
Lesser-Known Data Breaches Last Year

by OPSWAT

When it comes to the high-profile security breaches of 2014, we immediately think of Sony, Home Depot, JP Morgan, etc. However, there were also countless lesser-known security breaches. Some might have been low-profile because of their smaller scale, but just as many lessons can be learned from studying breaches that are less widely known. As you will see in the examples below, cyber attackers don't just go for your average retailer, large-scale bank, or major entertainment corporation. You might also notice that compromised data covers more than just credit cards and email addresses; it can also include social security numbers and medical information. Long story short: any information held by any company of any size could be a potential target.


Healthcare Industry

Community Health Systems


What happened?

In August of 2014, Community Health Systems, a company that operates 206 hospitals across 28 states in the U.S., reported that in April and June it was hacked by an "Advanced Persistent Threat" group in China. Attackers exploited the infamous Heartbleed vulnerability, gaining access to a user's credentials from a Juniper device on the company's network. From there, the credentials were used to log in to the company's VPN. Although Juniper issued updates for all of its devices within three days of discovering the vulnerability, organizations still had to apply the patches in order to be protected. It was not clear whether or when CHS applied patches to its devices. Their official public statement can be found here.

What was taken?

Personally Identifiable Information (PII) for 4.5 million patients including names, social security numbers, telephone numbers, birthdays, and email addresses.

Why should I care?

If your social security number has been stolen, there can be major consequences. Identity thieves carry out many illegal activities, such as obtaining employment under your name, applying for credit cards against your credit, taking out personal or business loans, posing as you, and in some cases even receiving your income tax refunds. For this reason, you should keep your social security number secret in order to avoid possible identity fraud. In more severe cases, hackers may even steal data such as medical records. Medical records hold highly sensitive data that should be kept confidential. How would you feel knowing that your entire medical history (diagnoses, treatments, vaccinations) had been posted online, or even sold to insurance companies?

St. Joseph Health


What happened?

In February of 2014, St. Joseph Health, a Texas-based health-care provider, reported that an unknown attacker operating from IP addresses in China gained unauthorized access to one of their servers. The attack lasted for about 48 hours. Once the threat was detected, the server was taken offline.

What was taken?

The PII and Personal Health Information (PHI) of 405,000 patients: names, social security numbers, telephone numbers, birthdays, medical information and email addresses. Information for 2,000 employees was also stolen, including banking information!

Why should I care?

Although St. Joseph Health reported that the medical information was limited to lab tests, the incident opens up a conversation about what the implications would be if a full medical record were exposed. In this case, both medical and banking information were taken. Cyber criminals can do a number of harmful things once they have access to your banking information, such as opening an account or credit line under your name. Just like a social security number, personal banking information should be kept private.


Government

Veterans of Foreign Wars


What happened?

In April of 2014, Veterans of Foreign Wars, an organization that assists those who served in the military, claimed that attackers in China had used a remote access Trojan and malicious code to gain access to a VFW web server. The official report from the attack can be found here.

What was taken?

The personal information of 55,000 veterans: names, social security numbers, and addresses.

Why should I care?

As mentioned above, the names and social security numbers of 55,000 veterans were stolen, leading to major identity theft implications. Generally speaking, breaches that originate overseas can have more severe consequences. For example, IT security analysts theorized that China may not have been looking for social security numbers, and was instead trying to steal military-related information such as plans, contracts, etc. Classified military tactics and strategies in the hands of hackers could result in major security implications for the United States.

USPS

What happened?

USPS had two dozen servers hacked by an unknown organization (although analysts speculate that the group is from China).

What was taken?

The information of 800,000 workers and 2.9 million customers: names, birth dates, and social security numbers.

Why should I care?

Compared to the attack on the Veterans of Foreign Wars, the attack orchestrated on USPS might seem minor, especially for those who stopped sending "snail" mail and adopted email. But if you look at the bigger picture, you will see that the attack on USPS was just as harmful. Hackers can learn a lot about systems by just poking around. A group can potentially learn about U.S. government computer networks and expose vulnerabilities through these "low-value" attacks, perhaps in order to prepare for a much larger attack in the future. USPS moves billions of letters each year, and an understanding of that information flow and network could hold potential value for attackers.


Utilities




What happened?

In May 2014, an (unnamed) U.S. public utility company had its control system network compromised. By implementing a classic "brute force" attack on its password mechanism, hackers accessed the company's Internet portal that led to the control systems. Once the unauthorized access was identified, a response team was able to prevent further infiltrations.

What was taken?

Fortunately, there was no impact to the utility's operations.

Why should I care?

Utility companies (gas, electric and water) are crucial to the infrastructure of any country. If an attack on a utility company takes place, it can have a significant impact on the operations of businesses, educational institutions and even the government. Consumers may take utilities such as electricity for granted until they are shut off due to an attack. Remember how you felt the last time you experienced a blackout?

Hackers can learn more about a system each time they attempt an attack. For example, as attackers attempt to gain access to a system they can discover potential vulnerabilities to exploit in the future. For this utility company, it was concerning that all it took to hack their control systems was a classic "brute force" attack.


What can I do?

For consumers, frequently monitoring your credit will make you aware of any suspicious activity tied to your cards. According to the Fair Credit Reporting Act (FCRA), each of the three major credit reporting agencies (Equifax, Experian, and TransUnion) is required by law to provide you a free copy of your credit report once every 12 months; all you need to do is request it. There are other reputable resources, such as Credit Karma, that will give you your credit report along with your credit scores. If you ever do come across any unusual activity, you can put a freeze on your credit.

For IT professionals, ensure your organization's IT infrastructure is kept up-to-date with the latest software patches. Make sure passwords used throughout your organization are complex, difficult to break, and that they contain a variety of characters (upper case, lower case, numeral, etc.). Remember that a password is only good as long as it's kept secret. Bring Your Own Device (BYOD) has become more common in organizations, making it more challenging to protect endpoints. There are tools that can manage those devices when they are connected to the company's network. IT professionals can also use endpoint compliance solutions, such as Gears, to ensure devices meet specific compliance rules before gaining access to the network or company resources.

Were you aware of these breaches? They certainly didn't make many major headlines, but they are an indicator of how easily and frequently large-scale data breaches occur.
