Anyone who follows cybersecurity is aware of the steady drumbeat of data breaches and attacks. So, an attack needs to really stand out to earn the name “disaster.”
We’ve assembled eight truly disastrous IT security failures over the past decade, with the goal of finding not just clever hacks, but real mistakes on the part of the victims. Hopefully you’ll come away with some ideas on how not to suffer a disaster of your own.
2012: Court Ventures gets social-engineered
Hieu Minh Ngo proved that you don’t need a lot of technical know-how to breach the security of an important data broker and get access to a lot of people’s private information. Sometimes all it takes is some brazen misrepresentation and social engineering skills. While still in his early 20s, Ngo convinced Court Ventures, a data broker later purchased by Experian, that he was a private investigator in Singapore. He then purchased personally identifying information (PII) from Court Ventures as part of his “work.”
This data became the basis for an elaborate data marketplace that he promoted to identity thieves. All in all, he made nearly $2 million before he was arrested and pled guilty. While Ngo did in fact get his start as an ordinary hacker, his “non-technical” scam proved to be his most profitable.
2014: Mt. Gox collapses
Today, we’re used to all sorts of hacks and skullduggery and mistakes in the crypto realm (does “all my apes gone” ring a bell?). But 2014 was relatively early in the crypto era, and the world was riveted by the drama at a Japanese Bitcoin exchange called Mt. Gox. Originally developed as a site for trading Magic: The Gathering cards, by 2013 Mt. Gox was handling something like 70% of all Bitcoin transactions.
Mt. Gox had a problem with a hack in 2011 and managed to fix things in a way that satisfied most customers. But in 2014, the company rapidly became insolvent, cutting millions of dollars in bitcoin value off from their rightful owners. While the full story of what happened is still not entirely clear, it appears the 2011 hack never truly ended, that bitcoins were being skimmed off by attackers for years, and the company may have been essentially operating as a pyramid scheme, only able to pay for withdrawals with new deposits, by as early as 2013. Inside the company, a variety of terrible security and management practices were causing an implosion, with no version control system in place for software updates and all changes going through the corporate CEO, meaning security patches might take weeks to roll out. You’d think that this all might cause people to think twice about putting millions of dollars into unregulated crypto-based financial institutions, but that has not turned out to be the case.
2014-7: The big Chinese hacks: Starwood, OPM, and Equifax
The mid ’10s saw three major institutions hit by data breaches: the reservation systems for the upscale Starwood hotel brands in 2014; The U.S. Office of Personnel Management, the agency that manages the government’s civilian workforce, in 2015; and Equifax, one of the big three credit rating agencies, in 2017. All three attacks were the result of multiple security failures at each institution, the details of which were acutely embarrassing when they came out. For instance, OPM had confidently completed a “big bang” system reset that they thought had purged the attackers from their network, unaware that the same group had gained another foothold elsewhere; Equifax wasn’t able to spot encrypted data being exfiltrated by their attackers because they had forgotten to renew an SSL certificate; and the Starwood hack wasn’t detected until four years after it happened, after the company had been bought by Marriott.
All of these data breaches resulted in millions of people’s PII being stolen by the attackers, and in the case of the OPM and Equifax breaches, a lot of it was quite sensitive. The hacked organizations provided credit monitoring to affected individuals—and prepared for a big onslaught of identity theft that never came. Authorities now believe that the attacks were perpetrated by hackers employed by the Chinese government looking to build up a “data lake” of individuals associated with the U.S. government.
2016: The Clinton campaign hack
If there’s one thing we can remember about the Hillary Clinton 2016 campaign, is that it was about emails, somehow, and the emails were bad. The emails in question seemed to twist and turn as the campaign went on—originally they were stored on her personal server while she was Secretary of State even though they should’ve been kept safer on government computers. But in the weeks leading up to the election, the emails dominating the news were the ones from inside her campaign, full of insider gossip that made embarrassing headlines when they were publicized by Wikileaks.
And how did they become public? Thanks to a classic phishing scam, combined with one of the most consequential typos in U.S. political history. By 2016, Clinton had moved from her homebrewed server to a Google-hosted service, and campaign manager John Podesta received an email that looked like it was from Google, saying that someone had tried to access his account and he should reset his password by clicking on a shortened bit.ly link. Campaign tech staffer Charles Delavan, in his telling, tried to send Podesta a message saying “this is not a legitimate email”—but unfortunately left out the “not”. Adding to the confusion, he then urged Podesta to reset his password anyway, just as a precaution, and while Delevan’s message included the appropriate link to do so, Podesta clicked on the bit.ly link in the original email instead, and handed his login credentials over to Russian intelligence.
2016: The Bangladesh Bank heist
The SWIFT system for international bank transfers is meant to be unhackable—but of course, that’s an impossible goal. In SWIFT’s case, the weak spots hackers target can be found in the government-run central banks of developing nations, where security is often underfunded. A group of hackers—almost certainly North Korea’s Lazarus Group—tried to pull off an audacious heist at the Bangladesh Bank, crafting custom malware to breach the bank’s systems and eventually get access to the SWIFT terminal, which, contrary to recommended practice, was not segregated from the rest of the network. They also cleverly timed their attack so that as few human eyes as possible were on their movements: Bangladesh’s weekend is on Friday and Saturday, whereas New York (where the Federal Reserve Bank that handles most SWIFT transactions is located) has Sunday off; on the particular weekend when they planned the heist, banks in the Philippines, where much of their ill-gotten cash was headed so it could be laundered through casinos, were going to be closed for the Lunar New Year. There was no such thing as a “hotline” between the banks that could serve as a conduit of communications outside of regular hours.
But as clever as the robbers were, they were tripped up by some elementary errors and dumb luck. Their goal was for the transactions to complete automatically before any humans got a look at them, but one of the intermediary banks they were transferring some of their cash through had “Jupiter” in its name, which happened to also be the name of a shipping company under sanctions for trading with Iran, and so the transfers triggered an automatic alert and were inspected by someone in New York. And once a person looked at the details, they were obviously suspicious: the Bangladesh Bank had never initiated transactions of this magnitude, and there were also numerous misspellings and other errors in the documentation that didn’t hold up to scrutiny. The cyberthieves ended up getting away with $20 million, but could have ended up with nearly a billion if they hadn’t been tripped up. Turns out automated security can only do so much.
2016: Mirai and Dyn attacks
On October 21, 2016, huge swaths of the internet were unavailable for hours for users in much of Europe and North America. Initial worries were that a hacker group or nation-state was launching an attempt to bring down the internet entirely. In fact, the reason for the attack was much more absurdly surreal, and the reasons it succeeded illustrate the weak spots that still exist throughout our internet infrastructure.
DDoS attacks rely on botnets, large collections of hacked computers that can all be commanded to try to access a single website at once, bringing it down with a wave of web traffic. With PCs increasingly well protected by built-in security software, hackers are turning to IoT devices, which tend to be neglected and not updated. The Mirai botnet package was written by a Rutgers undergraduate and had a dead simple and clever means of propagation: it searched the internet for devices with open telnet ports and attempted to log in using a hardcoded list of 61 default usernames and passwords that ship with various IoT devices.
The army of gadgets—mostly CCTV cameras, it turned out—thus assembled was enlisted in a war most people don’t know is being fought: various Minecraft server hosts attempting to knock each other offline in order to poach each other’s customers. The first wave of Mirai attacks targeted sites selling tools offering protection against DDoS, somewhat ironically. Within days, though, the Mirai source code had been posted online, and another attacker used it against Dyn, which provides DNS services to some game servers but also dozens of other sites. This is what brought the fight out of the Minecraft world and into real life.
2021: Parler betrays its users
Parler was launched as a Twitter-style site aimed at conservatives who felt their political views were censored by “big tech.” Its hands-off moderation policies quickly made it a magnet for far-right users, and in the aftermath of the January 6th attack on the U.S. Capitol—during which many of the attackers coordinated and documented their activities on Parler—Apple and Google moved to pull the app from their stores, and Amazon kicked it off their AWS servers.
A hacker known as donk_enby tried to preserve as much data from Parler as she could before it was shut down completely, a task that was made surprisingly easy by Parler’s truly atrocious security posture. It’s still not clear if Parler’s API had no authentication at all or just very easily bypassed authentication, but donk_enby was able to use it to scrape 99% of Parler’s content before the AWS shutdown. And that content was a real treasure trove. It turns out that the delete function didn’t actually work (content was labelled as deleted but not actually removed from the database) and metadata wasn’t scrubbed from image or video content (much of which recorded individuals committing crimes during the aforementioned attack on the Capitol).
2021: Colonial Pipeline has a complex (and obfuscated) crisis
In 2021, Colonial Pipeline, a company responsible for distributing as much as 45% of all gasoline and other forms of fuel on the U.S. east coast, was struck by a ransomware attack and shut down for six days, causing a cascade effect of gas shortages and price spikes. Colonial Pipeline was initially somewhat cagey on what systems were affected, and the assumption in the immediate aftermath of the shutdown was that the ransomware had closed down the operational technology systems that ran the pipeline itself.
However, once the problem had been resolved, more details emerged, and insiders revealed that the ransomware hadn’t affected the physical systems at all; instead, it had hit the company’s billing systems. In other words, while Colonial was physically capable of delivering fuel, it wouldn’t have been able to properly charge anybody for it, which from a corporate point of view was just as bad, leading to the shutdown. This was cold comfort to everyone who needed gas during that chaotic week, which may have been why Colonial was cagey about it. The incident ended up illustrating the interdependence of operational and information technology, and how complex systems have many potential points of failure that someone with a purely engineering perspective might not see at first.
Copyright © 2022 IDG Communications, Inc.
