Recently there were two huge data breaches of two very large companies. Both organizations collected a ton of information about their clients. The breaches were both spectacular in scope. Furthermore, both were among the largest known data breaches.
I see a large contrast between the Marriott breach and the Equifax breach. The difference between the two massive breaches clearly demonstrates the importance of basic security methods.
These days data breaches happen weekly just like new movies. And just like the movies, every week seems bigger than the last.
There is a world of difference between a state sponsored cyber attack and script kiddies. The Marriott and Equifax breaches show the disparity between them.
Massive Marriott Breach
Let’s start with Marriott. They suffered data breach twice the size of the Equifax breach – we will discuss that one next.
What Happened?
In September 2018, Marriott disclosed details about a data breach that had been ongoing since 2014. The target was the Starwood guest reservation database. This contained very private details about the people staying at the property.
The attackers had copied data from the database. The scope of the breach is estimated at around 500 million unique guests. Data on about 500 million guests was stolen over a 4 year period
What Was Taken in the Marriott Breach
Most of the people whose data had been compromised gave away a treasure trove of actionable information. The following information about most (estimated 327 million) of their guests was leaked:
- name
- address
- phone number
- email address
- passport number
- date of birth
- gender
- arrival and departure dates and times
- reservation date
- credit card number
- credit card expiration dates
- and communication preferences
That’s quiet a lot of valuable data! It gets worse – even though the credit card information was stored encrypted, it is possible that the attackers also acquired the components needed to decrypt the data.
About 5.25 million unencrypted passport numbers were stolen. Additionally another 20.3 million encrytped passport numbers were taken.
Unencrypted passwords being stored on disk are one step above writing your password on a post it note and attaching it to the monitor.
The company’s response was in line with what everyone who gets hacked says. It goes something along the lines of “We are really sorry. We deeply regret this incident occurred. We are working with local law enforcement.”
Sadly this does nothing to make the status quo any better nor does it give hope for the future. They then proceeded to offer up a year of free credit monitoring services to those affected. This is a near useless bit of compensation for the breach.
Who Was Behind the Marriott Breach?
Although we do not have certainty about who conducted the cyber attack, there is a growing chorus of investigators point at China.
Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers
– Reuters.com
Why would someone want all this data? Well now it should make sense. A foreign intelligence agency could probably benefit from all those passports, credit card numbers, and personal details. Everything that is needed to get forms of identification and identity yourself is there. This would include government personnel, high value private citizens, business leaders, etc.
Sadly none of this is out of line for China. We have a big list of indictments against Chinese hackers working for the intelligence services and the military.
Legendary Equifax Breach
In the above case of Marriott, I am more forgiving than what you are about to read. A sophisticated operation planned and carried out by a strong foreign intelligence service isn’t the same thing as being careless with your InfoSec and guarding against script kiddies.
Equifax is one of the world’s largest credit rating agencies. They have almost 1,200 times the amount of data held in the Library of Congress! I don’t know how to put this, but it’s kind of a big deal.
Equifax wins the award for most negligent data breach. There were lots of competitors but in the end Equifax demonstrated they are the best at totally not caring about your data.
What Happened in the Equifax Breach?
About 148 million consumers personal data was breached. Equifax and other consumer reporting agencies (CRA) gather tons of consumer data to analyze and make credit scores. They then compile this information into a detailed report and sell it to third parties.
This is especially damning because the consumers whose data was affected did not have a choice to give their information. There was no opt out nor was any information voluntarily submitted.
Think of what kind of information a company that generates credit reports would have on you. The CEO “retired” shortly after the affair.
How Did The Attack Happen?
This legendary breach was both large and entirely preventable. There were multiple exploitations at work here. The key method was a well known Apache Struts critical security vulnerability. In March 2017 the vulnerability was made public. However, Equifax did not patch their systems.
A custom built internet facing application was left vulnerable. It doesn’t help that the systems it was running on were developed in the 1970s. That’s not a type – 1970s. Two months later a cyberattack was launched against Equifax for 76 days.
Equifax had systems over 5 decades old involved in the breach.
There were 48 different databases breached containing unencrypted personally identifiable information (PII). It wasn’t until July 2017 that Equifax noticed the suspicious activity. Attackers were querying their databases and transferring the data out of their systems undetected.
