A week hardly passed this year without a major data breach to remind us of how precarious the state of security was throughout 2017. And while I’d love to report otherwise, you’d be hard pressed right now to find anyone in the know who thinks things are looking up.
For starters, the personal information of nearly every US voter was leaked; the Social Security numbers of more than a hundred million Americans were stolen; and a slew of retail businesses exposed untold amounts of your financial data. And when it was all said and done, what did we learn? Well, mostly that corporations are still terrible at keeping our sensitive information safe.
The good news is that there was a recognisable shift this year in who the public holds responsible. Faceless hackers no longer seem a viable scapegoat for corporations whose security is found wanting. And even better, the way a company responds in the aftermath of a breach is now judged to be as important as the details of the breach itself.
Unfortunately, most data-breach hunters will tell you that the negligence we know about is merely the tip of the iceberg. Many security researchers who delve into breaches are sitting on massive backlogs of leaked data with little time to sort through it all.
Truth be told, tips about exposed data and hacked websites come rolling in every day — so many that my editors eventually became concerned that our readers were developing what they called “breach fatigue.” As one of them put it after the data breach at Vevo: “Pretty soon, Gizmodo will be nothing but articles about who got hacked today.”
Below is a list of just a few of the data breaches that grabbed headlines over the past year — some of which you might have even read here first.
Equifax
Hands down, Equifax is the top breach of 2017 – which is to say, it was the absolute worst in many ways. The amount of private data stolen was massive. It prompted several scathing congressional hearings. And the level of negligence involved was staggering. From the cause of the breach itself — an unpatched Apache Struts vulnerability that had been publicly disclosed, and fixed by the project, months before the intrusion — to the way in which Equifax continued to imperil its consumers after the fact, there’s no denying this was a cybersecurity catastrophe of epic proportions.
Equifax’s role as a credit reporting agency only adds insult to injury: It was like watching a firefighter flick a lit cigarette into a fireworks factory. Millions upon millions of US consumers trusted Equifax to guard their financial information. Today the company’s name is more or less synonymous with identity theft.
If there’s one good thing that came out of this incident, it’s that US officials seem to at least recognise that the days of using a Social Security number as a means to authenticate a person’s identity are over. Of course, recognising that fact and doing something about it are two different things.
RNC voter data
In June, Gizmodo broke a story about a major breach involving the personal information of nearly every registered voter in the country. It is the largest known breach of voter information ever reported, and it included a slew of political data collected on nearly 200 million Americans.
The breach, discovered by researchers at California-based UpGuard, was the result of the data being stored in a publicly readable Amazon S3 bucket managed by a conservative data firm that received close to $US1 million from the Republican National Committee during the 2016 election cycle.
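World-readable S3 buckets are behind several of the exposures on this list, so here is an added example (written for this page, not UpGuard's or the data firm's code) of the check a cloud team would run over its own buckets: given a bucket's ACL and policy in the shapes boto3 returns, flag anything that grants read access to AllUsers, AuthenticatedUsers or a wildcard principal. The bucket name, grants and policies are constructed sample data; the two group URIs are AWS's real constants.

```python
import fnmatch
import json

# The two AWS-defined group URIs that make an ACL grant world-readable.
# "AuthenticatedUsers" means any AWS account holder, which is public for all
# practical purposes. These URIs are real AWS constants; the bucket names,
# grants and policies further down are constructed sample data.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Actions that let a caller enumerate or download objects.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def acl_public_grants(grants):
    """Findings for ACL grants (the 'Grants' list returned by boto3's
    get_bucket_acl) that give READ or FULL_CONTROL to AllUsers or
    AuthenticatedUsers."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUP_URIS
                and grant.get("Permission") in READ_PERMISSIONS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def _principal_is_everyone(principal):
    """True for Principal "*" and for {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy_json):
    """Findings for statements in a bucket policy (the JSON string returned by
    get_bucket_policy()['Policy']) that allow anonymous reads.

    Statements with a Condition block are skipped rather than flagged: access
    limited by, say, aws:SourceVpce or aws:SourceIp is not anonymous, and
    deciding whether the condition is tight enough needs a human."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        # Actions may be wildcards such as "s3:*" or "s3:Get*"; match each one
        # against the concrete read actions we care about.
        exposed = [action for action in _as_list(stmt.get("Action", []))
                   if any(fnmatch.fnmatchcase(read, action) for read in READ_ACTIONS)]
        if exposed:
            findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows "
                            f"{', '.join(exposed)} to everyone")
    return findings


def audit_bucket(name, grants, policy_json=None):
    """Combine both checks. policy_json is None when the bucket has no policy
    (boto3 raises NoSuchBucketPolicy in that case)."""
    findings = acl_public_grants(grants)
    if policy_json:
        findings += policy_public_statements(policy_json)
    return {"bucket": name, "public": bool(findings), "findings": findings}


# Constructed sample data shaped like the boto3 responses.
EXPOSED_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::voter-file-example/*"}],
})
LOCKED_DOWN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "IngestRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/ingest"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::voter-file-example/*"}],
})

if __name__ == "__main__":
    print(audit_bucket("voter-file-example", EXPOSED_GRANTS, EXPOSED_POLICY))
    print(audit_bucket("voter-file-example", EXPOSED_GRANTS[:1], LOCKED_DOWN_POLICY))
```

To run it across an account, feed it the output of boto3's `list_buckets`, `get_bucket_acl` and `get_bucket_policy` (catching `NoSuchBucketPolicy`). Two caveats: object-level ACLs can make individual objects public even when the bucket itself passes, so audit objects as well; and the real fix is preventative, turning on S3 Block Public Access at the account level so grants like these are refused in the first place.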
In addition to the usual demographic information, the company was hosting a vast amount of personal data used to conduct sentiment analysis on individual voters: The data was used to predict where you and your family members likely fall on hot-button issues such as abortion, gun control, school vouchers, and so on. This rich data is incredibly useful for political campaigns when trying to decide which voters should receive campaign phone calls, mailers, and attention from door-to-door canvassers.
On a related note, Gizmodo broke a story last week detailing a data breach that exposed the state of California’s entire voter database. Last we checked, a law enforcement investigation was underway. In August, we reported that a leading supplier of voting machines had confirmed that the personal information of more than 1.8 million Chicago residents had been exposed.
Yahoo
Yahoo, to our knowledge, did not suffer a new data breach this year. But we learned a lot of new information about its 2013 breach, commonly understood to be the largest known hack of user data in history. In the last two months alone, after the company was acquired by Verizon, the number of accounts known to be affected went from 1 billion to all 3 billion of them.
In pursuing the hackers responsible, the US Justice Department in March indicted two FSB officers, Dmitry Dokuchaev and Igor Sushchin, for directing the intrusion. A third man, Karim Baratov, who is Canadian, pleaded guilty in connection with the hack just a few weeks ago. It’s unlikely Dokuchaev and Sushchin will ever see the inside of a US courtroom.
During a hearing before the Senate Commerce, Science and Transportation Committee in October, Yahoo executives – joined by those from Equifax – told Congress that their companies were helpless against such attacks. State-sponsored actors, well funded and armed with exploits that haven’t been publicly disclosed, can’t be stopped by traditional defences, the executives said, while pleading for closer cooperation with US intelligence agencies.
Uber
Even if Uber hadn’t suffered a breach this year, the company’s public image would still be pretty fucked given all the self-inflicted scandals plaguing the 9-year-old ride-hailing service. The company settled a lawsuit this month that alleged it illegally obtained a rape victim’s medical records; a former employee has accused the company of illegal surveillance, stealing trade secrets, and infiltrating anti-Uber activist groups in foreign countries; and the company has even tried blaming its own employees’ pitiful earnings on the employees themselves.
When you combine all of this with a huge data breach, which the company attempted to conceal, it’s a wonder Uber continues to exist.
As we previously reported, Uber paid a 20-year-old hacker $US100,000 ($129,120) to keep quiet after he managed to get his hands on the personal data of 57 million users. Of course, this case is complicated by the fact that Uber funneled the cash through a bug bounty program, which in some ways legitimized the payoff. Nevertheless, two Uber executives were fired as a result of the payment, including its chief security officer, Joe Sullivan.
Uber really screwed itself when it tried to conceal the breach. In states like California, in fact, failing to notify affected residents that their personal information has been breached is illegal. Multiple lawsuits related to the Uber breach are underway.
Once the bug was reported and fixed, the company could’ve saved itself yet another round of terrible PR by simply disclosing that it repaired a security flaw. It’s even possible that the amount Uber paid would have never been disclosed. Companies disclose breaches like this all the time, and it results in a day or two worth of news. But you can be sure, if there’s a way to inflate something into a full-blown scandal, Uber will find a way.
Speaking of ride-hailing services, last month Gizmodo reported that the data of as many as 1 million customers and drivers of the service Fasten was temporarily exposed in a breach discovered by the Kromtech Security Center. The data was interesting mostly because Fasten was the official ride-hailing service of SXSW last year, and the leak included location data that could be used to track the movements of customers.
In what we labelled the “creepiest data breach of 2017,” security researchers unearthed the logins for half a million vehicle-tracking devices. Here’s a snippet from our September 21st coverage:
“The Kromtech Security Center recently found over half a million records belonging to SVR Tracking, a company that specialises in ‘vehicle recovery,’ publicly accessible online. SVR provides its customers with around-the-clock surveillance of cars and trucks, just in case those vehicles are towed or stolen. To achieve ‘continuous’ and ‘live’ updates of a vehicle’s location, a tracking device is attached in a discreet location, somewhere an unauthorised driver isn’t likely to notice it.”
Kromtech separately disclosed a breach that exposed 10 million vehicle identification numbers (VINs) that we predicted could’ve been useful for car thieves. More than 16,000 VINs were linked to Jeep Wranglers, which was significant because at the time we disclosed the breach a Tijuana motorcycle club had just been indicted for using VINs — as well as access to a manufacturer’s key database — to steal 150 Wranglers worth an estimated $US4.5 ($6) million.
Kaspersky Lab
The Kaspersky Lab story has been a mess. On one hand, it seems that a company with a decent reputation was caught up in a red scare over Russian hackers targeting the US election. On the other, the company’s software apparently played a role in transmitting classified US documents into a foreign government’s hands.
As it turns out, Israeli intelligence officers who had hacked into Kaspersky Lab’s own network determined that Russian hackers had used the popular scanner to access classified information pulled from the laptop of an NSA contractor who was running Kaspersky antivirus. (As part of its function, Kaspersky reads every file stored on a computer, just like other anti-malware tools, and, like most cloud-connected antivirus products, it can upload files it deems suspicious to the vendor’s servers for analysis.) It was later disclosed that the NSA contractor had improperly stored classified material on his home computer, which is what made the breach possible.
Top Secret leaks
WikiLeaks kicked off the year by dumping a slew of CIA secrets online, including the “Vault 7” cache of hacking tools and documentation, some of it marked Top Secret. One of the more interesting dumps detailed how the CIA can track Windows users by scanning the wi-fi access points around them and applying a process known as trilateration. There were also some interesting router-hacking techniques disclosed in June.
Although WikiLeaks continues to impress by getting its hands on this stuff, aside from its historical value the true worth of this information is questionable — particularly with regard to any zero-day exploits it may have disclosed. Security researchers who trade in zero-days, and have even sold them to the US government, say privately that the value of these previously unknown exploits not only plummets over time, but that once an exploit has been used, intelligence agencies tend to treat it as burned and worthless.
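As an added illustration of the trilateration the Vault 7 documents refer to (this is example code written for this page, not anything from the leaked CIA tooling), the block below takes a wi-fi scan of BSSIDs and signal strengths, turns each RSSI into a distance estimate with a log-distance path-loss model, and solves for the scanner's position by least squares over the access points it can place. The path-loss constants, access-point coordinates and scan results are all constructed; a real implementation would look up each BSSID's position in a wi-fi geolocation database rather than in a hard-coded table, and would see far noisier RSSIs than the synthetic ones here.

```python
import math

# Log-distance path-loss model. Both constants are assumptions for the
# example: the RSSI expected 1 m from an access point and the environment
# exponent (2.0 in free space, higher indoors).
RSSI_AT_1M = -40.0
PATH_LOSS_EXPONENT = 2.5


def rssi_to_distance(rssi, rssi_at_1m=RSSI_AT_1M, n=PATH_LOSS_EXPONENT):
    """Invert the path-loss model: rssi = rssi_at_1m - 10 * n * log10(d)."""
    return 10 ** ((rssi_at_1m - rssi) / (10 * n))


def distance_to_rssi(distance, rssi_at_1m=RSSI_AT_1M, n=PATH_LOSS_EXPONENT):
    """Forward model, used here only to fabricate a plausible scan."""
    return rssi_at_1m - 10 * n * math.log10(distance)


def trilaterate(anchors):
    """Least-squares position from >= 3 (x, y, r) anchors.

    Subtracting the first circle equation from each of the others removes the
    quadratic terms and leaves linear equations a*x + b*y = c; these are then
    solved through the 2x2 normal equations, so extra anchors average out
    noise instead of being ignored."""
    if len(anchors) < 3:
        raise ValueError("need at least three anchors")
    x0, y0, r0 = anchors[0]
    rows = []
    for xi, yi, ri in anchors[1:]:
        a = 2 * (xi - x0)
        b = 2 * (yi - y0)
        c = r0 ** 2 - ri ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        rows.append((a, b, c))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear; position is ambiguous")
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)


def locate_from_scan(scan, ap_positions):
    """scan: list of (bssid, rssi) pairs as a wi-fi survey would report them.
    ap_positions: {bssid: (x, y)}, standing in for the geolocation database a
    real implementation would query. Unknown BSSIDs are ignored."""
    anchors = [(*ap_positions[bssid], rssi_to_distance(rssi))
               for bssid, rssi in scan if bssid in ap_positions]
    return trilaterate(anchors)


# Constructed data: four access points with known positions (metres) and a
# target at (3, 4), from which the RSSIs are synthesised with the forward model.
AP_POSITIONS = {
    "00:11:22:33:44:01": (0.0, 0.0),
    "00:11:22:33:44:02": (10.0, 0.0),
    "00:11:22:33:44:03": (0.0, 10.0),
    "00:11:22:33:44:04": (10.0, 10.0),
}
TARGET = (3.0, 4.0)
SAMPLE_SCAN = [
    (bssid, distance_to_rssi(math.dist(TARGET, pos)))
    for bssid, pos in AP_POSITIONS.items()
] + [("de:ad:be:ef:00:00", -70.0)]  # an AP not in the database, to be ignored

if __name__ == "__main__":
    print(locate_from_scan(SAMPLE_SCAN, AP_POSITIONS))
```

The collinearity check matters in practice: three access points along one wall give two mirror-image solutions, and the normal equations go singular rather than silently picking one.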
Gizmodo also reported a breach linked to a security contractor in September: Researchers at UpGuard found a batch of job resumes left unprotected online that included thousands of individuals with high-level security clearances. It appeared as if the contractor outsourced its resume-processing to a third-party company, which then failed to delete the data after assuring the contractor it would be removed from an Amazon server.
Among the leaked applications was one from someone who admitted to having been a “warden advisor” at the infamous Abu Ghraib prison in Iraq. (People who worked at locations like Abu Ghraib are nearly unhirable because of the PR liability of hiring someone “tainted” by “allegations” of torture.)
We also reported a breach discovered by UpGuard involving Booz Allen Hamilton, the former employer of whistleblower Edward Snowden. The breach involved a project Booz was working on for the National Geospatial-Intelligence Agency, which among other duties monitors troop movements for the Pentagon. While some of the code that leaked indicated the program would eventually be used to handle up to Top Secret information, no classified information was found. UpGuard did, however, locate a bunch of other credentials, including private encryption keys, pointing to separate servers — the contents of which remain unknown.
We’d be remiss if we didn’t mention Reality Winner, a massive profile of whom was published in the New Yorker last week. The 25-year-old National Security Agency contractor reportedly smuggled classified intelligence out of a secured area by stuffing printed documents down her pants and walking them out the front door. The papers, which allege Russian-government hackers targeted US voting systems last year, eventually found their way into the hands of Intercept reporters.
Whole Foods
A data breach at Whole Foods, first disclosed in late September, was mostly overshadowed by the ongoing congressional hearings over the Equifax fuckups — nevertheless, payment card data at up to 117 venues was confirmed stolen.
We fixated on this breach in multiple stories because the company, which was purchased by Amazon this year, kept refusing to disclose information that we knew it had on hand. For instance, it refused to say when it first discovered the breach, which would in turn have told us how long executives kept it a secret before notifying customers. We bugged the company for several months, but it has decided this information is not for public consumption.
Given the company’s reflexive secrecy, shop at Whole Foods at your own risk, I guess.
560 million passwords
In yet another breach discovered by Kromtech researchers, a leaky database exposed more than 560 million login credentials linked to as many as 10 popular online services, including Adobe, Tumblr, and Dropbox. When we broke the story, Kromtech was working with Have I Been Pwned creator Troy Hunt to determine how many of the credentials came from previous breaches. It turned out — based on a random sample of 10,000 username-password combinations — that roughly 98 per cent were from previous breaches at sites like Last.fm, MySpace, and others.
Ironically, someone had apparently spent years collecting data from these breaches and compiling it into one massive database of leaked logins — only to become the source of a major data breach themselves.
There are literally thousands of other data breaches we could list here, but you have to stop somewhere. With that in mind, take a second and visit haveibeenpwned.com to find out if your login has been exposed. Here’s to another year fraught with data insecurity. Remember to change your passwords! And since most of those 560 million credentials were simply recycled from older breaches, use a different password for every site and turn on two-factor authentication wherever it’s offered.
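To turn that closing advice into something you can run against a list of passwords, whether your own or a credential dump you have to triage, here is an added example, not code from Gizmodo or from Have I Been Pwned, of the k-anonymity range check that HIBP's Pwned Passwords API uses. The endpoint URL and the five-character SHA-1 prefix scheme are the service's real published interface; the range response embedded below and its counts are constructed so the block runs offline.

```python
import hashlib
import urllib.request

# Real endpoint of Troy Hunt's Pwned Passwords range API: you send the first
# five hex characters of the SHA-1 of the password and get back every known
# hash suffix in that range with its breach count, so the full hash (and the
# password) never leaves your machine.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"
PREFIX_LEN = 5


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest):
    """(prefix sent to the API, suffix compared locally)."""
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range(body):
    """Turn the 'SUFFIX:COUNT' lines of a range response into {suffix: count}.
    Padded responses include count-0 entries; those are kept and simply mean
    'not seen'."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password, fetch_range):
    """Number of times the password appears in known breach corpora, or 0.
    fetch_range(prefix) -> response body, injected so the check can be run
    against canned data as well as the live API."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix):
    """Live fetch. Add-Padding asks the service to pad the response so its
    length does not leak how many hashes share the prefix."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "breach-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API. "5BAA6" is the real prefix of
# SHA-1("password"); the counts and the other two suffixes are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0\n"
    ),
}


def fetch_range_offline(prefix):
    return CONSTRUCTED_RANGES.get(prefix, "")


def check_passwords(passwords, fetch_range=fetch_range_offline):
    """Map each password to its breach count; this is the screening step that
    tells you which entries in a dump are merely recycled from older breaches."""
    return {pw: pwned_count(pw, fetch_range) for pw in passwords}


if __name__ == "__main__":
    for pw, count in check_passwords(["password", "abc"]).items():
        print(f"{pw!r}: {'seen ' + str(count) + ' times' if count else 'not in corpus'}")
```

Pass `fetch_range_online` as the second argument to query the live service; the design point is that only the prefix goes over the wire, so the check can be added to a signup or password-change flow without ever sending the password itself to a third party.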