Are we sitting comfortably?
Twas a dark and stormy night, and the cybersecurity team stood patiently in their Scrum meeting. “Tell us a tale,” the CISO said, and one of their number raised their hand. They caught the eye of their colleagues, and began…
1. An artists tale
Curious reader, gird thy loins. We shall start gently…
Our first tale is one of data exposure on a global scale. Beloved by illustrators, graphic designers, filmmakers, web developers, and trusting hobbyists, no one was safe.
In the year 2019, nearly 7.5 million user records, both private and business accounts, held by a well-known multimedia and creativity software products company were left exposed to anyone with a web browser. This included account information, email addresses, their country of origin, and what products they were subscribed to. Citing a misconfiguration of one of its “prototype environments” as the action that led to a server becoming exposed on the internet, this was enough information to make targeted spear-phishing attacks a walk in the park for bad actors and digital opportunists.
This was, however, arguably less severe than their 2013 data breach – mainly due to the type of content exposed. Bad actors found and published a 3.8GB file with 152 million usernames, passwords, and (brace for the horror) encrypted payment details, on a backup server. It was later revealed that the company was likely aware of its negligent security practices at the time of the breach, which was reflected in its fine, as it used the same encryption key for all passwords.
2. The terror in the numbers
Our next story is one of volume and probability, for if there is anything certain in this life, it is death, taxes, and distributed denial-of-service (DDoS) attacks.
Deep in the bowels of Imperva HQ, our data scientists witnessed, battled, and defeated a monster. In our 2022 Q2 report, read the details of how they mitigated a volume record-breaking DDoS attack sustained over several hours. In one Cthulhu-worthy incident, we detected a 10M Rps DDoS attack that used only 12K IPs and mitigated a record-breaking 25.3 billion requests measuring 3.9M Rps.
Not only are attacks getting bigger, but they are also getting more frequent. Serious DDoS attacks (over 500 Gbps) rose by an earth-shattering 287% in Q2, with 91% of network-layer DDoS attacks being targeted again within only 24 hours. DDoS attacks are still escalating, and our next report (2022 Q3) already hints at more horrors.
3. The safest way to travel?
Aerophobia affects more than 25 million adults in the US. The thought of trusting one’s safety to a 400,000-pound tube of metal, packed with highly flammable liquid at over 35,000 ft, is enough to leave many of us with a justified sense of anxiety and dread. In 2018, however, the terror was of far more earthly origins.
A large hack cost a well-known European air carrier £183 million in fines for a data breach containing stolen card information and the PII of over 380,000 trusting travelers during a two-week incident at the height of the holiday season. Imagine, if you will, toasting yourself obliviously on a beach in Benidorm as your card number, CVV number, and expiration date are traded around the dark web. I wouldn’t fancy trying to change my passwords on an unsecured hotel wi-fi. That’s enough to give anyone a fear of flying.
It was a PR disaster, the fallout from which, later combined with coronavirus and the air carrier’s home country’s exit from the EU, meant turbulent times for them. So much so that the Information Commissioner’s Office’s (ICO) additional £488 million fine, 4% of the airline’s 2017 income, was cut to only £20m after investigators took into consideration the airline’s financial crash and the danger of their bankruptcy as a result.
4. Nightmare on Web Services Provider Street
Sometimes, something creeps around our neighborhoods, unseen, for a protracted amount of time. Sometimes it’s those who we trust most, those we think would have learned from previous mistakes, who let us down by staying silent for too long.
The largest (known) data breach on record happened to a famous web services provider, but it didn’t happen just once. Two staggering breaches of user account data were revealed to the public in the second half of 2016, and sleepy little Web Services Provider Street got a rude awakening.
In a painful press conference, a top banana at this web services provider confessed that despite them keeping the business open, at some point in late 2014, over 500 million customer accounts had been violated. In further news, a separate data breach, occurring in late 2013 affected over 3 billion accounts belonging to its customers. Leadership at this web services provider were severely criticized for the tardiness of their disclosure, and the company is still embroiled in several lawsuits and under investigation by the United States Congress. The breaches meant bad news for share prices and local investment, with a major communications company knocking $350 million off its offer to buy the company in 2016.
