I began 2013 with a blog post that chronicled the “worst of the worst” data breaches in the previous 12 months. 2012’s two most notable were breaches at Zappos and LinkedIn. In the case of Zappos, the company had encrypted the data, but not in a comprehensive way. In LinkedIn’s data breach, customer passwords were stolen because they had been hashed instead of encrypted.
As the holidays present a time for reflection, I thought I’d take a look at 2013’s highest visibility data breaches. All I can say is, what a year this has been! The LivingSocial breach, the Adobe hack, the MongoHQ breach and, most notably, the on-going series of revelations from Edward Snowden have made 2012’s data breaches seem trivial.
Let’s start with my favorite: the Snowden affair. No matter which side of the argument you take, the Snowden saga highlighted the risk presented by privileged users and their ability to see data in the clear. This on-going series of high-profile revelations shows government organizations and enterprises alike that they must protect their data from not just outsiders, but insiders like system administrators as well. System administrators don’t need to see the data to do their jobs, and keeping the infrastructure blind to the data has the added advantage of thwarting adversaries who try to impersonate system administrators using stolen credentials.
Next on my list: the LivingSocial breach. LivingSocial was hit hard by hackers in a data breach that affected some 50 million users. Unfortunately, the company did not learn from LinkedIn’s mistakes; LivingSocial had only salted and hashed the passwords. While the hackers were unable to access credit card information, they were able to access consumer data, an exceedingly valuable asset to companies like LivingSocial.
In my blog post, October – the Month in #DataBreach, I talked at length about Adobe’s data breach. Initially, Adobe thought its data breach had affected only three million users, but the company was off by an order of magnitude. It turns out that the Adobe breach affected a startling 38 million users. Through a flaw identified in compromised Adobe source code, the attackers gained access to users’ customer IDs, names, encrypted passwords, encrypted debit and credit card numbers and other personal information. Moreover, this breach not only affected customer information, it also exposed Adobe’s “secret sauce.”
Finally, cloud-based hosting service MongoHQ made news headlines when it suffered a data breach due to a lapse in the security controls around the company’s internal support application. Hackers were able to gain access to MongoHQ’s database because an employee with a compromised personal account was using a shared password to access the internal support application.
This breach was especially devastating because MongoHQ not only stores its customers’ data, it also stores data for the customers of its customers. Big data repositories that are not using a multi-layered approach and encrypting the data itself are walking around with a huge “kick me” sign. With proper controls in place, Big Data does not have to mean big risk.
The evidence continues to pile up: organizations of all kinds need to realize what’s at risk and enhance their current security posture with data-centric security to protect their valuable data, including their IP, their customer information, and their financial information. And they also have to make sure that privileged users aren’t either intentionally or unwittingly accessing or stealing sensitive data. To avoid making data breach headlines in 2014, it is critical to safeguard the data at the source.
How do you protect your sensitive data?