BEST OF THE WEB

Biggest breaches of 2013: Lessons we haven’t learned

SC Magazine – sponsors of the popular SC Congress series of conferences – released it list of the Top 8 Security Breaches of 2013 recently, and the dispiriting thing is, the themes are sounding awfully familiar. Apparently, some shops have learned nothing from previous fiascos – hands up, anybody who remembers Heartland and TJX – and continue to ignore best practices we’ve known about for years.

What lessons have we forgotten?

* No excuse for no encryption. Probably the largest volume of data breach information comes from low-tech (or even no-tech) hacking, not high-tech hacking. More than 700,000 patients at AHMC Hospitals in California has personal details exposed when thieves broke in and stole two laptop computers.  At least no episodes of lost USB keys made the list this year, though it still happens all the time: contactor Computer Sciences Corp. lost one in transit, compromising the information of Medicaid providers across the U.S; the police force in Manchester, U.K. was fined the equivalent of about $200,000 for losing an unencrypted USB key with sensitive data from a drug squad investigation; health-care provider Kaiser Permanente lost a USB key with personal details of 50,000 patients after a privacy breach at an Anaheim, Calif., facility. We’ve had more than our share in the last few years in Canada. Whether it’s on a laptop, USB key or server, there’s no excuse for data at rest to remain unemcrypted.

* Monocultures are lethal. Microsoft Corp. products actually seem to be performing better on the security side than the days when the Office-Outlook-Exchange monoculture was dominant, but any time you have a product that dominates a market space, you’re more exposed. Adobe Acrobat has now become the poster child for ubiquitous applications subject to attack; the company admitted in October that a breach thought to have affected 2.9 million users actually affected 38 million. It’s the only PDF reader anybody who’s anybody uses, so vulnerabilities in the code can affect a huge footprint of users.

* Big money=Big target. Hacktivist collective Anonymous targeted the personal banking information of 4,000 banking executives, breaching the U.S. Federal Reserve Bank’s system through a vulnerability in a vendor product. While they weren’t out to thieve more than information, most hacking activity is motivated by money, and the more there is, the more likely you’ll be targeted by hackers.

* Social insecurity. People share too much on social networks; that’s kind of the point of them in the first place. But that information can be exposed, as it was when hackers compromised hashed and salted passwords for 50 million users of the hot-deals Website Living Social. Fortunately, according to the company, no financial information was exposed.

You can view the SC Magazine slide show here.

Dave Webb
Dave Webb
Dave Webb is a freelance editor and writer. A veteran journalist of more than 20 years' experience (15 of them in technology), he has held senior editorial positions with a number of technology publications. He was honoured with an Andersen Consulting Award for Excellence in Business Journalism in 2000, and several Canadian Online Publishing Awards as part of the ComputerWorld Canada team.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web