SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 86: The Anatomy of a Data Breach, Part 1

Posted on April 26, 2018

During the course of your day, buy things, like gas, food, & lodging. Do you pay cash for all those things — or do you try to go back in time and operate on the barter system? Even if you do most of your business in day to day life with cash, chances are there are still at least some occasions when you pull out a card. For many more of us, debit and credit cards are an essential and irreplaceable part of daily life. Some restaurants, for example, have already opted to go completely cashless.

Here’s the thing, though: when you use your card to pay for something, you’re not just offering up the money in your bank account, you’re also offering some pretty critical information: your name and your address at the least. What if the store offers to send you your receipts by email, along with some “special offers” from time to time? And of course, you can sign up for their rewards program, too — all you need to do is hand over your phone number! It doesn’t take long before these businesses have a massive treasure trove of your personal data.

There’s probably more data like this about you out in the world than you know about, even if all you did was go to the store to pick up a few things. That data is like digital gold, both for the companies that collect it — and the bad guys who want to steal it all. That intersection is where we’ll focus our discussion today, as we delve in to the first of our two-part look at the anatomy of a data breach. On today’s checklist:

  • How data breaches happen
  • Notable data breaches
  • What you (personally) can do to minimize the risk of a data breach

Let’s jump straight into the main issue here: you go out shopping, the store collects information on you, and generally, everything works exactly as it should — until it doesn’t. Now, suddenly, there’s news of a data breach, and you hear that your information might be “out there” somewhere. How did we get to this point? How could such a breach even occur?

How data breaches happen

For a breach to occur in the first place, a company has to hold onto your data to start. Today, that’s not a big ask: most companies keep at least some form of user data for marketing or sales tracking purposes. Based on how much data they collect and what they do with it, a breach could be an event that has only a few minor ripple effects, or it could be a disaster with a significant amount of fallout. It all depends on the exact situation.

For example, if a company only holds on to the first names and ZIP codes of its customers, a breach would only put a minimal amount of data at risk. Anyone who got their hands on a database with info like that wouldn’t be able to do very much with it at all. On the other hand, what if they kept a ton of info? What if they had your first and last names, your date of birth, and even your credit card numbers? Some organizations might even have reason to store your social security number, and of course, there are all the password databases out there to think about, too. In these situations, an intrusion that results in the theft of data could carry with it enormous ramifications.

Keep in mind, though, these are the two extreme ends of the spectrum. Though most companies store more than the minimum amount of data possible, they don’t often put all your eggs in one proverbial basket. There are some exceptions, though, which we’ll discuss further below. It’s not just about what the company in question stores, though: it’s how they store it that matters, too.

If the bad guys break in and make off with a password database that uses strong encryption which its administrators maintained with the best practices, it won’t do the intruders much good. They won’t be able to crack the code to get inside, so their prize is all but worthless in those cases. When these databases aren’t well maintained, though, or when they feature weaker security measures, the attackers get a one-way ticket to the jackpot. Some major breaches have even taken place because a company stored sensitive data in plain text — that’s like just handing the bad guys the keys to the place!

Okay, so we know that breaches depend on what a company holds onto and how they keep it safe, but how are the bad guys getting into these systems in the first place? That’s a good question. As you might imagine, there’s no shortage of different ways to try to break into a sensitive computer system.

Sometimes, an attacker goes straight to the source and gains physical access to a company network. This could be using an actual machine with someone else’s log-in information or by plugging an ethernet cable into the company network. Even an open or insecure Wi-Fi network within the business could serve as a possible point of entry for attack. In other cases, it’s a company insider who goes rogue and chooses to steal and sell the information of the company’s customers. Either way, these all belong in the class of “direct assaults.”

Sometimes, the bad guys will look to leverage flaws in web-connected company systems. That could mean an unpatched router, an insecure Internet of Things device, or even a poorly coded section of the business website. With these attack vectors, hackers have another array of options for establishing a firm foothold on the network. Once they do, they can start spreading tendrils outward to look for sensitive info — you don’t always end up on the machine with access to the data you want right at the start.

How do hackers find these holes? There are many “black hat” tools used for scanning servers on the Internet for vulnerabilities. Think of it as if you’re walking down a street and checking all the doorknobs of every house, looking for one that’s unlocked. Eventually, you’ll find your way inside. Some choose to use phishing attacks to dump malware onto a company network to make inroads instead. While some attacks on companies directly target their consumer information, often the intruders merely look for a target of opportunity. That’s why human error, such as leaving a sensitive laptop in a place where someone could steal it, often leads to data breaches, too.

A business might have excellent security on the outside, but more lax procedures internally. This is why software systems that can actively scan for suspicious internal connections can help to minimize the risk of intrusion. Otherwise, hackers who get past the main lines of defense can run wild inside a company’s network. So, what are some of the most notable breaches out there?

Notable data breaches

Way back in Episode 51, we covered five of the most prominent data breaches in history. Even though it hasn’t even yet been a full year since we put that episode together, that list is already out of date and many of them were supplanted by even bigger, broader data breaches. However, we’re not focusing solely on the “biggest” breaches today; instead, we’ll take a quick look at some that are notable for their timing and scope.

