Welcome! to Secure Hive
Aleph-Naught PII Records On The Wall
Joe Purcell
Staff Writer
2011-08-25
Remember that old song "Aleph-Naught Bottles of Beer on the
Wall"? Of course not, because it's actually 99, but when it
comes to security breaches it makes more sense to start counting
down from aleph-naught. The exposure of Personally Identifiable
Information (PII) on the internet is perhaps a never-ending
event, just like the song. Gabia, HSBC Korea, Epson Korea, Yale,
SCMLC, ShoWorks, and RBS were all involved in data loss
amounting to 433,652 records, and information on one of
Vanguard's senior VPs was made public.
According to
Reuters, the data loss at Epson Korea involved information on
350,000 customers. A number of related attacks were made on
other Korean companies, including the domain registrar Gabia,
and HSBC Korea's website was brought down for an hour, which
disabled its online banking service.
Yale University fell prey to Googlebot's indexing. Google
modified its search engine in September of 2010 to be able to
index FTP servers, but the university was unaware. As a result,
some 43,000 Social Security numbers were made available on the
internet and remained there for 10 months until June 30th, when
the breach was discovered. Yale Daily News
covers the incident and explains that the file was hidden on
their server under a misleading filename, but that was not
enough to prevent it from being found on the internet.
Identity Finder, which attempts to minimize data loss exposure,
discovered 311,778 Social Security numbers belonging to Southern
California Medical-Legal Consultants (SCMLC). The issue was
discovered on May 11th of this year, but was not mentioned in a
press release by Identity Finder until this week.
The company ShoWorks Inc was the
victim of an attack that exposed the emails and passwords of
20,000 employees through the
allianceforbiz.com
website. The leak included other information as well.
An email sent from a Hays plc employee to 800 staff at the
Royal Bank of Scotland (RBS) contained the pay rates for 3,000
contractors. According to
the FT article, the IT staff was able to delete half of the
emails before people had the chance to read them.
Perhaps most startling was the
sensitive information obtained regarding the senior VP
Richard Garcia at Vanguard. Vanguard produces the
ShadowHawk Unmanned Aerial System (UAS), which is used by the
military, other corporations, and law enforcement around the
world. The company is contracted by both the Pentagon and the
FBI, which is why it was chosen, according to Anonymous'
press release.
CNET reports that in a conversation with Vanguard's CEO
"there was no breach of its servers or Web site, but rather that
it was Garcia's personal Gmail account that was accessed." He
goes on to state that the 1GB of information obtained by AntiSec
concerned Garcia's involvement with InfraGard and that no
sensitive or proprietary information of Vanguard was exposed.
This is certainly not the first time
hackers have hijacked email accounts of federal or related
officials.
As the
2011 Data Breach Investigations Report produced by Verizon's
RISK Team, the US Secret Service, and the Dutch High Tech Crime
Unit states, data breaches still don't require highly
sophisticated attacks. In fact, the attack methods used can be
highly innovative, straightforward, and simple, such as
character encoding hacks. Whatever is connected to the
internet, be it a mobile device (see the
recent Android Gingerbread (2.3.3) exploit), personal
computer, or web server, hackers are finding their way in and
are
rewarded by their peers through sites like
Rank My Hack, Twitter, or
simply by being able to identify with a larger community. It is
up to IT departments to take the initiative, stay up to date on
the latest kinds of attacks, read reports on solutions such as
Protegrity's "It's
Not Just about Credit Card Numbers Any More" report, and
structure their data systems in a defensive manner.