Rotors of M-209 cipher machine.

Major Breaches

Password and Data Breaches

Attackers can steal sensitive data directly some of the time. Poorly configured databases or cloud storage may send out the data if you simply know what to ask for.

Or, it may be a multi-step attack. First, get the passwords to accounts with access. Then use those identities to request the sensitive data.

Malware can also leak passwords or the data itself. It can steal passwords by logging keystrokes while the victim is typing in their password. Or, it can search the file system and any available network shares for potentially sensitive data, and exfiltrate that to a "command and control" system, often called C&C or C2.

Bitcoin and similar blockchain currency systems have a poor track record. Not the blockchain itself, but the storage. The Blockchain Graveyard lists over 40 incidents in which cryptocurrency institutions have suffered intrusions. Most of them closed down afterward. Almost all could have been prevented, as they happened through social engineering, credential reuse, the takeover of the cloud hosting account, or vulnerable applications.
Blockchain Graveyard

Read about what's stored on a credit card:
Deconstructing a Credit Card's Data How Crooks Get the CVV

2023 T-Mobile

T-Mobile announced on 19 January 2023 that they had had a data breach exposing data from approximately 37 million current customer accounts. It included customer name, billing address, email, phone number, date of birth, and T-Mobile account number, plus details on the number of customer lines and plan features.

T-Mobile had learned of the breach on 5 January, and later determined that the data theft began around 25 November 2022.

This came after a slightly larger breach in 2021, for which T-Mobile agreed to pay a $500 million settlement in 2022. T-Mobile reported revenues of nearly $20 billion in the third quarter of 2022 alone, so settlements of a few hundred million dollars here and there don't seem so bad to them.

Brian Krebs report T-Mobile's SEC filing about the event Dark Reading

2022 Experian

On 23 December 2022, KrebsOnSecurity alerted the consumer credit reporting bureau Experian that identity thieves had found a way to view any consumer's full credit report.

Experian, of course, did little and said nothing.

Four days later they told Brian Krebs that they had received his message. They repeatedly refused to respond to requests for their comments on the event.

One month later they sent a letter to Brian Krebs saying that the weakness existed from 9 November to 26 December 2022. Well, they didn't say that exactly, instead using the lawyer-crafted "During this time period, we experienced an isolated technical issue where a security feature may not have functioned."

With "isolated", "technical issue", and "may not have functioned", Experian packed three distracting and minimizing phrases into one sentence.

KrebsOnSecurity, 9 Jan 2023 KrebsOnSecurity, 25 Jan 2023

2022 Shields Health Care Group

Shields Health Care Group provides medical imaging and outpatient surgical services for healthcare providers. A breach there therefore led to the theft of data for two million patients from almost 60 healthcare providers.

A hacker had gained access to Shields systems for three weeks in March. The data includes names, Social Security numbers, dates of birth, contact details, diagnoses, billing information, insurance details, provider names, medical record numbers, and patient IDs.
SC media report

2021 Healthcare Breaches

The ten largest healthcare data breaches in 2021 impacted over 22.6 million patients. Four of the largest ten were the fault of vendors rather than the actual healthcare providers.
SC media on the largest ten SC media on vendors being the problem

2021 T-Mobile

T-Mobile was breached once again, in a major event. Data was stolen describing at least 47 million customers, some say as much as 100 million. Names, phone numbers, and physical addresses, but also social security numbers, dates of birth, driver's licence information, and IMEI numbers.
Wired story #1 Wired story #2 Vice TechCrunch Wall Street Journal Brian Krebs report

Also see T-Mobile's breach in early 2023, which was nearly as large.

2020 U.S. Federal Government Data Breach

The hacking group called Cozy Bear or APT29, backed by the Russian intelligence agency SVR, penetrated several components of the U.S. federal government, along with a few state and local government agencies and some corporations. It was publicly reported on December 13, 2020, but it had been going on for at least six to nine months. It was among the worst cyber-espionage attacks ever suffered by the U.S., with many highly sensitive targets compromised.

Solorigate: Winds of change
Excellent analysis by Orange Cyberdefense, with thoughts on what has led us to the point where these threats emerge

The initial entry was through a supply chain attack on SolarWinds' Orion software. The attackers were able to access internal emails and other documents, and create their own single sign-on credentials giving them access across federated architectures.

The New York Times, Dec 15 2020
FireEye analysis, Dec 13 2020
FireEye additional technical details, Dec 24 2020
Volexity analysis
"Detecting Abuse of Authentication Mechanisms", National Security Agency
"Customer Guidance on Recent Nation-State Cyber Attacks", Microsoft
"SunBurst: The Next Level of Stealth", Reversing Labs
Wikipedia article with many links to references

One week before the breach was announced, Donald Trump had fired the head of CISA, the Cybersecurity and Infrastructure Security Agency, for not repeating Trump's lies that the 2020 election was "totally rigged". Six days after the breach was publicly reported, Trump announced that it could not have been Russia, it must have been China, "everything is well under control", and immediately pivoted to continuing his claims that he had won the recent election "by a landslide".

Sloppy Cloud Storage

Cloud storage platforms like Google Cloud and AWS or Amazon Web Services make it very easy to deploy and use high-capacity storage.

The problem may be that it's too easy. People who probably shouldn't be doing this, because they aren't careful enough and very likely don't know how to be properly careful, can now deploy storage in the public cloud and upload data.

Digital Shadows found over 12 petabytes of publicly accessible data belonging to organizations around the world, containing personal and financial information on customers, employees, and other data subjects. It was spread across over 1.5 billion files stored on AWS S3 storage buckets, rsync and SMB servers, FTP servers, NAS or Network Attached Storage devices, and misconfigured websites. You can read their April 2018 detailed report with registration, or read the overview in The Register.

Digital Shadows report The Register story

Data aggregator companies People Data Labs and OxyData.io stored 4 billion records on 1.2 billion people on unsecured servers at AWS and Google Cloud. It included names, email addresses, and home and mobile phone numbers plus what seemed to be data scraped from LinkedIn, Facebook, and other social media.

SC Magazine report Data Viper report

The 2019 breach of Capital One was based on misconfigured Amazon Web Services S3 storage buckets.
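The storage incidents above share one root cause: a bucket or server that answers anyone who asks. As an added example, not code from this page or from any of the reports it cites, here is a small Python audit of the S3 bucket-policy form of that mistake, flagging Allow statements whose Principal is the anonymous wildcard. Both policies, the bucket name and the account id are constructed for the example.

```python
import json

# Constructed example policies (not from any real bucket). The first is the
# "anyone can read and list" policy behind many bucket leaks; the second grants
# the same object access only to one made-up IAM role.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneToList",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowBackupRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-backups/*",
    }],
})

def _as_list(value):
    # Policy fields may be a single string or a list; normalize to a list.
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when a statement's Principal matches everyone (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False

def public_statements(policy_json):
    """Return (Sid, s3 actions, has_condition) for Allow statements open to any principal.

    A Condition block can narrow a wildcard principal (for example to one VPC
    endpoint), so the flag is returned for such statements to be reviewed by hand.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = sorted(a for a in _as_list(stmt.get("Action", [])) if a.startswith("s3:"))
        if actions:
            findings.append((stmt.get("Sid", "<no Sid>"), actions, "Condition" in stmt))
    return findings
```

Bucket policies are only one of several ways a bucket can become public (ACLs are another), so in practice this check complements, rather than replaces, enabling S3 Block Public Access at the account level.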

Capital One, March-July 2019

Names, birth dates, Social Security Numbers, bank account numbers, and more, for over 100 million people.

A former AWS employee accessed Capital One data through a misconfigured web application firewall. The access and data theft occurred from March 12 to July 17, 2019; the hacker then posted details to GitHub and the FBI was notified on July 19.

The New York Times on the breach Washington Post on the breach US FTC on the breach SC Magazine on the breach SC Magazine on the AWS S3 misconfiguration

Marriott, November 2018

Brian Krebs on Marriott breach

Marriott disclosed a data breach exposing personal and financial information on 500 million customers who had made reservations at any of its properties over the previous four years. That means any of the hotels in the several chains in the Starwood group. In March 2019, Mark Begor and Arne Sorenson, CEOs of Equifax and Marriott International, respectively, testified before a US Senate subcommittee and reported that the breach had compromised:

Sorenson stated, "To date, we have not found evidence that the master encryption keys needed to decrypt encrypted payment card and passport numbers were accessed, but we cannot rule out that possibility."
Begor's statement Sorenson's statement

GovPayNow.com / GovPayNet, September 2018

Brian Krebs on GovPayNow.com

"Let's privatize everything," they said. "What could possibly go wrong?"

GovPayNet, operating online as GovPayNow.com, serves approximately 2,300 state and local government agencies in 35 states. They handle online payments for parking and traffic citations, bail payments, court-ordered payments, licensing fees, and more. GovPayNet had been acquired in January 2018 by Securus Technologies, part of the enormous for-profit prison system in the U.S.

They leaked over 14 million customer records over six years, including names, addresses, phone numbers, and the last four digits of payers' credit cards.

The Paradise Papers, November 2017

International Consortium of Investigative Journalists

The Paradise Papers started to become public in November 2017. That was 13.4 million confidential electronic documents relating to offshore investments. It was 1.4 TB in size, so there were more documents but a smaller total data size than the Panama Papers.

Many large companies, national leaders, and prominent individuals were involved. Apple, Avianca, Nike, African politicians with lavish overseas homes, the British royal family, a rock star who owns a Lithuanian shopping center, and on and on.

Equifax, 2017

Equifax data breach

Hackers gained access to personal and financial data of over 145 million U.S. consumers. Equifax is a credit bureau, so the data is pretty much everything you would need for identity theft.

The Panama Papers, Mossack Fonseca, May 2016

Panama law firm Mossack Fonseca specialized in helping its clients shield their money from taxes. In May 2016, it became public that 11.5 million documents, some 2.6 terabytes, some dating back to the 1970s, had been leaked to investigative journalists. The team of journalists uncovered illegal activities involving prominent political and business figures around the world. The collection was called the Panama Papers.

The leak was the largest to date by a wide margin — Wikileaks Cablegate was 1.7 GB, Ashley Madison 30 GB, and Sony Pictures about 230 GB. The Panama Papers breach was over ten times the size of the largest previous breach.

Anthem Health Insurance, 2015

Anthem medical data breach

Hackers gained access to 80 million Anthem Health Insurance records including Social Security numbers, birthdays, addresses, income data, and email and employment details.

Target / Neiman Marcus, 2013

Target breach

Major U.S. discount retailer Target suffered a security breach between Nov 27 and Dec 15, 2013. Up to 40 million consumer credit and debit cards may have been compromised, including customer names, card numbers, expiration dates, and CVV codes, making this the second-largest retail cyber attack to this point (after the 2007 TJX Companies compromise affecting 90 million). Debit card PIN data was also stolen, although it was encrypted with Triple-DES (nice use of 1998 technology...), and the names, mailing addresses, phone numbers and email addresses of up to 70 million additional people were also stolen.

The malware involved is called BlackPOS and Картоха. The second of those is spelled in the Cyrillic alphabet, maybe looking a little different in Italic, Картоха, and pronounced car-toe-kha and not cap-tock-sa.

News and details include:

Luxury retailer Neiman Marcus revealed a breach based on the same malware, running 16 July through 30 October 2014. See a Reuters story of 12 Jan 2014 and an initial Dark Reading report of 13 Jan 2014; then a Neiman Marcus announcement updated 21 Feb 2014 and Ars Technica (24 Jan) and Dark Reading (23 Jan) analyses of a theft of 1.1 million customers' debit and credit cards. Also see the New York Times story of 23 Jan 2014.

Heartland Payment Systems, 2008

A 2008 breach at Heartland Payment Systems compromised tens of millions of credit and debit card transactions.

Password Breaches

How to crack passwords

Every large breach of a password database provides more information on how humans generate passwords. These insights go into the cracking software. There have been plenty of large databases exposed:

32 million from RockYou in 2009

6.4 million from LinkedIn leaked in 2012

24 million from Zappos in 2012

68 million email addresses and passwords from Dropbox, stolen in 2012 and released in 2016

177.5 million password hashes for 164.6 million users of LinkedIn, obtained in 2012 and leaked in 2016

50 million from Evernote in 2013

50 million from LivingSocial in 2013

150 million from Adobe in 2013

360 million from MySpace, stolen in June 2013 and published online in May 2016

Over 500 million Yahoo Inc. user accounts stolen in late 2014. The company described this as a "state-sponsored attack", but researchers said it was actually a theft by a criminal organization who then sold the data to an eastern European government.

32 million from Ashley Madison in 2015

200 million Yahoo Inc. user accounts offered for sale in August 2016. Nearly two months later Yahoo said that this was separate from the over 500 million stolen in 2014.

Over 412 million user accounts stolen from Friend Finder Network in October 2016. A total of 412,214,295 users of sex-related web sites including adultfriendfinder.com, cams.com, penthouse.com, stripshow.com, and icams.com. See reports in LeakedSource and CSO Online. Data on over 3.5 million AdultFriendFinder users had been stolen and posted online in May 2015, as reported on CNN and Channel 4 News and CSO Online.

Over one billion user accounts stolen from Yahoo in August 2013. This was only noticed and announced over three years later in November 2016. This is completely separate from the 500 million stolen in 2014 and announced in September 2016.

Up to 143 million names, Social Security numbers, birthdates, and addresses stolen from Equifax in May through July 2017

340 million records left on an open database server by Exactis. The data included personal interests, religion, and the number, age, and gender of children. The data was stored on an open database server by the marketing firm until it was noticed in late June 2018.

This table and list of references points you to many more examples.

Other Prominent Breaches

U.S. DHHS Breach Portal

The too-cutely named HITECH Act in the U.S. requires that the Secretary of the Department of Health and Human Services provide information to the public about all breaches affecting 500 or more individuals. See the department's breach portal for the details.
