What do data breaches at Sony, Panera, Target and Marriott have to teach us?
As cybersecurity experts, we dissect breaches to learn what techniques are used and how they evolve. Watching breach patterns gives us clues and warnings about how to help our clients protect their business and customer data, as well as their systems and intellectual property.
Here, we profile some of the most significant recent breaches and the lessons to be learned from their stories. These cases reveal how simple security measures could have gone a long way toward protecting well over a billion customer records from exposure.
“Those that fail to learn from history are doomed to repeat it.” (a popular paraphrase of George Santayana)
Data Breach #1: SQL Injection Cripples Sony’s PlayStation Network
Lesson Learned: Weak website protections and poor data segmentation brought Sony to its knees.
SQL injection is less exotic than it sounds, but it is the explanation most widely offered for what hit Sony’s PlayStation Network (PSN) in April 2011. The result was no joke: roughly 77 million accounts were exposed, including names, addresses, email addresses, birthdates and login credentials, and possibly payment card data, together with almost a month of service downtime. (Phillips 2016) Sony stated that passwords were stored as hashes and that the payment card table was encrypted, which is why the card data was never confirmed stolen; the point stands that everything else was reachable from the same foothold.
Structured Query Language (SQL) is the language applications use to query relational databases; in this case the database held PSN accounts and their associated data. A web application typically builds a query from whatever the user typed into a login form, search bar or URL parameter. SQL injection happens when that input is spliced into the query text without being kept separate from the SQL itself, so a quote character or keyword the attacker supplies is parsed as part of the query rather than as data. Through trial and error and a few reasonable guesses, an attacker can then make the database return rows the page was never designed to show, including rows from entirely different tables. (Pound 2016)
Because the vector is so simple, it is among the most frequent attacks on web applications; the same technique hit Sony Pictures Entertainment barely six weeks after the PSN breach. (Martin 2011) Akamai reported in its State of the Internet report that SQL injection accounts for “nearly two-thirds of all web application attacks,” dwarfing the next most common vector, Local File Inclusion, by around 40 percentage points. (Akamai 2019) Earlier data paints the same picture: between 2005 and September 2011, 83 percent of successful hacking-related breaches involved SQL injection, accounting for more than 312 million records lost across a variety of businesses. (Imperva 2011)
Sony never publicly confirmed the entry point or how the attackers pulled out so much data, so the details remain unclear. What is clear is that parameterized queries, input validation at the web tier, authorization checks on any application programming interface (API) that reaches the account database, and keeping payment data in a separately protected store would each have shrunk the damage. One caveat on timing: Anonymous had run a sustained DDoS campaign against Sony’s sites roughly two weeks earlier, and the PSN intruders themselves were never publicly identified. It is understandable that Sony’s security staff were still absorbed by that disruption when the intrusion began, which is exactly when an attacker wants to arrive.
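The mechanism described above, as an added example that is not Sony’s code or any code from the PSN breach: a login check that splices user input into its SQL, the same two payloads against a parameterized version of the check, and a UNION payload that reaches a payment table through the login form, which is the data-segmentation point. It runs against an in-memory SQLite database; the table layout, sample rows and function names are assumptions made for illustration.

```python
# Added example (not Sony's code): SQL injection against a query assembled
# by string concatenation, the same payloads against a parameterised query,
# and why co-locating payment data makes the injection far worse. Uses an
# in-memory SQLite database; the tables, rows and function names are
# constructed for illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a login table plus a payment_cards table
    that the login page has no business reading. Passwords are stored in
    plaintext here only to keep the injection demonstration short."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE payment_cards (id INTEGER PRIMARY KEY, account_id INTEGER, pan TEXT);
        INSERT INTO accounts VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'letmein');
        INSERT INTO payment_cards VALUES (1, 1, '4111111111111111'),
                                         (2, 2, '5555444433331111');
        """
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The bug: user input is spliced into the SQL text, so a quote or
    keyword typed into the form is parsed as SQL rather than as data."""
    sql = (
        "SELECT username, password FROM accounts WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The fix: placeholders keep the SQL text constant and the driver binds
    the input as values, so nothing the user types can change the query's
    structure."""
    sql = "SELECT username, password FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Classic tautology: close the string literal, add an always-true clause, and
# comment out the password check (-- starts a comment in SQLite, MySQL and
# PostgreSQL).
BYPASS = "' OR '1'='1' --"
# UNION payload: reach a different table through the same form. The column
# count must match the original SELECT, which an attacker finds by trial.
UNION_DUMP = "' UNION SELECT account_id, pan FROM payment_cards --"


def demo() -> dict:
    """Run both payloads against both implementations and return the rows
    each yields, so the effect of parameterisation is directly visible."""
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, BYPASS, "wrong"),
        "vuln_union": login_vulnerable(conn, UNION_DUMP, "wrong"),
        "fixed_bypass": login_parameterised(conn, BYPASS, "wrong"),
        "fixed_union": login_parameterised(conn, UNION_DUMP, "wrong"),
        "fixed_valid": login_parameterised(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s} -> {rows}")
```

The tautology payload returns every account row from the vulnerable check and nothing from the parameterized one; the UNION payload returns the card numbers from the vulnerable check, which is only possible because the login page’s database user can read the card table at all. Parameterization closes the injection; putting card data behind a separate service and credential is what limits the blast radius if some other flaw is found later.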
Data Breach #2: Plaintext Data and Weak Password Hashing Hit Panera and Under Armour
Lesson Learned: Don’t keep all your data in one basket, never serve it to unauthenticated callers, standardize protection mechanisms, and keep sensitive data encrypted and passwords hashed.
In August 2017, security researcher Dylan Houlihan found that an unauthenticated endpoint on Panera Bread’s website returned customer records from the company’s loyalty program in plaintext to anyone who requested them; Panera dismissed the report and fixed nothing until Brian Krebs publicized it in April 2018. (Krebs 2018) The flaw was different in kind from Sony’s (no injection was needed, the site simply handed the data over), but it stemmed from the same failure to treat the public web interface as an attack surface. From a cybersecurity perspective, serving sensitive data in plaintext without authentication was a significant shortcoming.
Both companies treated protection as a matter of putting the database behind a locked door: network access controls and a limited set of people with physical or administrative access. That model fails the moment the application in front of the database can be made to read on an outsider’s behalf. Sensitive fields need protection that travels with the data: encryption for data that must be read back (card numbers, addresses) and one-way hashing for passwords, which never need to be read back at all. To anyone without the key, encrypted data is an opaque alphanumeric blob; only the key, held under a chain of custody and access controls, renders it usable to people or software, and the application should decrypt only for a caller it has authenticated and authorized.
Instead, Panera’s endpoint served names, email and physical addresses, phone numbers, birthdays, loyalty account numbers and the last four digits of payment cards in plaintext, the raw material for credential theft and phishing. Criminals could copy it, store it, filter it and resell it elsewhere on the internet. Worse, Panera assigned loyalty account IDs as sequential integers, so anyone could harvest the whole customer base simply by incrementing the number in the request. (Krebs 2018) These two oversights, plaintext records on an unauthenticated endpoint and guessable identifiers, meant the entire dataset (Krebs estimated up to 37 million records) could be exfiltrated, filtered and stored for later use.
Fitness apparel maker Under Armour suffered a breach of roughly 150 million MyFitnessPal accounts in early 2018; the company did not disclose how the intruders got in. Unlike Panera, Under Armour was prompt, disclosing the breach within four days of discovering it and updating users as it remediated.
Because Under Armour kept payment processing separate from the app’s account data, the breach exposed usernames, email addresses and hashed passwords rather than payment card data or government-issued identifiers. The company also told customers that passwords had been protected with hashing rather than stored in the clear. (Newman 2018)
Hashing did not make them whole, because two different hashing schemes were in use. In a Q&A page on the breach, Under Armour clarified that while the majority of MyFitnessPal passwords were hashed with bcrypt, a portion were hashed with SHA-1. Wired quotes Kenneth White, director of the Open Crypto Audit Project, explaining that bcrypt is deliberately slow, which is what makes guessing passwords against a stolen hash expensive, whereas SHA-1 is a fast general-purpose hash that was never designed for password storage. (Newman 2018) The SHA-1 hashes were legacy data that had not been migrated, and an attacker holding the dump simply starts with those: a mixed scheme is a chain only as strong as its weakest link.
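The enumeration problem above, as an added example that is not Panera’s code: a lookup that returns any record by its sequential ID with no authentication, a scraper that walks the ID space, and the two fixes that close it, an ownership check tied to the authenticated user and unguessable identifiers. The records, handler names and scraper are constructed for illustration.

```python
# Added example (not Panera's code): how sequential account IDs on an
# unauthenticated endpoint let anyone enumerate a customer database, and the
# two fixes that close it, an ownership check tied to the authenticated user
# and unguessable identifiers. The records, the lookup handlers and the
# scraper are constructed for illustration.
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Record:
    owner: str       # username of the account holder
    email: str
    birthday: str
    card_last4: str


# Constructed store keyed by sequential integers, as a loyalty programme that
# hands out account numbers in order would be.
SEQUENTIAL_STORE: Dict[int, Record] = {
    1001: Record("alice", "alice@example.com", "1990-03-04", "1111"),
    1002: Record("bob", "bob@example.com", "1985-11-23", "4242"),
    1003: Record("carol", "carol@example.com", "1978-07-15", "9876"),
}

Lookup = Callable[[dict, object, Optional[str]], Optional[Record]]


def lookup_unprotected(store: dict, account_id, session_user: Optional[str]) -> Optional[Record]:
    """The flaw: returns whatever record the ID names, with no check that the
    caller is logged in, let alone that the caller owns the record."""
    return store.get(account_id)


def lookup_protected(store: dict, account_id, session_user: Optional[str]) -> Optional[Record]:
    """Fix, part one: refuse unless the authenticated user owns the record.
    A missing record and a forbidden one both return None, so the response
    does not even confirm which IDs exist."""
    rec = store.get(account_id)
    if session_user is None or rec is None or rec.owner != session_user:
        return None
    return rec


def scrape(lookup: Lookup, store: dict, start: int, count: int,
           session_user: Optional[str] = None) -> List[Record]:
    """What a scraper does against sequential IDs: walk the ID space and keep
    every record that comes back."""
    found = []
    for account_id in range(start, start + count):
        rec = lookup(store, account_id, session_user)
        if rec is not None:
            found.append(rec)
    return found


def opaque_id() -> str:
    """Fix, part two: 128 bits from the OS CSPRNG per account, so walking the
    ID space is infeasible. This complements the ownership check; it does
    not replace it, because IDs leak (logs, referrers, shared links)."""
    return secrets.token_urlsafe(16)


def rekey_with_opaque_ids(store: Dict[int, Record]) -> Dict[str, Record]:
    """Re-key an existing sequential store with opaque identifiers."""
    return {opaque_id(): rec for rec in store.values()}


if __name__ == "__main__":
    print("unauthenticated scrape:", len(scrape(lookup_unprotected, SEQUENTIAL_STORE, 1000, 10)))
    print("protected, no session: ", len(scrape(lookup_protected, SEQUENTIAL_STORE, 1000, 10)))
    print("protected, as alice:   ", len(scrape(lookup_protected, SEQUENTIAL_STORE, 1000, 10, "alice")))
```

Against the unprotected lookup, ten requests recover all three records; against the protected lookup, an unauthenticated scraper gets nothing and a logged-in user gets only their own record. The ownership check is the real control; opaque IDs are defence in depth for the day a new endpoint is shipped without it.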
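The weakest-link point above, as an added example that is not Under Armour’s code: the same three weak passwords stored as unsalted SHA-1 and as a salted, iterated hash, then attacked with the same wordlist. Python’s standard library has no bcrypt, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; it shares bcrypt’s design goals (a per-user salt and a tunable work factor), and that substitution is an assumption of this example. The accounts, the wordlist and the iteration count are constructed.

```python
# Added example (not Under Armour's code): why unsalted SHA-1 is a poor
# password store and a slow, salted hash is not. Python's standard library
# has no bcrypt, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here;
# it shares bcrypt's design goals (per-user salt, tunable work factor). The
# accounts and the attacker's wordlist are constructed.
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor; raise it as hardware gets faster

# Constructed sample: three accounts with weak, common passwords.
USERS = {"alice": "password1", "bob": "qwerty", "carol": "letmein"}
# Constructed attacker wordlist that happens to contain all three.
WORDLIST = ["123456", "password1", "qwerty", "letmein", "dragon"]


def sha1_store(users: dict) -> dict:
    """The legacy scheme: hex SHA-1 of the password, no salt. The same
    password hashes to the same value for every user on every site."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def pbkdf2_store(users: dict, iterations: int = ITERATIONS) -> dict:
    """The intended scheme: a random 16-byte salt per user and many
    iterations; the iteration count is stored so it can be raised later."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, iterations, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return out


def pbkdf2_verify(entry: tuple, candidate: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = entry
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations), digest)


def precomputed_sha1_table(wordlist: list) -> dict:
    """What an attacker builds once and reuses against every unsalted dump."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}


def crack_sha1(store: dict, table: dict) -> dict:
    """One dictionary lookup per user; the table's cost is paid once, ever."""
    return {u: table[h] for u, h in store.items() if h in table}


def crack_pbkdf2(store: dict, wordlist: list) -> tuple:
    """No precomputed table helps: the salt forces a fresh PBKDF2 run for
    every (user, word) pair, each costing `iterations` HMAC calls. Returns
    the cracked passwords and the number of PBKDF2 runs spent."""
    cracked, runs = {}, 0
    for u, (salt, iterations, digest) in store.items():
        for w in wordlist:
            runs += 1
            guess = hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations)
            if hmac.compare_digest(guess, digest):
                cracked[u] = w
                break
    return cracked, runs


if __name__ == "__main__":
    legacy = sha1_store(USERS)
    print("SHA-1 cracked with one table:", crack_sha1(legacy, precomputed_sha1_table(WORDLIST)))
    cracked, runs = crack_pbkdf2(pbkdf2_store(USERS), WORDLIST)
    print(f"PBKDF2 cracked: {cracked} after {runs} runs x {ITERATIONS} iterations")
```

Both stores give up these three passwords, because the passwords are in the wordlist; what changes is the cost. The SHA-1 dump falls to three table lookups against a table built once for every dump in the world, while the salted store costs the attacker one full PBKDF2 computation per guess per user and nothing carries over between users. An attacker holding a mixed dump therefore starts with the SHA-1 rows, which is why the legacy portion sets the effective strength of the whole store.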
Data Breach #3: Third-Party Access Exposes Target and Marriott
Lesson Learned: Trust, but verify, should be the approach to every vendor you do business with or exchange data with, and to every acquisition you inherit.
Perhaps the worst-case outcome of poor third-party management, Target’s 2013 holiday-season breach began when the network of its HVAC contractor was compromised and the contractor’s credentials for Target’s vendor portal were stolen. From there the attackers reached the point-of-sale network, a path that a blend of publicly available information, weak access control and network segmentation, and improper software configuration left open. (Schwartz 2014) Target had passed PCI audits of payment card protection standards, but compliance overlooked severe security gaps. (Schwartz, Target Breach: 10 Facts 2013) Further, Target had published a list of its suppliers online, and some of its infrastructure practices were described in a Microsoft case study, handing the attackers their initial intelligence.
Similarly, Marriott announced in November 2018 that personal information on up to 500 million guests had been exposed. After a security tool flagged a suspicious query against the Starwood guest reservation database in September 2018, a forensics team found that the compromise dated to 2014, two years before Marriott acquired Starwood Hotels in 2016. The intrusion survived the acquisition because the two reservation systems were never merged, and Marriott had let go many of the Starwood staff who knew that infrastructure best. (Fruhlinger 2019)
Starwood had also outsourced its IT and security operations to its partner Accenture, an arrangement Marriott inherited. Whatever Accenture’s capabilities, ultimate responsibility for overseeing that relationship, and for the systems it ran, fell to Marriott, which might have spared itself had it brought the Starwood systems in-house and under its own controls. (Fruhlinger 2019)
Moreover, as reported by The New York Times and The Washington Post, Chinese intelligence services likely perpetrated the breach. Writing for CSO Online, Josh Fruhlinger supports that conclusion with two observations: the breached data never surfaced on the dark web (striking, given the volume of payment card and passport data), and federal agencies beyond the usual FBI or Homeland Security responders became involved.
He also observes that Marriott is a major hospitality provider for the US government and military, which would make the breach a continuation of a Chinese campaign to build profiles on American government and military personnel. (Fruhlinger 2019)
Given the role Marriott plays serving government customers, the point is that a threat model honest about who would want its data, and why, would have led to a more appropriate security strategy. Technical details were sparse, but Fruhlinger reports that the attackers used a remote access trojan along with the credential-dumping tool Mimikatz, and the trojan may well have arrived through a phishing campaign; that is a chain any defender should expect and should be equipped to detect.
Not every breach relies on advanced technology, and valuable data keeps taking new forms, as security researchers Bob Diachenko and Vinny Troia showed in late 2019. They found a server holding 1.2 billion enriched personal profiles (names, email addresses, phone numbers and social-media profile details aggregated from data brokers) sitting on the open internet with no authentication. (Seals 2019) Like the Facebook profile data harvested in the Cambridge Analytica affair, this data existed to build user and consumer profiles. At this volume, such a dataset gives a would-be attacker (and it was found by researchers rather than known to have been stolen, though anyone else could have read it) everything needed to pick victims of a specific type and tailor attacks so they are more likely to succeed.
Colossal data breach stories like these have lessons for every organization.
Every organization takes on risk as it adopts new technologies, tests innovations and modernizes systems and operations. But, as these colossal breach stories illustrate, simple steps (parameterize and validate input, hash passwords and encrypt sensitive data, authenticate every request for it, segment networks and data, and hold every partner and acquisition to the same standard) are worth as much as the latest cybersecurity tools and protocols.
Akamai. 2019. “Web Attacks and Gaming Abuse.” State of the Internet / Security 5 (3). Edited by Martin McKeay, Amanda Fakhreddine, Steve Ragan and Lydia LaSeur. June. Accessed January 9, 2020. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-web-attacks-and-gaming-abuse-report-2019.pdf.
Fruhlinger, Josh. 2019. “Marriott data breach FAQ: How did it happen and what was the impact?” CSO Online, September 30. Accessed January 21, 2020. https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html.
Imperva. 2011. “SQL Injection: By The Numbers.” Imperva Labs: Application Security blog, September 20. Accessed January 9, 2020. https://www.imperva.com/blog/sql-injection-by-the-numbers/.
Jarvis, Keith, and Jason Milletary. 2014. “Inside a Targeted Point-of-Sale Data Breach.” Dell SecureWorks Counter Threat Unit Threat Intelligence. https://portal.secureworks.com/intel/mva?Task=ShowThreat&ThreatId=773.
Krebs, Brian. 2018. “Panerabread.com Leaks Millions of Customer Records.” KrebsOnSecurity, April 2. Accessed January 9, 2020. https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/.
Martin, Adam. 2011. “LulzSec’s Sony Hack Really Was as Simple as It Claimed.” The Atlantic, September 22. Accessed September 9, 2019. https://www.theatlantic.com/technology/archive/2011/09/lulzsecs-sony-hack-really-was-simple-it-claimed/335527/.
Newman, Lily Hay. 2018. “The Under Armour Hack Was Even Worse Than It Had To Be.” Wired, March 30. Accessed January 9, 2020. https://www.wired.com/story/under-armour-myfitnesspal-hack-password-hashing/.
Phillips, Tom. 2016. “Five years ago today, Sony admitted the great PSN hack.” Eurogamer, April 26. Accessed January 9, 2020. https://www.eurogamer.net/articles/2016-04-26-sony-admitted-the-great-psn-hack-five-years-ago-today.
PortSwigger. n.d. “SQL Injection.” Web Security Academy. Accessed January 9, 2020. https://portswigger.net/web-security/sql-injection.
Pound, Mike. 2016. “Running an SQL Injection Attack.” Computerphile (YouTube), edited by Sean Riley, June 5. Accessed January 9, 2020. https://www.youtube.com/watch?v=ciNHn38EyRc.
Radichel, Teri. 2014. “Case Study: Critical Controls that Could Have Prevented Target Breach.” SANS Institute Reading Room. https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412.
Schwartz, Mathew. 2013. “Target Breach: 10 Facts.” Dark Reading, December 21. Accessed January 21, 2020. https://www.darkreading.com/attacks-and-breaches/target-breach-10-facts/d/d-id/1113228?page_number=1.
—. 2014. “Target Breach: HVAC Contractor Systems Investigated.” Dark Reading, February 6. Accessed January 21, 2020. https://www.darkreading.com/attacks-and-breaches/target-breach-hvac-contractor-systems-investigated/d/d-id/1113728.
Seals, Tara. 2019. “Data-Enriched Profiles on 1.2B People Exposed in Gigantic Leak.” Threatpost, November 22. Accessed January 21, 2020. https://threatpost.com/data-enriched-profiles-1-2b-leak/150560/.
Verizon. 2019. 2019 Data Breach Investigations Report. Verizon.