February 6, 2020
Data breaches happen all the time for all sorts of reasons. The ones that make the news have three things in common:
In this article we’re going to look at three famous companies, each of which lost a lot of people’s data.
For hackers and cyber criminals, personal data, or Personally Identifiable Information (PII), is a kind of currency. (PII means things like dates of birth, credit card numbers, email addresses, anything that can be used to identify an individual.) Such data is valuable. Personal records can be sold to other criminals for up to $250 per individual. PII records can be used to obtain fraudulent funds by impersonating or blackmailing someone. If the data includes weakly-encrypted passwords, these can be decrypted and used to hack other accounts, because so many of us reuse the same password on multiple sites.
Data breaches are not a new problem. But the public’s reaction to large data breaches has changed. Many companies base their entire business models on monetizing their customers’ private personal data. When that data becomes public, customers flee, reputations crumble, and stock prices fall. It all amounts to economic damage for the company looking after the data.
There are many reasons for data breaches and many ways to classify them. The most revealing is to group them into preventable and unpreventable. An example of an unpreventable data breach would be the exploitation of an unknown (zero-day) vulnerability in software.
A preventable data breach would be one due to a server or database misconfiguration, the accidental sending or posting of credentials in plain text, or, the most deplorable of all, the failure to update software. It is deplorable because it involves a failure to act rather than acting wrongly. It is the classic case where doing nothing leads to disaster.
Here are some classic responses (and our interpretations) to industry surveys that ask companies why they don’t install software patches straight away.
It takes too long
It costs too much
Too many CVEs
Can’t afford a reboot
To illustrate further, here are the details of three famous data breaches.
Based in Atlanta, GA, Equifax is an S&P 500 consumer credit rating company. It employs 9,900 people, and serves 800 million customers and 88 million businesses.
It’s big, and that’s probably why it was targeted—one hack yields much data.
Equifax were victims of a known vulnerability in Apache Struts, an open-source framework that enterprises use to build Java web applications.
Events unfolded like this:
It wasn’t all down to human inaction, though. They had a vulnerability scanner, but it didn’t report the issue.
Headquartered in Maryland, this US hospitality firm lists in both the S&P 500 and the NASDAQ-100.
It employs around 177,000 people, and is most famous for its hotel chain, one of over 30 brands spread across over 7,000 sites in 130 countries. (If you don’t know the name, you need to get out more.)
The reservation system for their Starwood hotels group (a company previously acquired) was found to have been accessed illegally for up to 4 years before being detected. An internal security tool flagged a suspicious database query. Upon investigation, extracted data was found to have been encrypted prior to exfiltration. It took Marriott’s staff two months to decrypt the information. The cache of data contained passport and credit card numbers, among other PII.
Yahoo were hacked in 2013 and 2014, but the true scale of the data breaches wasn’t revealed until 2017, when it was announced that the data for every single Yahoo account holder had been stolen. (The latency in disclosure had a lot to do with Yahoo’s then-ongoing deal to be bought by Verizon, who eventually went ahead with a $350m discount.)
The data stolen included account holders’ names, dates of birth, telephone numbers and weakly-encrypted passwords. That last item meant that many users’ other accounts were hacked, as many people reuse the same password on multiple sites.
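The point made twice above, that weakly protected passwords become a liability for every other site where the same password was reused, comes down to how the passwords were stored. The following is an added example written for this page; it is not code from TuxCare, KernelCare, or any of the companies discussed. It contrasts an unsalted, fast digest (two users with the same password get the same stored value, so one recovered value exposes every account sharing it) with a salted, deliberately slow key derivation from the Python standard library. The user names, passwords and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample accounts (not real user data). Note both share a password,
# which is exactly the situation password reuse creates across sites.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

# Work factor for PBKDF2; chosen for the example, tune for your hardware.
PBKDF2_ITERATIONS = 600_000


def weak_digest(password: str) -> str:
    """The 'weakly protected' scheme: one unsalted pass of a fast hash.

    Identical passwords yield identical digests, and the digest can be checked
    against precomputed tables at very high speed. Shown only for contrast.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as a salted, iterated PBKDF2-HMAC-SHA256 derivation.

    The random per-user salt means equal passwords produce different records,
    and the iteration count makes each guess expensive for an attacker who
    obtains the database.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Self-describing record so the parameters can be rotated later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_same_record(scheme: Callable[[str], str]) -> bool:
    """True if two users sharing a password end up with identical stored values."""
    return scheme(SAMPLE_USERS["alice"]) == scheme(SAMPLE_USERS["bob"])


if __name__ == "__main__":
    print("unsalted md5 leaks shared passwords:", same_password_same_record(weak_digest))
    print("salted pbkdf2 leaks shared passwords:", same_password_same_record(hash_password))
    record = hash_password(SAMPLE_USERS["alice"])
    print("stored record:", record)
    print("correct password verifies:", verify_password(SAMPLE_USERS["alice"], record))
    print("wrong password verifies:", verify_password("not the password", record))
```

The stored record carries its own algorithm tag, iteration count and salt, so a site can raise the work factor over time and re-hash users on their next login rather than being stuck with whatever scheme it launched with.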
Personal data is the new oil, and it’s leaking everywhere. With it, companies build empires and governments glean intelligence. Hackers rake the remains, wringing more revenue using extortion, blackmail, and theft.
Automatic patching plugs one of the most preventable causes of data breaches: out-of-date software. KernelCare’s live patching solution secures Linux kernels. You can read more about how faster patch management enables compliance in our article based on the RSA Conference talk by Igor Seletskiy, CEO of KernelCare.