This month has been particularly notable for losses of personal information. At the beginning of the month it was reported that Club Nintendo had been breached, with the personal data of up to 4 million people stolen by attackers [1]. Subsequently, the Ubuntu forums were hacked, with the loss of 1.82 million usernames, passwords and email addresses [2]. Additionally, Apple have announced that an unknown amount of personal data has been stolen from their developer website [3].

However, this is not all. The Chicago Tribune writes that the personal information of 2300 users of Morningstar Document Research services may have been compromised [4]. The web forums of NASDAQ were reported to have been compromised, with an unknown amount of personal information affected [5]. And six people were fired from the California hospital where Kim Kardashian recently gave birth for inappropriately accessing patient health records [6].

Lost personal data causes distress to individuals and puts them at risk of fraud, since attackers can use the stolen details to impersonate the compromised individual and gain unauthorized access to services. It can also lead to significant fines being levied against the offending organization. This month, WellPoint agreed to pay $1.7 million to the US Dept. of Health and Human Services to settle allegations that their IT systems did not adequately secure private information [7]. Sony agreed not to contest a fine of £250 000 levied by the UK Information Commissioner’s Office for the theft of the personal details of tens of millions of individuals in 2011 [8].

These attacks underline just how difficult it is to protect systems against determined attackers. It may not be possible to provide 100% protection for every system within an organization; however, every job role within an organization can play its part in minimizing the chances that the organization will be the next one to be compromised. This can be achieved by focusing on reducing the number of vulnerabilities that attackers may use, limiting or encrypting any personal data stored, and swiftly detecting breaches to block an attack before it can cause harm.

System administrators can identify and prioritize the systems which contain personal data, and ensure that these systems are hardened against attack and that patches are deployed as soon as they become available. Every patch is vital and can protect against vulnerabilities, so patches for third party software are just as important as operating system patches. Additionally, administrators and network managers can monitor access logs to identify attackers as they perform reconnaissance on their targets, and investigate large transfers of data to minimize the magnitude of a breach if a system should become compromised.
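The two log-monitoring signals mentioned above, reconnaissance and unusually large transfers, can both be pulled out of ordinary web server access logs. The script below is an added example written for this post, not Cisco or Talos tooling: it parses constructed Apache combined-format log lines (invented addresses, users and paths, labelled as such in the code) and flags clients that request many distinct non-existent resources, and clients whose successful responses add up to more than a hypothetical byte threshold. The thresholds are assumptions that a real deployment would tune to its own baseline.

```python
import re
from collections import defaultdict

# Constructed sample access log (Apache combined format). Addresses, the user
# "jsmith" and the paths are invented for this example; they are not real data.
# The final line is deliberately malformed to show that bad lines are skipped.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jul/2013:10:01:02 +0000] "GET /login HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2013:10:01:09 +0000] "GET /account HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.42 - - [12/Jul/2013:10:02:01 +0000] "GET /backup HTTP/1.1" 404 310 "-" "curl/7.30"
203.0.113.42 - - [12/Jul/2013:10:02:01 +0000] "GET /admin HTTP/1.1" 404 310 "-" "curl/7.30"
203.0.113.42 - - [12/Jul/2013:10:02:02 +0000] "GET /config HTTP/1.1" 404 310 "-" "curl/7.30"
203.0.113.42 - - [12/Jul/2013:10:02:02 +0000] "GET /old HTTP/1.1" 404 310 "-" "curl/7.30"
203.0.113.42 - - [12/Jul/2013:10:02:03 +0000] "GET /test HTTP/1.1" 404 310 "-" "curl/7.30"
192.0.2.9 - jsmith [12/Jul/2013:10:05:00 +0000] "GET /export/customers.csv HTTP/1.1" 200 2500000 "-" "Mozilla/5.0"
192.0.2.9 - jsmith [12/Jul/2013:10:05:40 +0000] "GET /export/customers.csv?page=2 HTTP/1.1" 200 2500000 "-" "Mozilla/5.0"
192.0.2.9 - jsmith [12/Jul/2013:10:06:15 +0000] "GET /export/customers.csv?page=3 HTTP/1.1" 200 2500000 "-" "Mozilla/5.0"
this line is not a valid access log entry
"""

# Matches the leading fields of a combined-format line; referrer and user agent
# are left unparsed because the two checks below do not need them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        records.append(rec)
    return records


def find_reconnaissance(records, min_404_paths=5):
    """Clients requesting many *distinct* missing resources are probing, not browsing.

    Counting distinct paths rather than raw 404s avoids flagging a user who
    reloads one broken link. The threshold is an assumed value.
    """
    missing = defaultdict(set)
    for r in records:
        if r["status"] == 404:
            missing[r["ip"]].add(r["path"])
    return {ip: sorted(paths) for ip, paths in missing.items() if len(paths) >= min_404_paths}


def find_large_transfers(records, threshold_bytes=5_000_000):
    """Sum bytes of successful responses per client and flag totals over the threshold.

    Only 2xx responses count, so a scanner's stream of small error pages does
    not inflate the total. Keying by (ip, user) keeps an authenticated account
    visible, which matters for insider access as much as external attack.
    """
    totals = defaultdict(int)
    for r in records:
        if 200 <= r["status"] < 300:
            totals[(r["ip"], r["user"])] += r["bytes"]
    return {key: total for key, total in totals.items() if total >= threshold_bytes}


def report(text):
    """Run both checks over raw log text and return the findings together."""
    records = parse_log(text)
    return {
        "parsed": len(records),
        "reconnaissance": find_reconnaissance(records),
        "large_transfers": find_large_transfers(records),
    }


if __name__ == "__main__":
    findings = report(SAMPLE_LOG)
    print(f"parsed {findings['parsed']} records")
    for ip, paths in findings["reconnaissance"].items():
        print(f"recon: {ip} requested {len(paths)} missing paths: {', '.join(paths)}")
    for (ip, user), total in findings["large_transfers"].items():
        print(f"large transfer: {ip} (user {user}) received {total} bytes")
```

On the constructed sample this reports one probing client (five distinct 404 paths) and one account that pulled 7.5 MB of exported records in three requests. In practice the same two aggregations would be run over a rolling window and compared against each client's normal volume rather than a fixed number.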

Security officers should also be aware of which systems contain and have access to personal information, so that vulnerabilities in these systems are minimized: patches to third party software should be promptly installed, and internally written code should be audited and tested for bugs that may introduce vulnerabilities that can be exploited to gain system access or to leak data. Additionally, security officers need to be aware of the threat of insiders accessing data for which they are not authorized. Users need to be duly authenticated, their data access based on their role, and policies need to be in place both to detect unauthorized data access and to deal with perpetrators once they are caught.

Developers should be aware of the common faults within software that are used by attackers to compromise systems. Ensuring that their own code, and that of their colleagues, is free from the issues described in the OWASP Top 10 vulnerabilities should be integrated into the development process [9].

The California Attorney General published a report this month finding that over half of all individual records breached could have been protected by encrypting personal data [10]. Given the magnitude of the number of breaches, and the financial penalties that can be levied, organizations need to consider not only how they can encrypt the data that they hold, but also whether they need to collect so much information in the first place. Personal data that is not collected cannot be breached.

Given the number of breached systems, members of the public can be forgiven for reconsidering the free exchange of their personal data in return for access to systems. When faced with a web form requiring the input of personal data, it is worth remembering that data relating to a fake persona living at “123 Four Street, Faketown” cannot cause harm if it is leaked. If organizations wish to be trusted with personal data, then they need to earn that trust and ensure that their systems are properly secured.

1. “Gamers Hit In Massive Nintendo Hack”, TechWeek, 8th July 2013.
2. “Ubuntu forums hacked; 1.82M logins, email addresses stolen”, ZDNet, 21st July 2013.
3. Apple announcement, 22nd July 2013.
4. “Morningstar warns clients of data breach”, Chicago Tribune, 5th July 2013.
5. “NASDAQ Community Website Hacked and Down”, Infosecurity Magazine, 18th July 2013.
6. “Six people fired from Cedars-Sinai over patient privacy breaches”, Los Angeles Times, 16th July 2013.
7. “WellPoint pays HHS $1.7 million for leaving information accessible over Internet”, U.S. Department of Health & Human Services, 11th July 2013.
8. “Sony coughs up £250K ICO fine after security fears”, The Register, 17th July 2013.
9. “OWASP Top 10 2013”, Open Web Application Security Project.
10. “Attorney General Kamala D. Harris Releases Report on Data Breaches; 2.5 Million Californians Had Personal Information Compromised”, Office of the Attorney General, State of California Department of Justice, 1st July 2013.


Martin Lee

EMEA Lead, Strategic Planning & Communications

Cisco Talos