Aleph-Naught PII Records on the Wall
Remember that old song “Aleph-Naught Bottles of Beer on the Wall”? Of course not, because it’s actually 99, but when it comes to security breaches it makes more sense to start counting down from aleph-naught. The amount of Personally Identifiable Information (PII) exposed on the internet is perhaps a never-ending event, just like the song. Gabia, HSBC Korea, Epson Korea, Yale, SCMLC, ShoWorks, and RBS were all involved in data loss amounting to 433,652 records, and information on one of Vanguard’s senior VPs was made public.
According to Reuters, the Epson Korea breach involved information on 350,000 customers. A number of related attacks were made on other Korean companies, including the domain registrar Gabia, and HSBC Korea’s website was brought down for an hour, which disabled its online banking service.
Yale University fell prey to Googlebot’s indexing. Google modified its search engine in September of 2010 to be able to index FTP servers, but the university was unaware. As a result, some 43,000 social security numbers were made available on the internet and remained there for 10 months, until June 30th, when the breach was discovered. Yale Daily News covers the incident and explains that the file was hidden on their server under a misleading filename, but that was not enough to keep it from being found on the internet.
Identity Finder, a company that attempts to minimize data loss exposure, discovered 311,778 social security numbers belonging to Southern California Medical-Legal Consultants (SCMLC). The issue was discovered on May 11th of this year, but was not mentioned in a press release by Identity Finder until this week.
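A defender-side check for the kind of exposure Yale and SCMLC faced, added here as an example (it is not code from the post, from Yale, or from Identity Finder): it inspects file contents rather than filenames, because a misleading name did nothing once Googlebot indexed the file. The directory to scan is an assumption passed on the command line.

```python
"""Content-based scan for SSN-like records in a directory tree.

Added example, not from the original post or any company named in it:
walks a directory (e.g. an FTP or web document root) and reports files
that contain plausibly formatted U.S. Social Security numbers, regardless
of filename or extension. The point is that content, not the name, is
what a crawler indexes, so content is what the check must look at.
"""
import os
import re

# Nine digits, either ddd-dd-dddd or ddddddddd (separator must be consistent),
# not embedded inside a longer digit run such as a phone or account number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})(-?)(\d{2})\2(\d{4})(?!\d)")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Cuts false positives from invoice-style numbers."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def scan_text(text: str) -> int:
    """Return the number of plausible SSNs found in a string."""
    return sum(1 for m in SSN_RE.finditer(text)
               if is_plausible_ssn(m.group(1), m.group(3), m.group(4)))

def scan_tree(root: str, threshold: int = 1) -> dict:
    """Map relative file path -> SSN count for every file at or over threshold.
    Files are read as bytes and decoded leniently so binary noise is ignored."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    text = f.read().decode("utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip, do not abort the whole scan
            count = scan_text(text)
            if count >= threshold:
                hits[os.path.relpath(path, root)] = count
    return hits

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # assumed scan root
    for path, n in sorted(scan_tree(root).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d}  {path}")
```

Raise `threshold` to flag only bulk files (a single number in a support ticket is a different problem from a 43,000-row export), and run it against the same document roots the FTP and web servers expose.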
The company ShoWorks Inc was the victim of an attack that exposed the emails and passwords of 20,000 employees through the allianceforbiz.com website. Other information was leaked as well.
An email sent from a Hays plc employee to 800 staff at the Royal Bank of Scotland (RBS) contained the pay rates for 3,000 contractors. According to the FT article, the IT staff was able to delete half of the emails before people had the chance to read them.
Perhaps most startling was the sensitive information obtained regarding the senior VP Richard Garcia at Vanguard. Vanguard produces the ShadowHawk Unmanned Aerial System (UAS), which is used by the military, other corporations, and law enforcement around the world. The company is contracted by both the Pentagon and the FBI, which, according to Anonymous’ press release, is why it was chosen. CNET reports that in a conversation with Vanguard’s CEO “there was no breach of its servers or Web site, but rather that it was Garcia’s personal Gmail account that was accessed.” The CEO goes on to state that the 1GB of information obtained by AntiSec concerned Garcia’s involvement with InfraGard and that no sensitive or proprietary information of Vanguard was exposed. This is certainly not the first time hackers have hijacked the email accounts of federal or related officials.
As the 2011 Data Breach Investigations Report produced by Verizon’s RISK Team, the US Secret Service, and the Dutch High Tech Crime Unit states, data breaches still don’t require highly sophisticated attacks. In fact, the attack methods used are often straightforward and simple, such as character encoding hacks. Whatever is connected to the internet, be it a mobile device (see the recent Android Gingerbread (2.3.3) exploit), personal computer, or web server, hackers are finding their way in and are rewarded by their peers through sites like Rank My Hack, Twitter, or simply by being able to identify with a larger community. It is up to IT departments to take the initiative, stay up to date on the latest kinds of attacks, read reports on solutions such as Protegrity’s “It’s Not Just about Credit Card Numbers Any More” report, and structure their data systems defensively.