So many breaches lately – its becoming hard to keep up. Here’s a quick summary of some of the higher profile breaches from recent months. There are many more where this came from, and the full list of known breaches can be found at these sites:
On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system.
Customers of Walgreens, Best Buy, Citigroup and several other major US companies were affected, as all of these companies use Epsilon services for email campaigns.
RSA, the security division of EMC, has revealed the firm’s data breach in mid March was the result of a spear phishing attack. The spear phishing attack exploited an Adobe Flash vulnerability that was unpatched at the time.
This eventually led to the compromise of sensitive data connected with RSA’s SecurID tokens, used for multi-factor authentication.
This stolen information was later used by hackers in attacks against several large defense contractors, with at least one such attack being successful.
Since the April PlayStation Network breach that exposed over 100 million user accounts, Sony has been hacked more than 10 times. Sony Pictures, Sony Europe, Sony BMG Greece, Sony Thailand, Sony Music Japan, Sony Ericcson Canada, and others, have all been the target of attacks.
Some analysts say Sony’s security woes started when the company pressed charges against 20 year-old hacker, George Hotz, who reverse-engineered Sony’s PlayStation 3 so that it could run unapproved third-party applications.
Sony responded by suing Hotz, a move that reportedly infuriated many in the hacker community. Many experts say the attack on the PlayStation Network in April could have been an act of vilgilante justice resulting directly or indirectly from Sony’s lawsuit against Hotz.
“Sony’s perceived abuse of the legal system in targeting reverse-engineer George Hotz infuriated hacker groups,” said Randy Abrams, director of technical education at ESET, an IT security firm. Abrams also noted that even before the Hotz incident, Sony had drummed up “significant antipathy” as the result of a 2005 scandal involving Sony CDs that automatically installed a rootkit that made users’ computers vulnerable to attack.
See also: Sony Entertainment earned $77.5Bn last year but because of recent breaches lost $22Bn this year (Infographics)
On May 10, a compromise to Citi Account Online resulted in hackers stealing account information of more than 360,000 of Citigroup Inc.’s U.S. credit card customers. The bank said it discovered on May 10 that hackers used its Account Online system to access the data for North America Citi-branded credit cards issued in the U.S. Hackers accessed customer names, account numbers and contact information, including email addresses.
A group of hackers behind a string of recent cyberattacks claimed on Monday to have stolen internal data from the US Senate website. The Senate Sergeant at Arms, which is responsible for congressional security, confirmed there had been an intrusion into the server hosting the public website, Senate.gov, but said no sensitive information was compromised.
The hacker group, which goes by the name of “Lulz Security,” published files online at lulzsecurity.com said to have been swiped from Senate.gov.
“This is a small, just-for-kicks release of some internal data from Senate.gov — is this an act of war, gentlemen?” Lulz Security said in a statement.
“We don’t like the US government very much,” the group added. “Their sites aren’t very secure.”
Lulz Security, whose name is derived from the text-messaging shorthand phrase LOL, or “laugh out loud,” has claimed credit for a series of cyberattacks in recent weeks.
The targets have included Sony’s online operations, an FBI partner website, the website of videogame developer Bethesda Softworks and the website of the US non-profit Public Broadcasting Service.
International Monetary Fund:
The International Monetary Fund was targeted by attackers over several months earlier this year, The New York Times reported. Many security experts are speculating the attackers may have had some support from a nation-state.
The cyber-attackers appeared to have deliberately infected a computer at the IMF with malware designed to steal information, according to The New York Times. The intrusion was “a very major breach,” an anonymous official said in the June 12 article.
A group of hackers calling themselves Lulz Security has claimed responsibility for briefly bringing down the public website of the U.S. Central Intelligence Agency (CIA) on Wednesday.
“Tango down – cia.gov – for the lulz,” the group, which had earlier claimed responsibility for hacking into the websites of the U.S. Senate, Sony, Nintendo and Fox News, wrote on its Twitter feed.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services