Chapter 20
IN THIS CHAPTER
Looking at the Marriott breach disclosed in 2018
Understanding the Target breach
Lessons from the Colonial Pipeline and JBS hacks in 2021
Gaining knowledge from other breaches
Learning from the experiences of others can save people from unnecessary pain and suffering. In this chapter, I discuss seven breaches that teach several important lessons. I specifically chose these breaches because they directly impacted either myself or a member of my family and, due to the breaches’ respective magnitudes, are likely to have impacted you and yours as well.
In November 2018, Marriott International disclosed that hackers had breached systems belonging to the Starwood hotel chain as far back as 2014 and had remained in the systems until September 2018 — about two years after Marriott acquired Starwood.
At the time of the disclosure, Marriott estimated that the breach may have impacted as many as 500 million customers and that the data compromised ranged from just the name and contact information for some customers to far more detailed data (including passport numbers, travel data, frequent traveler numbers, and so on) for others. Marriott also estimated that 100 million people’s credit card numbers — along with expiration dates, but without CVC codes — were compromised, but that data was in an encrypted database, and Marriott saw no clear indication that the hackers who had obtained the data were able to decrypt it.
Evidence suggests that the attack against Marriott was carried out by a Chinese group affiliated with the Chinese government and was launched in an effort to gather data on U.S. citizens. If such an attribution is correct, the Marriott breach would likely be the largest known breach to date by a nation-state funded organization of personal, civilian data.
In July 2019, the Information Commissioner's Office of the United Kingdom (ICO) announced that it intended to impose a fine of the equivalent of $123 million on Marriott as a penalty for the failure to properly protect consumer data as mandated by the European Union’s General Data Protection Regulation (GDPR). (See Chapter 10 for more on GDPR.) According to an SEC filing by Marriott, the firm intends to appeal the penalty once the fine is formally filed, which had not happened at the time of writing.
While many lessons can be learned from the Marriott incident, two stand out:
When anyone acquires a company and its information infrastructure, a thorough cybersecurity audit needs to be performed. Vulnerabilities or active hackers within the acquired firm can become a headache to the new owner, and government regulators may even seek to hold the acquiring company responsible for the failures of a firm that it acquires.
As the UK’s Information Commissioner, Elizabeth Denham, put it: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”
Don’t rely on acquired companies to disclose cybersecurity problems; they may not be aware of potentially serious issues.
In December 2013, the giant retail chain Target disclosed that hackers had breached its systems and compromised about 40 million payment card numbers (a combination of credit and debit card numbers). Over the next few weeks, Target revised that figure. Altogether, the breach may have impacted as many as 110 million Target customers, and the information accessed may have included not only payment card information, but other personally identifiable information (such as names, addresses, telephone numbers, and email addresses) as well.
Hackers entered Target by exploiting a vulnerability in a system used by a third-party HVAC contracting company that was servicing Target, and that had access to the retail company’s point-of-sale systems. As a result of the breach, Target’s CEO and CIO both resigned, and the company estimated that the breach inflicted about $162 million of damage to the firm.
Two lessons from the Target incident stand out:
In November 2014, a hacker leaked confidential data stolen from the Sony Pictures film studio, including copies of as-of-yet-unreleased Sony films, internal emails between employees, employees’ compensation information, and various other personal information about employees and their families. The hacker also wiped many computers within Sony’s information infrastructure.
The leak and wiping occurred after hackers had been stealing data from Sony for as long as a year — potentially taking as much as 100 terabytes of material; Sony’s executives also apparently dismissed as spam various demands that the hackers had communicated via email. Sony’s cybersecurity plan, procedures, and countermeasures either did not detect the large volume of data being transferred out, or took grossly insufficient action upon detection.
After the breach, a party claiming to be the hackers threatened to carry out physical terrorist attacks against theaters showing Sony’s then-upcoming film, The Interview, a comedy about a plot to assassinate North Korean leader Kim Jong-un. With the attackers’ credibility and capabilities clearly asserted via the breach, cinema operators took the threat seriously, and many major American movie theater chains stated that they would not show The Interview. As a result, Sony canceled the film’s formal premiere and theatrical release, instead offering the film only as a downloadable digital release followed by limited theatrical viewings.
