Security SNAFUs? How bad is it so far this year? Well, let’s start with Snapchat’s 4.6 million user database SNAFU, followed by a parade of retail stores including Neiman Marcus and Sally Beauty Holdings, telling their customers how their payment card information had been hacked. The hacker group Syrian Electronic Army was also busy tormenting Microsoft, among many others. And there’s plenty of other mischief, such as denial-of-service attacks and cyber-espionage to round out what’s only the first half of the year.
- In the first few days of the year, gaming sites, including Steam, were hit by multiple denial-of-service attacks, with some blaming irate players.
- In other New Year mayhem, malware was inadvertently served up via Yahoo’s advertising network, mainly in Romania, Great Britain and France. Yahoo said it took steps to block the malvertising attack.
- Snapchat, the photo app and delivery service, suffered a security gap that resulted in the phone numbers and usernames of up to 4.6 million accounts being downloaded by a site called SnapchatDB.info. Snapchat called the incident “no big deal,” but said it would try to make such harvesting more difficult to do.
- The high-end store Neiman Marcus acknowledged hackers had stolen information related to about 1.1 million payment cards of its customers, and the company’s senior vice president and CIO Michael Kingston had to testify about the malware-based cyberattack before Congress.
- The Syrian Electronic Army, the hacker group believed to be loyal to Syrian President al-Assad, continued its attacks, hacking Skype’s official Facebook and Twitter pages and its blog, posting messages telling users not to use Microsoft’s e-mail service Outlook and claiming that Microsoft sells user information to the government. The Syrian hacker group also hacked the @XboxSupport Twitter pages and the official Microsoft Office Blog. Besides Microsoft, it also hit CNN by hacking the official Twitter account and posting messages featuring the Syrian flag, which CNN quickly removed. Later in the year, the hacker group also hacked the websites of eBay and PayPal UK, the DNS records of Facebook (which Facebook quickly restored), and the Forbes website and its Twitter accounts, among others.
- AIG’s Variable Annuity Life Insurance Company disclosed that information related to 774,723 customers had been taken on a hard drive by a former financial advisor, who was arrested by law enforcement last September and is being criminally prosecuted.
- The University of Maryland suffered two breaches, the worst one in February when hackers stole personal data related to 307,079 individuals from a records database. Brian Voss, the U-MD CIO, was quoted as saying the hackers had a “very significant understanding” of the school’s network security and “these people picked through several locks to get to the data.”
- The Los Angeles Department of Health Services said it’s notifying about 168,000 patients that their personal health information as well as billing information was at risk of exposure after Sutherland Healthcare Solutions, which handles DHS’s billing and collections, reported in February that its office was broken into and computer equipment holding that information was stolen.
- Indiana University said a breach of its systems had exposed the personal data of about 146,000 students. The university indicated it believed the information, which had been stored in an insecure manner, wasn’t grabbed by an individual hacker but instead was crawled by a number of automated web-crawling applications.
- In a flub, Banner Health based in Phoenix accidentally exposed personal information on more than 50,000 people when their Medicare and Social Security numbers showed up on magazine address labels.
- The State of Connecticut said that due to a printing error, the tax forms containing unemployment information mailed to about 27,000 people could include someone else’s information. The department said it was re-mailing the forms.
- Bitcoin exchange Mt. Gox said it lost 750,000 of its customers’ bitcoins — a value of $470 million — after the virtual currency disappeared from its digital coffers. It later filed for bankruptcy.
- Hackers were circulating credentials for what appeared to be more than 7,000 FTP sites, including compromised servers for the New York Times, where hackers uploaded several files to its server.
- The Wall St. Journal, citing undisclosed sources, reported that a major infiltration of a military network blamed on Iran was “facilitated by a poorly written contract with computer-services provider Hewlett-Packard Co.” because the government contract with HP for the Navy Marine Corps intranet didn’t require the company to provide security for a specific set of government databases, “and as a result, no one regularly maintained security on them.”
- Social site Meetup was made unavailable for over a day as it suffered a denial-of-service attack that came with an extortion request for $300. Meetup said it would not negotiate with cyber-criminals.
- The Internal Revenue Service said an IRS employee took home personal information on about 20,000 individuals stored on a drive and loaded it onto an insecure home network.
- The Veterans of Foreign Wars of the U.S. notified 55,000 of its veteran members that it learned in April that attackers, possibly from China seeking military information, had gained access to its systems to download tables containing names, addresses and Social Security numbers. The attack made use of malware such as remote access Trojans, the VFW said.
- Law enforcement alerted Portland, Ore.-based Central City Concern, which assists those struggling with homelessness, poverty and drugs, that a former CCC employee had wrongfully copied personal information from what was discovered to be about 17,914 client records in order to try to process fraudulent tax returns in the names of people CCC was trying to help.
- Coca-Cola said a former employee in Atlanta stole 55 laptops that had contained unencrypted personal information on about 74,000 people, most of them Coca-Cola employees. The company didn’t say how it had regained the laptops but acknowledged to the Wall St. Journal that company policy requires laptops to be encrypted but these stolen laptops weren’t.
- AOL said a cyberattack had compromised customer e-mail accounts, possibly tens of millions of them, and urged AOL users to change their passwords.
- Canadian police arrested a 19-year-old man for allegedly exploiting the Heartbleed Bug to steal data about taxpayers. They said Stephen Arthuro Solis-Reyes of London, Ontario, took advantage of the vulnerability to steal information from the Canada Revenue Agency’s website, including Social Insurance Numbers for about 900 people there.