5. The hotel of horrors
Pity, horror fans, the unsuspecting caretaker of a large, world-renowned hotel chain. Driven mad, after purchasing another hotel group for $13.6 billion in 2016, when their new reservation system came pre-hacked – exposing the names, addresses, VIP status, passport numbers, and more, of over 500,000 guests. After acquiring this digital albatross, the hacked database and all its repercussions were thrown into the merger deal without the hotelier’s caretaker having any suspicions as to what they were taking on. The caretaker probably compounded matters further by making the acquired hotel group’s IT staff redundant during the acquisition. As a result, this inherited nightmare is probably the second largest data breach ever recorded.
A cautionary tale for us all – as it seems the large, world-renowned hotel chain didn’t thoroughly check what it was buying.
6. Hot wind and hellfire
If you haven’t heard of SolarWinds you may have been living in a remote cabin in the woods for the last two years.
In late 2020, software provided by Texas-based SolarWinds was found to contain malware responsible for the largest, global, software supply chain attacks of all time. Piggy-backing on the Orion platform, a SaaS IT infrastructure monitoring and management platform, it was like unleashing pure damnation and chaos directly into the hearts of US government agencies and Fortune 500 companies around the globe. Without WAF, RASP, or cloud data protection, many burned. In an unprecedented zero-day attack, 18,000 SolarWinds customers unsuspectingly installed updates that left them vulnerable to black-hat hackers who used installed malware to spy on multiple organizations. Those affected ranged from the likes of Cisco and Microsoft to parts of the Pentagon, the State Department, the National Nuclear Security Administration, and the Department of Homeland Security.
Federal investigators found that the SVR, Russia’s Foreign Intelligence Service, was most likely responsible for the attack.
7. Social stigma
In yet another tale of inherited woe, a major multimedia company, which bought a social networking service in February 2016, revealed that 360 million of its user’s accounts had been compromised.
After discovery, forensic examination showed that the breach originally occurred as early as early June 2013 and affected any accounts registered before June 11, 2013. It’s possible that social media account login credentials can have an even greater value than stolen credit card information, allowing fraudsters to conduct a broad array of automated brute force attacks. 360 million usernames and passwords were in the public domain for over three years, for sale and available for bad actors to attempt access to other websites through the likes of credential stuffing.
Perhaps the real horror here lies in what platform data we abandon, and the prevalence of users reusing passwords and login details.
Again, buyer beware. Don’t acquire a company until you’ve thoroughly checked its data security.
8. Know your enemy
Between late February and early March 2014, in a clear call for an organization to know where their data is and what their staff are doing with it, cyberattackers used the credentials of three employees to gain access to a multinational e-commerce company’s user database. They, The Syrian Electronic Army, then accessed the encrypted passwords and usernames of all 145 million registered patrons and replaced the front page of the websites with their own logo.
Many organizations practice ‘The Principle of Least Privilege,’ meaning a user should only be given the access needed for them to complete a task. This may have helped, but without insight and monitoring of an organization’s data stack, who is doing what, and where they are doing it, that can be a hollow exercise.
Not all negative effects of cybercrime directly affect users. As a major international news event, this caused the e-commerce company’s share price to crash and forced them to issue a very public announcement for all 145 million vendors and shoppers to immediately change their passwords.
9. Dread in the Heartlands
Over a decade ago in late ‘08/early ‘09, a major payment services provider reported that a massive data breach, including the digital information stored on the magnetic strip used by credit and debit cards, had taken place across their systems. Affecting over 130 million accounts, this stolen information – via malware and exploited SQL vulnerabilities – was notable for having the potential to be used to manufacture millions of counterfeit cards.
As a result of the PR backlash, the company lost significant market share. They were also obliged to pay over $140 million in regulatory fines and penalties. It was the stuff of nightmares, and even today, payment processors everywhere are justifiably wary and shudder at the very thought. Nearly 14 years on, it still ranks as one of the most prolific and disruptive data breaches of all time.
