Thanks to our friends at Alert Logic for contributing this article to our blog.
We’re almost halfway through 2014 and so far, there has been no shortage of hacker activity. If we suggested a list of “all the security breaches of 2014,” we’d be well on our way to writing a novel. So here I’ll suggest what I think are the top breaches of 2014 so far. Disagree or have other ideas? Share them in the comment box below.
Heartbleed | OpenSSL vulnerability
I’m making Heartbleed the top security breach of 2014 because of its widespread impact and the length of time it went undetected. The Heartbleed bug is a vulnerability in certain versions of the OpenSSL software library, which a large percentage of websites use to encrypt and decrypt the data they send back and forth. The bug allows an attacker to read the memory of a web server and gain access to encryption keys, user passwords and site content. This vulnerability has been in the OpenSSL code for a little more than two years. Reports estimate more than a half-million web servers worldwide were affected by this vulnerability, including popular sites like Amazon, Pinterest, Reddit, Tumblr, Airbnb and WordPress.
What should you learn from Heartbleed?
- Make sure the vendors you work with and the sites you visit are patched. Use https://filippo.io/Heartbleed/ if you need to check.
- Change your online passwords once you know sites are patched.
Just last month, eBay suggested its 145 million customers change their passwords because of a possible compromise due to a security breach. The breach was most likely a successful social engineering attack that affected about 100 employees—eBay’s public statement mentions “a small number of employee log-in credentials were compromised.” Earlier this month, eBay’s security team started to find anomalous activities being generated that led them to the root of the breach. After their investigation, they found that the attackers had been on their network since February. This would mean that the attackers had been on the network for about 84–98 days before detection, less than the average but still long enough to potentially do some damage.
What should you learn from the eBay breach?
- Make employee education part of your overall security program and cover topics like advanced phishing techniques.
- If you’re an eBay user, change your password.
University of Pittsburgh Medical Center (UPMC) data breach
My final pick for the top breaches of 2014 (so far) is UPMC. In February, UPMC reported a data breach and indicated that about 20 employees were affected. In May, those numbers were revised, with the University reporting that 27,000 employees were potentially affected and that, since the first announcement in February, at least 788 of those have already been the victims of tax fraud (many of whom are now suing the University for not disclosing information sooner). What’s more interesting is that later reports indicate the UPMC breach is part of a larger, nationwide scheme where hackers use third-party vendors to access human resources or payroll records. Brian Krebs, who runs the investigative blog KrebsOnSecurity.com, said at least half a dozen healthcare providers across the nation have been targeted by cybercriminals.
What should you learn from the UPMC breach?
- Have a crisis communication plan and follow it in the unfortunate event of a breach.
- Have a defense-in-depth strategy to combat internal and external security breaches.
What do you think? Are these really the top breaches of 2014 so far, or are there others? Leave a reply below. We’d love to hear from you.