Download our FREE whitepaper on data loss prevention best practices. Download Now

Top 3 Biggest Data Breaches in History

The cost of a data breach for an enterprise can be enormous, both directly, as a result of legal and regulatory actions, and indirectly through loss of reputation and customers. Every CISO is most certainly aware of this, and so it comes as no surprise that large enterprises are the most likely to invest heavily in the resources and technologies intended to help them prevent such incidents. However, despite these huge investments, year after year we hear about yet another major data breach affecting millions of people and costing billions of dollars.

First, How Do Data Breaches Happen?

The main weaknesses that lead to data breaches are the complexity of enterprise systems and human errors that happen when designing, maintaining, and using those systems, throughout the entire system lifecycle. The bigger and the more complex the system, the harder it is to keep it continuously secure. And the bigger the enterprise, the more likely malicious actors will be highly interested in obtaining access to its sensitive data. One small weakness may cause a chain reaction – just like one slightly deformed fan blade in an airplane engine may detach and cut through all the other engines, ultimately killing everyone onboard.

Today’s cybersecurity tools are thorough and effective. The scope of available security products covers every aspect of the enterprise’s infrastructure: clouds, on-premises servers, networks, endpoints, IoT, and more. They provide testing, prevention, detection, and reaction. However, all of these tools need to be correctly implemented and maintained by humans, and even security experts make mistakes. Almost all major breaches in history, even if orchestrated by advanced attackers such as foreign espionage organizations, were ultimately caused by simple human error. Such errors were most often associated with insufficient security measures, a lack of due diligence with maintenance, or falling for advanced social engineering ploys.

Here are some of the biggest corporate data breaches in history and the stories behind them.

Yahoo! – Just one click was enough

Yahoo! appears on the list of biggest breaches several times, being the best example that a high-tech company is just as likely to be a victim of breaches as enterprises from any other sector – or maybe even more likely, because so many assets must be publicly exposed. The 2014 Yahoo! breach was not just their biggest, affecting up to 500 million people, but also the most interesting from a technological point of view. This is because the avalanche that led to the breach was started by one simple spear phishing email, perfectly showing how one small human error can cost an enterprise billions.

One wrong click by one employee allowed the attackers to assume a presence within the internal network, jump from an endpoint machine to the servers, and ultimately obtain access to the user database and its management tools. The most scary fact about this attack is that it could have happened to anyone – it’s simply impossible to guarantee that every single employee in the organization is careful enough not to fall for a well-prepared social engineering attack. And, what’s even worse, typical endpoint and email security software, such as antivirus and anti-phishing tools, is helpless with spear phishing attacks, which are prepared individually using custom tools and practically undetectable.

While the scope of publicly available details about the attack is not enough to say whether good endpoint protection software could have prevented this attack, it is very likely that it could. Even if the victim clicked the spear-phishing link, for the attacker to gain access to the network, they would likely need to first access credentials or other sensitive information using remote control software. This is exactly where data loss prevention (DLP) software such as Endpoint Protector would have most probably been able to detect improper access and raise an alarm, preventing from going forward with the attack.

Equifax – A few small failures lead to a tragedy

The 2017 Equifax breach, which affected 143 million people, is yet another interesting story to learn from. This breach proves how just a few small security weaknesses put together can allow a skilled attacker to escalate their presence in the target system to nearly absolute control. And if we could learn something specific from Equifax, it’s that it’s not just the end-users that make serious security mistakes – the entire chain of events was a result of security measure failures.

This attack, most probably engineered by Chinese espionage forces, started with a failure of the security personnel responsible for server software patching. The consumer complaint web portal was running a version of a web application server with a well-known vulnerability – all it would take to fix it would be to apply the recommended security patches, and all it would take to discover it was a simple security scanner.

