Date: 2025-05-01 Page is: DBtxt003.php txt00014423

Cyber Security
Hackers winning / Security on Defence

The Great Data Breach Disasters of 2017

Burgess COMMENTARY

Peter Burgess

(Photo: AP)

A week hardly passed this year without a major data breach to remind us of how precarious the state of security was throughout 2017. And while I’d love to report otherwise, you’d be hard pressed right now to find anyone in the know who thinks things are looking up.

For starters, the personal information of every US voter was leaked; the Social Security numbers of more than a hundred million Americans were stolen; and a slew of retail businesses exposed untold amounts of your financial data. And when it was all said and done, what did we learn? Well, mostly that corporations are still terrible at keeping our sensitive information safe.

The good news is that there was a recognizable shift this year in who the public holds responsible. Faceless hackers no longer seem a viable scapegoat for corporations whose security is found wanting. And even better, how a company responds in the aftermath of a breach is now treated as being as important as the details of the breach itself.

Unfortunately, most data-breach hunters will tell you that the negligence we know about is merely the tip of the iceberg. Many security researchers who delve into breaches are sitting on massive backlogs of leaked data with little time to sort through it all.

Truth be told, tips about exposed data and hacked websites come rolling in every day—so many that my editors eventually became concerned that our readers were developing what they called “breach fatigue.” As one reader put it after we reported a data breach at Vevo: “Pretty soon, Gizmodo will be nothing but articles about who got hacked today.”

Below is a list of just a few of the data breaches that grabbed headlines over the past year—some of which you might have even read here first.

Equifax

Hands down, Equifax is the top breach of 2017—which is to say, it was the absolute worst in many ways. The amount of private data stolen was massive. It prompted several scathing congressional hearings. And the level of negligence involved was staggering. From the cause of the breach itself—ultimately found to be easily avoidable—to the way in which Equifax continued to imperil its consumers after the fact, there’s no denying this was a cybersecurity catastrophe of epic proportions.

Equifax’s role as a credit reporting agency only adds insult to injury: It was like watching a firefighter flick a lit cigarette into a fireworks factory. Millions upon millions of US consumers trusted Equifax to guard their financial information. Today the company’s name is more or less synonymous with identity theft.

If there’s one good thing that came out of this incident, it’s that US officials seem to at least recognize that the days of using a Social Security number as a means to authenticate a person’s identity are over. Of course, recognizing that fact and doing something about it are two different things.

Related: Equifax Investigation Clears Execs Who Dumped Stock Before Hack Announcement. “Equifax discovered on July 29th that it had been hacked, losing the Social Security numbers and…”

Related: Report: Equifax Warned of Vulnerability Six Months Before Attack, Took No Action. “It didn’t seem possible, but Equifax may have screwed the pooch even harder than previously thought.”

Related: IRS Suspends $7 Million Contract After Equifax Screws Up for the Umpteenth Time. “The IRS announced late Thursday night that it has temporarily suspended a $7.25 million contract…”

RNC voter data

In June, Gizmodo broke a story about a major breach involving the personal information of nearly every registered voter in the country. It is the largest known breach of voter information ever reported, and it included a slew of political data collected on nearly 200 million Americans.

The breach, discovered by researchers at California-based UpGuard, was a result of information being stored on an unsecured Amazon S3 bucket managed by a conservative data firm that received close to $1 million from the Republican National Committee during the 2016 election cycle.

In addition to the usual demographic information, the company was hosting a vast amount of personal data used to conduct sentiment analysis on individual voters: The data was used to predict where you and your family members likely fall on hot-button issues such as abortion, gun control, school vouchers, and so on. This rich data is incredibly useful for political campaigns when trying to decide which voters should receive campaign phone calls, mailers, and attention from door-to-door canvassers.

On a related note, Gizmodo broke a story last week detailing a data breach that exposed the state of California’s entire voter database. Last we checked, a law enforcement investigation was underway. In August, we reported that a leading supplier of voting machines had confirmed that the personal information of more than 1.8 million Chicago residents had been exposed.

Related: GOP Data Firm Accidentally Leaks Personal Details of Nearly 200 Million American Voters. “Political data gathered on more than 198 million US citizens was exposed this month after a…”

Related: US Voting Machine Supplier Leaks 1.8 Million Chicago Voter Records [Updated]. “A leading US supplier of voting machines confirmed on Thursday that it exposed the personal…”

Related: Stolen California Voter Database Held for Bitcoin Ransom [Updated]. “An Amazon AWS server believed to contain files on all of California’s registered voters was left…”

Yahoo

Yahoo, to our knowledge, did not suffer a data breach this year. But we learned a lot of new information about its 2013 breach, what’s commonly understood to be the largest known hack of user data in history. The number of known accounts affected went from 1 billion to 3 billion in the last two months alone—after the company was acquired by Verizon.

In pursuing the hackers responsible, the US Justice Department announced in March that it was investigating hackers linked to Russian intelligence who have since been identified as FSB officers Dmitry Dokuchaev and Igor Sushchin. A third man, Karim Baratov, who is Canadian, pleaded guilty to hacking 500 million Yahoo accounts just a few weeks ago. It’s unlikely Dokuchaev and Sushchin will ever see the inside of a courtroom.

During a hearing before the Senate Commerce, Science and Transportation Committee in October, Yahoo executives—joined by those at Equifax—told Congress that the company was helpless when it comes to defending against such attacks. The sophistication of state-sponsored actors, well-funded and armed with exploits that haven’t been publicly disclosed, can’t be stopped by traditional means, the executives said, while pleading for enhanced cooperation with US intelligence agencies.

Related: Equifax and Yahoo Complain They Are Helpless Against State-Sponsored Hacks. “Former and current Equifax and Yahoo executives appeared on Capitol Hill on Wednesday to testify…”

Uber

Even if Uber hadn’t suffered a breach this year, the company’s public image would still be pretty fucked given all the self-inflicted scandals plaguing the 9-year-old ride-hailing service. The company settled a lawsuit this month that alleged it illegally obtained a rape victim’s medical records; a former employee has accused the company of illegal surveillance, stealing trade secrets, and infiltrating anti-Uber activist groups in foreign countries; and the company has even tried blaming its own employees’ pitiful earnings on the employees themselves.

When you combine all of this with a huge data breach, which the company attempted to conceal, it’s a wonder Uber continues to exist.

As we previously reported, Uber paid a 20-year-old hacker $100,000 to keep quiet after he managed to get his hands on the personal data of 57 million users. Of course, this case is complicated by the fact that Uber funneled the cash through a bug bounty program, which in some ways legitimized the payoff. Nevertheless, two Uber executives were fired as a result of the payment, including its chief security officer, Joe Sullivan.

Uber really screwed itself when it tried to conceal the breach. In states like California, in fact, it’s illegal. There are multiple lawsuits underway related to the Uber breach.

Once the bug was reported and fixed, the company could’ve saved itself yet another round of terrible PR by simply disclosing that it repaired a security flaw. It’s even possible that the amount Uber paid would’ve never been disclosed. Companies disclose breaches like this all the time, and it results in a day or two worth of news. But you can be sure, if there’s a way to inflate something into a full-blown scandal, Uber will find a way.

Speaking of ride-hailing services, last month Gizmodo reported that as many as 1 million customers and drivers who used the service Fasten were temporarily exposed in a breach discovered by the Kromtech Security Center. The data was interesting mostly because Fasten was the official ride-hailing service of SXSW last year, and the leak included locational data for tracking the movements of customers.

Related: Relatable Uber Hacker Was Just Trying to Pay His Bills. “Uber revealed last month that it paid a hacker $100,000 to keep quiet about the fact that he stole…”

Related: Former Employee Accused Uber of Hacking and Surveillance. “In a damning letter released today, a former Uber employee, Richard Jacobs, claims that the company…”

Related: Uber's Massive Scraping Program Collected Data About Competitors Around The World. “For years, Uber systemically scraped data from competing ride-hailing companies all over the world, …”

Car-tracking breach

In what we labeled the “creepiest data breach of 2017,” security researchers unearthed the logins for half a million vehicle-tracking devices. Here’s a snippet from our September 21st coverage:

“The Kromtech Security Center recently found over half a million records belonging to SVR Tracking, a company that specializes in ‘vehicle recovery,’ publicly accessible online. SVR provides its customers with around-the-clock surveillance of cars and trucks, just in case those vehicles are towed or stolen. To achieve ‘continuous’ and ‘live’ updates of a vehicle’s location, a tracking device is attached in a discreet location, somewhere an unauthorized driver isn’t likely to notice it.”

Kromtech separately disclosed a breach that exposed 10 million vehicle identification numbers (VINs) that we predicted could’ve been useful for car thieves. More than 16,000 VINs were linked to Jeep Wranglers, which was significant because at the time we disclosed the breach a Tijuana motorcycle club had just been indicted for using VINs—as well as access to a manufacturer’s key database—to steal 150 Wranglers worth an estimated $4.5 million.

Related: Passwords to Over a Half Million Car Tracking Devices Leaked Online. “We’ve seen a lot of data breaches this year: some big, some small, some that are dangerous, and…”

Related: Massive Leak of 10 Million VIN Numbers Could Help Crooks Make Stolen Cars Look Legit. “Security researchers have discovered a vulnerable database containing the details of approximately…”

Kaspersky Lab

The Kaspersky Lab story has been a mess. On one hand, it seems like a company with a decent reputation had been caught up in a red scare over Russian hackers targeting the US election. On the other, the company’s software apparently played a role in transmitting classified US documents into a foreign government’s hands.

As it turns out, Israeli intelligence officers who’d hacked into Kaspersky Lab’s software determined that Russian hackers had used the popular scanner to access classified information pulled from the laptop of an NSA contractor who was running Kaspersky antivirus. (As part of its function, Kaspersky accesses all of the files stored on a computer, just like other popular anti-malware tools.) It was later disclosed that the NSA contractor had improperly stored classified material on his home computer, causing the breach.

Regardless, the White House instituted a government-wide ban on Kaspersky Lab products. The company is now suing the Trump administration, accusing it of violating due process.

Related: Trump Signs Ban on Kaspersky Software. “President Donald Trump on Tuesday signed legislation officially banning the federal government’s…”

Related: Kaspersky Lab Suing Trump Administration Following Software Ban. “In September, the US government mysteriously announced that it was banning Moscow-based Kaspersky…”

Top Secret leaks

WikiLeaks kicked off the year by dumping a slew of CIA secrets online, including the “Vault 7” database of exploits, some of which were marked Top Secret. One of the more interesting dumps detailed how the CIA can track Windows users using wi-fi signals and a process known as trilateration. There were also some interesting router hacking techniques disclosed in June. Although WikiLeaks continues to impress by getting its hands on this stuff, aside from its historical value, the true worth of this information is questionable—particularly with regard to any zero-day exploits it may have disclosed. Security researchers who deal in zero-days, and have even sold them to the US government, say privately that the value of these previously unknown exploits not only plummets over time, but that after they’ve been used once, intelligence agencies tend to treat them as worthless.

Related: Leaked Files Show How the CIA Can Hack Your Router to Spy on You. “The CIA has had the ability to turn routers and network access points into surveillance devices for …”

Related: Leaked Manual Reveals How CIA Can Track Windows Users by Gauging Wi-Fi Signal. “On Wednesday, WikiLeaks released the latest issue in its ongoing Vault 7 series—a trove of secret…”

Gizmodo also reported a breach linked to a security contractor in September: Researchers at UpGuard found a batch of job resumes left unprotected online that included thousands of individuals with high-level security clearances. It appeared as if the contractor outsourced its resume-processing to a third-party company, which then failed to delete the data after assuring the contractor it would be removed from an Amazon server. Among the leaked applications was someone who admitted to being a “warden advisor” at the CIA’s infamous Abu Ghraib black site. (People who worked at locations like Abu Ghraib are nearly unhirable because of the PR liability of hiring someone “tainted” by “allegations” of torture.)

Related: Data Breach Exposes Thousands of Job Seekers Citing Top Secret Government Work [Updated]. “Thousands of files containing the personal information and expertise of Americans with classified…”

We also reported a breach discovered by UpGuard involving Booz Allen Hamilton, the former employer of whistleblower Edward Snowden. The breach involved a project Booz was working on for the National Geospatial-Intelligence Agency, which among other duties monitors troop movements for the Pentagon. While some of the code that leaked indicated the program would eventually be used to handle up to Top Secret information, no classified information was found. UpGuard did, however, locate a bunch of other credentials, including private encryption keys, pointing to separate servers—the contents of which remain unknown.
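Both the RNC voter-data leak and the Booz Allen leak above came down to the same misconfiguration: an S3 bucket reachable without credentials. The following is an added example, not code from Gizmodo, UpGuard or AWS, showing how a defender can audit the two documents that decide who can reach a bucket: the bucket policy (as returned by `aws s3api get-bucket-policy`) and the bucket ACL (as returned by `aws s3api get-bucket-acl`). The bucket name, account id and canonical user id in the samples are placeholders constructed for the example; the grantee group URIs for AllUsers and AuthenticatedUsers are the real AWS identifiers.

```python
"""Audit an S3 bucket policy and ACL for anonymous access.

Added example for this page, not code from Gizmodo, UpGuard or AWS. It works on the
JSON documents that `aws s3api get-bucket-policy` and `get-bucket-acl` return, so it
runs offline against the constructed samples below.
"""
import json
from typing import Any

# Grantee group URIs AWS uses for "everyone" and "any AWS account" in bucket ACLs.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value: Any) -> list:
    """Policy grammar allows a scalar or a list for most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal: Any) -> bool:
    """True when the Principal element matches any caller: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy: dict) -> list[dict]:
    """Return every Allow statement an anonymous caller could match.

    A statement with a Condition block is still reported, flagged as conditioned,
    because a condition such as aws:SourceIp may or may not narrow it enough;
    a human has to look at those.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditioned": "Condition" in stmt,
        })
    return findings


def find_public_grants(acl: dict) -> list[str]:
    """Return 'GROUP:PERMISSION' for every ACL grant to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            hits.append(f"{group}:{grant.get('Permission')}")
    return hits


# Constructed samples. Bucket name, account id and canonical id are placeholders.
PUBLIC_READ_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-voter-data", "arn:aws:s3:::example-voter-data/*"]
  }]
}""")

RESTRICTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AnalystsOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/analyst"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-voter-data/*"
  }]
}""")

PUBLIC_ACL = {
    "Owner": {"ID": "placeholder-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def audit(policy: dict, acl: dict) -> list[str]:
    """Human-readable findings; an empty list means nothing anonymous was found."""
    report = []
    for f in find_public_statements(policy):
        flag = " (has Condition, review manually)" if f["conditioned"] else ""
        report.append(f"policy {f['sid']}: anonymous {', '.join(f['actions'])} "
                      f"on {', '.join(f['resources'])}{flag}")
    for g in find_public_grants(acl):
        report.append(f"acl: {g}")
    return report


if __name__ == "__main__":
    for line in audit(PUBLIC_READ_POLICY, PUBLIC_ACL):
        print(line)
```

Note that `aws s3api get-bucket-policy` wraps the policy as a JSON string under a `Policy` key, so that string has to be passed through `json.loads` before it is handed to `find_public_statements`. In practice this check belongs alongside, not instead of, the platform controls: `aws s3api get-bucket-policy-status` reports AWS's own `IsPublic` verdict, and enabling S3 Block Public Access at the account level prevents the policy and ACL above from ever taking effect.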

Related: Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password [Updated]. “Sensitive files tied to a US military project were leaked by a multi-billion dollar firm once…”

We’d be remiss if we didn’t mention Reality Winner, a massive profile of whom was published in the New Yorker last week. The 25-year-old National Security Agency contractor reportedly smuggled classified intelligence out of a secured area by stuffing printed documents down her pants and walking them out the front door. The papers, which allege Russian-government hackers targeted US voting systems last year, eventually found their way into the hands of Intercept reporters.

Whole Foods

A data breach at Whole Foods, first disclosed in late September, was mostly overshadowed by the ongoing congressional hearings over the Equifax fuckups—nevertheless, credit card data at up to 117 venues was confirmed stolen. We fixated on this breach in multiple stories because the company, which was purchased by Amazon this year, kept refusing to disclose information that we knew it had on hand. For instance, it refused to say when it first discovered the breach, which would’ve in turn told us how long executives kept it a secret before notifying customers. We bugged the company for several months, but it has decided this information is not for public consumption. Given the company’s reflexive secrecy, shop at Whole Foods at your own risk, I guess.

Related: What Whole Foods Hasn't Said About Its Payment Card Data Breach [Updated]. “On Thursday Whole Foods publicly revealed that a data breach had potentially compromised its…”

Related: Whole Foods Is Still Being Overly Secretive About Its Credit Card Breach. “If the whole Equifax debacle changes anything at all, it should be the public perception of what a…”

560 million passwords

In yet another breach discovered by Kromtech researchers, more than 560 million login credentials were exposed by a leaky database; the credentials were linked to up to 10 popular online services, including Adobe, Tumblr, and DropBox. When we broke the story, Kromtech was working with Have I Been Pwned creator Troy Hunt to determine how many of the credentials were from previous breaches. It turned out—based on a random sample of 10,000 username-password combinations—that roughly 98 percent were from previous breaches at sites like LastFM, MySpace, and others. Ironically, someone had apparently been going around collecting data from these breaches for years and compiling it into one massive database of leaked logins—only to become the source of a major data breach themselves.

Related: Over 560 Million Passwords Discovered in Anonymous Online Database. “A trove of more than 560 million login credentials has been exposed by a leaky database,…”

There are literally thousands of other data breaches we could list here, but you have to stop somewhere. With that in mind, take a second and visit haveibeenpwned.com to find out if your login has been exposed. Here’s to another year fraught with data insecurity. Remember to change your passwords!
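The closing advice to check haveibeenpwned.com, and the 560-million-credential aggregate above, both rest on one mechanism: testing whether a password already sits in a breach corpus without handing the password to anyone. The following is an added example, not code from Gizmodo, Kromtech or Have I Been Pwned, that implements the k-anonymity scheme Have I Been Pwned's Pwned Passwords range API uses: the client sends only the first five hex characters of the password's SHA-1, the server returns every known hash suffix under that prefix with a breach count, and the match is made locally. The `_CORPUS` dictionary and its counts are constructed for the example and stand in for the real dataset; `range_lookup` is an offline stand-in for the HTTP endpoint.

```python
"""Check a password against a breach corpus without sending the password.

Added example for this page, not Have I Been Pwned's own code. Mirrors the shape of
the real range API (GET https://api.pwnedpasswords.com/range/<5 hex chars>, response
lines of 'SUFFIX:COUNT'), but serves a constructed corpus from memory so it runs offline.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the encoding the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in corpus: password -> number of breaches it appeared in.
_CORPUS = {
    "password": 3730471,
    "letmein": 123456,
    "hunter2": 17,
    "correct horse battery staple": 2,
}

# Server-side index sharded by 5-char SHA-1 prefix, the way the range endpoint shards its data.
_INDEX: dict[str, list[tuple[str, int]]] = {}
for _pw, _count in _CORPUS.items():
    _digest = sha1_hex(_pw)
    _INDEX.setdefault(_digest[:5], []).append((_digest[5:], _count))


def range_lookup(prefix: str) -> str:
    """Stand-in for the HTTP range endpoint: 'SUFFIX:COUNT' lines for one prefix.

    Only the prefix ever reaches this function; it never learns the full hash.
    """
    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\r\n".join(f"{suffix}:{count}"
                       for suffix, count in sorted(_INDEX.get(prefix, [])))


def pwned_count(password: str, fetch_range=range_lookup) -> int:
    """Times `password` appears in the corpus, or 0.

    `fetch_range` takes a 5-char prefix and returns the range body; swap in an HTTP
    call against the real API to use this client for real. The suffix comparison
    happens here, on the client, so the server only ever sees the prefix.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.partition(":")
        if sep and candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


if __name__ == "__main__":
    for pw in ("password", "hunter2", "Tr0ub4dor&3"):
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in corpus'}")
```

The prefix leaks 20 bits of the hash, which narrows a guess to one of roughly 2^140 possible SHA-1 values, so the server learns nothing useful about the password itself; a range on the real service typically covers several hundred suffixes, and the real API also accepts an `Add-Padding: true` request header that pads responses to a uniform size so response length does not leak which range was fetched. A registration or password-change flow that rejects any password with a non-zero count is the practical defence against exactly the credential-stuffing lists the article describes.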
About the author: Dell Cameron is a staff reporter at Gizmodo.

Reader comment (Jedin, 12/27/17, 8:24am): And there are zero consequences for the incompetent executives.

Copyright © 2005-2021 Peter Burgess. All rights reserved. This material may only be used for limited low profit purposes: e.g. socio-enviro-economic performance analysis, education and training.