02 Jan Data Security Breaches: Lessons from 2013
They say that those who fail to learn from history are doomed to repeat it, and 2013 provided many lessons for those wishing to avoid a data security breach. Let’s review some of 2013’s data security breaches so that they do not have to be repeated in 2014.
Target. During the peak of the 2013 holiday season, Target suffered what may be one of the largest data security breaches in U.S. retail history. Target’s breach involved the credit and debit card accounts of about 40 million customers. Though Target believes the data remains safe because it was strongly encrypted, it may be used to gain access to customers’ accounts. There are estimates that this breach may end up costing Target billions of dollars.
Adobe. Adobe Systems, Inc. suffered a data security breach that compromised nearly 3 million records. Hackers were able to access customers’ IDs, encrypted passwords, names, encrypted credit or debit card numbers, expiration dates and other information related to their orders.
Facebook. Facebook was targeted in a sophisticated attack when a handful of employees visited a website that was compromised. This website hosted an exploit which allowed malware to be installed on employee laptops, even though they were running up-to-date anti-virus software. Facebook analyzed the source of the attack and discovered a previously unseen way to bypass security measures and to install the malware.
Washington State Courts. The Washington State Administrative Office of the Courts suffered a security breach on its public website. Though no court records were altered and no personal financial information is maintained on the website, the breach may have exposed up to 160,000 social security numbers and 1 million driver license numbers.
Twitter. After detecting unusual access patterns, Twitter discovered unauthorized attempts to access user data. According to Twitter, approximately 250,000 users may have had their information accessed by the attackers, including their usernames, email addresses, session tokens and encrypted/salted versions of passwords. These users had their passwords reset and their session tokens revoked by Twitter.
New York Times. Chinese hackers infiltrated The New York Times’ computer systems and obtained corporate passwords for its reporters and other employees. According to The New York Times, over the course of three months, 45 pieces of custom malware were installed on their network and used to gain access to computers. To get rid of the hackers, The New York Times blocked the compromised outside computers, removed every back door into its network, changed every employee password and wrapped additional security around its systems.
Evernote. Evernote appears to have been the victim of a coordinated attempt to access secure areas of its network. Their investigation revealed that hackers were able to access user information, including usernames, email addresses and encrypted passwords. Though Evernote believes that the passwords remain protected by encryption, all users were required to reset their account passwords.
These incidents show that data security breaches can happen to any organization, and that they can be very costly. Every organization must be proactive in protecting against data security breaches. Though protective measures should cover everything from the wireless network to the copy machine, organizations should also consider protecting against data security breaches with insurance.
If you would like to learn more about insuring against data security breaches, contact us.
If you would like to learn more about preventing data security breaches, take our online course Information Risk Management: Strategies for Preventing and Mitigating Information Security Breaches.
If you would like to subscribe to our newsletters please click here.