Why do data breaches happen?

Equifax recently experienced what many are calling the most serious data breach in history - thus, posing the question: why do data breaches happen?

September 25, 2017 • by Vivek Sharma

Earlier this month, Forbes reported that "An unauthorized third party gained access to Equifax data on as many as 143 million Americans... Included among files accessed by hackers was a treasure trove of personal data: names, dates of birth, Social Security numbers, addresses…" If that doesn't sound bad enough, consider this additional irony – Equifax, as one of the leading credit reporting agencies, is expected to secure its customers from abuse of their personal data!

ITRC defines a data breach as "an incident in which an individual name plus a Social Security number, driver's license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure." The Equifax data breach, referred to by many as the most serious data breach in history, was unfortunately not an isolated incident. Over the last 9 months, ITRC has recorded and published over 1,000 data breaches, with more than 50% of them occurring at large businesses. While some of these are certainly highly technical and complex, most happen because of poor access control, procedural misses, overdue patches, and known application vulnerabilities. This blog post explains the four most common, and technologically unsophisticated (at least in hindsight), ways in which large-scale data breaches happen: 1) unknowingly giving away password or account access, 2) exploiting weak access controls over who holds user data and where it is kept, 3) exploiting a basic technical or architectural vulnerability, and 4) exploiting a weak third-party entry point.

Account compromises through phishing, spamming, or spyware are not uncommon, and all of these methods effectively involve users unknowingly giving away account access. While these approaches are mostly used at the individual account level, they are also employed on a larger scale – in fact, these four methods were responsible for over 50% of data breaches in 2016. This is exactly what happened to Yahoo! in 2016. A detailed postmortem by the FBI revealed that the breach started with a 'spear phishing' email to an unsuspecting Yahoo! employee with system-level access. Once the 'state sponsored actors' had access to the system, they created forged cookies to impersonate actual account users. The information they obtained included names, addresses, telephone numbers, dates of birth, encrypted passwords, and unencrypted security questions for over a billion users!
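The forged cookies in the Yahoo! case worked because the attackers could produce a cookie the site would accept as genuine. The control that is supposed to prevent that is an integrity tag over the session claims, computed with a key only the server knows. The Python below is an added illustration of that control, not code from Yahoo! or from this post: it mints a session cookie as base64 claims plus an HMAC-SHA256 tag, verifies it in constant time, and shows that a copy whose claims were rewritten but whose tag was kept is rejected. The key name `SERVER_SECRET`, the claim layout and the helper names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key for this example only. A real deployment loads it
# from a secrets store and rotates it; it is never checked into source code.
SERVER_SECRET = b"example-only-session-signing-key"


def _tag(payload: str, secret: bytes) -> str:
    """HMAC-SHA256 over the encoded claims, hex-encoded."""
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user_id: str, ttl_seconds: int = 3600,
                 now: Optional[float] = None, secret: bytes = SERVER_SECRET) -> str:
    """Mint a session cookie: urlsafe-base64(JSON claims) + "." + HMAC tag."""
    issued = int(now if now is not None else time.time())
    claims = {"uid": user_id, "exp": issued + ttl_seconds}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_tag(payload, secret)}"


def verify_cookie(cookie: str, now: Optional[float] = None,
                  secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None  # no tag part at all
    # Constant-time comparison; a cookie not minted with `secret` fails here
    # regardless of what its claims say.
    if not hmac.compare_digest(_tag(payload, secret).encode(), tag.encode()):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    current = now if now is not None else time.time()
    if not isinstance(claims, dict) or claims.get("exp", 0) < current:
        return None
    return claims.get("uid")


def tampered_copy(cookie: str, new_user_id: str) -> str:
    """Test input only: rewrite the claims of a valid cookie but keep its old tag.
    Without the key, this is all that can be done to it, and verify_cookie must
    reject the result."""
    payload, tag = cookie.rsplit(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
    claims["uid"] = new_user_id
    new_payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{new_payload}.{tag}"


if __name__ == "__main__":
    good = issue_cookie("alice", now=1000)
    print(verify_cookie(good, now=1500))                          # alice
    print(verify_cookie(tampered_copy(good, "admin"), now=1500))  # None
```

The tag only protects against forgery for as long as the signing key stays secret. If the key, or the code that mints cookies, is taken from the server, every cookie the attacker produces will verify, so the complementary controls are key rotation and a server-side session table that lets individual sessions be revoked.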

Hackers also exploit weak access controls around where data is stored or how it is transferred. The recent work trend towards BYOD (bring your own device) has increased this risk, as many of these devices do not have the recommended mobile security solutions. Risk also comes from MITM (man-in-the-middle) attacks on Wi-Fi networks that do not use security measures like WEP, WPA, or WPA2. Earlier this year, a contractor employee at Anthem stole the personal health information, including Social Security and Medicare data, of more than 18,000 Anthem Medicare enrollees, simply by copying the data from Anthem systems and emailing it to his personal email address.

When it comes to exploiting technical and architectural vulnerabilities, technical exploits like zero-day attacks, and sophisticated intrusions like the Sony Pictures hack, might come to mind. Many technical vulnerabilities, however, are much simpler in nature. Earlier this year, JP Morgan was the victim of the largest theft of customer data of any financial institution in history. This was actually a relatively unsophisticated technical hack that started with compromised employee access. That by itself shouldn't have been a problem, as JP Morgan, like most leading banks, requires two-factor authentication (2FA) for server access. However, the security team forgot to enable 2FA on one of the servers! Once the hackers got in through that server, they quickly gained access to an additional 90 servers and stole account information for more than 83 million households and small businesses.
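The lesson of the JP Morgan case is that a control enforced on all but one host is, from the attacker's side, not enforced. The practical defence is an inventory-wide check rather than trust in the rollout. The Python below is an added example, not JP Morgan's tooling or code from this post: it audits a fleet of constructed OpenSSH `sshd_config` excerpts and lists every host on which a single authentication method is still enough to log in. It models only global `AuthenticationMethods` settings (first occurrence wins, as sshd does; `Match` blocks are ignored), and the hostnames and configs are invented for the example.

```python
import re
from typing import Dict, List

# Constructed sshd_config excerpts for four hypothetical hosts; not real systems.
FLEET_CONFIGS: Dict[str, str] = {
    "app-01": """
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
""",
    "app-02": """
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
""",
    # The host that was missed: the 2FA line was left commented out.
    "db-07": """
PasswordAuthentication no
UsePAM yes
# AuthenticationMethods publickey,keyboard-interactive
""",
    # 2FA configured, but a single-factor alternative was left in the list.
    "bastion": """
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey publickey,keyboard-interactive
""",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Collect global keyword values. sshd uses the first occurrence of each
    keyword, so later duplicates are ignored; Match blocks are not modelled."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break  # per-user/host overrides are out of scope for this check
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def requires_second_factor(config: Dict[str, str]) -> bool:
    """True only if every AuthenticationMethods alternative chains at least two
    methods, i.e. no single-factor login path remains."""
    methods = config.get("authenticationmethods", "")
    if not methods or methods.lower() == "any":
        return False
    return all(len(alt.split(",")) >= 2 for alt in methods.split())


def audit_fleet(fleet: Dict[str, str]) -> List[str]:
    """Hostnames on which one factor is enough to log in."""
    return sorted(host for host, text in fleet.items()
                  if not requires_second_factor(parse_sshd_config(text)))


if __name__ == "__main__":
    print("single-factor hosts:", audit_fleet(FLEET_CONFIGS))
```

The same shape of check applies to any control that has to be universal (agent installed, patch level, logging forwarded): enumerate the inventory from an authoritative source, evaluate each host, and treat the list of exceptions as the finding, not the count of compliant hosts.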

Finally, while companies can secure their own software systems, poor security at a third-party entry point to the company network can also leave the whole organization vulnerable. This is exactly what happened with Target, which had given an HVAC contractor remote network access to facilitate electronic billing and project management. By compromising the HVAC system and then gaining access to Target's systems, the hackers installed credit-card-stealing malware on point-of-sale (POS) terminals in Target stores and, in a little over two weeks, stole the personal details of 70 million customers and 40 million credit cards. The attack was so pervasive that even after Target first thought it had secured its systems, it found malware on 25 registers.

It's also important to understand what really happens after these massive data breaches. Timing is key: SecurityWeek explains the typical sequence of steps from data breach to monetization, and makes a case for quick disclosure and rapid response:

"The attackers behind the breach will sell the stolen card data to brokers, who in turn sell cards in batches to lower level criminals who use the data to either buy goods online or print cards to be used in physical stores… As soon as it becomes apparent that a specific merchant has been compromised, all of the compromised cards will be quickly deactivated. This means that freshly stolen and active cards are highly valuable ($100 or more), while older cards can be worth pennies. This is a serious spread, and criminals need to know which sorts of cards they are buying, and the state of the cards they are holding. To address this challenge, criminals will periodically test a subset of their cards by using them to make small online purchases… and quickly determine the percentage of cards that are active and working."
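The card-testing step in the quote above is one of the few points in the monetization chain that is visible to defenders: a burst of very small authorizations across many different cards, with a high decline rate, all arriving through one source. The Python below is an added example of a detection for that pattern, not code from SecurityWeek or from this post. It parses a constructed authorization log (the format, the addresses and the card digits are all invented for the example), groups small-value attempts by source, slides a time window over them, and flags sources that exceed thresholds on attempt count and distinct cards; the thresholds are illustrative and would be tuned to a real merchant's traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class AuthAttempt(NamedTuple):
    ts: datetime
    source: str       # client address or merchant account the attempt came through
    card_last4: str
    amount: float
    approved: bool


# Constructed authorization log; every value here is invented for the example.
LOG_LINES = """\
2017-09-20T10:00:01 src=10.0.0.5 card=0001 amount=1.00 result=DECLINED
2017-09-20T10:00:09 src=10.0.0.5 card=0002 amount=1.00 result=DECLINED
2017-09-20T10:00:17 src=10.0.0.5 card=0003 amount=0.99 result=APPROVED
2017-09-20T10:00:25 src=10.0.0.5 card=0004 amount=1.00 result=DECLINED
2017-09-20T10:00:33 src=10.0.0.5 card=0005 amount=1.00 result=DECLINED
2017-09-20T10:00:41 src=10.0.0.5 card=0006 amount=0.99 result=APPROVED
2017-09-20T10:00:49 src=10.0.0.5 card=0007 amount=1.00 result=DECLINED
2017-09-20T10:00:57 src=10.0.0.5 card=0008 amount=1.00 result=DECLINED
2017-09-20T10:01:05 src=10.0.0.5 card=0009 amount=0.99 result=APPROVED
2017-09-20T10:01:13 src=10.0.0.5 card=0010 amount=1.00 result=DECLINED
2017-09-20T10:00:30 src=10.0.0.9 card=5555 amount=42.50 result=APPROVED
2017-09-20T10:05:10 src=10.0.0.9 card=5555 amount=3.00 result=APPROVED
2017-09-20T10:20:45 src=10.0.0.9 card=7777 amount=19.99 result=APPROVED
"""


def parse_log(text: str) -> List[AuthAttempt]:
    """Parse 'timestamp key=value ...' lines into AuthAttempt records."""
    attempts: List[AuthAttempt] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        attempts.append(AuthAttempt(
            ts=datetime.fromisoformat(ts_text),
            source=kv["src"],
            card_last4=kv["card"],
            amount=float(kv["amount"]),
            approved=kv["result"] == "APPROVED",
        ))
    return attempts


def find_card_testing(attempts: List[AuthAttempt],
                      window: timedelta = timedelta(minutes=10),
                      min_attempts: int = 8,
                      min_distinct_cards: int = 6,
                      max_amount: float = 5.0) -> Dict[str, Dict[str, float]]:
    """Flag sources that push many small authorizations on many distinct cards
    inside one time window. Thresholds are illustrative, not tuned values."""
    small: Dict[str, List[AuthAttempt]] = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        if a.amount <= max_amount:
            small[a.source].append(a)

    flagged: Dict[str, Dict[str, float]] = {}
    for src, seq in small.items():
        start = 0
        for end in range(len(seq)):
            # Advance the window start so seq[start:end+1] spans at most `window`.
            while seq[end].ts - seq[start].ts > window:
                start += 1
            span = seq[start:end + 1]
            cards = {a.card_last4 for a in span}
            if len(span) >= min_attempts and len(cards) >= min_distinct_cards:
                declines = sum(1 for a in span if not a.approved)
                flagged[src] = {
                    "attempts": len(span),
                    "distinct_cards": len(cards),
                    "decline_ratio": round(declines / len(span), 2),
                }
    return flagged


if __name__ == "__main__":
    for src, stats in find_card_testing(parse_log(LOG_LINES)).items():
        print(src, stats)
```

A hit from this rule is a signal to the merchant that its checkout is being used as an oracle, and to the issuer side that the cards involved are in circulation on the criminal market, which is exactly the window in which early disclosure lets cards be cancelled while they are still worth "$100 or more" to the holder.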

With data breaches happening with increasing severity and frequency, what can be done? At the individual level, there are a few must-do safety precautions – maintaining strong and unique passwords, changing passwords frequently, activating 2FA wherever available, regularly checking bank statements, keeping a backup of important data, and avoiding insecure Wi-Fi networks. For businesses, the FTC has published a detailed guide on responding to data breaches, which is a good starting point for preparing against and responding to breaches, and additional efforts are afoot to mandate timely transparency around data breaches. Data breaches can have a severe impact on individuals and organizations, and precaution, at least for known causes, is certainly better than the cure.