As technology evolves, most of us hope the companies we entrust with our data are keeping pace. Unfortunately, that’s not always the case. Add the fact that security practice is usually reactive, catching up only after an incident, and the result is some very large breaches. What follows is a rundown of the worst incidents of 2012.
1. Wyndham Hotels
Perhaps the most egregious security failure of 2012 was one that actually began in 2008 but only came to public attention in June 2012, when the Federal Trade Commission sued Wyndham Hotels, owner of brands such as Ramada, Super 8, Howard Johnson, and Days Inn, for repeatedly leaving its systems vulnerable to intruders over a period of several years.
So what happened? According to the complaint, Wyndham failed to follow widely accepted practices such as requiring hard-to-guess passwords and user IDs and encrypting stored customer credit card data. Because this information sat in an improperly secured, centralized data center, intruders were able to get in and install malware with little difficulty. When the company discovered the lapse, it did not change its security procedures, and the intrusions continued for years. The result was over $10.6 million in fraudulent credit card transactions.
2. Zappos
The incident that grabbed the most headlines happened to the internet’s favorite shoe retailer. In mid-January, Zappos CEO Tony Hsieh sent an internal email warning employees that the company was “the victim of a cyber-attack by a criminal who gained access to parts of our internal network and systems.”
The bad news was that the attacker had accessed over 24 million customer records, including names, phone numbers, email addresses, partial credit card numbers, and hashed passwords. The breach came to light when the attacker uploaded the password hashes to a Russian hacking website and asked for help cracking them.
There was some good news as well. Once the incident had been reviewed, it became clear that Zappos had followed sound practice, storing passwords as salted hashes rather than in a reversible form, so the hashes were of little use to the attacker and the aftermath was little more than customers needing to change their passwords. On top of that, the company’s quick response showed that it already had a breach notification process in place and carried it out successfully.
3. LinkedIn and eHarmony
Not long after the Zappos breach came to light, the public was hit with a double whammy. Both LinkedIn and eHarmony had their users’ password hashes posted to password-cracking forums, presumably by the same attacker. Users were notified by email and urged to change their passwords immediately.
Because security researchers (and presumably criminals) cracked the posted hashes quickly, it became clear that neither company had salted its password hashes or used a deliberately slow hashing function. An unsalted, fast hash lets a single precomputed table of common passwords be checked against every record in the dump at once, which makes a leak of millions of hashes only marginally harder to crack than a leak of one.
The takeaway from these incidents was twofold. First, large companies need to take basic security steps to ensure that the information users entrust to them is properly safeguarded. Second, users were reminded of the importance of using a unique password for each website they visit, since a password cracked from one site’s dump can be tried against every other site where it was reused.
4. Last.fm
In mid-2012, Last.fm disclosed a security breach that had most likely occurred a few months earlier. Once again, attackers had exploited lax security to make off with millions of users’ password hashes, and the incident came to light when the hashes were dumped on a hacking forum.
After the incident went public, the site’s original developer, Russ Garrett, said that he was responsible for failing to put proper password hashing in place, and admitted that the password-handling code had not been updated since the site was originally written in 2003.
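The difference between the Zappos outcome and the LinkedIn, eHarmony and Last.fm outcomes comes down to how the password hashes were computed. The following is an added example, not code from the article or from any of the companies it names: it puts a bare, unsalted SHA-1 (the pattern that was cracked) beside a per-user salt with a slow key derivation (PBKDF2 here, as an assumed stand-in for whatever Zappos actually used) and measures what a cracker has to spend against each. The leaked records, the wordlist and the iteration counts are all constructed or assumed for illustration.

```python
"""Salted, slow password hashing beside the unsalted fast hash that failed.

Added example, not code from the original article or from any of the
companies it names. The leaked records and the cracker's wordlist are
constructed here for illustration; iteration counts are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# A deliberately tiny wordlist of the guesses a cracker tries first. Constructed.
WORDLIST = ["password", "123456", "linkedin", "letmein", "qwerty", "correct horse"]

# Assumed work factor for production; the demo passes a smaller one to stay fast.
PBKDF2_ITERATIONS = 200_000


# --- The LinkedIn / eHarmony / Last.fm pattern: one fast, unsalted hash ---

def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 of the password: same password, same hash, for every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked: list[str], wordlist: list[str]) -> list[tuple[int, str]]:
    """Recover passwords from unsalted hashes with one precomputed table.

    The table costs one hash per wordlist entry and is then applied to every
    leaked record for free, so a dump of millions costs no more than a dump
    of one. Returns (record index, password) pairs.
    """
    table = {unsalted_sha1(w): w for w in wordlist}
    return [(i, table[h]) for i, h in enumerate(leaked) if h in table]


# --- The Zappos pattern: per-user random salt plus a slow key derivation ---

def store_salted(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return a storable record: random 16-byte salt, PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_salted(records: list[dict], wordlist: list[str]) -> tuple[dict[int, str], int]:
    """The best a cracker can do against salted records: guess per record.

    No table can be shared between users because each salt differs, and each
    guess costs the full iteration count. Returns the recovered passwords and
    the number of underlying HMAC calls spent, for comparison with the
    wordlist-sized cost of crack_unsalted.
    """
    found: dict[int, str] = {}
    hmac_calls = 0
    for i, rec in enumerate(records):
        for guess in wordlist:
            hmac_calls += rec["iterations"]
            if verify_salted(guess, rec):
                found[i] = guess
                break
    return found, hmac_calls


def demo(iterations: int = 1_000) -> dict:
    """Constructed leak of three users, two of whom chose the same weak password."""
    passwords = ["password", "linkedin", "password"]  # alice, bob, carol

    unsalted_dump = [unsalted_sha1(p) for p in passwords]
    cracked_unsalted = crack_unsalted(unsalted_dump, WORDLIST)

    salted_dump = [store_salted(p, iterations) for p in passwords]
    cracked_salted, work = crack_salted(salted_dump, WORDLIST)

    return {
        "unsalted_identical": unsalted_dump[0] == unsalted_dump[2],
        "salted_identical": salted_dump[0]["hash"] == salted_dump[2]["hash"],
        "cracked_unsalted": len(cracked_unsalted),
        "unsalted_work": len(WORDLIST),
        "cracked_salted": len(cracked_salted),
        "salted_work": work,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things are worth noticing in the output. First, the unsalted dump shows at a glance which users share a password, and cracking one of them cracks all of them for the price of building the table once. Second, salting and a slow hash do not rescue a user who chose “password”; they only make every guess cost the full iteration count and force the cracker to start over for each record. That is why the Zappos breach ended with a password reset rather than a usable list of credentials, and why unique passwords on the user’s side still matter.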
5. Yahoo
One major breach of 2012 managed to fly under the radar despite hitting one of the larger online companies. Attackers broke into a Yahoo subdomain through a SQL injection flaw, sending database commands through an inadequately validated URL parameter, and stole files from Yahoo’s Contributor Network.
In total, the stolen files contained about 450,000 user names and passwords. Shockingly, the passwords were not hashed at all; they were stored in plain text, so no cracking was needed. The group responsible claimed that the incident was isolated but added that there had “been many security holes exploited in Web servers belonging to Yahoo! Inc.”
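To make the Yahoo entry point concrete, here is an added example, not the code that ran on the affected subdomain, showing how a URL parameter pasted straight into a query lets a visitor pull a second table through a page that was only meant to show one article, and how binding the parameter instead closes the hole. The schema, table names, rows and payload are all constructed for illustration; the `users` table keeps plaintext passwords to mirror what was found in the breach.

```python
"""Commands smuggled through a URL parameter, beside the parameterized fix.

Added example, not the code that ran on the affected subdomain. The schema,
table names, rows and payload are constructed here for illustration.
"""
from __future__ import annotations

import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for a content site: public articles, private users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE articles (id INTEGER PRIMARY KEY, slug TEXT, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'hello-world', 'Hello, world');
        -- Plaintext passwords, as in the breach described above. Constructed rows.
        INSERT INTO users VALUES (1, 'alice@example.com', 'hunter2');
        INSERT INTO users VALUES (2, 'bob@example.com', 'letmein');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, slug: str) -> list[tuple]:
    """Flawed pattern: the value from ?slug=... is pasted into the SQL text."""
    sql = f"SELECT slug, title FROM articles WHERE slug = '{slug}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, slug: str) -> list[tuple]:
    """Parameterized query: the value is bound by the driver, never parsed as SQL."""
    return conn.execute(
        "SELECT slug, title FROM articles WHERE slug = ?", (slug,)
    ).fetchall()


# UNION-based payload: closes the string, appends a second SELECT against a
# table the page was never meant to touch, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT email, password FROM users --"


if __name__ == "__main__":
    db = build_db()
    print("normal:", lookup_vulnerable(db, "hello-world"))
    print("injected:", lookup_vulnerable(db, PAYLOAD))  # dumps the users table
    print("parameterized:", lookup_safe(db, PAYLOAD))   # no rows
```

The UNION trick works because the attacker controls the query text, and the two SELECTs only have to agree on column count. With the bound parameter the whole payload is compared against the `slug` column as a literal string and matches nothing. Hashing the stored passwords would not have stopped the injection, but it would have turned the stolen file into work for the attacker rather than a ready-to-use credential list.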
Because much of the user information released was old, the immediate damage was limited, though anyone who had reused one of those passwords elsewhere was still exposed. What the incident did do was remind users and companies alike that old files and data need to be guarded as vigilantly as new user information, and that companies need to revisit and update their security practices to ensure that all data is properly protected.
What can we personally learn from these breaches? We can’t always trust that others are doing the work they should to keep our personal data safe. Make 2013 the year you resolve to follow best practices online, starting with a unique password for every site.
Have other cyber breaches you’d like to share? Leave them in the comments.