10 Biggest Data Breaches Of 2011 (So Far)
Half Over And Already A Big Year For Data Breaches
While barely half over, 2011 might easily be called the ’year of data breaches.’ Over the last six months, cyber criminals have rocked the security world with unprecedented attacks on industries previously thought to be impenetrable.
During 2011, global hacker groups such as Anonymous and LulzSec were catapulted into the spotlight with reams of public high-profile cyber assaults. And with attacks against gaming companies such as Sony and Sega, to multinational banks, highly protected government agencies, and a certain security fortress, no one seemed to be immune.
Here is a look at 10 of the biggest data breaches so far this year.
Sony PlayStation Network
You could have called it the mother of all breaches when Sony PlayStation Network and Qriosity services got hit with a massive external hack that compromised a total of 100 million customer accounts, forcing Sony to shut down its services for more than six weeks.
Sony issued an alert in April of the attack, which compromised around 77 million customer login credentials and personal information used to access user accounts. The company later confessed that hackers also managed to access information from an additional 24.6 million customer accounts from its Sony Online Entertainment [SOE].
Altogether, the stolen information included user names, passwords, online IDs, customer addresses, e-mail addresses, and birth dates, as well as customer profile data, including purchase history, billing addresses and answers to security questions.
RSA
RSA was brought to its knees when it fell victim to a sophisticated and targeted attack that compromised its SecureID two factor authentication tokens. Art Coviello, executive chairman of Bedford, Mass.-based RSA, the security arm of EMC, told customers that the company had identified an attack that included the use of an Advanced Persistent Threat (APT) that compromised seed code from the SecureID authentication products to weaken its security defenses.
After weeks of silence, executives disclosed that the the cyber attack began with spearphishing e-mail incorporating a malicious Excel file that exploited an Adobe Flash Player vulnerability. The emails -- sent to two small groups of employees during a two-day period -- tricked victims into opening the file, which contained a zero-day exploit that installed a backdoor via the Flash vulnerability. However, RSA remained mum on what the hackers took and how customers would be affected.
Lockheed Martin
Lockheed Martin publicly acknowledged in May that it had been the victim of a "significant and tenacious" cyber attack on its computer systems, most likely related to the security flaw in RSA SecureID tokens, used for two-factor authentication purposes by some of its employees.
Lockheed Martin said in a statement that the company's information security team had "detected the attack almost immediately, and took aggressive actions to protect all systems and data.’
News of the Lockheed breach publicly emerged after the global weapons manufacturer experienced a system disruption related to an external network intrusion. The Bethesda, Md.,-based company then required a password reset for its more than 120,000 employees on the network, and embarked on the process of re-issuing tokens for employees using RSA's Secure ID two-factor authentication tokens.
Epsilon
E-mail marketing firm Epsilon Data Management LLC, a division of Alliance Data Systems Corp., said in March that hackers had accessed a slew of customer names and email addresses in its systems, affecting at least 50 of the company’s 2,500 customers.
Epsilon disclosed March 30 that attackers had infiltrated corporate databases and stolen e-mail addresses for two percent of its customers, which included high profile customers such as Best Buy, Citibank, J.P Morgan Chase, TiVo and the Walt Disney Company, among others. Like many others, the breach was thought to have occurred via a spear phishing campaign.
While no personal customer data was stolen, the company warned users to expect spam and spearphishing attacks targeting users with the newly acquired e-mail addresses. Cyber risk and analytics firm CyberFactors said that the breach could cost Epsilon as much as $4 billion in damages, including $225 million in liabilities and $45 million in lost opportunities.
Google Gmail
Google pointed to China as the source of a sophisticated phishing attack targeting many high profile Gmail account holders, including senior U.S. government officials, Chinese political activists, officials in South Korea and other Asian countries, as well as military personnel and journalists. The accusation elicited strong backlash from Chinese officials, who denied any involvement in the attack.
Google said that the phishing campaign was executed by hackers who stole users' passwords in an effort to infiltrate their Gmail accounts and monitor their activity.
During the attack, victims were compelled to open an e-mail appearing to come from someone they knew. The e-mail message used social engineering techniques with highly personalized content to entice them to click on links that took them to malicious sites impersonating the Gmail login screen.
Citigroup
While once thought to be impenetrable, the banking industry joined the long list of cyber attack targets. In the spate of corporate hacks in 2011, miscreants launched a targeted cyber attack at Citigroup by compromising the accounts of more than 200,000 bank card holders. The attack, which Citigroup initially detected in early May but revealed in June, affected about 1 percent of its 21 million card holders.
Citigroup said it was working with law enforcement officials to determine details of the incident and planned to issue replacement credit cards to customers possibly affected by the breach.
Altogether, the compromised information included customer names, account numbers, and other contact information such as e-mail addresses. However, other personally identifying information, such as customer dates of birth, social security numbers, card expiration dates and CVV codes, were not compromised in the hack, Citi said.
International Monetary Fund
Hackers demonstrated that no one is immune to cyber crime after successfully executing a spear phishing attack aimed at the International Monetary Fund.
The cyber attack resulted in the theft of what the IMF called ’a large quantity’ of data, which allegedly included documents and e-mails. The attack prompted the IMF to temporarily disable its network connections with the World Bank and embark on an investigation.
Meanwhile, a BBC report suggested that hackers gained entry via a spear phishing attack, indicated by the presence of ’suspicious file transfers.’ The BBC reported that the IMF attack appeared to originate from a specific PC that was infected with data stealing malware.
Sega Pass
Video game maker Sega also reeled this month from a hack that exposed names, birth dates, e-mail addresses and encrypted passwords of 1.3 million Sega Pass online network customers.
Following the breach, Sega embarked on the process of notifying affected customers and resetting all passwords. The company also took Sega Pass offline.
As a cautionary measure, Sega advised users not to attempt to log into Sega Pass until the game was restored back online, and told users who relied on the same Sega Pass login credentials for other accounts to immediately change their passwords. The video game maker added that none of the stolen passwords were stored in plain text and that credit card numbers and other personal payment card data were not affected by the breach.
Details of the breach remain unclear. However, the hacker group LulzSec, thought to have been behind the attack, later denied it was involved.
Dropbox
An authentication bug in cloud storage provider Dropbox opened a gaping security hole that enabled any password to be used to gain entry into the accounts of its 25 million users.
The company said that the security bug occurred with a faulty code update affecting the authentication mechanism. Dropbox CTO Arash Ferdosi said in a blog post that the glitch went undetected for four hours before administrators issued a fix. Ferdosi said that that ’a very small number of users (much less than one percent)’ logged into their account during that window, adding ’some of whom could have logged into an account without the correct password.’
Ferdosi said that the company was in the process of conducting an investigation and ’scrutinizing controls’ to determine if any accounts were accessed without authorization, and said it would ’immediately notify’ account owners if any improper activity was detected.
Sony Pictures
As if Sony Corp. didn’t have a bad enough year, hackers continued to pour salt on the wound when they broke into the computer networks of Sony Pictures and exposed the personal information of more than one million customers.
Hacker group LulzSec, which claimed responsibility for the attack, said that they exploited security vulnerabilities on the Sony Pictures Web site with an easily executed SQL injection attack.
Altogether, the hackers said that they accessed personally identifying information, including passwords, e-mail addresses, home addresses, dates of birth and all Sony opt-in data associated with the accounts of more than one million users.
The LulzSec hackers also said that they compromised all admin details of Sony Pictures, as well as 75,000 "music codes" and 3.5 million music coupons, while breaking into other tables from Sony BMG in the Netherlands and Belgium.