Cyber-Crime 2012: Big Business for Attackers, Big Costs for Victims
South Carolina Security Goes South
In October, officials in South Carolina's Department of Revenue admitted that information belonging to as many as 4.4 million people and businesses had been compromised in a breach. In the aftermath of the breach, it was revealed that an employee was tricked into opening a file laced with malware. From there, the perpetrators stole log-in credentials to department computers and then began pilfering information.
Global Payments Pays a Price
In March, electronic transaction processor Global Payments announced that 1.5 million credit cards had been exposed in a breach. Then came more bad news: In June, the company reported that its investigation had uncovered potential unauthorized access to the servers containing personal information collected from merchant applicants. The price tag for the incident was significant for the firm: As of May 31, Global Payments said it recorded $84.4 million in costs associated with the situation.
Zappos Gets Zapped
Online shoe retailer Zappos.com announced in January that it had suffered a massive attack that compromised the personal information of 24 million customers. Hackers were able to access Zappos customers' names, email addresses, addresses, phone numbers, the last four digits of credit card numbers and passwords. The good news—the passwords stolen were hashed, meaning they were not readable without being unscrambled. In response to the breach, however, Zappos still made affected customers change their passwords as a precaution.
LinkedIn's Weakest Link
LinkedIn joined the list of breached companies this year when a list of some 6.5 million hashed but unsalted passwords was uploaded to an online Russian forum. An analysis revealed that many of the passwords had been cracked. In the aftermath of the incident, LinkedIn announced that it would now hash and salt passwords. eHarmony was also affected, with some 1.5 million passwords belonging to members posted to the forum as well.
Adobe Systems Hit
Adobe took down a user forum for its Adobe Connect video conferencing service after a hacker compromised a server and downloaded information on its 150,000 members. The information taken from the server included names, usernames, titles, email addresses and company names, along with a hashed version of their passwords. In a message posted on Pastebin Nov. 13, the hacker expressed interest in only posting the information on Adobe employees and employees of U.S. government agencies publicly.
Yahoo Passwords Are Up for Grabs
Yahoo officials confirmed in July that an older file from Yahoo Voices (formerly Associated Content) was stolen by hackers, allowing them to get their hands on more than 400,000 user credentials. Of those, fewer than 5 percent of the Yahoo accounts had valid passwords. In addition to Yahoo email addresses, the list also included email addresses for Gmail, Hotmail, AOL and other services. Users of the Yahoo Contributor Network can sign up using their Google or Facebook IDs, which accounts for the various emails listed.
University of Nebraska Security Lessons
A data breach at the University of Nebraska resulted in the theft of Social Security numbers, addresses, grades and other information. All told, 654,000 student records were affected. The situation was discovered May 23, when a staff member of the Computing Services Network detected a breach in the Nebraska Student Information System indicating an individual had gained access to the database. The attack was shut down within hours of its discovery, and officials were able to identify an undergraduate student they believed was responsible.
Flame Burns Bright
Flame was first identified after security researchers were asked by the United Nations International Telecommunications Union to investigate reports of a computer virus affecting Iran's oil ministry. What followed was the discovery of a sophisticated piece of malware that many suspect is part of efforts by the United States and Israel to spy on and sabotage Iran's nuclear program in a classified operation code-named Olympic Games. The malware propagates itself on local networks and removable media, and is capable of operations ranging from taking screenshots to recording audio conversations and intercepting network traffic. The malware also hijacked the Microsoft Windows Update mechanism, using a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft. While the malware is only believed to have affected a few hundred computers, its size and sophistication are enough to get it included on this list.
BlueToad Takes Credit for Breach
Digital publishing company BlueToad confessed in September that it was responsible for a data breach that resulted in the theft of device identification data belonging to 12 million Apple users. This flew in the face of claims by hackers in a group known as AntiSec that they had gained access to an FBI computer containing stolen UDIDs, which is shorthand for unique device identifiers. UDIDs can identify a particular iOS device, such as an iPhone or iPod. The company came forward after being notified that it was the likely source by a security consultant with the Intrepidus Group who analyzed the roughly 1 million UDIDs that had been posted on the Web and linked them to BlueToad.
Northwest Florida State College Breach
Employee data was breached between May 21 and Sept. 24 after one or more hackers accessed a folder on the school's main server. According to school officials, an internal review between Oct. 1 and Oct. 5 revealed that 76,000 current and former students had their personal information exposed in the breach, as did about 200,000 students from Florida who were eligible for Bright Futures scholarships for the 2005-2006 and 2006-2007 school years. Additionally, more than 3,000 current and retired employees had their information exposed. As of Oct. 8, some 50 employees had reported issues of identity theft.