As we mentioned, sometimes breaches occur because the attacker has physical access to a business location. In the case of the 2007 TJ Maxx credit card data breach, access to a Wi-Fi network was enough for the bad guys to do their work. By exploiting the network to get into the company’s systems, the attackers were able to capture and record information for millions of credit card transactions the retail giant processed. TJ Maxx didn’t discover the breach until 2007, but by then it had already been ongoing for more than two years. In fact, as the company investigated, they realized that the intruders were able to access information on transactions that dated all the way back to 2003. In total, info on more than 45 million credit and debit cards were stolen by the attackers.

Home Depot suffered a similar breach which they uncovered in 2014; in that case, attackers grabbed about 56 million credit card numbers by hacking the point of sale software used to power both the hardware store’s cash registers and its self-checkout kiosks. These are good examples of how breaches that we find out about today could have been going on for years, unnoticed.  However, while it might sound like a major deal to have your credit card information stolen, it’s actually not the end of the world.

Generally, the law protects you from liability on fraudulent charges made to your card as a result of a breach or identity theft. Once you know that your info has probably been stolen, it is a simple matter to remedy. Just request a new card number from your issuing bank if they don’t beat you to it once a breach becomes public. What if it’s not your credit card number that gets stolen, though, but the info you used to apply for the card in the first place?

That’s what fell into the wrong hands with the 2017 Equifax breach, perhaps one of the biggest and most far-reaching security events we’ve seen in recent years. It was a true worst-case scenario, where attackers got their hands on full names, birthdays and addresses, driver license numbers, and even complete Social Security numbers. It was a treasure trove with more than enough info to commit identity theft against tens of millions of people. If you missed that story or you’d like to learn more about what went down, we covered it in detail in Episode 54 of The Checklist.

Finally, what if someone leaked your most vital information in a data breach? It might sound more like a nightmare scenario out of a show like Black Mirror, but that is what happened in 2015 when the Office of Personnel Management was breached. Attackers made off with 22 million records for current and former employees of the US government, and the dataset included far more than just names and social security numbers. Instead, fingerprint data for about 5.6 million people was also stolen, along with all the information contained in 127-page long questionnaires used to determine security clearances for employees.

These questionnaires contained all kinds of highly personal responses, from information on personal substance abuse and sexual histories to financial data, psychiatric care records, and more. OPM kept this data for a reason, as it can be important when determining who can handle state secrets, but its loss opens millions of people to the potential for blackmail. That’s definitely data one would want to have if you needed leverage over someone — luckily, the average person probably doesn’t have this level of info floating around in a database somewhere.

What you (personally) can do to minimize the risk of a data breach

Of course, we don’t want to end on such a depressing note as the potential for widespread blackmail — so why not focus on some productive things you can do instead? We want to talk about the fact that not all hope is lost: while we can’t go out and fix the way companies collect and handle our data, that doesn’t mean we can’t do anything to protect our info. The more steps we take now, the more we can minimize our risk of exposure in a data breach.

For starters, remember this important fact: in general, companies will only have as much data as you allow them to have. With recent Facebook scandals notwithstanding, this is something upon which you can usually rely. In other words, monitor what you’re handing over to businesses as you sign up for accounts online. For example, what if you’re filling out an online form? Only fill in the fields you’re required to complete. If the site doesn’t require you to submit your phone number, why give it to them? It only heightens your risk and increases your level of exposure to threats.

Watch out for Autofill, too. While handy, it won’t check to see which fields are required and which aren’t — it just plugs in the data it has wherever it thinks it should go. Delete the info you don’t want to submit, or don’t use Autofill at all. Some sites, such as e-commerce locations, will try to capture the information you type into a field even if you don’t submit it. While not widespread, it is something to consider and to know.

The next tip is one very familiar to our listeners. We’ve said it before, but we’ll say it again and again: do not reuse passwords, ever! It can be a convenient time saver, but it exponentially increases your risk in a breach. It only takes one compromised website for the bad guys to grab that password, and if you use it everywhere, guess what? You’ve just given them a skeleton key to get into all your online business. Use a password manager to make it easier to generate passwords of an appropriate length and complexity. This way, even if the site’s password database does end up stolen and they did a poor job protecting it, it will take longer to crack your password. And if you didn’t choose to re-use it? It’s useless outside of that service.

Staying up to date on security news, especially stories involving data breaches, can let you spot the signs that your data might end up swept up in an intrusion into a company’s servers. However, the mainstream media tends only to report on the most prominent and worst breaches, which means it takes time for those stories to filter out to those organizations. Instead, follow prominent security researchers on Twitter, such as Brian Krebs (@BrianKrebs) for an inside look at both the world of information security and tips on the latest incidents.

Want to know if you’ve already been swept up in a breach? You can use a website such as haveibeenpwned.com, which searches through a vast dataset comprised of many of the biggest compromised databases. You can plug in your email address or username and quickly find out in which breaches your data can be found. While this does depend on the data held by the site operators, they’re often quite good at staying up to date on the latest data.

In fact, they now even offer another service, PwnedPasswords, to allow you to determine whether any of your passwords are out there on the Internet. Password manager app 1Password recently collaborated with the Pwned team to create a proof of concept app for tracking the current integrity of your passwords. The app makes a hash of the first five characters of your vaulted passwords, then sends them securely to Pwned. Pwned then sends back all the hashes that match, allowing the app to hash the remainder of your password to check and see if the same string exists in a breached database. Pretty cool!

With that said, it’s time to bring this week’s episode to a close. Next week, in part two, we’ll look at this same issue, but from the business side of things. What’s it like for the companies who must contend with these breaches, and what are they doing to guard against them? We’ll answer that and more when we return.

Join our mailing list for the latest security news and deals