Personal data leaks happen every day. Some of them make it into the news, and some remain obscure. In the United States alone, 163 million user records have been compromised so far this year (according to data provided by the Identity Theft Resource Center). For those not keeping score, that’s four times as many as were compromised in all of last year.
This year isn’t over quite yet, but we didn’t want to wait to tell you about the five largest leaks recorded since the beginning of 2017 — in the first three-quarters of the year, to be precise. To be fair, this list should start with Yahoo and the 3 billion accounts leaked. However, that leak occurred back in 2013; also, news updating the scope of the leak was published as early as October, in the fourth quarter; and finally, that news was an update regarding a breach that was already well known.
And now for the main event: the Equifax break-in. In September, company representatives disclosed that hackers had gained access to databases with clients’ names, social security numbers, dates of birth, and addresses. The leak spanned more than a month, from mid-May until the end of July. To access the data, the attackers used a vulnerability in the Apache Struts 2 framework. By Equifax’s initial assessment, the attack involved the data of 143 million people, but the company later increased the victim count to 145.5 million. Among other things, the attack compromised more than 209,000 credit card numbers, as well as documents containing personal data on 182,000 people. The vulnerability that led to the leak had been eliminated by Oracle (the developer of Apache Struts) back in March, but two months later, Equifax, one of the largest credit-reporting agencies in the United States had not yet installed the updates.
A vulnerability in the Web application software of a large online job search engine let an unknown hacker get hold of the names, dates of birth, and social security numbers of users from 10 states. In February, the hacker created an account in the system and used the vulnerability to gain access to more than 5.5 million accounts. The break-in was discovered two weeks later, after which the vulnerability was closed. In an official press release, America’s Job Link Alliance explained the vulnerability, saying that an app that was part of an October 2016 update was “incorrectly configured.”
The Dow Jones incident is very similar to the previous example in that it involved another AWS repository with a data archive. The problem was, again, the settings, although this time, data was not open to the entire world, but rather to users of AWS. The incident compromised the personal and financial information of millions of subscribers to the Wall Street Journal, Barron’s, and other newspapers and magazines issued by one of the largest financial information agencies in the world. Whether the cybercriminals were able to gain access to data before the cloud container’s setting were corrected is unknown.
In August, IT security experts discovered an open Amazon Web Services (AWS) cloud container. It contained a backup copy of data from Election Systems & Software (ES&S), a company that manufactures voting machines and elections management systems. The data contained a total of almost 2 million accounts with names, addresses, dates of birth, and party affiliations of Illinois residents. By default, access to AWS bins is possible only after authentication; however, for some unknown reason, the settings on this device were misconfigured, and that made the container accessible to the public. There is no way to know whether anyone discovered this container before the experts did, but the personal data of 1.8 million people was publicly accessible, so ultimately, this incident matches the definition of a leak very well.
You may not have heard of Avanti, but your workplace probably has, and you may even have bought snacks from one of its vending machines. In July, this supplier of snack sales solutions for corporate lunchrooms announced that malware had been found on some of its payment terminals. The attackers managed to infect some machines with rather complicated malware created specifically to intercept credit card numbers, expiration dates, and CVVs. How exactly they managed to infect the devices is unclear. In some cases, the attackers evened gain access to customers’ biometric data — some terminals were equipped with fingerprint sensors. The differences in the kiosks’ settings prevented the attackers from hacking the entire network. For the same reason, the company failed to accurately estimate the damages, announcing that at least 1.6 million accounts had been compromised.
To sum up the lessons of these five major leaks: In at least four of them (in the first case, the cause is still unknown), the leaks were entirely preventable. In the incidents with Election Systems & Software and Dow Jones & Company, information was left unprotected by incorrect software configuration. America’s Job Link Alliance suffered from a known vulnerability of a Web app. And the Equifax case came down not to a vulnerability but rather to lax updating — patching on time would have fixed the vulnerability well before it was exploited. In short, those leaks could have been prevented with a timely audit of the IT infrastructure — an event that should really be conducted on a regular basis in companies of all sizes.