Lessons Learned From Five Big Database Breaches In 2010
Second half of 2010 featured some major mess-ups that led to the exposure of sensitive data
The stream of database exposures remained steady in the second half of 2010: We saw organizations face the consequences of inept database account provisioning, bad encryption policies, poor choice of third-party vendors, and an overall indifference to security -- all of which continued to keep consumers on the watch for blips in their credit reports.
According to the recent Computing Technology Industry Association's (CompTIA's) 8th Annual Global Security Trends Study, only about half of IT professionals view security as a major priority. It's no surprise, then, that the survey found 63 percent of their companies have experienced some kind of breach this year.
In July, we explored some of the most glaring database breaches in the first half of 2010. Now we'll take a look at how we can learn from the incidents that have occurred since then.
1. Sheriff's Office in Mesa County, Colorado
Breach Details: The Sheriff's Office in Mesa County, Colo., potentially put people's lives at risk due to an IT snafu. The office exposed names, contact information, and Social Security numbers of drug informants when an IT staffer mistakenly put the extremely sensitive database containing this information onto an unsecure FTP site on a server owned by the county. The database contained 200,000 files. The county came to find out about the problem when an informant on the database saw the informants' names popping up on a Google search -- the search engine's crawler had been going through the FTP site.
Database Security Lessons Learned: This is a particularly egregious example of what can happen when organizations aren't mindful about where and how databases are stored. Organizations need to endeavor to have a better understanding of where their databases reside (including test databases) and how they're configured to better ensure the most top secret of information isn't mistakenly left online.
2. Ohio State University
Breach Details: A database server containing the personal information of more than 760,000 students, faculty, and alumni at Ohio State University was hacked in an attack the university says was likely not for the information itself. School officials say preliminary information shows the server was used to launch attacks on some unnamed business. Even though the school says it doesn't believe the information was accessed, OSU offered a year of free credit monitoring for all affected by the breach.
Database Security Lessons Learned: Universities are increasingly becoming the leading headliners in news of high-profile database breaches. The particulars of this attack are still forthcoming, however the university did say it had been ongoing for months before it was discovered. Better monitoring of the server and database itself could have potentially alerted officials earlier and provided better evidence about whether database records were improperly accessed.
3. Gawker
Breach Details: An embarrassing breach that exposed the log-in credentials of 1.3 million Gawker users was caused by hackers with a grudge against the site. By exploiting a vulnerability in the Gawker website source code and using that weakness to dig deeper into its main user database, attackers gained enough information to publicly shame Gawker and its poor security practices.
Database Security Lessons Learned: Gawker's security inadequacies offer good lessons for plenty of other organizations. The firm had little to no patch management procedures in place, mishandled sensitive information, and had no password policies in place for internal users. Most glaringly, it was using the extremely antiquated DES encryption method for user passwords stored within the database, making them easily crackable once the database was accessed.
4. Silverpop Systems
Breach Details: The ripple effects of a breach involving Atlanta-based Silverpop Systems are still being felt. An e-mail marketing firm with a long list of high-powered corporate clients, Silverpop singlehandedly exposed client lists owned by McDonald's, deviantART, and potentially others when a contractor's server containing the databases was breached by a hacker.
Database Security Lessons Learned: While details about the technological elements of the actual attack are still being kept under wraps pending an FBI investigation, one lesson is crystal clear. Blame for breaches caused by third-party bungling of sensitive databases ultimately will always be placed at the feet of the business to which the customer first entrusted its data. Organizations have to do a better job vetting their vendors about how they handle databases and sensitive information.
5. Triple-S Management
Breach Details: The account details of more than 400,000 customers Triple-S Management, a Puerto Rico-based managed healthcare company, were pored over by employees at a competitor organization, Medical Card System. These employees had somehow acquired active user ID and password combinations for Triple-S databases in order to gain unauthorized access.
Database Security Lessons Learned: Poor account provisioning and access management issues are an Achilles' heel for even those organizations that have put a lot of investment in detecting external attacks. After all, the attacker already has sanctioned entree into the database. Organizations need to do a better job eliminating shared passwords, closing accounts of former employees, and monitoring existing accounts for anomalous behavior.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like