- After months investigating a data breach of its payment system, the Michaels art and crafts store chain said information on 3 million customer payment cards was compromised. In addition, at its subsidiary Aaron Brothers art and framing stores, 400,000 customer payment records were compromised.
- The Heartbleed Bug, a flaw found in some versions of OpenSSL code, set off a worldwide stampede to update affected vulnerable servers and other gear. But there were some missteps along the way. Akamai Technologies, whose networks handle up to 30% of all Internet traffic, said it was re-issuing all SSL certificates and security keys used to create encrypted connections between its customers’ websites and visitors to those sites after a researcher found fault in custom code the company thought had shielded most of its customers from the Heartbleed Bug.
- Government prosecutors named 27-year-old Nicholas Knight, a former Navy systems administrator assigned to the nuclear reactor of an aircraft carrier, as the leader of an antigovernment hacking group called Team Digi7AL, which allegedly broke into networks of more than 30 governments, companies and individuals two years ago to steal personal information about employees and customers. Knight had been discharged from the Navy after prosecutors accused him of trying to hack into a Navy database while on board the USS Harry S. Truman.
- eBay informed the public that hackers had stolen about 145 million user names and encrypted e-mail addresses from its databases, and recommended that eBay users immediately change their passwords.
- A suspected Iranian hacker group seeded Facebook and LinkedIn with bogus profiles of attractive women and even created a fake online news organization to get digitally close to more than 2,000 people whom it wanted to spy on. Once they had befriended their targets through fake profiles, the people were emailed malicious links designed primarily to steal email account credentials, according to details provided by security consultancy iSight Partners.
- Cloud provider Joyent suffered an outage after an administrator made an operational error in simultaneously re-booting all the virtual servers hosted in the company’s US-East-1 data center. About an hour later, the servers were back online, and Bryan Cantrill, the CTO there, said Joyent would now do a “postmortem” on the incident to find out “how this was architecturally possible.”
- Gingerbread Shed Corp., the marketing, RFID access control and ticketing software company in Tempe, Ariz., notified about 50,000 customers that an unauthorized third party obtained access to information about them, including names, telephone numbers, e-mail addresses, credit-card information and the user names and passwords for the company’s website accounts.
- The Home Depot said an employee with authorized access to its computer systems had gotten hold of 30,000 records of customer information associated with the tool-rental area and had provided some of it to unidentified third parties. That information included names, addresses, phone numbers, birth dates, card brands, card account numbers and card expiration dates.
- Israeli-based security firm RISCO, which was helping provide security management for the FIFA World Cup games, tweeted a photograph of their state-of-the-art monitoring center, but in it accidentally exposed the World Cup’s security center’s internal Wi-Fi password to the whole world.
- Restaurant chain P.F. Chang’s said that customer debit and credit card numbers had been stolen from stores, adding that it learned of the theft through the Secret Service. The cause, still under investigation, may be malware-infected point-of-sale terminals; P.F. Chang’s said it was switching to old-fashioned manual processing of customer card information at its restaurants.
- A hacker group calling itself “Rex Mundi” broke into Domino’s Pizza’s network, grabbing the names, addresses, phone numbers, e-mail addresses, passwords and even favorite pizza toppings of about 592,000 French and 58,000 Belgian customers, which the group posted on the Pastebin site. The hackers indicated they had demanded 30,000 Euros from Domino’s to not post the information, but Domino’s refused to pay it.
- The Montana Department of Public Health and Human Services said a department server containing 1.3 million records of client information, including names, addresses, birth dates, Social Security numbers and clinical information, had been broken into by hackers. It was unclear whether data had been extracted.
- Butler University in Indiana said personal information related to up to 160,000 students, faculty and alumni was put at risk because of a data breach tied to a suspect in California who had a flash drive with Butler employees’ personal information, including birthdays, Social Security numbers and bank account information.
- Long Island-based radiology practice NRAD Medical Associates said it discovered that an employee radiologist had accessed and acquired protected health information from NRAD’s billing systems without authorization. The breach was estimated at 97,000 records of patient names and addresses, dates of birth, Social Security information, health insurance, and diagnosis information. NRAD’s public statements indicate the employee no longer works there.
- An estimated 233,000 records of individuals were compromised, including Social Security numbers and payment information, after hackers exploited a vulnerability in systems belonging to Paytime, Inc., the Mechanicsville, Pa., payroll company disclosed.
- American Express was informed by the Secret Service that several large files containing personal information amounting to almost 76,608 American Express account records were posted on Internet sites by individuals claiming to be associated with the worldwide hacking collective Anonymous. AmEx said it was working to prevent a similar compromise.
- Microsoft commandeered part of an Internet service provider’s networks in order to shut down a criminally operated botnet based on malware known as Bladabindi-Jenxcus. But the Nevada-based company, No-IP (a DNS provider owned by Vitalwerks), complained that Microsoft’s actions interfered with customers that had nothing to do with the botnet. Microsoft admitted it made a technical error, acknowledging that some No-IP customers “whose devices were not infected by the malware experienced a temporary loss of service.” Microsoft and Vitalwerks later reached a settlement related to the subdomains used to control the malware.
- Code Spaces, a hosting provider on Amazon EC2 used by organizations for project management and development needs based on Subversion and Git, was forced to close down after attackers first slammed it with a denial-of-service attack to demand a ransom—and then wiped out most of its customer-held code when it refused to pay.
This story, "The Worst Security SNAFUs This Year (So Far) " was originally published by Network World.