Three Big-Name Data Breaches

Data breaches happen all the time for all sorts of reasons. The ones that make the news have three things in common:

1. The data affects you and me, the public, everyday people.
2. The data affects many of us, millions, even billions.
3. The companies looking after the data are household names.

In this article we’re going to look at three famous companies each of which lost a lot of people’s data.

The Value of Data

For hackers and cyber criminals, personal data, or Personally Identifiable Information (PII), is a kind of currency. (PII means things like dates of birth, credit card numbers, email addresses, anything that can be used to identify an individual.) Such data is valuable. Personal records can be sold to other criminals for up to $250 per individual. PII records can be used to obtain fraudulent funds by impersonating or blackmailing someone. If the data includes weakly-encrypted passwords, these can be decrypted and used to hack other accounts, because so many of us reuse the same password on multiple sites.

Data breaches are not a new problem. But the public’s reaction to large data breaches has changed. Many companies base their entire business models on monetizing their customer’s private personal data. When that data becomes public, customers flee, reputations crumble, and stock prices fall. It all amounts to economic damage for the company looking after the data.

How Data Breaches Happen

There are many reasons for data breaches and many ways to classify them. The one most revealing is to group them into preventable and unpreventable. An example of an unpreventable data breach would be the exploitation of an unknown (zero-day) vulnerability in software.

A preventable data breach would be due to a server or database misconfiguration, the accidental sending or posting of credentials in plain text, or the most deplorable, the failure to update software. It is deplorable because it involves a failure to act rather than acting wrongly. It is the classic case where doing nothing leads to disaster.

Why We Avoid Patching Software

Here’s some classic responses (and our interpretations) to industry surveys that ask companies why they don’t install software patches straight away.

To illustrate further, here are the details of three famous data breaches.

1. Equifax (2017)

• The personal records of 148 million people were stolen.
• Hackers exploited a known vulnerability unpatched for 2–5 months.

Based in Atlanta, GA, Equifax is an S&P 500 consumer credit rating company. It employs 9,900 people, and serves 800 million customers and 88 million businesses.

It’s big, and that’s probably why it was targeted—one hack yields much data.

Equifax were victims of a known vulnerability in Apache Struts, an open-source framework that enterprises use to build Java web applications.

Events unfolded like this:

• March 7, 2017: Vulnerability reported and patched.
• July, 2017: Equifax hacked.
• July 29, 2017: Data breach detected.
• September 7, 2017: Data breach disclosed.

It wasn’t all down to human inaction, though. They had vulnerability scanner but it didn’t report the issue.

Lessons

• Don’t delay patching.
• Scanners can’t detect unknown vulnerabilities.

2. Marriott (2018)

• The personal records of 327/383/500 million people were stolen (estimates vary).

Headquartered in Maryland, this US hospitality firm lists in both the S&P 500 and the NASDAQ-100.

It employs around 177,000 people, and is most famous for its hotel chain, one of over 30 brands spread across over 7,000 sites in 130 countries. (If you don’t know the name, you need to get out more.)

The reservation system for their Starwood hotels group (a company previously acquired) was found to have been accessed illegally for up to 4 years before being detected. An internal security tool flagged a suspicious database query. Upon investigation, extracted data was found to have been encrypted prior to exfiltration. It took Marriott’s staff two months to decrypt the information. The cache of data contained passport and credit card numbers, among other PII.

• September 8, 2018: Data breach detected.
• November 19, 2018: Data breach investigated.
• November 30, 2018: Data breach disclosed.

Lessons

• When you buy a company, you’re also buying its data, and taking responsibility for it.

3. Yahoo (2013–2014)

• The personal records of 3 billion people were stolen.

Yahoo were hacked in 2013 and 2014, but the true scale of the data breaches wasn’t revealed until 2017, when it was announced that the data for every single Yahoo account holder had been stolen. (The latency in disclosure had a lot to do with Yahoo’s then-ongoing deal to be bought by Verizon, who eventually went ahead with a $350m discount.)

The data stolen included account holder’s names, dates of birth, telephone numbers and weakly-encrypted passwords. That last item meant that many users other accounts were hacked, as many people reuse the same password on multiple sites.

Lessons

• The bigger you are, the more attractive your data is.

Personal data is the new oil, and it’s leaking everywhere. With it, companies build empires and governments glean intelligence. Hackers rake the remains, wringing more revenue using extortion, blackmail, and theft.

Automatic patching plugs one of the most preventable causes of data breaches: out of date software. KernelCare’s live patching solution secures Linux kernels. You can read more about how faster patch management enables compliance in our article based on RSA Conference speech of Igor Seletskiy, CEO of KernelCare.