In 2016, hackers put a social media site widely regarded as dormant back in the headlines: as many as 427 million Myspace customer records came to light that year. Forrester reported that no other breach came close, but it did say that 75 percent of the customer records stolen belonged to just five incidents.
Hackers compromised 1 billion records in that 12-month period, 95 percent of them from the technology, government and retail sectors. Forrester explains that the Yahoo figures are not included in its report because the exact number of records breached has not been determined.
The breach of Chinese e-commerce group Alibaba was the second largest, with 99 million records stolen. Forrester says hackers carefully pick their victims, learn their processes and test for vulnerabilities. Once inside, they often go undetected for weeks or months, which gives them time to exfiltrate large volumes of sensitive data.
As reported in USA Today at the time of the Myspace breach, the data was limited to usernames, passwords and email addresses from the platform prior to June 11, 2013, when the site was relaunched with stronger account security.
Forrester said the affected users are likely not worried about digital vandalism on their Myspace pages (it’s no longer 2007); however, all affected users who still use those same credentials on other sites are now vulnerable to identity theft.
Here are a few of the bigger breaches of 2016:
Hackers obtained a database of 99 million usernames and passwords from a number of websites connected with Alibaba and used the compromised accounts to place fake orders on Taobao, according to Reuters. The breach of Taobao, a consumer-to-consumer online marketplace owned by Alibaba Group, shows how attackers replayed usernames and passwords stolen outside Taobao's network against its login, a technique now known as credential stuffing, in what was reported as a brute-force attack affecting more than 20 million Taobao accounts. Once logged in, the attackers undermined the integrity of the marketplace by placing fraudulent orders that inflated seller ratings, Forrester noted.
Forrester cited the April breach of Mexico's National Electoral Institute, with 93.4 million records compromised. Authorities lost the majority of these records because they misconfigured the databases to allow public access. Mexico's Instituto Nacional Electoral (INE) filed a formal complaint about the misuse of voter registration data, citing that the data was illegally and insecurely hosted on an unprotected Amazon cloud server in the United States.
According to the International Business Times, Lorenzo Cordova Vianello, president of the Instituto Nacional Electoral (INE), said that under Mexican law his organization must share copies of the national voter list with political parties, which has raised suspicions one of them leaked the data.
In another incident, Tumblr had 65 million records compromised in May. The data was being sold on a Tor dark-market site called TheRealDeal by a user named peace_of_mind, who also sold 167 million user records stolen from LinkedIn.
In June, peer-to-peer service iMesh had 51 million records compromised. The breach is said to date back to September 2013. The records were later found for sale on the dark web.
The Commission on Elections in the Philippines had 54.3 million records compromised in April. Millions of fingerprint records were reported to have been taken from the site and reposted. A local hacker, thought to be the leader of a hacking network, was apprehended in Manila a few days later.
In June, VerticalScope had 45 million records compromised when a hacker stole member information from its message forums. According to Network World's Howard Wen: "This haul contained usernames, passwords and IP addresses -- the passwords had weak encryption. And many of these forums were running an old version of software with known security vulnerabilities that hackers can easily breach by using attack tools."
Key lessons learned
Combat brute force with smarts. Credentials were the second most compromised data type and third most common attack vector reported by North American and European security pros who suffered a breach in 2016. Here are some tips from Forrester:
Establish login limits and offer customers two-factor authentication to limit what an attacker can do with stolen credentials and to blunt the resulting fraud. Also, request that customers change their passwords regularly, and certainly after a known exposure such as the Myspace or LinkedIn dumps. The business may balk at forcing customers to reset their passwords, but a notification suggesting that they do so demonstrates your firm's diligence in protecting them.
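The login-limit advice above, and the Taobao pattern of credentials stolen elsewhere being replayed one try per account, as an added example that is not from the article or from Forrester: a sliding-window login throttle in Python, run over constructed login events. It keeps two kinds of counter because they catch different attacks. Per-account failures point at targeted guessing and get a step-up challenge (second factor or CAPTCHA) rather than a lockout, so an attacker cannot lock real users out by hammering their names; per-source counters on failures and on distinct accounts tried are what expose credential stuffing, where each account sees only one or two attempts. The thresholds, window, IP addresses and usernames are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class LoginEvent:
    ts: float        # seconds; the sample values used below are constructed
    src_ip: str
    username: str
    success: bool


class LoginThrottle:
    """Sliding-window login limits with per-account and per-source counters."""

    def __init__(self, window: float = 600.0, max_account_failures: int = 5,
                 max_ip_failures: int = 20, max_accounts_per_ip: int = 10) -> None:
        self.window = window
        self.max_account_failures = max_account_failures
        self.max_ip_failures = max_ip_failures
        self.max_accounts_per_ip = max_accounts_per_ip
        self.account_failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.ip_failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.ip_accounts: Dict[str, Dict[str, float]] = defaultdict(dict)

    def _prune(self, stamps: Deque[float], now: float) -> None:
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()

    def decide(self, ev: LoginEvent) -> str:
        """Return 'allow', 'challenge' or 'block' for this attempt, then record it."""
        now = ev.ts
        acct_fail = self.account_failures[ev.username]
        ip_fail = self.ip_failures[ev.src_ip]
        seen = self.ip_accounts[ev.src_ip]      # username -> last attempt time
        self._prune(acct_fail, now)
        self._prune(ip_fail, now)
        for name in [n for n, t in seen.items() if now - t > self.window]:
            del seen[name]

        if len(ip_fail) >= self.max_ip_failures or len(seen) >= self.max_accounts_per_ip:
            verdict = "block"       # source behaves like a stuffing tool
        elif len(acct_fail) >= self.max_account_failures:
            verdict = "challenge"   # targeted guessing: step up, never hard-lock
        else:
            verdict = "allow"

        # Record the attempt whatever the verdict so the counters keep rising;
        # a blocked attempt counts as a failure even if the password was right.
        seen[ev.username] = now
        if verdict == "block" or not ev.success:
            acct_fail.append(now)
            ip_fail.append(now)
        return verdict


def suspicious_sources(throttle: LoginThrottle) -> List[str]:
    """Sources that tried at least max_accounts_per_ip distinct accounts in the window."""
    return sorted(ip for ip, seen in throttle.ip_accounts.items()
                  if len(seen) >= throttle.max_accounts_per_ip)


def constructed_events() -> List[LoginEvent]:
    """Constructed sample traffic: a real user mistyping twice, then a stuffing run."""
    events = [
        LoginEvent(1000.0, "203.0.113.5", "alice", False),
        LoginEvent(1005.0, "203.0.113.5", "alice", False),
        LoginEvent(1012.0, "203.0.113.5", "alice", True),
    ]
    # One source replaying a leaked username:password list, one try per account.
    for i in range(12):
        events.append(LoginEvent(2000.0 + i, "198.51.100.7", f"user{i:02d}", False))
    return events


def run(events: List[LoginEvent], throttle: Optional[LoginThrottle] = None) -> List[str]:
    throttle = throttle or LoginThrottle()
    return [throttle.decide(ev) for ev in events]


if __name__ == "__main__":
    t = LoginThrottle()
    for ev, verdict in zip(constructed_events(), run(constructed_events(), t)):
        print(f"{ev.ts:7.1f} {ev.src_ip:14} {ev.username:8} -> {verdict}")
    print("stuffing sources:", suspicious_sources(t))
```

With the defaults, alice's two mistakes and her successful third attempt are all allowed, the stuffing source is allowed for its first ten accounts and blocked from the eleventh onward, and it is the only source reported by suspicious_sources. In production the per-source key would usually be a network prefix or a device fingerprint rather than a single IP, since stuffing tools rotate through proxies.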
Classify credentials and act accordingly. Customer activity levels should inform a firm's approach to securing credentials. First, determine the frequency of activity that separates active from inactive customers for your firm; that threshold will depend on both business and regulatory requirements. Next, reduce the value of active customers' credentials to a thief: store passwords only as salted, slow hashes rather than reversibly encrypted, and tokenize or mask other authentication data such as security answers. Lastly, destroy inactive customers' authentication data. Their passwords and security questions have zero business value, so purge that data; you can request new security information from those customers when they return.
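The three steps of the classification tip above, as an added example that is not from the article or from Forrester: an in-memory SQLite table of constructed customers, an activity threshold that splits them into active and inactive, and a purge that destroys only the inactive customers' authentication data while keeping the account row so they can re-enrol. The schema, the hash placeholders, the reference date and the threshold values are assumptions; a real table would hold salted slow hashes in the password_hash column.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Reference instant for the constructed data below (assumed, not from the article).
NOW = datetime(2016, 12, 31, tzinfo=timezone.utc)

SCHEMA = """
CREATE TABLE customers (
    id                    INTEGER PRIMARY KEY,
    email                 TEXT NOT NULL,
    password_hash         TEXT,           -- salted slow hash, never a reversible cipher
    security_answer_hash  TEXT,
    last_login            TEXT NOT NULL,  -- ISO 8601, UTC
    credentials_purged_at TEXT
);
"""


def build_demo_db(now: datetime = NOW) -> sqlite3.Connection:
    """In-memory database with four constructed customers of varying activity."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        (1, "a@example.com", "hash-a", "hash-qa-a", now - timedelta(days=10)),
        (2, "b@example.com", "hash-b", "hash-qa-b", now - timedelta(days=300)),
        (3, "c@example.com", "hash-c", "hash-qa-c", now - timedelta(days=400)),
        (4, "d@example.com", "hash-d", "hash-qa-d", now - timedelta(days=900)),
    ]
    conn.executemany(
        "INSERT INTO customers (id, email, password_hash, security_answer_hash, last_login) "
        "VALUES (?, ?, ?, ?, ?)",
        [(i, e, p, q, t.isoformat()) for i, e, p, q, t in rows],
    )
    conn.commit()
    return conn


def _cutoff(now: datetime, inactive_after_days: int) -> str:
    # All timestamps are ISO 8601 in UTC, so string comparison orders them correctly.
    return (now - timedelta(days=inactive_after_days)).isoformat()


def classify(conn: sqlite3.Connection, now: datetime = NOW,
             inactive_after_days: int = 365) -> Dict[str, List[int]]:
    """Split customer ids into active and inactive by last_login against the threshold."""
    cutoff = _cutoff(now, inactive_after_days)
    active = [r[0] for r in conn.execute(
        "SELECT id FROM customers WHERE last_login >= ? ORDER BY id", (cutoff,))]
    inactive = [r[0] for r in conn.execute(
        "SELECT id FROM customers WHERE last_login < ? ORDER BY id", (cutoff,))]
    return {"active": active, "inactive": inactive}


def purge_inactive_credentials(conn: sqlite3.Connection, now: datetime = NOW,
                               inactive_after_days: int = 365) -> int:
    """Destroy the authentication data of inactive customers but keep the account row.

    The customer can come back and re-enrol, yet nothing is left for a thief to
    crack or replay. Returns the number of rows purged; a second run returns 0.
    """
    cutoff = _cutoff(now, inactive_after_days)
    cur = conn.execute(
        "UPDATE customers SET password_hash = NULL, security_answer_hash = NULL, "
        "credentials_purged_at = ? "
        "WHERE last_login < ? "
        "AND (password_hash IS NOT NULL OR security_answer_hash IS NOT NULL)",
        (now.isoformat(), cutoff))
    conn.commit()
    return cur.rowcount


def credentials(conn: sqlite3.Connection, customer_id: int) -> Tuple:
    """(password_hash, security_answer_hash, credentials_purged_at) for one customer."""
    return conn.execute(
        "SELECT password_hash, security_answer_hash, credentials_purged_at "
        "FROM customers WHERE id = ?", (customer_id,)).fetchone()


if __name__ == "__main__":
    conn = build_demo_db()
    print("before:", classify(conn))
    print("purged:", purge_inactive_credentials(conn))
    for cid in (1, 3):
        print(cid, credentials(conn, cid))
```

With a 365-day threshold the purge clears customers 3 and 4 and leaves customers 1 and 2 untouched; the credentials_purged_at column records when it happened so a returning customer can be routed to re-enrolment instead of a confusing failed login.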
Protect your brand, not just your network. A secure network does not ensure immunity from external security threats. Risk professionals need to consider the brand implications of all security events, not just breaches. A resilient brand depends on customer trust in a particular experience and product and on systems integrity, and risk pros should evaluate their brand’s oversight, processes, technology, and people with that in mind.
Government authorities mishandle voter data
This was a landmark year for losing voter records, with more than 150 million lost over the past 12 months. Authorities lost the majority of these records because they misconfigured the databases to allow public access. Examples include Mexico's INE data and the Iowa Republican Party in the U.S., which left 2 million voter records open to the public. Both of these data breaches were preventable, Forrester said.
Key lessons from these incidents include:
- Realize that data breaches don’t require threat actors. Something as simple as emailing personal information to the wrong person qualifies as a breach. In this case, Mexican political party Movimiento Ciudadano allowed public access to stored personal information for millions of voters.
- Audit third parties you share information with. Information sharing brings many benefits, and is even mandated in some industries, but it poses reputational risk.
- Reserve the right to audit third parties with whom you share information to guarantee that they have the requisite processes to protect both the data and your firm’s reputation.
- Establish vulnerability and configuration management in conjunction with DevOps. The first step to mitigating this type of vulnerability is to establish secure deployment guidelines for DevOps processes so that provisioning systems is a secure and repeatable process, including a check before go-live that no data store is reachable from the internet without authentication. After this, use vulnerability and configuration management tools to ensure that you maintain your security baseline.
- Define a clear path of escalation for incident reporting. The personal information of nearly 75 percent of Mexico’s population was freely accessible on the internet, and there was no clear path for communicating this to the organization responsible for this data. Many organizations have no defined channels (even internally) for users to report suspicious activities.
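The configuration-management lesson above, as an added example that is not from the article or from Forrester: a check that flags cloud storage policies granting read access to any principal, the kind of misconfiguration that leaves a data store "open to the public". The article does not say which service held the Mexican voter data, so the policy format (an S3-style bucket policy in JSON), the bucket name and the account id are assumptions; the policies below are constructed for the demonstration. The check reports a public statement even when it carries a Condition, because a condition such as aws:SecureTransport narrows the transport, not who may read.

```python
import json
from typing import Any, Dict, List

# Actions that let a principal read data out of a bucket (compared case-insensitively).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """True for the two spellings of 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _grants_read(actions: Any) -> bool:
    return any(str(a).lower() in READ_ACTIONS for a in _as_list(actions))


def public_read_findings(policy_json: str) -> List[Dict[str, Any]]:
    """One finding per Allow statement that lets any principal read data.

    'conditional' tells the reviewer a Condition block exists; it does not
    mean the statement is safe, since many conditions do not restrict identity.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_public(st.get("Principal")):
            continue
        if not _grants_read(st.get("Action")):
            continue
        findings.append({
            "sid": st.get("Sid", f"statement-{i}"),
            "resources": _as_list(st.get("Resource")),
            "conditional": bool(st.get("Condition")),
        })
    return findings


def is_publicly_readable(policy_json: str) -> bool:
    return bool(public_read_findings(policy_json))


# Constructed policies; the bucket name and account id are placeholders.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-voter-export/*",
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReaderRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ExportReader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-voter-export",
                     "arn:aws:s3:::example-voter-export/*"],
    }],
})

CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadOverTls",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-voter-export/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})


if __name__ == "__main__":
    for name, pol in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY),
                      ("conditional", CONDITIONAL_POLICY)):
        print(name, public_read_findings(pol))
```

Run as a pre-deployment gate, a non-empty findings list should fail the pipeline; the same principal and action checks apply to object ACLs and to database listeners bound to all interfaces without authentication, which is the other common way a "public" data store is created.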