This past year was a rough one for IT security. Hackers gained access to billions of sensitive records in 2012, using a mix of sophisticated new attacks and old techniques – as well as exploiting some big mistakes on the part of organizations.
In a year full of big data breaches and other incidents, these were 10 of the worst IT security mistakes organizations made in 2012:
1. ‘Human error’ exposes 800,000 records
In a March data breach that officials blamed on “human error,” information about roughly 780,000 people was stolen from a server at the Utah Department of Technology Services (DTS). That included 280,000 people who may have had their Social Security numbers compromised, along with 500,000 others who may have had less sensitive information — such as names and birth dates — accessed by hackers.
What were the errors in question? After the server was installed, DTS IT staff neglected to change the passwords from the factory-issued defaults and failed to keep the server behind the agency’s normal firewalls while it was being upgraded.
2. Unencrypted back-up tapes fall off a truck
Sometimes data is breached not through sophisticated computer hacking, but by stealing or finding physical documents. That’s what happened in a 2012 breach involving the California Department of Child Support Services. More than 800,000 health and financial records were lost after backup tapes fell off of a delivery truck — and the data wasn’t encrypted.
3. Hackers give Yahoo a wake-up call
In July, a group of hackers gained access to a file containing the email addresses and passwords of roughly 453,000 Yahoo accounts and posted them online. The breach affected users of Yahoo Voices, formerly known as Associated Content, a service that allows people to upload their own blog posts, videos and other content.
According to the hackers responsible, the attack was carried out to give Yahoo a “wake-up call” about its lax security practices. In this breach, Yahoo’s primary mistake was storing the addresses and passwords in a clear, unencrypted text file. Also, the company failed to notice that large amounts of data were being sent to outside networks during the lengthy breach.
4. Stolen laptop leads to $1.7 million fine
Healthcare information is a big target for hackers, and a common scenario in many health data breaches is that a portable device containing data is stolen or lost by a doctor or employee. One example from this year occurred when a hard drive full of unencrypted data was stolen from the car of an employee at the Alaska Department of Health and Social Services.
In June, the agency agreed to pay $1.7 million to settle possible Health Insurance Portability and Accountability Act violations, making it the second-biggest HIPAA fine ever issued.
5. Security software brings its own vulnerabilities
While there’s some debate about the worth of antivirus software in general, antivirus vendor Sophos in particular suffered two separate setbacks in September 2012. First, the company released an update to its antivirus software that caused the program to classify a malware definition update as malware by mistake. The update, other critical files and, in some cases, custom-built business applications were quarantined as if they were viruses.
Around the same time, a security researcher alerted Sophos that he’d found a number of critical flaws in the Windows, Linux and Mac OS X builds of the company’s antivirus applications.
6. SSNs exposed for 3 months
Tech experts agree that IT will never be able to prevent all security incidents from occurring and that organizations must have plans in place to quickly and effectively deal with problems that do arise. Failing to do so can be costly, as shown by a breach at the University of North Carolina at Charlotte.
Configuration errors allowed sensitive information to be publicly accessible — and then the hole was left open for an additional three months. Though there was no sign the information had been accessed and abused, a total of 350,000 Social Security numbers were exposed for that time period.
7. 10 million credit numbers put at risk
In another data breach lasting longer than a month, between Jan. 21 and Feb. 25, more than 10 million credit card numbers may have been stolen from payment processor Global Payments. The information stolen could have come from all major credit card brands and it was feared the data might be used to create counterfeit cards.
Hackers likely breached the company’s knowledge-based authentication (KBA) to gain access to an administrative account. KBA requires users to answer a series of questions to access a system — often personal questions answered by a user during registration, such as “What is your mother’s maiden name?” Security experts warn against relying on KBA, because the answers can often be guessed or learned by hackers through social engineering.
8. One user opens door to the whole network
In South Carolina, a large breach involving 3.3 million unencrypted bank account numbers and 3.8 million tax returns started with one simple mistake: One state government employee fell for a phishing scam, and hackers were able to use the credentials they stole to access all of the Department of Revenue’s systems.
9. Hi-tech agency makes simple gaffe
Sometimes, data breaches are notable because it seems that the people involved should know better. That was the case after personally identifiable information about 100,000 NASA employees was stolen.
Despite the agency’s technical prowess, the breach was caused by two common IT security mistakes: failure to use encryption and a lack of control over mobile devices. The breach occurred after an employee took home an unencrypted laptop, which was subsequently stolen from the person’s car.
10. Dropbox drops the ball
Companies’ concerns about the security of cloud computing services likely were assuaged after a data breach at popular cloud storage provider Dropbox allowed users’ email addresses to be stolen.
The cause of the incident was a simple password mistake computer users are frequently warned about: A Dropbox employee had a password stolen from an external site — and since the staffer used the same password for a work-related account, it was used to steal a document containing the email addresses.