Published on January 18th, 2018 | by Joel Roy
2017 Breach of the Year
Throughout the year, every Friday the SS8 Twitter feed featured a notable breach, leak, or hack as our pick for the SS8 #breachoftheweek. At the end of every month, our engineers and Threat Researcher Team take a look at each of these ‘finalists’ and select one outstanding breach as our #BreachOfTheMonth pick. The start of 2018 is upon us. While there was no shortage of breaches in 2017, some of them are more noteworthy than others. Among these chosen few, one will be crowned the 2017 Breach of the Year. Which did we choose? Read below to find out. This breach threat analysis features the thoughts of SS8’s Threat Researcher Team.
January – Hello Kitty
Sanrio, Hello Kitty’s parent company, had 3.3 million user credentials compromised. The cause of this breach was most likely a MongoDB misconfiguration in early December 2015. At the time, the company said that no data had been exposed and that everything was fixed. That was not the case: on January 8th of this year, LeakedSource, a breach notification service, came across an identical set of data containing close to 3.3 million accounts, which Sanrio acknowledged were its compromised user credentials.
February – Citizens Memorial Hospital
Citizens Memorial Hospital was the victim of a data breach that led to the leak of all 2016 W2 tax forms for current as well as former employees. The cause of the breach was a phishing email masquerading as a legitimate-looking internal hospital request.
March – CloudPets
The CloudPets story (a “Spiral Toys” brand) concerns a leak of data from internet-connected toys for children. The affected toys’ messaging features allow family and friends to send and receive messages via the toy and an app that synchronizes with a cloud service.
Q1 Winner: Citizens Memorial Hospital
Unlike the other two breaches, this one involved theft of PII (Personally Identifiable Information), since W2 forms contain SSNs and employee addresses.
April – Neiman Marcus
Neiman Marcus disclosed that a December 2015 data breach exposed Personally Identifiable Information (PII) such as customer data, purchase history and the last 4 digits of credit cards. The incident was said to have been investigated by external forensic experts.
May – Zomato
This popular restaurant review and food delivery website had the details of around 17 million users compromised. These included user IDs, names, usernames, email addresses and hashed passwords. According to a post on Zomato’s blog, no payment card information was compromised, and since 60% of the affected users logged in with their Google or Facebook accounts via OAuth, no password hashes were stolen for those users.
June – OneLogin
OneLogin, a cloud-based Single Sign-On solution provider, was the victim of a security breach which led to unauthorized access to customer data such as users, apps and various kinds of keys. The attackers leveraged AWS API calls to create instances within OneLogin’s infrastructure, which were then used to access resources.
Q2 Winner: OneLogin
As a Single Sign-On provider, OneLogin being breached carries the same dire consequences as a breach of any other SSO provider: an attacker essentially has the keys to the kingdom and can access any account that was previously accessible using OneLogin.
July – Verizon – NICE Systems
Another story from UpGuard’s Chris Vickery, similar to the Dow Jones exposure. NICE Systems provides Verizon with the technology to analyze call-center traffic; the exposed data store was a collection of voice recognition logs, agent details and call queue timers, all compressed as GZIP files. Additionally, subscriber names, addresses, phone numbers and PINs (required for subscriber identification) were exposed.
August – Chicago Voters
There was a data leak at ES&S, a company that sells voting machines and software. It exposed Personally Identifiable Information (PII) of 1.5 million voters in Chicago, both active and inactive. The information exposed included voter names, dates of birth, phone numbers, driver’s license numbers, and the last 4 digits of Social Security Numbers. The cause of this exposure was a misconfigured Amazon S3 bucket that allowed the data to be downloaded publicly.
September – Equifax
Equifax, one of the 3 major credit reporting agencies, suffered a massive data breach that compromised the details of 143 million users. These details included most of the personal information people provide during a credit check when applying for home loans, car loans, mortgages or credit cards: names, addresses, phone numbers and, most importantly, Social Security Numbers and driver’s license information.
Q3 Winner: Equifax
Measured against the July and August picks, this one does not really need any explanation.
October – North Korean hackers steal US war plans
North Korean hackers have been held responsible for many cyber attacks on the United States over the years. October saw another such attack, in which a large cache of classified military documents shared by the US and South Korea was stolen. The attack succeeded because of an unintended internet connection inside the South Korean military intranet. The anatomy of the attack begins with North Korea-based hackers attacking an antivirus firm, Hauri Inc., which makes antivirus software installed on computers used by South Korea’s military. After embedding malware in the antivirus software, the hackers were able to infiltrate South Korea’s military servers. Information about the attack was disclosed by South Korean lawmaker Rhee Cheol-hee, who said that 235 GB of military documents were stolen and that about 80% of them are yet to be identified.
November – Uber Breach
This month saw the disclosure of a data breach that affected 57 million Uber customer accounts. The company admitted to paying $100,000 to the hackers so that the massive breach would be kept secret. CEO Dara Khosrowshahi made the public admission of the breach, which took place in October 2016. The leaked data included names, email addresses and phone numbers of 50 million passengers and about 7 million drivers. The dubious facet of the incident is that Uber chose to pay $100,000 to the hackers so that the data would be “deleted” instead of informing customers and regulators. The anatomy of the attack was straightforward: the hackers obtained, from Uber’s GitHub account, credentials for customer data stored on an Amazon server, and used them to access that data.
December – Alteryx Data Leak
Close to 120 million American households had their details exposed in an AWS bucket belonging to marketing analytics company Alteryx. The exposed data had 248 different fields in its schema, including addresses, phone numbers and detailed mortgage information. Alteryx removed public access to the data, and one of its spokespersons stated that the exposed data contained no names or any other Personally Identifiable Information (PII).
Q4 Winner: Uber Breach
This one was a close call, but the Uber breach takes it simply to highlight the fact that Uber tried to make up for its mistake of leaking credentials publicly (leading to a major data breach) by committing an even bigger one. There is absolutely no guarantee that paying off hackers will lead to the removal of compromised data.
And the winner for the 2017 Breach of the Year is...
Given its scale and impact, it is not surprising that Equifax was chosen as the breach of the year.
The breach happened mainly because Equifax failed to patch a critical vulnerability in the Apache Struts framework. However, it seemed that the compromise of around 143 million users’ details was not enough to jolt some sense into Equifax.
There were multiple instances of bad decisions and oversight demonstrated by Equifax’s handling of the breach:
1. It took Equifax a whole six weeks to notify users of the breach. This is inexcusable, since an organization like Equifax has a large amount of money and resources at its disposal.
2. Equifax created a website where users could check if their details were compromised and optionally sign up for its credit monitoring service. The problem? The website was https://www.equifaxsecurity2017.com/, which looks like a phishing domain at first glance (but upon further inspection does in fact belong to Equifax). This makes it even easier for cyber criminals, because they now have an extra domain to imitate. In fact, it wouldn’t be surprising at all if someone clicked on a phishing link such as https://www.equifaxsecuritybreach.com/. It would have been better to serve the page from Equifax.com rather than create a separate domain for it.
3. Initially, Equifax made it so that anyone who signed up for its free credit monitoring service, Premier ID, could not sue it by participating in a class action lawsuit. Following a huge backlash, Equifax removed the arbitration clause from its T&C, but this whole issue could have been handled better.
4. It was found that the 10-digit PIN provided by Equifax to freeze a credit file was quite predictable. In fact, it was nothing but the exact time at which the freeze was requested, in the format MMDDyyHHmm. As an example, if a freeze was requested on Oct 1st, 2017 at 05:05 PM, the PIN would simply be 1001171705. After yet another uproar from users and social media, Equifax randomized these PINs.
5. Equifax had a web portal called Veraz that its employees in Argentina used to resolve credit report related disputes there. Hold Security LLC, a Milwaukee-based incident response company, discovered that this portal was protected with a username/password of admin/admin. Anyone who logged in to the portal using these credentials could add, modify or delete accounts at will.
6. A week after the breach, the webpage set up by Equifax for users to sign up for fraud alerts was found to have an XSS (Cross-Site Scripting) vulnerability. This could allow an attacker to execute arbitrary script in the context of the user’s browser session, enabling malware delivery or theft of credentials and personal information.
7. A month after the breach, security researcher Randy Abrams found that the Equifax.com website was serving malicious content. The cause of the infection was a third-party module used to collect analytics data for the website.
Even though items 5, 6 and 7 may not be directly linked to the breach itself, they are a testament to Equifax’s poor security practices.
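As an added example (not from the original post and not Equifax’s code), the following Python re-creates the timestamp-derived PIN scheme described in item 4, shows how an auditor can flag a PIN that decodes as a plausible request time, and contrasts the roughly 525,600 per-minute values available in a year with the 10^10 values of a properly random 10-digit PIN. The year window and sample PINs are constructed for illustration.

```python
import datetime as dt
import secrets

# Format the post describes: the minute the freeze was requested, as MMDDyyHHmm.
TIMESTAMP_PIN_FORMAT = "%m%d%y%H%M"


def timestamp_pin(requested_at: dt.datetime) -> str:
    """Reproduce the predictable scheme described in the post (constructed
    re-creation for illustration, not Equifax's implementation)."""
    return requested_at.strftime(TIMESTAMP_PIN_FORMAT)


def looks_like_timestamp_pin(pin: str, year_range=(2000, 2030)) -> bool:
    """Audit heuristic: does a 10-digit PIN parse as a valid MMDDyyHHmm
    timestamp inside a plausible year window? A single match can be a
    coincidence; the real red flag is many issued PINs matching their
    own request times."""
    if len(pin) != 10 or not pin.isdigit():
        return False
    try:
        parsed = dt.datetime.strptime(pin, TIMESTAMP_PIN_FORMAT)
    except ValueError:
        return False  # not a calendar time at all, e.g. month 99
    return year_range[0] <= parsed.year <= year_range[1]


def timestamp_keyspace_per_year() -> int:
    """Distinct PINs the scheme can issue in one (non-leap) year:
    one per minute."""
    return 365 * 24 * 60


def random_pin_keyspace(digits: int = 10) -> int:
    """Distinct values of a uniformly random PIN with the given digit count."""
    return 10 ** digits


def random_pin(digits: int = 10) -> str:
    """Replacement: a PIN drawn from a CSPRNG, so knowing when the freeze
    was requested tells an attacker nothing about the value."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


if __name__ == "__main__":
    example = timestamp_pin(dt.datetime(2017, 10, 1, 17, 5))
    print("post's example PIN:", example)                      # 1001171705
    print("flagged as timestamp:", looks_like_timestamp_pin(example))
    print("timestamp keyspace / year:", timestamp_keyspace_per_year())
    print("random 10-digit keyspace:", random_pin_keyspace())
    print("random PIN:", random_pin())
```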
Any organization that stores large amounts of sensitive information must devise and enforce an extensive and thorough security policy that encompasses important security controls such as vulnerability and patch management, periodic penetration testing and user access controls.
As for consumers, they can greatly mitigate the risk of identity theft by freezing their credit reports at all three credit bureaus. Opting for credit monitoring services is also a good idea, but one must keep in mind that the alerts these services provide only kick in once the damage has already been done. The most secure, albeit expensive, approach is based on the concept of layered security: freezing accounts with all three credit bureaus and then signing up for credit monitoring services on top of that.