In our last blog about data center hygiene, I talked about how most hackers are getting into your data centers in pretty standard, and more importantly, preventable ways. You can read more in depth about hacks and security with some interesting perspectives and thought leadership from our Guardicore Labs team, who research and write about the truly interesting campaigns they discover and analyze. In this article, however, I want to focus on four of the most talked about breaches of the past few years. By looking at what was stolen, who was impacted, how the data center breaches occurred, and what the tangible damage was, we should be able to see a pattern in how these attacks were perpetrated, and how they could have been stopped.
Equifax – What Happened?
The amount of data stolen was huge, including 148 million American names, dates of birth and social security numbers, 15 million British names, dates of birth and driving license and financial details, and an unknown number of PII belonging to Canadians and Australians. Home addresses, genders, passport details and taxpayer ID cards were stolen, as well as payment card information.
The damage to Equifax continues to grow. The stock drop alone cost the company $4 billion, alongside scrapped bonuses and IT costs of $242.7 million. There are 19 class action lawsuits pending against the company, and fines outstanding from US and Canadian regulatory commissions. The UK have fined the company £500,000, (US$660,000) which is the maximum they could levy prior to new GDPR regulations.
How Could it Have Been Prevented?
The initial entry point for the Equifax attackers was an unpatched vulnerability in their front-end web services, specifically in Apache Struts 2.0. According to the US House of Representatives, “The company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed attackers to access and remove large amounts of data.” To understand more about this advice, see our deep dive on the Equifax failures.
Segmentation was obviously a core problem for Equifax- the lack of segmentation allowed the attackers to move with ease to critical areas once they made it through the perimeter. This was made worse by poor data hygiene, something we mentioned in our previous blog. The hackers were able to steal the data because of an out-of-date digital certificate, which had expired more than 19 months before the breach.
Equifax have also been criticized for their lack of proper incident response, a problem we see in many data center breaches. As early as August 2016, Equifax was warned about vulnerabilities, and told about flaws in their data center. Allegedly, the company did nothing, even when they learned that hackers had broken into their computer system and when they observed and blocked what they called “suspicious network traffic.” This dangerous inaction is not only illegal, but borders on negligence.
Target – What Happened?
100 million customers were affected by the 2013 Target data center breach, with data exposed including mailing addresses, names, email addresses, phone numbers and credit and debit card account data. This information could then be used to hack consumer accounts or launch phishing scams. Financial data stolen was complete, including account numbers, CVV codes and expiration dates.
Target also suffered a drop in their stock price as a result of the data center breach, with hundreds of lawsuits and around $3.6 billion worth of fines levied against them. The most unique outcome of this in comparison to other data center breaches is that it caused a total change to the retail industry. Card payment systems and Point of Sale systems were changed, the EMV chip was adopted, and a new protocol began with the tokenization of transactions.
How Can Data Center Breaches like the Target Attack be Avoided?
Third party vendors and services can be the weakest link in your ecosystem, without you even knowing it. For Target, the hack of their HVAC vendor network was the entry point for the hackers. With the right amount of visibility, the company could have seen that this was a risky connection, and a potential breach point. Once inside the Target network, the financial data was accessible to the attackers because it was not segmented for PCI compliance. Lastly, poorly patched Point of Sale systems could have been protected with better account management.
While the company was warned of the breach in advance, the CISO at Target was concerned about losing revenue during the all-important holiday season, so delayed the incident response.
Yahoo – What Happened?
The largest breach of its kind, 1 billion records were exposed in 2014 when Russian hackers infiltrated the Yahoo network. Among the data stolen was email addresses, usernames, phone numbers, security questions and encrypted passwords. This information has since been used in hundreds of attacks worldwide. Shockingly, Yahoo failed to notify anyone about the breach until 2016, and there is still not a clear answer to how the network was breached.
In 2018, the SEC fined them $50 million, and as with all data center breaches that affect this many individuals, there is likely to be more financial and legal consequences on the way.
Marriott – What Happened?
It can be hard to gauge the damage of an attack, especially when the company in question is less than upfront about the situation. Attackers breached the network of the Starwood systems, owned by Marriott hotels, during 2014, which means they achieved a dwell time of at least 1441 days. The hackers were Chinese intelligence services, with the motive of tracking people of interest and espionage.
The data stolen includes the names, phone numbers, email addresses, dates of birth and passport information of guests at the hotel, providing clear benefits for intelligence agencies who want insight into people’s movements, meetings, and credentials. It can also be used to create counterfeit passports, with real identification information. The secrecy around this attack, and the length of the dwell time means that the consequences are likely to be harsh. The GDPR breach alone will cost Marriott $915 million, while US federal investigations are still underway before further fines can be given.
Gaining Visibility and Control over Data Center Breaches like Yahoo and Marriott
Now let’s look again at our data center security checklist from the previous blog. In all of these cases, solving the issues on the checklist could have reduced risk and perhaps even prevented these data center breaches. Starting with visibility, identify your critical assets and digital crown jewels, so that you know where segmentation can make a difference. Ensure that areas of compliance are near the top of your to-do list. Protect your data center from the weakest links, namely the third-party vendors, suppliers and distributors who could be putting you at risk. Lastly, alongside underlying data hygiene, make sure you have an incident response plan that is up to date and tried and tested.
Want to learn more about how segmentation and microsegmentation can help you achieve early wins for your company? Check out our white paper on smart segmentation.
Interested in research? Follow the exploits uncovered by Guardicore Labs here. You can also check out Infection Monkey, a free, open source vulnerability assessment tool that works across premises, vSphere, multiple clouds and containers. A recent addition- look up potential threatening domains and IPs using our cutting-edge Cyber Threat Intelligence.