It’s tough to decide where to start with the January IT Security Breach Roundup. We’ve got a major-league Internet retailer getting hacked (and sued), yet another security company suffering a breach and a large community college finding out malware has been collecting personal data – for more than a decade.
Zappos Suffers Security Breach – and Promptly Gets Sued
We’ll give top (dubious) honors to Zappos, given its high profile, many customers and the fact that it’s owned by Internet giant Amazon. As redOrbit reported on Jan. 16:
Online clothing retailer Zappos.com announced to its 24 million customers in a mass emailing Sunday that an intruder had gained unauthorized access to the company’s online servers.
The retailer said hackers may have accessed customers’ names, email addresses, billing information, phone numbers, and the last four digits of their credit card numbers in the recent attack. The announcement appeared on Zappos’ website late Sunday night. The company assured its customers that full credit card numbers were not stolen, because they were stored separately.
Zappos also took a rather unusual but prudent step in response, as CEO Tony Hsieh explains:
“For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password … We also recommend that you change your password on any other web site where you use the same or a similar password.”
Seemingly 20 minutes after the Zappos announcement, a Zappos customer sought to drag the company and its parent into court. As BusinessWeek reports:
Amazon.com Inc. was accused in a lawsuit by a customer of its Zappos.com unit of violating federal consumer credit laws by failing to protect her personal information after the company said hackers stole account numbers and other data.
Theresa Stevens, a resident of Beaumont, Texas, said that as a result of the breach, she and other Zappos customers are more likely to receive e-mails from spoof websites and unknowingly give away personal information to hackers, according to her complaint filed Jan. 16 in federal court in Louisville, Kentucky. The customers will also incur expenses for credit monitoring and suffer emotional distress and loss of privacy, according to the complaint.
After Breach, Symantec Tells Customers to Quit Using its Product
Security companies apparently are favorite targets of hackers. We had the RSA breach last spring, the attack on Stratfor Global Intelligence last month and now Symantec, maker of the very software that is intended to identify hackers and their malware. This one was bad enough that Symantec took a highly unusual step in response, as reported by BetaNews:
It’s not often that a developer tells you outright not to use its software, but that is exactly what Symantec is forced to do in light of the theft of source code. Last month, hacktivist group Anonymous bragged that it had possession of code that powers several applications, including Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks and pcAnywhere.
Symantec says the code theft originally occurred in 2006. While at first security experts believed the theft to only be a black eye for the company’s reputation, it now appears that the incident is far more serious. Symantec recommends users of pcAnywhere stop using the software immediately until there is a solution to address any security concerns.
Symantec soon patched things up and says pcAnywhere is now once again safe to use.
Data Breach at San Francisco School May Affect 100,000 Students and Staff
City College of San Francisco, a community college that serves some 100,000 students and has 3,000 employees, in November discovered malware that had been collecting data and transmitting it overseas. As MSNBC reports:
They determined the problem was widespread and that such viruses had been lurking in its computers for more than a decade.
“We looked in the system and discovered these things were all over the place,” John Rizzo, president of the college’s Board of Trustees, told The Associated Press… The malware, which is commonly used by organized crime to steal personal data, had recorded keystrokes and taken screen shots to capture user information and sent the data to China, Russia and other countries, Rizzo said.
Every day after 10 p.m., at least seven viruses were trolling the school’s networks and sending data to sites abroad, officials said.
Recording keystrokes and sending pictures overseas – for more than a decade. We’re no lawyers, but that one sounds like a better bet for a lawsuit than the Zappos breach.
Fallout from Stratfor Breach Reaches UK
Expect continued fallout from the Stratfor breach we mentioned earlier, and reported on last month. By early January, repercussions were already being felt in the UK, as The Guardian reported:
Thousands of British email addresses and encrypted passwords, including those of defence, intelligence and police officials as well as politicians and Nato advisers, have been revealed on the internet following a security breach by hackers.
Among the huge database of private information exposed by self-styled “hacktivists” are the details of 221 British military officials and 242 Nato staff. Civil servants working at the heart of the UK government – including several in the Cabinet Office as well as advisers to the Joint Intelligence Organisation, which acts as the prime minister’s eyes and ears on sensitive information – have also been exposed.
The hackers, who are believed to be part of the Anonymous group, gained unauthorised access over Christmas to the account information of Stratfor, a consultancy based in Texas that specialises in foreign affairs and security issues. The database had recorded in spreadsheets the user IDs – usually email addresses – and encrypted passwords of about 850,000 individuals who had subscribed to Stratfor’s website.
Some 75,000 paying subscribers also had their credit card numbers and addresses exposed, including 462 UK accounts.
RSA Sees Silver Lining in its Breach
Finally, we’ll close with what we see as a positive coming out of the aforementioned RSA breach last year. Network World reports on its interview with Executive Chairman Art Coviello:
Last year’s industry-shaking RSA Security breach has resulted in customers’ CEOs and CIOs engaging much more closely with the vendor to improve their organizations’ security, according to the head of RSA… “If there’s a silver lining to the cloud that was over us from April through over the summer it is the fact that we’ve been engaged with customers at a strategic level as never before,” Coviello says, “and they want to know in detail what happened to us, how we responded, what tools we used, what was effective and what was not.”
While the company was roundly criticized for not doing enough right away to reassure customers once it made the breach public, Coviello characterizes RSA’s response as rapid and effective.
“When we go into detail about the attack I think people are actually impressed with the speed with which we were able to see the attack in progress,” Coviello says.
“We were still unable to keep [hackers] from getting away with at least something,” he says. “But we were able to minimize the damage, and more importantly, get to our customers timely enough so they could protect themselves to mitigate risk associated with the damage.”
As long as the bad guys are out there and the good guys are fighting them off, we’ll keep letting you know about the top stories. Subscribe to Carousel Connect today to stay up to date with all the latest thinking on enterprise network technology.
The full extent of the damage inflicted during the Zappos data breach event is at present unknown and it will be quite some time before we do find out exactly what was compromised, if we ever do. Still, what we do know even now is that it could’ve been much worse, because the hackers were unable to access the database storing the most valuable part of the online retailer customers’ profiles: their payment-related information. I can only hope that it wasn’t dumb luck that protected it and I also hope that we will eventually learn if it was. http://blog.unibulmerchantservices.com/did-zappos-get-a-lucky-break-in-its-data-breach