While some cybersecurity experts were at least initially skeptical about the attribution, the United States government blamed North Korea for the hack and subsequent threats and, in September 2018, brought formal charges against a North Korean citizen that it claimed was involved with carrying out the hack while working for the North Korean equivalent of the Central Intelligence Agency.
Here are two lessons that stand out:
In June 2015, the U.S. Office of Personnel Management (OPM), which manages personnel processes and records for the U.S. federal government, announced that it had been the victim of a data breach. While the office initially estimated that far fewer records were compromised, the eventual estimate of the number of stolen records was more than 20 million.
The stolen records included personally identifiable information, including Social Security numbers, home addresses, dates and places of birth, and so on, of both current and former government employees, as well as of people who had undergone background checks, but who were never employed by the government. While the government initially believed that the contents of sensitive SF-86 forms — which contain all sorts of information used in background checks for security clearances — were not compromised, it ultimately disclosed that such data may have been accessed and stolen, meaning that the attackers may have obtained a treasure trove of private information about people with all sorts of security clearances. The OPM breach is believed to actually be a combination of more than one breach — one likely began around 2012 and was detected in March 2014 and another began in May 2014 and was not detected until April 2015.
Many lessons can be learned from the OPM incident, but two stand out:
In February 2015, Anthem, the second-largest health insurer in the United States, disclosed that it had been the victim of a cyberattack that had compromised personal information of almost 80 million current and former customers. Data that was stolen included names, addresses, Social Security numbers, dates of birth, and employment histories. Medical data was not believed to have been pilfered, but the stolen data was sufficient to create serious risks of identity theft for many people.
The breach — likely the largest in the history of the American healthcare industry — was believed to have initially taken place sometime in 2014, when one worker at a subsidiary of the insurer clicked on a link in a phishing email.
Two lessons stand out:
In May 2021, in a world already suffering from the COVID-19 pandemic, two major companies suffered significant ransomware breaches, both of which yielded significant societal impacts.
On May 7, 2021, Colonial Pipeline, a major operator of fuel pipeline infrastructure in the United States and a carrier of fuel to almost half of the United States’ East Coast, was hit with a ransomware attack. Technologists at the firm quickly realized that the malware infection might have adversely impacted various computer systems used for managing pipelines. Therefore, for safety reasons, Colonial Pipeline shut down its operations, stopping the flow of fuel to several heavily populated portions of the U.S. East Coast. The shutdown led to fuel shortages in numerous areas, and fuel prices, already on the rise, spiked upward. In some cases, airlines even had to change schedules as a result of fuel procurement issues.
Colonial Pipeline — possibly acting under the direct guidance of law enforcement — paid a ransom of almost $4.5 million in Bitcoin to the criminals operating the ransomware, and the evildoers released a decryption tool to the company. Shortly thereafter, the FBI recovered a large portion, but not all, of the payments made to the hackers.
The immediate aftermath of the Colonial Pipeline ransomware attack led the President of the United States, as well as the Governor of the U.S. state of Georgia and the Federal Motor Carrier Safety Administration to declare states of emergency. Later in 2021, the federal government offered a $10 million reward for information leading to the capture of those responsible for the attack. While law enforcement has strong suspicions as to the identities of those responsible, as of the time this book went to print, the parties responsible for the Colonial Pipeline attack remain at large.
On May 30, just a few weeks after the Colonial Pipeline attack, JBS S.A., a Brazilian meat-processing company that supplies approximately 20 percent of the world’s meat for human consumption through itself and its international subsidiaries, was hit with a ransomware attack that disrupted beef and pork production in multiple countries, including the United States, Canada, and Australia. The attack caused meat shortages in some places and forced the U.S. government to delay its release of data about wholesale beef and pork prices. JBS paid $11 million in Bitcoin as a ransom and resumed operations on June 2.
One great lesson learned from these two high-profile ransomware attacks stands out: