We keep hearing about them in the news. The tallies are astounding: 145 million user accounts compromised here, 40 million credit cards stolen there. What isn't always as clear with the most high-profile data breaches is how they occurred in the first place and what you can do to prevent seeing your organization in a similar headline.
CIO.com tapped several security professional to summarize the origins of the top five recent data breaches to affect U.S. firms. There are also lessons to learn from AT&T, Community Health Systems, Experian, Michaels, Neiman Marcus, P.F. Chang's and the UPS Store, among many others.
Lesson From Adobe: Build Better Systems
Topping the list is the Adobe Systems breach, which the company calls a "sophisticated attack" of its network and involved stealing 153 million customer records. The company later said a smaller subset of those accounts were still active.
Joe Siegrist, CEO and co-founder of password management company LastPass, says the breach is unique because it involved so many customer records and because we have so little information about what actually occurred. Hackers stole 3.8 GB of compressed data – email addresses, password hashes and password hints – all apparently obtained from a backup server, he says.
David Schoenberger, CIO at CertainSafe, says the hacker probably broke in using various methods, including SQL injections or fake IP addresses. He says the answer is to build better systems – use stronger passwords and deploy better firewalls.
Lessons From eBay: Encrypt Data, Educate Employees
The recent eBay breach, meanwhile, involved the theft of 145 million user accounts. Todd Weller, the VP Corporate Development for Hexis Cyber Solutions explains that this breach at least didn't involve stolen credit cards, which were protected by strong data encryption. Hackers were able to steal the names, addresses, emails, and phone numbers for users. This involved confirmed reports of hackers stealing login credentials for specific employees.
[ Analysis: Is eBay Trading Too Much Security for Seller Happiness? ]
There are few clues about how the attack actually took place, but Weller says it was likely a phishing scam or a social engineering attack that tricked employees into giving out their logins. The best preventive measures, he adds, would have been encrypting all user data and educating employees about phishing scam dangers.
Lesson From JP Morgan Chase: Invest in Intrusion Detection
The worst data breaches are sometimes left unsolved, but security professionals can sometimes piece together the root cause. Idan Tendler, the CEO of security analytics company Fortscale, says it's possible, based on unconfirmed reports, that the JP Morgan Chase breach of 83 million customers' persona data happened after hackers obtained a list of the applications that run on the bank's internal servers.
Once hackers had the list, they searched for known vulnerabilities for each application until they found a way to break in. They then obtained administrative privileges to gain access to the servers. Then they stole the data. Tendler says analytics tools could have noticed the intrusions at specific times of the day and looked for login anomalies.
Lesson From Target: Find the Most Critical Vulnerabilities
Target became one of the latest victims of a phishing email campaign. Kevin Conklin, a spokesperson for the IT security company Prelert, believes the Target breach was a result of a hacker using authorized login credentials obtained using an email phishing campaign targeting a specific contractor. The credentials allowed the hackers to install a malware program on the POS terminals that read a customer's credit card. All told, the attack compromised 70 million customer accounts and 40 million credit cards.
Conklin says the twist is that Target security tools detected the breach and issued alerts, but the attackers likely kept manually attempting to login. It's possible that Target received thousands of these alerts during the attack period. Conklin argues that threat detection tools, including one his company offers, could reduce the damage because they search for more critical anomalies.
Lesson From Home Depot: Well-Configured Firewalls
Most security experts say Home Depot was the victim of a spearphishing attack – a highly specific, targeted ruse that arrives by email and then infects a computer with malware. According to Francis Turner, a product manager for ThreatSTOP, the Home Depot breach, which affected 56 million credit and debit cards, could have involved just one successful attack – and just one employee agreeing to the install. It's also possible this one specific employee was repeatedly spearphished.
Turner says the real hack isn't the intrusion but, rather, the fact that the malware could "call home" and carry out further instructions. Firewalls configured to block both incoming and outgoing attacks would have helped, he adds.