Prudential Insurance Company is robbed of client details by a ticked-off ex-staffer. Number of pinched client details that appeared for blackmarket auction: 60,000.

March 2003: Data Processors International is relieved of customer credit card numbers and expiry dates purportedly by a disgruntled employee. Number of full credit card details stolen: Five million.

24 February 2005:ChoicePoint sells Social Security numbers, credit reports and other customer data to an organised criminal gang masquerading as legitimate businesses. Triggers US Senate hearings on ID theft, and the company is slapped with a US$11 million fine, with orders to shell out $5 million to victims. Its total market capitalisation dropped by US$720 million immediately after the disclosure, and it was essentially driven out of business. Number of consumer records sold: 145,000.

25 February 2005: The next day, the Bank of America also loses Social Security numbers along with credit card numbers on unencrypted data tapes. Number of US citizen and senator records lost: 1.2 million.

June 200: AOL loses subscriber email addresses. Number of email addresses sold to spammers: 92 million.

June 2005: Credit card processing firm CardSystems is hacked. Number of credit card details stolen: 40 million.

May 2006: Details of US Army veterans are stolen by hackers. Number lost: 26.5 million

June 2006: Japanese telecom firm KDDI loses customer records: Number of details leaked: 4 million.

January 2007: Global conglomerate TJX Companies loses credit card details in a hack. Number of credit cards stolen: 45 million.

November 2007: UK HM Revenue & Customs loses detailed tax records in a lost CD. Number of taxpayer records lost: 25 million.

March 2008: The Bank of New York Mellon loses customer records on lost backup tapes. Number of records lost: 12.5 million.

September 2008: An oil refinery of GS Caltex throws out two CDs containing customer records. Number of files found in a Seoul scrapheap: 11 million.

January 2009: The whopper: Heartland Payment Systems loses credit card details in a complex hack by Albert Gonzalez and crew, who are subsequently busted and gaoled. Number of credit cards exposed: 130 million.

May 2009: Secret information on the Joint Strike Fighter and US President Barack Obama’s personal helicopter are leaked on Peer-to-Peer networks.

October 2009: US Defence hard drives are sent for repair, exposing the records of Army veterans: Number of details exposed: 76 million.

January 2010: AIG Medical Excess loses medical details of insured customers in a robbery. A 28 year-old man is goaled for two years for stealing a server and attempted extortion of $208,000. Number of records stolen: 900,000.

January 2010: BlueCross BlueShield loses customer health information including social security numbers and birth dates in another robbery. Bandits stole 57 hard drives from a leased facility. Number of records stolen: 301,000

IBRS security analyst James Turner makes some interesting observations in his research note, the Google Gambit, which references the Chinese-born cyberattacks that hit the IT giant in mid December. He says the first lesson from the Google hack is that sophisticated attacks are likely to be backed by organised crime or nation states. So if you’re hit, you can prevent further attacks by telling the world about it, which draws attention to the hacker. Secondly, realise that public notification of an attack does not mean you need to describe what information was compromised. Thirdly, band together with other victims: Google did it in its announcement, and as Turner says, to be attacked by organised criminals or a nation state can be seen as “a mark of honour” because you have something they value.

But importantly, get your shop in order. Yes, data loss prevention can’t prevent lost data, and encryption could be broken by various flavours of cold-boot attacks, so focus on security incident and event management capabilities. Turner offers good advice by recommending that you forge relationship with forensic investigators, who can get to know your systems ahead of a potential breach. “This is vital because they won’t have time to learn all about your sensitive data, workflows and the implications of a breach,” he says. “They need to be able to hit the ground running [but] talk to them before an attack is identified and establish what practices you need in place for your logs and records to be of any use”. Once you’ve done that, bring in the penetration testers and give them free reign.

He also recommends in the event of a breach that you have a well-trained media spokesperson to deal with the press: But, com’on, then what would you read?

Sophos contributed to the data breach list.

This story, "Paradise lost: a decade of data breaches" was originally published by Computerworld Australia .

Join the discussion
Be the first to comment on this article. Our Commenting Policies