It Never Grows Old: Learn From 3 Major Data Breaches

SOC Prime, published in Cybersecurityspace
5 min read, Jun 30, 2022

Discover our pick of the top 3 most devastating data breaches

Famous data breaches are hitting the headlines. Unfortunately, by the time they do, it’s too late 🤷. Hundreds of millions of dollars are lost while data is leaked, sold, and taken advantage of. It’s hard to admit, but common sense may be misleading security people when they prioritize response. When you get thousands of alerts daily, isn’t it right to act immediately on whatever hits the hardest? Yes and no.

You’ll see why it’s tricky in the data breach list below 👇. Devastating security breaches and data leaks had often been operating quietly for years. It’s the kind of attack that is killing you softly (and we aren’t talking songs here). It may go unnoticed for quite a while, and if nobody is getting hurt, everyone assumes it will pass. But when everything is exposed, heads roll.

Compromises may remain unnoticed for months and years

Take a look at our data breach selection, which shows some patterns to be aware of. You will find more actionable insights in our Cyber Threats Search Engine.

TARGET

What: Target PoS terminals hack

Where: approx. 1,800 stores in the US

Victims & Consequences:

  • 40 million credit/debit card users affected
  • 70 million users’ personal data compromised
  • CEO and CTO resigned
  • The retailer faced lawsuits from banks
  • Total breach cost reached $200 million
  • $18.5 million settlement paid
  • 47 states claimed the settlement

How Did it Happen?

Theory 1: 🥩 Meat scales. Endpoint hack

When we think of software, we talk about vendors, open-source, and merging code. We don’t go too deep. Now, that’s a juicy mistake that attackers wait for us to make. You don’t treat a meat scale as something serious, do you? Here they got you.

According to a Verizon study, penetration testing specialists were able to reach Target’s point-of-sale terminals on the core network and read card data. They also communicated with cash registers in several locations after having compromised a deli meat scale at an entirely different site. The researchers said they could easily move laterally, but their main goal was infiltrating the root system.

Theory 2: 💨 Air conditioner. Third-party VPN hack

The biggest data breaches are rare and require thorough preparation. If you still doubt that everything is connected in the software world, hear this out. Another theory of the Target infiltration says that a small HVAC contractor in Pennsylvania was breached first (presumably by spearphishing). Once attackers hijacked the firm’s VPN credentials, they connected remotely to Target and eventually reached the cash registers.

The financial data might then have been stolen with Kaptoxa/BlackPOS, malware that steals card data from POS devices by scraping process memory. This malware was able to capture credit card information, which could then be used to clone cards. At the time of the attack, Kaptoxa/BlackPOS was sold on cybercrime forums for $1,800 for a “low-cost” version and $2,500 for a “full edition.” The possible author of this malicious tool used the nickname Antikiller.

MARRIOTT

What: Data exfiltration in the Marriott hotels chain

Where: the US

Victims & Consequences:

  • Up to 339 million guests’ data exfiltrated over 4 years
  • Personal data sold on the dark web and used for reconnaissance
  • £18.4 million fine

How Did it Happen?

Theory 1. 🕵 Chinese Intelligence

Marriott, which, according to sources, is a top hospitality partner for American military and government personnel, had its sensitive data exfiltrated for years. The investigation points to a strategic move by Chinese intelligence that flourished during Donald Trump’s presidency.

When Marriott acquired the Starwood chain of hotels, it presumably bought it with an unwanted “addition” in the form of malware already operating in the background. Interestingly, there was a preceding bidding war 💣 between Marriott and China’s Anbang Insurance Group Co. The latter suddenly withdrew its final offer, letting Marriott buy Starwood.

The malware was exfiltrating passport numbers, among other data, which allowed tracking of certain persons’ appearance, marital status, family details, and current location. Researchers say Chinese intelligence sought to identify American spies and their activities, including communications with Chinese people. The gathered data could also be used against individuals and organizations.

Theory 2. 🔀 Messy Integrations

The tech stack used in hotel chains includes lots of dependencies that come with inherent vulnerabilities. For example, an online booking engine is connected to a central reservation system. It then feeds information to a property management system, which is also correlated with several CRMs, revenue management tools, business intelligence software, and more 🤯. Obviously, lateral movement and privilege escalation are a serious concern here. Additionally, persistence and defense evasion were quite sophisticated, since this malware operated at least from 2014 to 2018.

CAPITAL ONE

What: CapitalOne bank’s data leak & crypto mining

Where: the US and Canada

Victims & Consequences:

  • 100 million bank customers’ data stolen in the US
  • 6 million customers affected in Canada
  • Roughly 140,000 SSNs compromised in the US and 1 million in Canada
  • 80,000 bank accounts compromised
  • 3 years’ worth of sensitive financial data leaked
  • $190 million settlement
  • $80 million fine
  • CISO replaced

How Did it Happen?

Fact: 👤 Inside Job

An insider breach is a nightmare for every organization. Things get even more complicated when the insider job comes from a former employee of one of your trusted software contractors 😨. Paige Thompson was a software engineer at Amazon Web Services (2015–2016). Cloud services of this provider, like the web application firewall, were deliberately misconfigured in 2019 to gain access to highly sensitive information belonging to its client, CapitalOne. Using Server-Side Request Forgery (SSRF) techniques, Thompson made the server execute unauthorized commands on behalf of a remote user. What’s unusual is that Thompson had been posting about her hacking activities on Twitter for months. Beyond data exfiltration, she also planted crypto-mining software.

A screenshot of Paige Thompson’s tweets

The massive data breach came to light when CapitalOne employees received an email from a GitHub user with a link to the leaked data published online. You can find more details of the breach, with screenshots of Thompson’s messages, here and here.

People will always fight for money, power, and attention

You’ve just read about perfect examples of three main types of cybersecurity breaches. Or, should we say, three motivation types: money, power, and attention. Arguably, people will always fight for those three. We must acknowledge the fight and do our best to protect what’s important to us. As you can see, the devastating consequences were often the result of pretending that nothing was happening 🙈 (or, well, poor risk management). At SOC Prime’s Detection as Code platform, we are uniting cyber specialists in a shared security approach that uses both quantity and quality to power up 🚀 enterprise cybersecurity processes.
