Millions of online accounts have been compromised so far this year alone. The growth of data stored online is unprecedented, but data security is not keeping pace. The data breach deluge of 2011 is swelling larger than ever before and calls for better security measures to be implemented by all online services from gaming to banking.
Just how bad is it? Really bad. I will include links to references so that you can see for yourself the impact and nature of these breaches. Let’s take a look at breaches just in the past few months:
- 1.29 million Sega accounts
- 100 million or more Sony accounts
- Potentially the email accounts of over 2,500 companies serviced by Epsilon
- 360,083 bank accounts at Citigroup
- Tens of thousands of accounts at Codemasters
- 25,000 accounts or more at Square Enix
- 280,000 accounts at Honda
- 1.2 million accounts at the Texas Comptroller’s office
- 10,000 credit cards at the St. George Bank in Australia
- 114,000 accounts of iPad 3G owners
- 200,000 accounts or more at Bethesda Softworks
- $500,000 worth of Bitcoin currency
- 8.63 million patients’ information at the National Health Service Facility in London (UK’s largest employer)
- 18,000 Bioware accounts
- 40 million or more RSA SecurID tokens issued by EMC to over 30,000 companies and government agencies, including half of US banks that use SecurID tokens
This list doesn’t even include the numerous other sites and companies that have been attacked in this time period as well: the Labour Party, CNN, Automatic Data Processing (ADP), Lockheed Martin, the US Senate, the CIA, the IMF, PBS, Epic Games, L-3 Communications, Google, and almost 50 others.
The personal information compromised in these breaches includes anything from social security numbers to credit card numbers to just email addresses, usernames, and passwords. Covering up these blunders costs companies millions. The case of the Texas comptroller alone has already cost $1.8 million. As one report puts it, 2011 is set to be the worst year ever for security breaches.
The groups Anonymous and LulzSec have been linked to a number of recent attacks, though certainly the network of hackers is much larger. In response to the significant amount of online plundering, legislation known as the Data Security and Breach Notification Act will require companies to notify authorities and customers within 24 hours of a breach. Hopefully, new legislation will be a catalyst to better security policies.
It has been said that the only secure computer is one that is not on a network. Though it is true that most businesses could not withstand sophisticated attacks, like the one on EMC’s RSA, most of the attacks are not sophisticated. The majority of attacks focus on basic loopholes like SQL injection, security holes in servers that haven’t been upgraded (Sony), unencrypted data (Sony, Citigroup, etc.), and passing data insecurely through URLs (Citigroup).
Simply keeping up to date on the latest security breaches through Yahoo Pipes, the Web Hacking Incident Database, or the DataLossDB can give network administrators insight into which security loopholes to look for in their own networks. To avoid a PR nightmare and a huge cleanup bill, organizations need to take their online security much more seriously.