The next failure was a lack of system segmentation and storing system access passwords in simple text files. This type of practice is, unfortunately, very common among many server administrators, who wrongly assume that only legitimate users can get access to any of their servers and therefore make their lives easier by storing system access credentials in insecure files. This type of practice is luckily easily detectable using DLP software – user access to files containing sensitive, easily recognizable patterns such as usernames and passwords stored in clear text, would not just be prevented but also immediately raise an improper access alarm.

Last but not least: once the attackers accessed the sensitive data, they were able to extricate it for months from Equifax systems over regular network connections simply because one of the internal security tools did not have an updated security certificate. All in all, all three stages of the attack were possible due to the incompetence of well-trained technical staff, which raises the question: if we can’t trust the “security guys” to handle security well, whom can we trust?

Capital One – Not just foreign spies

While the two previously described data breaches were orchestrated by foreign powers, which hired well-prepared and well-financed teams of specialists, this is, surprisingly, not the most common scenario with major data breaches. Quite a few of the biggest breaches were caused by amateurs or exposed by white-hat security experts (the “good guys”) before anyone would be able to take advantage of the sensitive information. For example, for quite a while, one of the most common mechanics behind security breaches was publicly accessible Elasticsearch databases – anyone could simply point to the insecure address and access all the data using a standard login and password.

The Capital One hack was a different, yet common scenario, where a person without truly malicious intent balanced on the edge of the law to impress their peers. This was exactly the case of Paige Thompson, who caused a $250 million data breach by simply downloading sensitive data to her private computer, clearly with no intent of selling it on the black market but only to show off to the hacking community.

Why Paige Thompson deserves some attention is that she was almost a textbook model of someone who caused major harm due to a combination of circumstances. First of all, she represented an internal threat, being an ex-Amazon employee, and Capital One was using Amazon services to store their sensitive data. Second of all, Paige was suffering from mental health problems and gender identity struggles, making her more likely to seek peer validation and make bad judgments. As a result, her actions were rash and emotional, but luckily for her did not cause her to spend her life in prison for this mistake.

From a technical standpoint, Capital One was no different than most other major hacks – it was a multi-stage process caused by several security weaknesses and misconfigurations. First, Thompson took advantage of a server-side request forgery weakness in Capital One’s web application to be able to access the Amazon cloud infrastructure behind that web application, which could have been prevented if Capital One used web security scanning. Then, Thompson was able to obtain access to a role with excessive privileges, which allowed her to sync the S3 buckets, effectively downloading sensitive data to her computer. While the application was behind a web application firewall, this firewall was also misconfigured with insufficient logging or excessive permissions, allowing for this process to go unnoticed.

The Capital One breach exposed the dangers of internal threats – disgruntled employees or ex-employees are more likely to either make serious mistakes or even act inappropriately towards the company, potentially becoming the first step in the data breach. It also showed that cloud infrastructure, even if hosted by such a renowned company as Amazon, is just as likely to have security misconfigurations and that even administrative access privileges should be well-controlled and monitored.

Is there any hope to prevent data breaches?

Your best hope to help prevent data breaches in your organization is to learn from the mistakes made by others. Just these three major breaches show a plethora of typical errors such as excessive trust in security personnel and the lack of coverage of certain cybersecurity attack surfaces. No single all-in-one security solution from even the most renowned security company will cover every base that you need to cover. Only a well-designed security program can help you make sure that you don’t have holes such as the lack of DLP software to protect your endpoints.

The best approach to avoid data breaches is, therefore, to follow the zero trust conundrum – and not just zero trust networking or zero trust applications, but also zero trust security programs. While your security personnel are most likely doing their best to ensure that a breach doesn’t happen, they’re only human and will also make mistakes. Therefore, monitoring and double-checking their activities will not be a sign that you don’t trust them enough, but should rather be perceived as a will to make the right investments in not just your security but also the security of your customers and partners.

explainer-c_learning

Download our free ebook on
Data Loss Prevention Best Practices

Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.

In this article:

    Request Demo
    check mark

    Your request for Endpoint Protector was sent!
    One of our representatives will contact you shortly to schedule a demo.

    * Your privacy is important to us. Check out our Privacy Policy for more information.