Question

In: Accounting

List three real-life notifiable data breaches (NDB) that occurred prior to 2018 and discuss them in detail.

Solutions

Expert Solution

List three real-life notifiable data breaches (NDB) that occurred prior to 2018 and discuss them in detail.

Let us understand NDB:

The Notifiable Data Breaches (NDB) scheme requires regulated entities (entities) to notify particular individuals and the Australian Information Commissioner (the Commissioner) about ‘eligible data breaches’. A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates.

Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the entity’s position.

Not all data breaches are eligible.

For example, if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the Commissioner. There are also exceptions to notifying in certain circumstances.

An eligible data breach arises when the following three criteria are satisfied:

  1. There is unauthorized access to or unauthorized disclosure of personal information, or a loss of personal information, that an entity holds.
  2. This is likely to result in serious harm to one or more individuals.
  3. The entity has not been able to prevent the likely risk of serious harm with remedial action (see, Preventing serious harm with remedial action).

A few real-life notifiable data breaches:

1. Hudson's Bay, the parent company of Saks Fifth Avenue, confirmed in April that a data breach compromised payment systems and therefore customers' credit and debit cards. The estimated number of affected customers has not yet been released but could be in the millions. Online customers were not affected.

2. Under Armour confirmed in March that data from its MyFitnessPal app was accessed by an "unauthorized party." Payment information was not released, but the app is used to track weight loss and information pertaining to that likely leaked. More than 150 million people's information was likely compromised.

3. Panera Bread confirmed on April 2 that it had been notified of a data leak on its website. Personal information, including names, addresses, and partial credit card numbers, may have leaked, though the company says the investigation is ongoing. The flaw in the website was fixed as of Monday, but up to 37 million people's information could have been leaked according to one estimate.

4. Kmart confirmed in June that credit card information was stolen from shoppers who came into its stores. The store did not confirm how or when the data was stolen, but did say that other personal details were not taken.

5. GameStop confirmed a data breach in April 2017. Customers who shopped online were vulnerable for a six-month period, from August 10, 2016, to February 9, 2017. Names, addresses, and credit card information were all taken in a breach of the website's payment processor.

6. Arby's confirmed in February 2017 that a data breach may have affected 355,000 credit and debit cards used at its stores. Malware affecting the chain's cashier systems between October 25, 2016, and January 19, 2017, allowed the unauthorized access.

Let us discuss a few of the biggest data breaches of the 21st century (Sr. No., company name, impact):

1. Equifax: Personal information of 143 million users, including card details, was exposed.
2. Adult FriendFinder: More than 412.2 million accounts.
3. Anthem: Theft of personal information on up to 78.8 million current and former customers.
4. eBay: 145 million users compromised.
5. JP Morgan Chase: 76 million households and 7 million small businesses.
6. Home Depot: Theft of credit/debit card information of 56 million customers.
7. Yahoo: 3 billion user accounts.
8. Target Stores: Credit/debit card information and/or contact information of up to 110 million people compromised.
9. Adobe: Accessed IDs and encrypted passwords for 38 million "active users."
10. US Office of Personnel Management: Personal information of 22 million current and former federal employees.
11. Sony's PlayStation Network: 77 million PlayStation Network accounts hacked; estimated losses of $171 million while the site was down for a month.
12. RSA Security: Possibly 40 million employee records stolen.
13. Heartland Payment Systems: 134 million credit cards exposed through SQL injection used to install spyware on Heartland's data systems.
14. TJX Companies, Inc.: 94 million credit cards exposed.
15. Uber: Personal information of 57 million Uber users and 600,000 drivers exposed.

Let us discuss Yahoo, JP Morgan Chase and eBay in detail:

YAHOO

In September 2016, Yahoo confirmed a massive security breach in which hackers swiped personal information associated with at least 500 million accounts; the breach took place in 2014. Yahoo later disclosed that a different attack in 2013 compromised more than 1 billion accounts. The incident is a big deal since so many people have a Yahoo account of some type, for email, finance, fantasy sports and so on. In the official statement given by Yahoo, the account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. The ongoing investigation suggests that the stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected. Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen, and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo's network.

Yahoo is one of the internet's busiest sites, with one billion monthly users, and one of the oldest free email services; many users have built their digital identities around it, from their bank accounts to photo albums and even medical information. It is too early to say what impact the breach might have on Yahoo and its users, because many questions remain, including the identity of the state-sponsored hackers behind it, but there is already some impact on Yahoo users and stakeholders. Yahoo confirmed that the stolen user information was being used primarily for spamming, i.e., sending spam to the people whose information was stolen. But since such information can often be passed around widely among criminal hackers, it is always possible it could be used for more nefarious purposes.

In the meantime, hackers posted to underground forums and online marketplaces what they claimed was stolen Yahoo data, offering a large collection of stolen Yahoo credentials, including usernames, easily cracked passwords, birth dates, ZIP codes and email addresses, on an underground site where hackers can buy and sell stolen data. An infamous cybercriminal named Peace claimed on a website that he was selling credentials of 200 million Yahoo users from 2012 on the dark web for just over $1,800. The underground site uses Tor, the anonymity software, and Bitcoin, the digital currency, to hide the identities of buyers, sellers and administrators who are trading attack methods and stolen data.

It will take Yahoo months or years to regain users' trust.

"When a company has allowed their customers' data to fall into the hands of criminals, the resulting lack of trust is difficult to repair," CEO Ebba Blitz said in a statement. There are also possible larger implications for the $4.8 billion sale of Yahoo's core business, which is at the centre of this hack, to Verizon. The scale of the liability could bring untold headaches to the new owners. Shareholders are likely to worry that it could lead to an adjustment in the price of the transaction. That deal is now moving to completion, but the companies cannot be integrated until it is approved by a number of regulatory agencies, as well as Yahoo shareholders. Representatives of Verizon and Yahoo started meeting recently to review the Yahoo business so that the acquisition would run smoothly once complete. The good news is that Yahoo says the passwords were hashed, meaning that the hackers must spend much more time to decrypt a single user password unless the user uses a simple, common password and simple or obvious security questions and answers.

Yahoo said on 22 September 2016 that at least 500 million of its accounts were hacked in 2014 by what it believed was a state-sponsored actor, in what appeared to be the world's biggest known cyber breach by far.

On 15 March 2017, the U.S. Justice Department unsealed indictments against four men accused of hacking into a half-billion Yahoo email accounts. Two of the men worked for a unit of the Russian Federal Security Service (FSB) that serves as the FBI's point of contact in Moscow on cybercrime cases. Another is Karim Baratov, a Canadian and Kazakh national who lives in Canada.

For the data breach in 2014, some security experts noted that "the majority of Yahoo!'s passwords used the bcrypt hashing algorithm, which is considered difficult to crack; the rest used the older MD5 algorithm, which can be broken rather quickly." Such information, especially security questions and answers, could help hackers break into victims' other online accounts.

According to Yahoo's chief information security officer, Bob Lord, "the hackers used 'forged cookies', bits of code that stay in the user's browser cache so that a website doesn't require a login with every visit. The cookies could allow an intruder to access users' accounts without a password by misidentifying anyone using them as the owner of an email account. The breach may be related to the theft of Yahoo's proprietary code," Lord said. "Since individuals reuse exactly the same passwords for multiple online services, some low level of positive conversion rate is inevitable, making ATO possible with a very small number of user accounts, and may explain the positive validation of this limited number of accounts." As for the data breach that occurred in August 2013, Yahoo stated this was a separate breach from the late-2014 one and was conducted by an "unauthorized third party". Similar data to that from the late-2014 breach had been taken from over 1 billion user accounts. Yahoo! had been able to identify, during this investigation, that the data was taken in the late-2014 hack using fake cookies, but the method of the August 2013 breach was not clear to them upon their

JP Morgan Chase

The largest bank in the nation was the victim of a hack during the summer of 2014 that compromised the data of more than half of all US households – 76 million – plus 7 million small businesses. The data included contact information – names, addresses, phone numbers and email addresses – as well as internal information about the users, according to a filing with the Securities and Exchange Commission.

The bank said no customer money had been stolen and that there was “no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack."

Still, the hackers were reportedly able to gain "root" privileges on more than 90 of the bank's servers, which meant they could take actions including transferring funds and closing accounts. According to the SANS Institute, JP Morgan spends $250 million on security every year.

In November 2015, federal authorities indicted four men, charging them with the JP Morgan hack and attacks on other financial institutions. Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein faced 23 counts, including unauthorized access to computers, identity theft, securities and wire fraud and money laundering that netted them an estimated $100 million. A fourth hacker who helped them breach the networks was not identified.

Shalon and Orenstein, both Israelis, pleaded not guilty in June 2016. Aaron was arrested at JFK Airport in New York last December.

The attack on the lender, which is being probed by the Federal Bureau of Investigation and other agencies, started in June at the digital equivalent of the company’s front door, exploiting an overlooked flaw in one of its websites, two people familiar with the bank’s investigation have said.

The hackers unleashed malicious programs designed to penetrate the corporate network, the people said. With sophisticated tools, the intruders reached deep into the bank’s infrastructure, tapping gigabytes of information, until mid-August.

eBay

The online auction giant reported a cyber attack in May 2014 that it said exposed names, addresses, dates of birth and encrypted passwords of all of its 145 million users. The company said hackers got into the company network using the credentials of three corporate employees, and had complete inside access for 229 days, during which time they were able to make their way to the user database.

It asked its customers to change their passwords but said financial information, such as credit card numbers, was stored separately and was not compromised. The company was criticized at the time for a lack of communication informing its users and poor implementation of the password-renewal process.

CEO John Donahoe said the breach resulted in a decline in user activity, but had little impact on the bottom line: its Q2 revenue was up 13 percent and earnings up 6 percent, in line with analyst expectations.

According to eBay, attackers compromised employee log-in credentials. This gave the attackers access to the corporate network and the systems on it.

The hacking, which is still being examined by security experts, happened a couple of months ago. It is believed that the access was obtained after hacking into an eBay employee's computer. The technique used to execute the cyber crime has not yet been revealed, but the criminals also managed to steal hashed passwords that are not exactly "uncrackable".

The exact number of compromised accounts is still unknown, but even eBay’s “humble” estimate of 145 million stolen accounts makes this a hacking of mammoth proportions. The fact that the hacking was detected so late has also enabled the hackers to check for cross-platform log-in opportunities and also sell the stolen information online.

eBay is also susceptible to XSS attacks and other hacking methods. Security expert Jordan Jones showed how the eBay’s Research Labs page can be infiltrated with the help of a simple XML code. In another research, Michael E found a way to open bogus auction pages with illegal JavaScript scripting and harvest user cookies without their knowledge.

“It’s not surprising that eBay’s site was breached. Attacks like this can definitely be considered the new norm,” Checkmarx founder and CTO Maty Siman explained. “Organizations need to take more security measures to protect their digital assets from the outset by examining their source code for vulnerabilities and eliminating them in advance.”
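The Yahoo discussion above says the bcrypt-hashed passwords are "difficult to crack" while the older MD5 hashes "can be broken rather quickly", and the eBay discussion makes the same point about hashed passwords that are "not exactly uncrackable". The Python block below is an added illustration of why, and is not code from the original answer or from either company. It runs an offline dictionary attack against a constructed password dump in which legacy rows hold unsalted MD5 and migrated rows hold a salted, deliberately slow hash. bcrypt is not in the Python standard library, so hashlib.scrypt stands in for it; the usernames, passwords, wordlist and cost parameters are all made up for the demonstration.

```python
import hashlib
import os
import time

# Constructed wordlist and accounts for the demonstration (not real leaked data).
WORDLIST = ["password", "123456", "letmein", "qwerty", "sunshine", "Tr0ub4dor&3"]
ACCOUNTS = {
    "alice": ("md5", "sunshine"),
    "bob": ("md5", "letmein"),
    "carol": ("scrypt", "qwerty"),
}

# Work-factor parameters for the slow hash (assumption: chosen so one guess
# costs tens of milliseconds; a real deployment tunes these to its hardware).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def md5_hex(password: str) -> str:
    """Unsalted MD5: fast, and one table of guesses serves every record at once."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash standing in for bcrypt: one slow computation
    per guess per record, because the salt defeats shared lookup tables."""
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def make_dump():
    """Build the 'stolen' database: legacy rows unsalted MD5, migrated rows scrypt."""
    dump = []
    for user, (alg, pw) in ACCOUNTS.items():
        if alg == "md5":
            dump.append({"user": user, "alg": alg, "salt": b"", "hash": md5_hex(pw)})
        else:
            salt = os.urandom(16)
            dump.append({"user": user, "alg": alg, "salt": salt, "hash": slow_hash(pw, salt)})
    return dump


def crack(dump, wordlist):
    """Offline dictionary attack; returns {user: recovered_password}."""
    cracked = {}
    # One precomputed table covers every unsalted MD5 record.
    md5_table = {md5_hex(w): w for w in wordlist}
    for rec in dump:
        if rec["alg"] == "md5" and rec["hash"] in md5_table:
            cracked[rec["user"]] = md5_table[rec["hash"]]
        elif rec["alg"] == "scrypt":
            # No shortcut: every candidate is re-hashed with this record's salt.
            for w in wordlist:
                if slow_hash(w, rec["salt"]) == rec["hash"]:
                    cracked[rec["user"]] = w
                    break
    return cracked


def seconds_per_guess():
    """Measure the attacker's cost of a single guess under each scheme."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(1000):
        md5_hex("guess")
    md5_cost = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    slow_hash("guess", salt)
    scrypt_cost = time.perf_counter() - t0
    return {"md5": md5_cost, "scrypt": scrypt_cost}


if __name__ == "__main__":
    print("cracked:", crack(make_dump(), WORDLIST))
    cost = seconds_per_guess()
    print(f"md5: {cost['md5']:.2e} s/guess, scrypt: {cost['scrypt']:.2e} s/guess")
```

With a six-word list every account falls either way; the difference is the per-guess cost, which is what turns a billion-row MD5 dump into an afternoon's work and a salted slow-hash dump into a per-account budget an attacker has to justify.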

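Bob Lord's explanation above of "forged cookies", and his remark that the breach may be related to the theft of Yahoo's proprietary code, describe an attacker who can mint a session cookie the site accepts without ever knowing a password. The Python block below is an added example, not code from the original answer or from Yahoo, and it assumes a generic signed-cookie design (user, expiry and an HMAC over both under a server-side key) rather than Yahoo's actual format, which the page does not describe. The key value, the victim address and the fixed clock are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed signing key for the demo. Assumption: in the scenario described
# above, this is what leaks along with the code that mints cookies.
# Never hard-code a real key like this.
SERVER_KEY = b"demo-cookie-signing-key-not-real"


def _mac(payload: bytes, key: bytes) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_cookie(user: str, key: bytes, now: float, ttl: int = 3600) -> str:
    """Mint a 'stay logged in' cookie: user|expiry|HMAC(key, user|expiry)."""
    payload = f"{user}|{int(now) + ttl}".encode()
    return f"{payload.decode()}|{_mac(payload, key)}"


def verify_cookie(cookie: str, key: bytes, now: float):
    """Return the user the cookie authenticates, or None if it is invalid."""
    try:
        payload, mac = cookie.rsplit("|", 1)
        user, expiry = payload.split("|")
        expiry = int(expiry)
    except ValueError:
        return None
    if now >= expiry:
        return None
    # Constant-time comparison so the MAC cannot be recovered byte by byte.
    if not hmac.compare_digest(_mac(payload.encode(), key), mac):
        return None
    return user


def forge_cookie(victim: str, stolen_key: bytes, now: float) -> str:
    """An attacker holding the key needs no password: the forgery is
    indistinguishable from a genuine cookie as far as verify_cookie can tell."""
    return issue_cookie(victim, stolen_key, now)


def rotate_key() -> bytes:
    """Containment step: a fresh key invalidates every cookie minted with the old one,
    forged or legitimate, which is why key rotation forces everyone to log in again."""
    return secrets.token_bytes(32)


def demo():
    now = 1_700_000_000  # fixed clock so the run is reproducible
    forged = forge_cookie("victim@example.com", SERVER_KEY, now)
    guessed = forge_cookie("victim@example.com", b"wrong-key", now)
    new_key = rotate_key()
    return {
        "forged_with_stolen_key": verify_cookie(forged, SERVER_KEY, now),
        "forged_with_guessed_key": verify_cookie(guessed, SERVER_KEY, now),
        "expired": verify_cookie(forged, SERVER_KEY, now + 7200),
        "after_key_rotation": verify_cookie(forged, new_key, now),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The point the demo makes is that the cookie's security rests entirely on the secrecy of the key: with it, the attacker is accepted as the victim; without it, the forgery fails, and once the key is rotated the forged cookie fails too. A real deployment would also bind the cookie to a server-side session record so that individual accounts can be revoked without rotating the key for everyone.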