How could this be? Well it turns out the device used to monitor the network traffic was inactive for the past 19 months. The reason – an expired security certificate! But it wasn’t just 1 – it was over 300!
Equifax had over 300 expired security certificates on their system at the time of the breach.
You can read many of the details in the U.S. House of Representatives Committee on Oversight report.
The Blunders Continue
Once the breach was make public, Equifax was unprepared to support the number of impacted consumers. Call centers were overwhelmed. The dedicated breach website was also unable to process the page requests fast enough.
Insider Stock Sales
Managers of Equifax sold about $1.8 million of stock shortly after the company became aware of the breach. Trading on insider information like that is illegal yet there have been no punishment dealt to the perpetrators.
Fix Site Bloopers
This one is even better. After the breach was made public, Equifax had to enter cleanup mode. They created a website that people could go to and learn about the impact of the cyberattack.
At first the website was useless giving out mixed or inaccurate information. Then it would generate weak PINs to use the service. They were both sequential and non-random!
But wait – there’s more!
In the aftermath of the breach, Equifax’s site used to set up alerts on individuals credit rating history can be easily spoofed.
https://www.zdnet.com/article/equifax-freeze-your-account-site-is-also-vulnerable-to-hacking/
I saved the best for last. One more thing.
Someone made a fake Equifax site…then…Equifax linked to it! I could not make that up if I tried. A software engineer named Nick Sweeting created the site www.securityequifax2017.com. For reasons which remain unclear, employees of Equifax tweeted the fake site as the real site – www.equifaxsecurity2017.com.
Take a look at the fake site for yourself and tell me if you would be fooled by it. The site was upfront about being a parody yet it convinced Equifax to tweet it out.
Not only did they tweet the wrong link, they tweeted it 3 times. #Equihax pic.twitter.com/T8jrhSfhqw— Nick Sweeting (@thesquashSH) September 20, 2017
Responsible Parties
China is again suspected of industrial espionage. This is because a large amount of suspicious traffic from these systems was going to China. However the facts of the matter are that a much less sophisticated attack from a much less funded organization could have done the same.
What Can They Do?
To date, neither Marriott or Equifax has faced repercussions from the breach.
One thing I would like to see happen is they stop saing we take your privacy and security very serious…because they don’t. It is evident in their actions.
What Should Marriott Have Done?
While the negligence on display with the Equifax hack is worse than the Marriott incident there was area to improve. Too much valuable information was stored in the clear – they should have encrypted it. Also if we cannot prevent an attack we need to at least detect it. Neither of those happened here.
What Should Equifax Have Done?
Equifax blundered their systems away. Not patching systems with critical security patches is a big problem. It doesn’t help having computers from 50 years ago in use.
According to the House Report, there were at least 2 points of failure that would have mitigated or prevented this breach.
- Lack of accountability and no clear lines of authority in their IT management structure – leaving a gap between IT policy and operations. This resulted in lack of implementation of key security fixes.
- Equifax had been acquiring companies and adding their systems and data to their already old and complex environment.
Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues prior to this cyberattack, the data breach could have been prevented.
House Report
What Can We Do?
Not very much in cases like this. In each of these stories the people impacted did little to nothing wrong. The collector of their data was simply negligent.
There are some avenues we could pursue to avoid this from happening so much and so bad. Regulation can be introduced to stem the tide. Senator and privacy advocate Ron Wyden has propsed a bill called the Consumer Data Protection Act of 2018.
In short it proposes doing the following:
- establishing minimum privacy and cybersecurity standards
- large fines against companies
- creating a National Do Not Track systems that allows consumers to opt out of data collection
- provide more power for consumers to review the personal data collected about them.
The Tipping Point
So how much longer is this sort of thing going to be happening? IMHO until the liability landscape changes there is no incentive for organizations who collect data about people to change their ways. They say the said tired thing each time and take trivial actions to look as good as they can.
Since there is so little liability, companies who suffer a data breach simply choose to pay the small fine that accompanies such an event.
The tipping point for us might be a massive cyberattack on our infrastructure by a foreign power. I think we need something on par with an alien invasion to rally everyone against the common threat – data breaches.
If you liked this post then you might also like: The Security Theater of Chip Cards.