Rotors of M-209 cipher machine.

Major Breaches

Password and Data Breaches

Sometimes attackers can steal sensitive data directly. A poorly configured database or cloud storage bucket will hand over its contents to anyone who simply knows what to ask for.

Or it may be a multi-step attack: first steal the passwords of accounts that have access, then use those identities to request the sensitive data through the system's normal interfaces.

Malware can also leak passwords or the data itself. A keylogger captures the password as the victim types it. Other malware searches the file system and any reachable network shares for potentially sensitive data and exfiltrates it to a "command and control" system, usually called C&C or C2.

Bitcoin and similar blockchain currency systems have a poor track record. The weakness is not the blockchain itself but the custodial storage built around it. The Blockchain Graveyard lists over 40 incidents in which cryptocurrency institutions suffered intrusions; most of them closed down afterward. Almost all could have been prevented, as they happened through social engineering, credential reuse, takeover of the cloud hosting account, or vulnerable applications.
Blockchain Graveyard

Read about what's stored on a credit card:
Deconstructing a Credit Card's Data
How Crooks Get the CVV

Sloppy Cloud Storage

Cloud storage platforms such as Google Cloud and Amazon Web Services (AWS) make it very easy to deploy and use high-capacity storage.

The problem is that it may be too easy. People who probably shouldn't be doing this, because they are not careful enough and very likely don't know how to be properly careful, can now deploy storage in the public cloud and upload data to it.

Digital Shadows found over 12 petabytes of publicly accessible data belonging to organizations around the world, containing personal and financial information on customers, employees, and other data subjects. It was spread across over 1.5 billion files on AWS S3 storage buckets, rsync and SMB servers, FTP servers, NAS (Network Attached Storage) devices, and misconfigured websites. You can read their detailed April 2018 report (registration required), or the overview in The Register.

Digital Shadows report The Register story
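The first check a practitioner makes against exactly this kind of sloppiness is to audit every bucket's ACL, bucket policy and Block Public Access settings for grants to the whole world. The following is an added example, not code from this page or from Digital Shadows. It inspects three constructed documents in the shapes that boto3's get_bucket_acl(), get_bucket_policy()["Policy"] and get_public_access_block()["PublicAccessBlockConfiguration"] return; the bucket name, owner ID and VPC endpoint ID are made up.

```python
"""Flag S3 buckets whose ACL or bucket policy grants access to everyone.

Added example, not code from the original page. The three sample documents
are constructed in the shapes boto3 returns; swap in live calls to audit real
buckets.
"""
import json

# The two S3 "groups" that mean the entire world. "AuthenticatedUsers" means
# any AWS account anywhere, not accounts in your organization.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# All four switches must be on for S3 Block Public Access to be complete.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Return (permission, group) pairs granted to the world-wide S3 groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grant["Permission"], grantee["URI"].rsplit("/", 1)[-1]))
    return found


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return Sids of Allow statements open to any principal with no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be un-listed
        statements = [statements]
    open_sids = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        # A Condition (aws:SourceVpce, aws:SourceIp, ...) can scope "*" down;
        # only unconditioned grants are reported as definitely public.
        if st.get("Condition"):
            continue
        open_sids.append(st.get("Sid", "<no Sid>"))
    return open_sids


def block_public_access_complete(config):
    """True only if every Block Public Access switch is explicitly on."""
    return all(config.get(k) is True for k in PAB_KEYS)


def audit(acl, policy_json, pab_config):
    """Combine the three checks into one finding for a bucket."""
    return {
        "acl": public_acl_grants(acl),
        "policy": public_policy_statements(policy_json),
        "block_public_access": block_public_access_complete(pab_config),
    }


# Constructed sample: the classic "make it work" ACL with world READ.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample: one public statement beside one correctly scoped one.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicListAndGet", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# Constructed sample: half-configured Block Public Access, which is no protection.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": False}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB), indent=2))
```

Against the samples it reports the world READ grant, the unconditioned "PublicListAndGet" statement, and an incomplete Block Public Access configuration, while leaving the VPC-endpoint-scoped statement alone. Turning on all four Block Public Access switches at the account level is the control that makes such grants fail before an auditor ever has to find them.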

Marriott, November 2018

Brian Krebs on Marriott breach

Marriott disclosed a data breach exposing personal and financial information on up to 500 million customers who had made reservations at any of its Starwood properties over the preceding four years, that is, any hotel in the several Starwood brands, whose guest reservation database was the compromised system. In March 2019 Mark Begor and Arne Sorenson, CEOs of Equifax and Marriott International respectively, testified before a US Senate subcommittee and reported that the breach had compromised:

Sorenson stated, "To date, we have not found evidence that the master encryption keys needed to decrypt encrypted payment card and passport numbers were accessed, but we cannot rule out that possibility."
Begor's statement Sorenson's statement

GovPayNow.com / GovPayNet, September 2018

Brian Krebs on GovPayNow.com

"Let's privatize everything," they said. "What could possibly go wrong?"

GovPayNet, operating online as GovPayNow.com, serves approximately 2,300 state and local government agencies in 35 states. They handle online payments for parking and traffic citations, bail payments, court-ordered payments, licensing fees, and more. GovPayNet had been acquired in January 2018 by Securus Technologies, part of the enormous for-profit prison system in the U.S.

The site had leaked over 14 million customer records spanning six years, including names, addresses, phone numbers, and the last four digits of each payer's credit card.

The Paradise Papers, November 2017

International Consortium of Investigative Journalists

The Paradise Papers began to become public in November 2017: 13.4 million confidential electronic documents relating to offshore investments, 1.4 TB in total. That is more documents than the Panama Papers but a smaller total data size.

Many large companies, national leaders, and prominent individuals were involved. Apple, Avianca, Nike, African politicians with lavish overseas homes, the British royal family, a rock star who owns a Lithuanian shopping center, and on and on.

Equifax, 2017

Equifax data breach

Attackers gained access to personal and financial data on over 145 million U.S. consumers. Equifax is a credit bureau, so the data is pretty much everything needed for identity theft.

The Panama Papers, Mossack Fonseca, April 2016

Panama law firm Mossack Fonseca specialized in helping its clients shield their money from taxes. In April 2016 it became public that 11.5 million documents, some 2.6 terabytes, some dating back to the 1970s, had been leaked to investigative journalists. The team of journalists uncovered illegal activities involving prominent political and business figures around the world. The collection was called the Panama Papers.

The leak was the largest to date by a wide margin: WikiLeaks Cablegate was 1.7 GB, Ashley Madison 30 GB, and Sony Pictures about 230 GB. At 2.6 TB, the Panama Papers were over ten times the size of the largest previous leak.

Anthem Health Insurance, 2015

Anthem medical data breach

Attackers gained access to about 80 million Anthem Health Insurance records including Social Security numbers, birth dates, addresses, income data, and email and employment details.

Target / Neiman Marcus, 2013

Target breach

Major U.S. discount retailer Target suffered a security breach between 27 November and 15 December 2013. Up to 40 million consumer credit and debit cards may have been compromised, including customer names, card numbers, expiration dates, and CVV codes, making this the second-largest retail cyber attack to that point (after the 2007 TJX Companies compromise affecting 90 million). Debit card PIN data was also stolen, although it was encrypted with Triple-DES (nice use of 1998 technology...); Triple-DES is what the payment industry's PIN-block standards required, so the real question was whether the key was also exposed, and Target said the decryption key was held only by its external payment processor. The names, mailing addresses, phone numbers and email addresses of up to 70 million additional people were also stolen.

The malware involved, a point-of-sale memory scraper that reads card data from the terminal's RAM before it is encrypted, is called BlackPOS and Картоха. The second name is spelled in the Cyrillic alphabet, possibly looking a little different in italics, Картоха, and is pronounced car-toe-kha, not cap-tock-sa.

News and details include:

Luxury retailer Neiman Marcus revealed a breach initially linked to the same malware, running 16 July through 30 October 2013. See a Reuters story of 12 Jan 2014 and an initial Dark Reading report of 13 Jan 2014; then a Neiman Marcus announcement updated 21 Feb 2014 and Ars Technica (24 Jan) and Dark Reading (23 Jan) analyses of a theft of 1.1 million customers' debit and credit cards. Also see the New York Times story of 23 Jan 2014.

Heartland Payment Systems, 2008

A 2008 breach at Heartland Payment Systems, discovered in January 2009, compromised about 130 million credit and debit card numbers, the largest card breach at that time.

Password Breaches

How to crack passwords

Every large breach of a password database reveals more about how humans generate passwords: which base words they favor, how they capitalize, and which digits and symbols they append. Those patterns go straight into the word lists and mangling rules of password-cracking software, so each leak makes the next one cheaper to crack. There have been plenty of large databases exposed:

32 million plaintext passwords from RockYou in 2009

6.4 million unsalted SHA-1 password hashes from LinkedIn, leaked in 2012

24 million from Zappos in 2012

68 million email addresses and hashed passwords from Dropbox, stolen in 2012 and released in 2016

177.5 million unsalted SHA-1 password hashes for 164.6 million LinkedIn users, obtained in 2012 and leaked in 2016

50 million from Evernote in 2013

50 million from LivingSocial in 2013

150 million from Adobe in 2013, stored not as hashes but encrypted with Triple-DES in ECB mode, so identical passwords produced identical ciphertext and the unencrypted password hints gave much of the rest away

360 million from MySpace, stolen in June 2013 and published online in May 2016

Over 500 million Yahoo Inc. user accounts stolen in late 2014. The company described this as a "state-sponsored attack", but researchers said it was actually a theft by a criminal organization who then sold the data to an eastern European government.

32 million from Ashley Madison in 2015

200 million Yahoo Inc. user accounts offered for sale in August 2016. Nearly two months later Yahoo said that this was separate from the over 500 million stolen in 2014.

Over 412 million user accounts stolen from Friend Finder Network in October 2016: a total of 412,214,295 users of sex-related web sites including adultfriendfinder.com, cams.com, penthouse.com, stripshow.com, and icams.com. See reports in LeakedSource and CSO Online. Data on over 3.5 million AdultFriendFinder users had already been stolen and posted online in May 2015, as reported on CNN, Channel 4 News and CSO Online.

Over one billion user accounts stolen from Yahoo in August 2013. This was only noticed and announced over three years later, in December 2016, and is completely separate from the 500 million stolen in 2014 and announced in September 2016.

Up to 143 million names, Social Security numbers, birthdates, and addresses stolen from Equifax in May through July 2017

340 million records left on an open database server by the marketing firm Exactis. The data included personal interests, religion, and the number, age, and gender of children. It sat on the open server until it was noticed in late June 2018.

This table and list of references points you to many more examples.
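To make concrete how leaked plaintexts feed the cracking software, here is an added example (not from this page or from any cracking tool). It learns the most common capitalization-and-suffix patterns from a small constructed list of "previously leaked" plaintexts, applies them to a word list in order of observed frequency, and recovers unsalted SHA-1 hashes of the kind LinkedIn stored in 2012. Every password, word and hash in it is constructed for the example.

```python
"""Learn mangling rules from leaked plaintexts, then crack unsalted SHA-1.

Added example, not code from the page or from any cracking tool. The "leaked"
plaintexts, the word list and the target hashes are all constructed here.
"""
import hashlib
import re
from collections import Counter

# Constructed stand-in for a previously leaked plaintext dump.
LEAKED_PLAINTEXTS = [
    "sunshine1", "Princess123", "football!", "dragon2012", "Monkey1",
    "iloveyou123", "shadow!", "Welcome1", "baseball", "letmein2012",
]

# Constructed word list for the attack (a real one would be rockyou-sized).
WORDLIST = ["password", "qwerty", "hunter", "tigers", "master"]

# Leading alphabetic "base word" and whatever follows it.
WORD_RE = re.compile(r"^([A-Za-z]+)(.*)$")


def learn_rules(plaintexts):
    """Return (capitalized?, suffix) rules ordered by how often leaks show them."""
    seen = Counter()
    for pw in plaintexts:
        m = WORD_RE.match(pw)
        if not m:
            continue  # all-digit or symbol-first passwords are not modelled here
        word, suffix = m.groups()
        seen[(word[:1].isupper(), suffix)] += 1
    # most_common() keeps first-seen order among equal counts (Python 3.7+).
    return [rule for rule, _ in seen.most_common()]


def mangle(word, rule):
    """Apply one learned rule to a base word."""
    capitalized, suffix = rule
    return (word.capitalize() if capitalized else word.lower()) + suffix


def sha1_hex(text):
    """Unsalted SHA-1, as LinkedIn stored passwords in 2012."""
    return hashlib.sha1(text.encode()).hexdigest()


def crack(hashes, wordlist, rules):
    """Dictionary-times-rules attack. Returns ({hash: plaintext}, guesses made)."""
    remaining = set(hashes)
    found = {}
    guesses = 0
    for rule in rules:                 # most common rule first: fewest guesses
        for word in wordlist:
            candidate = mangle(word, rule)
            guesses += 1
            digest = sha1_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found, guesses
    return found, guesses


# Constructed targets: three hashes from a hypothetical unsalted SHA-1 dump.
TARGET_HASHES = [sha1_hex(p) for p in ("hunter!", "Qwerty1", "tigers2012")]


if __name__ == "__main__":
    rules = learn_rules(LEAKED_PLAINTEXTS)
    found, guesses = crack(TARGET_HASHES, WORDLIST, rules)
    print(f"learned rule order: {rules}")
    print(f"cracked {len(found)} of {len(TARGET_HASHES)} in {guesses} guesses")
    # Same rules in the wrong order: the same hashes fall, but far more slowly.
    _, slow = crack(TARGET_HASHES, WORDLIST, list(reversed(rules)))
    print(f"reversed rule order needed {slow} guesses")
```

The learned ordering recovers all three targets in 12 guesses, while the same rules applied in reverse order need 33; with a rockyou-sized word list and thousands of rules that ratio is what separates a weekend of GPU time from an afternoon. Salting and a slow hash such as bcrypt or Argon2 do not change which patterns people use, but they remove the one-guess-cracks-many-hashes economy that unsalted SHA-1 hands the attacker.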

Other Prominent Breaches

U.S. DHHS Breach Portal

The too-cutely named HITECH Act (Health Information Technology for Economic and Clinical Health Act) in the U.S. requires that the Secretary of the Department of Health and Human Services provide information to the public about all breaches affecting 500 or more individuals. See the department's breach portal for the details.