10. Do you hear a scraping sound?
Not all data breaches are the product of a direct data hack. As recently as last year, the digital information of over 700 million LinkedIn users was offered for sale on the Dark Web, affecting 93% of LinkedIn members. While this didn’t include financial or password data, it did include salary information, geolocation data, email addresses, full names, other social media accounts and usernames, and LinkedIn user phone numbers.
What makes this truly scary is how this information was gathered. In a saddening indictment of organizations who don’t use adequate bot protection to protect their customer’s data, and like the product of some apocryphal urban legend, the data was obtained by exploiting the LinkedIn API to scrape, in bulk, the information that people had uploaded to their profiles. Then, ripe for use in phishing and smishing scams, this data was available for as little as a few cents per record.
Arguably scarier still, the hacker, who called themselves Tom, told the BBC that the hack took three months, was part of his “hobby,” and that he did it “for fun.”
11. They know where you live
Imagine if a marketing company, specializing in identifying audiences for political advertising, stored its internal documents on a publicly accessible Amazon cloud server without password protection. Imagine if that data, over 1.1 terabytes of personal information, about virtually all of America’s 200 million registered voters, found its way into the public domain. It doesn’t bear thinking about.
The truth, dear reader, is more horrible still. In June 2017, while gathering political information about US voters for the Republican National Committee, one political intelligence gathering company neglectfully exposed the addresses, DOBs, phone numbers, and a wealth of advanced sentiment analysis on sensitive political issues like abortion, marijuana legalization, and gun control, for all to see.
An identity thief’s paradise, nationwide, combining personal information and data gathered via predictive modeling tools. A veritable pirate trove of spear phishing ammunition.
12. That which lurks unseen
The fear of the unknown is one of mankind’s natural and preservational states of being. To quote H.P. Lovecraft, “The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown.” Defined as the tendency to be afraid of something in which we have no information, on any level, this could easily be applied to data.
Big data is here. It is estimated that by 2025 there will be 175 zettabytes (175 trillion gigabytes) of data globally. The bulk of that data will never be used, never be analyzed, and never be seen. 140 zettabytes of it will be unstructured, and 126 zettabytes of it will be dark data.
Yes. Be afraid. Without insight into your own data and your immediate data security, be very afraid.
13. A hidden battlefield
Cybercrime has a rapidly growing, weaponized, financially underwritten, and political dark side. Right now, Ukrainian and Russian-funded hackers are in a head-to-head battle, deliberately targeting each other’s infrastructure and telecommunications, and the phrase “cyber espionage” is part of the daily front-page news. Teams from China, Turkey, Russia, Taiwan, Romania, India, Iran, Vietnam, Nigeria, and Brazil, to name but a few, now have the budgets and resources to digitally and forcefully “promote a nation’s interest at home or abroad.” These nation-state threat actors, such as the middle-east-based Charming Kitten, China-linked Double Dragon (who compromised at least 6 US state governments in 2022), Russian-funded zero-day, spear phishing, malware experts Fancy Bear, and the notorious Cosy Bear (responsible for SolarWinds), are causing deliberate chaos in government infrastructure, financial systems, healthcare operations, and vital utilities.
There is a war happening under our noses, and it’s very likely we’ll all be dragged into the conflict. At the behest of their political masters, nation-state-sponsored hacking groups target organizations involved in cryptocurrency and blockchain, ISPs and European elections, journalists, directly at cloud services providers, eCommerce sites and logistics organizations, utility suppliers, social channels, whatever suits their agenda of disruption and chaos. According to Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey, the enterprise is now the most common target of state-sponsored cybercriminals [HP]. Governments worldwide have repeatedly issued warnings about the developing threat from nation-state hackers and are cautioning organizations to be prepared to respond to disruptive cyber activity. No organization is safe, and these attacks are well-funded and growing.
So sleep well this All-Hallows’ Eve. Be safe in the knowledge that we have you covered, but never forget these tales of woe. For there but for the grace of a robust, comprehensive, and consolidated security posture, go you or I.
Try Imperva for Free
Protect your business for 30 days on Imperva.