The worst IT security incidents of 2007
Despite the message being driven home by governments, consumer groups and industry bodies that IT security is paramount, this year has thrown up a worrying number of serious breaches.
Some of these violations are down to the increasing sophistication of the criminals perpetrating the attacks but, in many instances, systems are compromised in ways that simply should not be possible. Aside from the damage done to an organisation's brand, an increasingly strict legislative framework in this area — laws such as Sarbanes-Oxley — should have left no-one in doubt as to the importance of getting security right.
Obviously, there is no such thing as a 100 percent secure system, but this year has shown some businesses are continuing to fall short when it comes to security basics. The threat of legal action over lost or stolen customer data, including potential prison terms for the managers responsible, have still not hit home for some organisations, as the following cases illustrate.
1. The HMRC CD data loss
On the 20 November 2007, Her Majesty's Revenue & Customs admitted to losing the details of 25 million individuals, with 7.25 million UK families potentially affected.
Details on the discs, which were only password protected, included names, addresses, dates of birth, national insurance numbers and bank and building society account details.
The discs were lost during a National Audit Office (NAO) investigation in October. A junior official in HMRC sent the unencrypted discs to the NAO, but HMRC were not informed that the discs had not arrived to be audited until 8 November. Darling himself was informed of the loss on 10 November — three weeks after the discs had failed to arrive at the NAO.
This was the second major data-loss incident involving HMRC to emerge in November. On 6 November, it was revealed that the pension details of 15,000 Standard Life customers were sent to the pension provider by HMRC via an unnamed third-party courier at the end of September. The disc went missing and was not encrypted.
2. TJX Companies breach
The TJX hack was first reported in January, and is now recognised as the largest reported number of personal details ever lost by a company.
In March TJX, which operates discount retail chains such as TK Maxx in the UK and TJ Maxx and Marshalls in the US, admitted that 45.7 million customer accounts had been compromised.
A group of banks and credit providers claimed in October that the figure could be twice as high, claiming 96 million credit card details were stolen.
In an SEC filing in March, TJX noted that cybercriminals first accessed its computer systems in July 2005 and installed software to harvest sensitive customer information, such as account information, names and addresses, drivers' licence numbers and military and state identification. The breach continued until mid-January 2007. Details later emerged that hackers had broken into TJX's WEP encrypted wireless LAN in Minnesota.
Accounts and transactions affected included credit and debit card transactions, as well as checks and returned merchandise without receipts at the company's Marshalls, TJ Maxx, HomeGoods and AJ Wright stores in the US and Puerto Rico. Credit card transactions at TJX's Winners and HomeSense stores in Canada, as well as credit and debit card transactions at its TK Maxx stores in Ireland and the UK, were also compromised.
3. Monster job site hacked
In August, online job site Monster.com suffered a security breach that reportedly resulted in the theft of the confidential information from some 1.3 million job seekers. That figure was later revised to "millions".
Hackers stole information from the US online recruitment site's password-protected CV library by using credentials taken from Monster clients. They launched the attack using two servers at a web-hosting company in the Ukraine, combined with a botnet. The compromised computers had been infected with a malicious software program known as Infostealer.Monstres.
The company first learned of the problem on 17 August, when investigators with internet security company Symantec told Monster it was under attack.
4. Salesforce customer information breach
In November, hosted CRM specialist Salesforce.com had its systems compromised when one of its its employees mistakenly gave away their corporate login details.
The phishers, who had "tricked" the employee, then used the information to access the Salesforce systems, and stole a customer list. They contacted the customers on that list, some of whom gave out sensitive details. Salesforce went public with a warning after criminals started sending targeted malware to those on the list.
Salesforce admitted that customer data was stolen as a result of the breach but, when contacted by ZDNet.co.uk, the company refused to say whether any UK customers had been affected, whether any financial damage had occurred, and whether disciplinary action had been taken against any employees as a result of the security incident. It offered no other comment on the matter.
5. Nationwide fined over £1m for laptop theft
In a rash of lost laptops over the course of 2007, perhaps the most serious penalties suffered by an institution in the UK were those of Nationwide, when it was fined by the FSA in February to the tune of £1m for a lost laptop.The building society lost the laptop in August 2006 when the laptop was stolen from an employee's house in a burglary.
According to the FSA, Nationwide was guilty of failing to have effective systems and controls in place to manage its information security risks. The FSA also discovered that Nationwide was not aware that the laptop contained confidential customer information and did not start an investigation until three weeks after the theft.
6. Department of Homeland Security causes mini distributed denial-of-service attack
While not an actually an instance of cybercrime, this was a serious bungle by an organisation that is supposed to know better. A technical slip-up this autumn by a government contractor saw many US security professionals clogging up each other's email inboxes.
On Wednesday 3 October, the Department of Homeland Security (DHS) sent its daily Open Source Intelligence Report to "a subscription list of hundreds, perhaps thousands of recipients", wrote Marcus H Sachs, the director of the SANS Internet Storm Center, in a blog post. A reader replied to the list address with a request for a change, and his email was re-sent to all of the list subscribers.
"In the next hour or so, dozens of readers have replied, creating a mini-DDoS of sorts to the subscriber's inboxes," wrote Sachs. Almost half the emails were either pleas to stop sending more emails, or people demanding to be unsubscribed, despite the fact that unsubscribe instructions are at the bottom of the DHS daily reports, wrote Sachs.