2016: Top 5 data leaks so far

In this roundup, we talk about five true leaks and some lessons to be learned from them.

We’re halfway through the year 2016. At first glance, this year may have seemed a bit unspectacular from a cybersecurity point of view: not too many highly publicized events or incidents so far, with the exceptions of DROWN and several new APTs. However, a deeper dig yields a number of major (or, rather, really large) data leaks that took place in the first half of 2016. For this list, we decided to include only “real” leaks, leaving out such events as the bulk sale of social network credentials (it’s unclear when and how that data was stolen).

In this roundup, we talk about five true leaks and some lessons to be learned from them.

#5 Time Warner Cable (320,000 users affected)

Early this year, Time Warner Cable issued a warning to its 320,000 customers urging them to change their e-mail passwords because hackers might have accessed the information.

According to Time Warner, the data might have been accessed via “malware downloaded during phishing attacks or indirectly through data breaches of other companies that stored TWC customer information, including email addresses.”

TWC later said there’s no indication that the company’s systems were breached.

However, as was disclosed later, customers who have e-mail accounts through Roadrunner, TWC’s webmail portal — so, addresses at rr.com — are believed to be implicated in the incident.

Lessons:

  • Your customers can be a weak link. So it is in your best interest to remind your clients about dangers such as phishing. Consider advising them to use security solutions that include anti-spam and anti-phishing features. For example, Kaspersky Lab offers strong and recognized Anti-Phishing Technology in both consumer and business solutions.
  • If you know of any companies (partners, suppliers, or subcontractors) that can store your customers’ information, investigate how they store and process this information. Your partners need to be ready to implement serious protective measures if necessary; if they aren’t, you may need new partners.

#4: Centene (950,000 people possibly affected)

Six hard drives containing the health data of approximately 950,000 individuals were reported missing early this year.

The drives, property of Centene Corp., a health-care enterprise, contained data from individuals who received laboratory services from 2009 to 2015, including names, addresses, birth dates, Social Security numbers, member ID numbers, and health information. No financial or payment information was stored on the hard drives.

According to Centene, there was no indication the data was used inappropriately, but the company still found the situation serious enough to notify the affected persons, as well as the media.

Lessons:

  • Along with cybersecurity, the need for physical security of data equipment critical and constant. Allowing a handful of hard drives with sensitive information to go missing goes against the cybersafety culture as much as password “1234” does.
  • Forming a culture of cybersafety and security may be a process of trial and error (or, rather, errors and consequences), but Kaspersky Lab, for example, offers special training programs for enterprises. Our program is called “Kaspersky Security Awareness,” and as the name implies, it’s educational but also very practical in nature. Learn more about these programs here.

#3: Verizon (1.5 million enterprise customers affected)

A treasure trove of information on 1.5 million Verizon Enterprise customers reportedly made its way onto an underground cybercrime forum. The seller requested quite a price: The entire database was offered for $100,000, but included in that price, the hacker(s) said, was information about security vulnerabilities in Verizon’s site.

Verizon, in turn, said that it had patched the vulnerability that led to the breach. Only basic contact information, such as names and e-mail addresses, had been exposed.

Lesson:

  • Even the largest entities occasionally miss some flaws in their front end or corporate networks, and those can become entry points for attackers. So it is wise to check the security of your own public websites, maybe even perform penetration tests.

#2: 21st Century Oncology Holdings (2.2 million records stolen)

A Florida-based cancer clinic network warned 2.2 million of its patients that at least some of the health data, as well as Social Security numbers, were stolen from its computer network.

The actual breach took place in October 2015, and the company brought in the FBI and a digital forensics firm immediately. The FBI requested that the firm delay the public announcement.

21st Century Oncology was heavily criticized later for not better safeguarding its patients’ data. The attack details are scarce; the firm chose not to specify the nature of the attack. It said only that in addition to security measures “already in place,” it had taken “additional steps to enhance internal security protocols to help prevent a similar incident in the future.”

Lesson:

  • Digital forensics will help you to understand details of the breach, but it would be wiser to have some experts to look at your infrastructure before an intrusion. Kaspersky Security Intelligence Services provides, among all others, customer-specific Threat Intelligence Reporting, which serves to identify externally available critical components of your network.

And the award for the top site leak goes to…

#1: The US Department of Health and Human Services (5 million records)

The US Department of Health and Human Services (HHS) came under heavy criticism after it belatedly disclosed a major leak of medical data that affected as many as 5 million people.

The circumstances of the breach are outrageous: It was not a cyberattack at all — it was common thievery. Burglars reportedly broke into the Office of Child Support Enforcement in Olympia, Washington, and took a personal laptop that contained up to 5 million names and Social Security numbers.

The incident took place in February, but HHS reported it publicly in late March.

Two people were eventually arrested in connection with the burglary, but whether the laptop was recovered — and where the stolen data ended up — is unclear.

Lesson:

  • Mobile devices (that includes laptops) are rather easy to carry away — hence the term mobile —and therefore, so is the data stored therein. The possibility of losing a laptop is always worrisome, but at least there is a way to decrease the worries about the safety of data: encryption. Personally identifiable data can be sold for very serious money, often much more serious than a laptop. But if the data is stored encrypted, it’s not going to leak into the wrong hands.
Tips