If you can believe it, 2013 is already halfway over. With summer here, businesses everywhere are feeling the heat in their IT organizations – as they fight a growing array of security concerns, threatening their profitability and reputation alike.
Perhaps the greatest security measure of all is simply learning from others’ mistakes and misfortunes. So, take a look at seven of the biggest security “oops” moments so far this year.
Accidents as Threats
Last month, the French government’s SAP-based accounts payable system, Chorus, was down for four days and suffered an unrecoverable loss of AP data. According to the French State Financial Computing Agency, the outage wasn’t the work of cyber criminals but rather the result of a user’s error.
A sub-contractor working for Bull, the company that hosts Chorus, accidentally triggered the fire extinguishing system in the server room in the Bull data center. The result? Immediate damage to major components of a storage bay holding Chorus data, which could not be recovered even though the disks were configured in a fault-tolerant RAID 6 array.
The Risk of Carelessness
Sometimes, the threat isn’t cyber criminals at all, just lax IT policies. At Idaho State University’s Pocatello Family Medicine Clinic, server firewall protections were disabled for a period of at least 10 months, resulting in the breach of electronic protected health information for 17,500 patients. The university’s lapse also resulted in a fine of $400,000 payable to the U.S. Department of Health and Human Services (HHS) to settle alleged violations of the HIPAA Security Rule.
What happened at the clinic? Basically, the university got lazy. To comply with HIPAA Privacy and Security Rules, it’s required to provide health information technology systems security at Pocatello. But for over three years, the HHS found the university’s risk analyses and assessments to be incomplete and to inadequately identify potential risks or vulnerabilities.
In New York, federal prosecutors charged an alleged global cyber theft ring with stealing $45 million from banks around the world. The ring is accused of using prepaid MasterCard debit cards, hacking into the systems of the issuing banks to drastically increase the amount available on the cards and then withdrawing that money at banks globally.
While some cyber criminals will go straight for the money, others will take an indirect route. When the Associated Press (AP) Twitter account was hacked and a fake tweet reported two explosions at the White House and that President Obama was injured, the Dow Jones Industrial Average plummeted 143 points in a matter of seconds. The “flash crash” represented a loss of about $200 billion. The market recovered that loss in a matter of minutes, but anyone who knew about the hack in advance could have taken advantage of the market manipulation, either shorting stocks or purchasing them at the low, panic-driven prices.
Motivation: Mayhem and Revenge
Of course, not every hacker is motivated by cash. Four British men associated with the LulzSec hacker group received prison sentences of up to 32 months for their roles in cyber attacks to disrupt computer operations at government and corporate websites including the CIA, FBI, News Corp., Nintendo, Sony and others. The motive? Have fun and cause a bit of mischief.
Meanwhile, one disgruntled employee in New York hacked into and corrupted his former employer’s network, causing approximately $90,000 in damages. Why? Because he was passed over for a promotion.
A Threat Too Big to Ignore
Admittedly, you’d have to be living on Mars to have missed this last story, but no compilation of interesting security snafus of 2013 would be complete without Edward Snowden. When he blew the whistle on the National Security Agency (NSA) and its domestic spying/monitoring, the resulting fallout drew – and continues to draw – international attention.
To recap: It turns out that information many of us previously assumed to be private, if not exactly secure, is being scrutinized by the NSA. This includes phone records of Verizon customers in the U.S. (and possibly customers of other U.S. phone companies) as well as app downloads, emails, chat sessions, videos and VoIP calls and other user data from sites such as Apple, Facebook, Google, Skype and others.
Whether viewed as a threat to U.S. citizens’ civil liberties, a threat to national security or a threat to both, this story forces us to rethink the privacy and security of our own electronic actions and what steps, if any, we can take to restore that security.
Of course, these are just my picks of some of the most interesting security stories during the first half of 2013. Certainly, the Edward Snowden controversy promises to deliver many more headline-grabbing revelations, and unfortunately, plenty more IT security teams will be burned in the next six months too.
Have you been the target of a cyber threat? Let me know in the comments below.