ACG 6415 project presentation

Information Security
Lapses
Top 10 Security Breaches
Kyle Chase
Revati Kailasam
Kelly Walker
Since 2005, more than 3,000 data
breaches have been reported.
▪ Over 545 million records compromised as
a result of these data breaches.
-Privacy Rights Clearinghouse

Information Security Lapses

What happened?
◦ A summary of the breach

How did it happen?
◦ Attack Methods
◦ Control Failures

How could it be prevented or minimized?
◦ Preventative IT security

Financial Impact
◦ Cost of the breach
Top 10 Information Security
Failures in Recent History




Parent company of TJ Maxx, Marshalls, Home
Goods, and more
Reported data breach potentially affecting
thousands of consumers
Masterminded by Albert Gonzalez
Hackers gained access via store wireless
networks
◦ Outdated WEP security

Gained access to corporate servers housing
sensitive information
◦ Including CC Information
TJX (2005)

PCI compliance issues
◦ In compliance with only 3 of 12 standards
◦ Failure to upgrade systems in a timely manner

Too much information stored
◦ CC #s, PINs, CVV #s


Lack of encryption
Lack of fraud detection
◦ Breach lasted 18 months

Result: 45.7 Million credit card numbers
stolen
TJX (2005)

Intentionally released search logs
◦ Contained:
▪ SSNs
▪ Bank account information
▪ Demographic information
Exposed 650,000 users to identity theft
IT Security/Control Issues
Violation of Electronic Communications
Privacy Act
▪ Lawsuits averaged $5,000 per victim



AOL (2006)

Links to TJX Case
◦ Albert Gonzalez – connected to cases involving TJX,
Heartland, Hannaford, 7-Eleven

SQL injection attack to access ATM and Point
of Sale systems
◦ Also were able to access historical data

Injected malware to intercept user inputs in
real-time
◦ PINs stolen in electronic transmission

$2 million in damages
Better encryption and fraud detection
systems could have decreased the loss
7-Eleven (2007)
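The slide names SQL injection as the entry point into the ATM and point-of-sale back end but does not show what the defect looks like. The Python below is an added illustration, not code from the presentation or from any 7-Eleven system: a card-holder lookup that splices user input into the query text (the vulnerable form) next to the same lookup written with bound parameters (the hardened form). The table, rows, column names and inputs are all constructed for the example.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a small POS/ATM account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (card_last4 TEXT, holder TEXT, pin TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1111", "alice", "1234"), ("2222", "bob", "9876")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, card_last4: str, pin: str) -> list:
    """Vulnerable form: the query text is assembled from user-controlled strings,
    so quote characters in the input change the structure of the SQL itself."""
    sql = (
        "SELECT holder FROM accounts "
        f"WHERE card_last4 = '{card_last4}' AND pin = '{pin}'"
    )
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn: sqlite3.Connection, card_last4: str, pin: str) -> list:
    """Hardened form: placeholders keep the SQL fixed; the driver passes the
    values as data, so they can never be interpreted as part of the statement."""
    sql = "SELECT holder FROM accounts WHERE card_last4 = ? AND pin = ?"
    return [row[0] for row in conn.execute(sql, (card_last4, pin))]

def demo() -> dict:
    """Run both lookups with a legitimate PIN and with a tampered PIN string
    (constructed input) and return the row sets each version hands back."""
    conn = build_db()
    tampered_pin = "' OR '1'='1"   # constructed input, not a real PIN
    return {
        "vulnerable_legit": lookup_vulnerable(conn, "1111", "1234"),
        "vulnerable_tampered": lookup_vulnerable(conn, "1111", tampered_pin),
        "safe_legit": lookup_safe(conn, "1111", "1234"),
        "safe_tampered": lookup_safe(conn, "1111", tampered_pin),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} -> {rows}")
```

With the tampered string the vulnerable query's WHERE clause becomes `card_last4 = '1111' AND pin = '' OR '1'='1'`, which is true for every row, so the lookup returns all account holders; the parameterized version returns nothing because no account has that literal PIN. Beyond using bound parameters, a database account used by a POS application should be limited to the tables and operations it actually needs, so that even a successful injection cannot reach unrelated data.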

Already bad reputation for protecting consumer data

Reported breach to PlayStation Network and Qriocity
music service
◦ Rootkit Incident
◦ Immediate shutdown of the PlayStation Network

Affected:
◦ 77 million PlayStation Network users
◦ 25.4 million Sony Online Entertainment users

Released:
◦ Customer Names
◦ Addresses
◦ Email
◦ Log-Ons
◦ Credit card information
Sony (2011)

Access to system administrator PC
containing sensitive information
◦ Malicious Email to gain access
◦ Masked by Anonymous DDOS attack
▪ Slowed Fraud Detection
▪ Anonymous denies involvement

“Sony probably did not pay enough
attention to security when it was
developing the software that runs its
network.” – Reuters
Sony (2011)

Monster was created in 1999

Monster.com is one of the largest employment websites in
the world

Hackers broke into the password-protected resume library

Information from 1.3 million users was stolen

Information stolen was limited to names, addresses, phone
numbers and email addresses
Monster.com (2007)

Hackers sent phishing emails and made extortion-based
threats

Monster waited five days to inform its users about the
security breach

Monster put a notice on its website and also posted letters
to the affected users about the breach

According to Monster, the estimated cost of upgrading its site
was 80 million
Monster.com (2007)

Epsilon, created in 1969, is the world’s largest permission-
based email marketing service company

Epsilon has more than 2,400 A-list clients and sends more than
40 billion emails annually on behalf of its clients

On March 30, 2011 Epsilon detected “an unauthorized entry”
into its email system

Nearly 75 of Epsilon’s clients were affected

60 million email addresses were stolen

Data compromised was limited to email addresses and names
Epsilon (2011)

Some of the clients under attack were financial
institutions (Capital One, US Bank, JPMorgan Chase, Citi
and Barclays Bank of Delaware), retail chains (Best Buy,
Home Shopping Network, Walgreens, Brookstone, New
York & Company, Kroger, TiVo), hotel chains (Ritz-Carlton
Rewards and Marriott Rewards), McKinsey, The
College Board, Disney Destinations and many more.
Epsilon (2011)

Hackers sent spam and phishing emails to the victims of
breach

Epsilon reported the breach on April 1, 2011 to
both customers and clients

Epsilon announced that it was going to enhance its data
security system

Epsilon could have faced a price tag as high as 4 billion for
the data breach
Epsilon (2011)

In 2009 a McAfee client, a U.S. defense contractor,
identified suspicious programs running on its network

Forensic investigation revealed a spear-phishing
email containing a link to a web page that, when clicked,
automatically downloaded a remote access tool or
“RAT” onto the victim’s computer

While investigating the command-and-control
operation in 2009, McAfee discovered the cyber-
espionage campaign “Operation Shady RAT”
Operation shady RAT (2009-2011)

McAfee traced the activity back to 2006

The widespread cyber-espionage campaign dubbed
“Operation Shady RAT” infiltrated the computer
systems of national governments, global corporations,
non-profits and other organizations

Fourteen countries were victims

Forty-nine of the seventy-two organizations
compromised were from the United States
Operation shady RAT (2009-2011)

Data compromised included email archives, sensitive corporate
documents and other intellectual property

McAfee is working closely with U.S. government agencies,
law enforcement and others in hopes of eventually shutting
down shady RAT’s command-and-control server

Most of the targets have removed the malware from the
system
Operation shady RAT (2009-2011)




Department of Defense health care
program
SAIC – business partner of TriCare
September 14, 2011 breach of patient
information affecting approximately 4.9
million patients
Largest Federal breach to date
TriCare (2011)




Unencrypted computer backup tapes
stolen from SAIC employee’s car
Tapes contained patient information
TriCare states that risk is low
Breach caused 3 lawsuits totaling $4.9
billion
TriCare (2011)




Company that provides tools and
services to protect assets and
information
Specializes in computer forensics and
malware analysis tools
February 6, 2011 Anonymous hacks
into computer system in retaliation
Compromised web server and
cracked passwords
HBGary (2011)




Used Barr’s administrative password
to change password for Greg
Hoglund’s email
Greg operated rootkit.com
Hackers used social engineering to
gain control of rootkit.com
Defaced HBGary’s website and
accessed 71,000 emails
HBGary (2011)



Published some emails that revealed
immoral and illegal activities that the
company was involved in
Since the breach – Aaron Barr has
resigned
March 6, 2012 Hector Xavier
Monsegur – member of Anonymous –
pled guilty
HBGary (2011)




Authentication mechanism developed by
Security Dynamics
Token generates a code at fixed intervals
Uses a random key known as the seed record
– the key to generating a one-time password
Used in combination with a password the user
creates – the server has a real-time clock
and a database of valid cards with which it
can validate the code
RSA SecurID (2011)
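The slide describes the moving parts of a time-synchronized token (a per-token seed, a code that changes at fixed intervals, a user-chosen PIN, and a server with a real-time clock and a database of valid tokens) without showing how they fit together. The Python below is an added example, not RSA's code: it uses an HMAC-SHA1 construction of the same general shape as the public TOTP standard rather than SecurID's proprietary algorithm, and every parameter (a 60-second step, 6 digits, one step of allowed clock drift, the serial number, seed and PIN) is an assumption made for the illustration. It also shows why the seed database is the crown jewel: anyone holding a copy of a seed computes the same codes as the token, which is why tokens had to be replaced after the 2011 breach.

```python
import hashlib
import hmac
import struct
import time

# Assumed parameters for this illustration (not RSA's actual values)
STEP_SECONDS = 60   # the token shows a new code every 60 seconds
DIGITS = 6          # code length
SKEW_STEPS = 1      # server tolerates one step of clock drift either way

def generate_code(seed: bytes, unix_time: int,
                  step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """What the token computes: an HMAC of the current time step under the seed,
    truncated to a short decimal code (TOTP-style, used here as a stand-in)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

class TokenServer:
    """Server side: a database of valid tokens (serial -> seed, PIN) plus a
    real-time clock; a code is accepted only with the right PIN, only within
    the drift window, and only once per time step (no replay)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.seeds = {}         # serial -> seed record
        self.pins = {}          # serial -> user-chosen PIN
        self.last_counter = {}  # serial -> last time step already used

    def enroll(self, serial: str, seed: bytes, pin: str) -> None:
        self.seeds[serial] = seed
        self.pins[serial] = pin
        self.last_counter[serial] = -1

    def validate(self, serial: str, pin: str, code: str) -> bool:
        if serial not in self.seeds:
            return False
        # "Both pieces": the PIN the user knows and the code the token shows
        if not hmac.compare_digest(self.pins[serial], pin):
            return False
        counter_now = int(self.clock()) // STEP_SECONDS
        for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
            counter = counter_now + delta
            expected = generate_code(self.seeds[serial], counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code) and counter > self.last_counter[serial]:
                self.last_counter[serial] = counter   # burn this step: replay rejected
                return True
        return False

def demo() -> dict:
    """Walk through enrollment, a good login, a replay, a wrong PIN, and a
    code computed from a copied seed; constructed serial, seed, PIN and clock."""
    seed = bytes(range(20))                # constructed seed record
    clock = [1_300_000_000]                # fixed clock so the run is repeatable
    server = TokenServer(clock=lambda: clock[0])
    server.enroll("000123", seed, "4321")  # constructed serial and PIN
    code = generate_code(seed, clock[0])
    results = {
        "good_login": server.validate("000123", "4321", code),
        "replay_same_code": server.validate("000123", "4321", code),
        "wrong_pin": server.validate("000123", "0000", generate_code(seed, clock[0] + 60)),
    }
    clock[0] += STEP_SECONDS              # next interval: a fresh code is valid again
    results["next_interval"] = server.validate("000123", "4321", generate_code(seed, clock[0]))
    # A copied seed yields identical codes: the server cannot tell the copy from
    # the real token, so a seed database leak forces re-issuing the tokens.
    copied_seed = bytes(seed)
    results["copied_seed_matches"] = generate_code(copied_seed, clock[0]) == generate_code(seed, clock[0])
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

The replay check (one acceptance per time step) and the constant-time comparisons are the kind of server-side details a deployment review should confirm; the drift window is a trade-off, since every extra step the server tolerates is one more code that would be accepted at any moment.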






Difficult to hack – need both pieces of
information
March 17, 2011 – victim of an attack costing the
company $66.3 million
Sent phishing emails with malware attached
Malware exploited a back door in Adobe Flash
Hackers used the Poison Ivy Remote Administration
Tool
Attack is known as an APT – Advanced Persistent
Threat
RSA SecurID (2011)


Replaced 40 million tokens
Breach resulted in attacks on three
U.S. defense contractors
◦ L-3 Communications
◦ Lockheed Martin
◦ Northrop Grumman

Could be tied to cyber espionage
from China
RSA SecurID (2011)

Costs directly associated with the breach include:
▪ Cost of replacing stolen devices
▪ Cost of recovering lost information
▪ Strengthening IT security and, in some cases, premises
security

Other costs include:
▪ Expenses related to informing and providing credit
monitoring service for the victims
▪ Expenses related to lawsuits
The financial impact

Other monetary impacts are:
▪ Fall in share prices
▪ Increased marketing expenses
▪ Cost of hiring and training new employees
The financial impact

AICPA listed in its Personal Competencies
◦ Accountants need to address “privacy,
intellectual property rights and security issues
related to electronic communications” as an
element of Leverage Technology to develop and
enhance personal competencies.

Statements on Auditing Standards (SAS) 94
◦ Requires auditors to take an in depth look at how IT
controls affect internal controls.
Accounting and Security
Anderson, H. (2011, October 14). TRICARE Hit With $4.9 Billion Lawsuit. Damages Sought for Privacy Violations in Breach Incident. Retrieved March 6, 2012, from Bank Info
Security: www.govinfosecurity.com/p_print.php?t=a&id=4158
Anderson, M. (2012, March 6). Anonymous hackers identified, including one tied to HBGary hack. Retrieved March 6, 2012.
http://www.bizjournals.com/sacramento/news/2012/03/06/anonymous-hackers-identified-hb-gary.html
Arrington, M. (2006, August 6). AOL Proudly Releases Massive Amounts of Private Data. Retrieved March 19, 2012.
http://techcrunch.com/2006/08/06/aol-proudly-releases-massive-amounts-of-user-search-data/
Baker, L. B. & Finkle, J. (2011, April 26). Sony PlayStation Suffers Massive Data Breach. Reuters. Retrieved March 15, 2012.
http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426
Beard, D., & Wen, H. J. (2007). Reducing the Threat Levels for Accounting Information Systems. The CPA Journal , 7.
Bright, P. (n.d.). Anonymous speaks:the inside story of the HBGary hack.
Garrison, C. P., & Posey, O. G. Computer Security Awareness of Accounting Students.
Jewell, M. (2007, September 7). Encryption Faulted in TJX Hacking. Associated Press.
http://www.msnbc.msn.com/id/20979359#.T30M9KsV3dI
Kantor, A. (2005, November 17). Sony: The Rootkit of All Evil. USA Today. Retrieved March 15, 2012.
http://www.usatoday.com/tech/columnist/andrewkantor/2005-11-17-sony-rootkit_x.htm
Mills, E. (2011, June 6). China Linked to New Breaches Tied to RSA. Retrieved March 7, 2012, from CNET News: news.cnet.com/8301-27080_3-20068836-245/china-linked-tonew-breaches-tied-to-rsa/?tag=mncol;txt
Schwartz, M. J. (2011, December 28). 6 Worst Data Breaches Of 2011. InformationWeek.
http://www.informationweek.com/news/security/attacks/232301079
Claburn, T. (2009, January 26). Monster.com Hit With Possible Monster-Sized Data Breach. InformationWeek.
http://www.informationweek.com/news/security/attacks/212902664
Rashid, F. Y. (2011, April). Epsilon Data Breach Hits Banks, Retail Giants. eWeek.
http://www.eweek.com/c/a/Security/Epsilon-Data-Breach-Hits-Banks-Retail-Giants-154971/
Monster.com. (n.d.). Wikipedia. http://en.wikipedia.org/wiki/Monster.com
Analysis: Is the Epsilon data breach a watershed for the marketing industry? (2011, April 5). Computer Weekly.
http://www.computerweekly.com/news/1280097340/Analysis-Is-the-Epsilon-data-breach-a-watershed-for-the-marketing-industry
Hobson, D. (2008, August 12). The real cost of a security breach. SC Magazine.
http://www.scmagazine.com/the-real-cost-of-a-security-breach/article/113717/
Bradley, T. (2011, April 4). Epsilon Data Breach: Expect a Surge in Spear Phishing Attacks. PCWorld.
http://www.pcworld.com/businesscenter/article/224192/epsilon_data_breach_expect_a_surge_in_spear_phishing_attacks.html
Monster.com Admits Keeping Data Breach Under Wraps. (n.d.). Fox News.
http://www.foxnews.com/story/0,2933,294471,00.html
Nakashima, E. (2011, August 2). Report on ‘Operation Shady RAT’ identifies widespread cyber-spying. The Washington Post.
http://www.washingtonpost.com/national/national-security/report-identifies-widespread-cyber-spying/2011/07/29/gIQAoTUmqI_story.html
Gross, M. J. (2011, August 2). Exclusive: Operation Shady RAT: Unprecedented Cyber-espionage Campaign and Intellectual-Property Bonanza. Vanity Fair.
http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109
Panko, R. (2010) Corporate Computer and Network Security. 2nd Edition. Prentice Hall Publishing.
Rashid, F. Y. (2011, March 01). HBGary Federal CEO Aaron Barr Quits Due to Anonymous Attack. IT Security & Network Security News .
SecurID. (2012, January 10). Retrieved March 2012, from Wikipedia: en.wikipeida.org/w/index.php?title=SecurID&printable=yes
Zetter, K. (2010, March 26). Hacker Sentenced to 20 Years for Breach of Credit Card Processor. Wired.com. Retrieved April 1, 2012.
http://www.wired.com/threatlevel/2010/03/heartland-sentencing/
References