Case Studies and Examples

Security breaches can have serious consequences for an organization. They can result from lax physical security, inadequate logical access controls, or a combination of both. In this section, we look at case studies of breaches that occurred in the private sector, the public sector, and in critical infrastructure applications.

Private Sector Case Studies

The following case studies highlight examples of failures in both logical access controls and physical security.

LexisNexis

LexisNexis is a major information clearinghouse of newspaper, magazine, and legal documents. Customers can search the system for nearly any published information. In early 2005, a number of teenage hackers were able to gain access to the system. They exposed personal information of over 300,000 individuals. Names, addresses, and SSNs were exposed in the breach. This was a failure in logical access controls on a major scale.

The breach started with the account of a police officer in Florida. One of the teenagers, posing as a 14-year-old girl in a chat session, convinced the officer to download and open a Trojan horse file, claiming it was a photo. This gave the hackers access to the officer’s system. While browsing his files, they discovered a logon into a LexisNexis subsidiary, called Accurint, a law enforcement information database. The hackers started to search the database for themselves and celebrity information.

The hackers realized that they needed more access to effectively explore the system. They called Accurint and, posing as administrators with LexisNexis, they got account logins and passwords for an account with enhanced rights.

They used their new access to create accounts for friends and search the system. They were able to pull at least 30,000 accounts, possibly as many as 300,000, gaining names, addresses, phone numbers, and SSNs. Luckily the teens were “joyriding,” and none of the information was sold or utilized in identity theft, but the possibility was there. There were at least 57 separate breaches connected to this incident.

LexisNexis had to offer identity theft monitoring to all of the affected customers. In addition, they claimed to have strengthened their customer account and password administration to make sure a breach could not happen again. LexisNexis went so far as to claim their new system was watertight.

Bank One

Bank One, a major Midwest bank that is now owned by JPMorgan Chase, lost around 100 employee laptops due to a failure in physical access controls. The office had one access point that was controlled with an RFID badge system. The badge system was slow, taking around 30 seconds to a minute to unlock the door. This led to impatient employees at this location assisting each other by piggybacking at the door. Employees would badge in and then hold the door open for the other employees behind them. This security flaw was further exacerbated by a lack of security cameras at the door. Most employees were using laptops at this location, with no security cables or locking docking stations.

In the early 2000s, during an all-hands off-site meeting, thieves gained access to the office and stole approximately 100 laptops. After the incident, measures were taken to enhance the physical access controls at the location. Cameras were added at the entry point, and the badge system was modified so that employees had to badge in and out of the building. Policy changes were also enacted. The act of piggybacking was banned, and this was added to the code of conduct.
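The "badge in and out" control that Bank One added is usually enforced as anti-passback: the door system replays badge events and flags any badge that exits without having entered, or enters twice without an exit in between, since either pattern means someone passed through a held door. The following is an added example, not code from the page or from Bank One; the log format, reader directions, and badge IDs are constructed assumptions.

```python
# Added example (not from the page or from Bank One): anti-passback checking
# over a constructed badge-reader log. The log format "<time> <IN|OUT> <badge>
# <GRANTED|DENIED>" and the badge IDs are assumptions made for this example.
from typing import List, Set, Tuple

# Constructed sample log lines, one door with an IN reader and an OUT reader.
SAMPLE_LOG = """\
08:00:05 IN  B1001 GRANTED
08:00:07 IN  B1002 GRANTED
08:00:08 IN  B1003 DENIED
08:00:09 OUT B1003 GRANTED
12:01:00 OUT B1001 GRANTED
12:02:00 IN  B1001 GRANTED
12:03:00 IN  B1001 GRANTED
17:00:00 OUT B1002 GRANTED
17:00:01 OUT B1004 GRANTED
"""

Event = Tuple[str, str, str, str]  # (time, direction, badge, result)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; malformed lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("IN", "OUT"):
            continue
        events.append((parts[0], parts[1], parts[2], parts[3]))
    return events


def check_anti_passback(events: List[Event]) -> Tuple[List[Tuple[str, str, str]], Set[str]]:
    """Replay GRANTED events in order and track which badges are inside.

    Returns (violations, badges_inside). Each violation is (time, badge, reason):
      - OUT with no prior IN: the holder got in without badging (tailgated in).
      - IN while already inside: the holder left without badging out (someone
        held the door) or the badge was passed back to a second person.
    """
    inside: Set[str] = set()
    violations: List[Tuple[str, str, str]] = []
    for time, direction, badge, result in events:
        if result != "GRANTED":
            continue  # a denied read does not move anyone through the door
        if direction == "IN":
            if badge in inside:
                violations.append((time, badge, "IN without prior OUT"))
            inside.add(badge)
        else:
            if badge not in inside:
                violations.append((time, badge, "OUT without prior IN"))
            inside.discard(badge)
    return violations, inside


if __name__ == "__main__":
    found, still_inside = check_anti_passback(parse_log(SAMPLE_LOG))
    for time, badge, reason in found:
        print(f"{time} {badge}: {reason}")
    print("badges currently inside:", sorted(still_inside))
```

In the constructed log, B1003 is denied at the IN reader and then badges OUT a second later, so it entered behind someone else; B1001 badges IN twice in a row, and B1004 exits without ever entering. A real deployment would also use the `inside` set as an occupancy count to reconcile against headcount or camera data, which is the gap the missing cameras left in the Bank One case.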

Public Sector Case Study

Sometimes, security breaches happen not because of external attacks but due to internal failures. Let’s take a look at an example from the United Kingdom (U.K.).

On November 22, 2007, the U.K. government admitted that one of its departments, Her Majesty’s Revenue & Customs (HMRC), had lost in the mail two CDs containing the unencrypted personal details of 25 million U.K. residents.

In response to a request by the National Audit Office (NAO), a junior member of HMRC’s staff was instructed to send details of child benefit recipients to the NAO. The details were burned onto two CDs as unencrypted files and then sent to the NAO using regular mail. At the time, this was standard procedure at HMRC. To compound the security lapses, HMRC decided it was too costly to remove unneeded information from the files before they were sent. This included addresses and bank account information. NAO explicitly requested that the bank account information be removed, and HMRC ignored the request.

The U.K. Data Protection Act of 1998 specifies that if information is to be sent, it must be subject to safeguards, and only the necessary data required for processing may be sent. In this case, HMRC violated both points of this law.

Once the data loss became apparent, HMRC started an investigation of the loss. They attempted to track down the CDs and contacted law enforcement for assistance. Instead of immediately reporting the data loss to the public, HMRC waited 10 days, plenty of time for accounts to get compromised.

The fallout from this breach has been major: the Information Commissioner’s powers have been expanded, so that his office can now audit departments at will and has enforcement powers. Due to the loss of public confidence in HMRC, other projects have been put on hold, most notably the national ID card program. There was also the cost of the search for the disks and of affected citizens needing to close existing bank accounts.

Critical Infrastructure Case Study

Security breaches do not always come from targeted attacks. Untargeted, general attacks can also cause a security breach in an organization. Let’s look at the CSX Corporation virus incident of August of 2003.

The SoBig computer virus infected CSX Corporation’s computer network at its headquarters in Jacksonville, Florida. The infected systems flooded the internal network with infection attempts and spam, the equivalent of an internal DDoS attack. No critical systems were infected, but the network congestion disrupted signal dispatching and other mission-critical systems.

Freight trains were delayed. At least 10 Amtrak long-distance trains were canceled or delayed up to 6 hours, and commuter trains in Washington D.C. were canceled. Half-hour delays continued for the next few days. The initial damage ran into the millions in late delivery penalties and customer refunds, and millions more were spent updating and expanding the antivirus and network systems to mitigate any further issues.
