I’m still not used to typing “2014” in the date field, but I just looked up the other day and realized that this year is already half over. An assessment of the first two quarters shows that on the security front, there’s both good news and bad news. The good news is that software vendors are focusing more than ever on making their operating systems and applications more difficult to exploit, and are taking important steps to fix vulnerabilities in a timely fashion – most of the time.
The bad news is that sometimes security flaws are still around months or even years after their discovery, giving potential attackers free rein to develop exploits that can put thousands of computers at risk. The Heartbleed vulnerability in OpenSSL had been in the code since late 2011 (and shipped in every 1.0.1 release up to 1.0.1f) by the time it was publicly disclosed in April of this year, and according to SC Magazine, a major Windows flaw reported by James Forshaw eight months ago (the mitigation bypass for which he received a $100,000 bounty from Microsoft) still hasn’t been fixed.
The other bad news is that even when patches are issued quickly, there are still individuals and businesses that don’t get around to applying them, thus leaving more systems open to attack. And software flaws aren’t the only means by which attackers can infiltrate systems and networks.
When it comes to security breaches this year, statistics from the Identity Theft Resource Center for January 1 through July 8 also reveal both positives and negatives. The total number of breaches reported across all categories (banking/credit/financial, general business, educational, government/military, and medical/healthcare) was 395 as of the beginning of July, more than 20 percent above half the total for the entire year of 2013 (614). As last year, the category with the greatest number of breaches was medical/healthcare, accounting for 181 of them.
Let’s look at some of the scariest takeaways from all of these reports.
“That’s where the money is”
We’ve all heard the old saw attributed (falsely) to Willie Sutton, who supposedly answered the question “Why do you rob banks?” with “That’s where the money is.” Well, that’s still where the money is, and the fact that so few reported breaches involved banks and other financial and credit institutions is good news. The scary thing is that one of the largest reported breaches in that category, with the most records exposed, is at a company with which many of us do business: American Express. That breach involved the exposure of 76,608 records pertaining to California customers.
Security breaches of credit card companies are scary because so many of us carry and depend on those cards for our everyday expenditures now. It’s not just those who can’t afford to pay upfront, either. Many businesses, such as car rental companies and hotels, frown on or refuse cash payments and thanks to rewards programs, many of us use credit cards to pay all of our bills and then pay off the credit card balance in full every month. Our credit card statements can provide a great deal of information about where we go, what we do and how we live, so the thought of hackers having access to all of that is frightening, indeed.
The new risk of charging it
Even if the credit card company itself is able to prevent a breach of its systems, card holders still aren’t safe from hackers. The merchants to whom you present your cards must also be diligent. Unfortunately, some of the big breaches this year have involved the exposure of credit card information at the merchant level. Whether you’re enjoying a restaurant meal, attempting to make yourself beautiful, or just buying groceries for your family, using your card can put you at risk.
The Target security breach in 2013 made big headlines, but there have been a number of similar, albeit smaller breaches already this year. In June, several thousand credit cards that had been used at multiple P.F. Chang’s locations appeared for sale on the same site that was selling the card data that was stolen in the Target fiasco.
The same thing happened to customers of Sally Beauty earlier in the year. Some of those customers who used their cards to pay for items purchased at the beauty supply stores had data from their cards illegally accessed. Weeks later, the Michaels craft stores disclosed that up to 3 million of their customers’ credit and debit cards might have been exposed in two separate breaches.
The new year began with hackers targeting high-end shoppers in January, in a breach that involved the credit cards of as many as 1.1 million Neiman-Marcus customers.
These types of breaches are scary because thieves don’t have to steal your physical card; all they need is the track data from the magnetic stripe (the card number, expiration date, service code and the issuer’s discretionary data). That is enough to encode counterfeit cards that can then be used to make fraudulent purchases. Unless the merchant that got hacked notifies you, you’ll never know anything happened – until you get the bill for thousands of dollars’ worth of items you didn’t buy.
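As an added illustration, not part of the original post: the snippet below parses the two track records a stripe reader returns (ISO/IEC 7813 layout), runs the Luhn check on the card number, and scans a constructed log excerpt for leaked track data, the kind of check a merchant or assessor runs to confirm that full stripe contents are not being written to disk after authorization. The card number is the standard Visa test number; the cardholder name, dates, service codes, discretionary data and log lines are all made up for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records in the ISO/IEC 7813 magnetic-stripe layout.
# The PAN is the well-known Visa test number 4111 1111 1111 1111; the name,
# expiry, service codes and discretionary data are invented.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^15121011234567890123?"
SAMPLE_TRACK2 = ";4111111111111111=15121011234567890123?"
SAMPLE_TRACK2_CHIP = ";4111111111111111=15122011234567890123?"  # service code 201

# Track 1: start sentinel '%', format code 'B', PAN, '^', name, '^',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2: start sentinel ';', PAN, '=', expiry YYMM, service code,
# discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)


@dataclass
class TrackData:
    pan: str
    expiry: str           # YYMM
    service_code: str     # 3 digits; first digit 2 or 6 means an EMV chip is present
    discretionary: str    # issuer data (e.g. CVV1/PVV); also needed for a clone
    name: Optional[str]   # only present on track 1


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> TrackData:
    """Parse one complete track 1 or track 2 record; raise on anything else."""
    m = TRACK1_RE.fullmatch(raw)
    if m:
        return TrackData(m["pan"], m["exp"], m["svc"], m["disc"], m["name"])
    m = TRACK2_RE.fullmatch(raw)
    if m:
        return TrackData(m["pan"], m["exp"], m["svc"], m["disc"], None)
    raise ValueError("not a recognised track 1 or track 2 record")


def chip_present(track: TrackData) -> bool:
    """A service code starting with 2 or 6 tells the terminal the card has a chip."""
    return track.service_code[0] in ("2", "6")


def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: str) -> List[str]:
    """Scan a log or memory dump for track 2 records; return masked PANs found.

    Full track data must not be retained after authorization, so any hit in a
    merchant log or process dump is a finding worth raising.
    """
    return [mask_pan(m["pan"]) for m in TRACK2_RE.finditer(blob)
            if luhn_valid(m["pan"])]


# Constructed log excerpt: a POS debug log that leaked a full track 2 record.
# The second line is junk that must not produce a false positive.
SAMPLE_LOG = (
    "2014-06-11 12:01:07 swipe ok terminal=07 "
    "raw=;4111111111111111=15121011234567890123? amount=42.17\n"
    "2014-06-11 12:01:09 swipe ok terminal=07 raw=;1234=0000? amount=1.00\n"
)

if __name__ == "__main__":
    t = parse_track(SAMPLE_TRACK1)
    print(mask_pan(t.pan), t.expiry, t.service_code, chip_present(t))
    print(find_track_data(SAMPLE_LOG))
```

Everything `parse_track` returns is exactly what a counterfeiter needs to write onto a blank stripe, which is why leaked track data is so much worse than a leaked card number alone; the service-code check is the only signal in the stripe that the card also carries a chip the clone cannot reproduce.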
It’s Pay Time – for hackers
The American Express breach looks pretty small compared to a breach that occurred in April affecting more than 230,000 people in almost every state in the U.S., with most of the victims in Pennsylvania. Paytime, a payroll services company, informed its customers that hackers had infiltrated its system and stolen personal information that included both Social Security numbers and bank account numbers.
This one is particularly disturbing because with that information, criminals can steal a person’s identity and/or access the victim’s funds, and it’s a situation where the victims themselves have no control over whether or not to use the company’s services (as they would in choosing their personal banks or what merchants to buy from) since it’s the employer who makes that decision. Victims are attempting to put together a class action lawsuit against the company, alleging negligence.
The government is not immune
In fact, government is a prime target for hackers, especially those from foreign countries – both individuals and state-sanctioned espionage agents. A very recent Department of Homeland Security report confirms that Chinese hackers are suspected of breaching the U.S. Office of Personnel Management, which stores files on all federal employees.
This is scary at a personal level if you work for the federal government (or, as in my case, have family members in the military or other government service). Employment records in both the public and private sectors contain a lot of private information about people – personal data that can be used for identity theft, medical information, personal history, etc. – but many federal employees who hold secret or top secret security clearances will have even more detailed information in their personnel files.
Even if you have no ties to the government yourself, though, it’s more than a little scary that its databases can be breached. That’s particularly true in these troubled times with so many conflicts between nations going on all over the world. We Americans tend to think war can never come to our own shores, even after the devastation of 9/11, but it’s highly likely that future battles will be waged in large part in cyberspace – and if our country loses that one, anything can follow.
These are just a few of the major security breaches we’ve seen thus far in 2014. Others include an attack on eBay in May that exposed users’ names, contact info and encrypted passwords. AOL experienced a breach in April that disclosed users’ email addresses and resulted in spam sent from spoofed addresses that appeared to come from AOL accounts. Outside the U.S., the personal data attached to some 20 million bank and credit card accounts was accessed and stolen in South Korea. Hackers also stole millions of Social Security numbers, including those of many famous people, thought to have come from compromised computers at LexisNexis, Dun & Bradstreet and Kroll.
None of this year’s breaches have received the level of publicity the Target breach got, although millions of people have been affected by them. And perhaps that’s the scariest aspect of all this. Are we getting so used to wide-scale security breaches that we’ve become desensitized to the news of yet another one?