By: Carolyn Crandall
As Halloween approaches, I was thinking how appropriate that it comes on the last day of Cybersecurity Awareness Month each year. It is oddly fitting that this month Yahoo revised upward the number of people impacted by its 2016 breach from 1 billion to an astounding 3 billion – roughly 40 percent of the world’s population. If that isn’t enough to put a scare into the management teams of most companies, I’m not sure what is.
With that in mind, below is a list of the 10 most “spooktacular” breaches organized by number of people impacted.
Yahoo – 3 billion accounts – Yahoo reported September 2016 a breach that impacted 500 million accounts. That December, it upped the number of those affected to 1 billion and then just this month to 3 billion. Stolen data may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. It is believed Yahoo’s network was penetrated nearly three years before the breach was discovered.
MySpace – 360 million accounts – Social networking site MySpace, now owned by Time, Inc., announced in May 2016 a breach that impacted as many as 360 million accounts. Data stolen is likely to have included user names, passwords and email addresses from the period prior to June 2013, when MySpace relaunched the site with more stringent security infrastructure.
eBay – 145 million records – This breach was reported in May 2014 and included 145 million records containing email addresses, passwords, birth dates, mailing addresses and other personal information, but did not include financial data such as credit card numbers. The company reported attackers entered the network after obtaining login credentials for a limited number of employees, allowing them to access eBay’s corporate network.
Equifax – 143 million records – Occurring from mid-May to July 2017, this breach involved names, Social Security numbers, birth dates, addresses and, in some cases, driver’s license numbers. The hack has the potential to impact 44 percent of the U.S. population. The company believes the intrusion was carried out by criminal cyber attackers.
Target – 110 million users/ 40 million records – This breach was revealed in December 2013 and was believed to have occurred earlier that year. Information stolen included encrypted PIN data, customer names, credit and debit card numbers, card expiration dates and the embedded code on the magnetic strip on the back of cards used at Target. Responsibility for the attack remains unknown.
LinkedIn – 100 million users – A hacker going by the name “Peace” stole emails and passwords for up to 100 million users in 2012 and tried to sell them in May 2016. User names and passwords were among the data stolen. The true identity of the attacker has not been uncovered.
AOL – 92 million records – “You’ve got mail,” gained a new, nefarious meaning after this breach in 2006. A terminated AOL employee stole 92 million records for approximately 30 million users and sold them to an advertiser soliciting gambling advertisements. The ex-employee sold these records for $28,000.
JP Morgan Chase – 83 million records – In this 2014 breach, attackers got away with 76 million household and 7 million small business records that contained contact information, including name, address, phone number and e-mail address, as well as internal JPMorgan Chase information about the users. It is reported hackers were able to gain “the highest level of administrative privilege” on more than 90 of the bank’s servers, a significant accomplishment given JP Morgan Chase’s network was regarded at the time as one of the nation’s most secure.
Anthem – 80 million records – In February 2015, hackers gained access to names, birthdates, email address, employment details, Social Security numbers, incomes and street addresses of people who are currently covered or have had coverage in the past by Anthem, the nation’s second-largest insurer. It remains unclear who perpetrated the attack.
Sony PlayStation Network – 77 million accounts – At the time one of the largest breaches on record, hackers brought down the PlayStation network for more than a week. The intrusion is potentially one of the biggest ever to steal credit card information. Especially concerning was the amount of information on children that was stolen, as well as that the network was one of the world’s largest holders of credit cards when the breach occurred.
One spooky commonality of these breaches is that many of these networks had in place a robust security infrastructure and despite their investment, still had gaps in their in-network detection controls, which permitted these breaches to occur.
The recognition that hackers will get around perimeter defenses and that security teams must change their security controls to include detection and response is rapidly becoming mainstream. Deception-based detection is a highly effective solution for in-network detection based on how easy it is to deploy, operationalize, and scale. Uniquely, deception will also turn the table on attackers by making deception appear identical to real assets and credentials, dramatically increasing the difficulty of their attack and inevitably causing them to error and reveal their presence. With dynamic deception technology, organizations, on demand, can easily reset the synthetic network “game board”. This forces the attacker to restart their attack or risk being discovered and quarantined, collectively increasing attacker resources and cost.
A network that does not include deception-based technology as part of an adaptive defense, is truly a scary thought. Ready to find out what’s lurking in your network this spooky Halloween? Give us a shout and we’ll show you how to deliver tricks over treats to the attacker. Or read, What’s Lurking in Your Network