The Top-Ten Biggest Security Breaches and Blunders of 2009

Below is a list of the top-10 information security blunders in 2009—all of which could have been avoided. Last year was full of data breaches, compromises, and exposures across the whole range of cyber-criminality.

“These incidents could have been prevented by adopting basic security standards and embracing a culture of security,” says Perimeter chief technology officer Kevin Prince. “Most companies actually know exactly where they lack security and where their gaps and exposures are. But knowing this, they still ‘play with fire’ and hope that they won't get burned. Now is the time for everyone to reconfigure their network protection systems to prevent these mishaps from happening to them.”

No. 10: Malicious Codes' Extended Stay

Hackers broke into web servers owned by a major domain registrar and hosting provider and planted rogue malware that resulted in the compromise of more than 573,000 debit and credit card accounts. The malicious code was in place for over three months. This type of “extended stay” of malicious code is a negative trend that gained ground in 2009.

No. 9: Easy Hacking of CEO's Mailbox

A significant hosted e-mail provider offered a $10,000 prize to anyone who could hack into its CEO's mailbox. The company used an authentication method that provided a one-time PIN code, and it even gave out usernames and passwords. Hackers successfully broke in, bypassing the second authentication factor by using a cross-site scripting vulnerability.

No. 8: Jealous Boyfriend

You can't forget the man who sent spyware to his girlfriend, who then opened the e-mail on her work computer, resulting in a data security breach on a major children's hospital network. The hospital could have used a web content filtering solution, but even that wouldn't completely eliminate the problem. This particular breach shows that some health-care organizations can still be apathetic towards information security.

No. 7: Macking

Media hacking, or “macking,” became quite popular in 2009. Macking, characterized as the lowest of the low-hanging fruit, can be very profitable for cyber criminals in this day and age, when search engines can be easily manipulated, botnets can send billions of e-mail messages, and social network sites have worms that can spread messages.

No. 6: Insiders Everywhere

This year was also the year of insider breaches. A temporary telecom company employee was arrested on charges of stealing personal information and then pocketing more than $70,000 by taking out short-term payday loans. Even one of the world's leading anti-virus and Internet security providers had an international office employee steal customers' credit card numbers. Insider breaches will continue to be a rising threat for 2010 and beyond, as long as companies don't have the proper policies in place to prevent them.

No. 5: 160,000 California University Records Hacked

At one of California's most esteemed universities, personal information of 160,000 current and former students and alumni may have been compromised. The breach was discovered April 21, 2009, but the database had been illegally accessed by hackers over six months prior, in October 2008. Organizations must constantly track and stay aware of hackers setting up shop on one or more of their systems.

No. 4: Virginia Department of Health Professions Blackmail

The FBI and Virginia State Police have been hunting down hackers who demanded that the state pay a $10 million ransom for the return of millions of personal pharmaceutical records that they claimed to have deleted and stolen from the Prescription Monitoring Program. The alleged “deleted data” was backed up and secured within days of the ransom demand. Modern hackers are becoming more bold and fearless.

No. 3: Google

In 2009, Google had its fair share of data breaches in its Google Apps, Google AdWords, Google Docs, Gmail, and more. As one of the biggest Internet organizations, it's also one of the most targeted by hackers and other malicious threats.

No. 2: Social Networking Sites

Twitter was hacked so many times in 2009 that we could have a top-10 Twitter breach article by itself. Whether it is individual accounts being compromised, like Britney Spears's, Twitter employees, or Twitter third parties, Twitter has equal-opportunity exploitability. Facebook, YouTube, and MySpace aren't any better. Social networking sites have had a tough year as far as data breaches and blunders are concerned, and it's not going to be much better in 2010.

No. 1: Nation's Largest Payment Processor Is Poster Child of Breaches

One of the nation's leading payment processors is 2009's new poster child of data security breaches. The official court proceedings report that 130 million records were compromised. The company processes credit cards for over a quarter of a million merchants nationwide. It has had 31 separate lawsuits filed against it as a result of the breach, and about 700 banks announced losses as well. The good news is that the bad guys were caught: Albert “Segvec” Gonzalez has been indicted by a federal grand jury in New Jersey along with two unnamed Russian conspirators.

Perimeter is a provider of information security services. Reprinted with permission.