Countdown: The Ten Worst Cybersecurity Fails of 2017
2017 seemed to be the year that everyone got breached. We know that not everybody is perfect, and most companies, despite their best efforts, will experience a security incident of some sort. However, there is no excuse for the oversights, negligence, or in some cases outright stupidity that led to the incidents that made our list of the ten worst cybersecurity fails of 2017.
10. Verizon
In July, Verizon announced that records of over 14 million of its customers had been compromised when a server was accidentally configured to allow external access. Fortunately, names, phone numbers, and call logs were the only data that was compromised. Verizon’s incident response time was extraordinarily slow - it took them over a week to secure the server after being notified of the vulnerability.
9. Apple #RootGate Vulnerability
In November, Twitter user @lemiorhan tweeted at @AppleSupport about a vulnerability that allowed anyone with physical access to a Mac running macOS High Sierra to log in as the root user without a password. Apple released a patch the following day. Unfortunately, their next OS update (10.13.1) undid that patch and reinstated the vulnerability.
8. Deloitte
Deloitte was formerly named the “best cybersecurity consultants in the world”, which makes their cybersecurity fail that much worse. In September, it was revealed that Deloitte had experienced a “cyber incident,” though sources claim the breach may have dated back as early as 2016. Deloitte failed to enable two-factor authentication, leading to a breach of their email system. They claim that only a small portion of their clients were affected, but such an obvious mistake from a prominent cybersecurity company earns them a spot on our countdown.
7. Alteryx
Just before Christmas, marketing analytics firm Alteryx failed to properly secure an AWS S3 bucket containing extensive data on over 123 million American households. The bucket was accessible to anyone with an AWS account. The data for each household was broken down into 248 specific categories, including email addresses, number of children, ages, incomes, and type of mortgage. Though no names were associated with the files, this data could easily be used by threat actors in combination with other leaked information to target American families.
6. Deep Root Analytics
Deep Root Analytics was hired by the RNC last year to gather information about U.S. voters. Naturally, they stored this data on an Amazon cloud server without enabling a password. 198 million records, including names, birth dates, addresses, phone numbers, and voter registration details, were exposed.
5. NSA/Kaspersky Labs
Though this happened some time between 2014 and 2016 (the details are a bit fuzzy), it came to light in September, and it perfectly highlights how one (or five) dumb cybersecurity mistakes can wreak havoc on an entire organization. A U.S. National Security Agency contractor allegedly took his work computer, containing weapons-grade, classified hacking tools, home with him. He installed a home antivirus program from Russia-based security firm Kaspersky Labs. The program initially discovered and flagged some of these tools as malware, at which point the NSA contractor disabled the antivirus software. However, in October he re-enabled it after accidentally downloading malware with a pirated version of Microsoft Office. The antivirus again flagged the hacking tools as malware, but this time uploaded them to Kaspersky Labs for analysis. Kaspersky Labs then turned the files over to the Russian government.
4. WannaCry
WannaCry targeted computers running Windows back in May. It was propagated by the same EternalBlue exploit as NotPetya and 2016’s Locky ransomware. The main failure of WannaCry was not in the exploit itself - Microsoft quickly released a patch - but rather in the sheer number of organizations that either did not install the patch or that were running older, unsupported systems.
3. NotPetya
NotPetya was disastrous for infected users, but was also a fail for the hackers responsible, leading to utter chaos as hundreds of thousands of devices were infected and encrypted. Though NotPetya started as a ransomware attack in June, within a few days of operation the email address associated with the bitcoin ransom was shut down by Posteo, leaving users with no way to decrypt their data, and the threat actors with no reward other than spreading pandemonium. It is estimated that NotPetya cost businesses close to 10 billion USD.
2. Uber
Talk about an uber-fail. After the data of over 57 million users was compromised some time in May or June of 2016, Uber attempted to cover up the breach by paying $100,000 through its bug bounty program to have evidence of the attack destroyed. After attempting to hide the breach, Uber finally got around to alerting victims and regulators - a year later! Names, emails, phone numbers, and in some instances driver’s license numbers were compromised. Though their handling of the incident was enough on its own to make our list, what really sealed the deal was allegations that Uber had been stealing trade secrets from competitor Waymo. The combination of their handling of the breach and what appears to be fairly damaging evidence of corporate espionage raises big questions about their ethics surrounding data security.
1. Equifax
The Equifax breach was the 2017 dumpster fire of cybersecurity failings. Equifax was made aware of the Apache vulnerability that ultimately led to the breach in March, but inexplicably did not install available patches to fix it. In May, they announced that personal data - including names, birthdates, Social Security numbers, and even credit card numbers - of over 143 million people was compromised. This data had been stored on Equifax’s network in plain text. After alerting the public to the breach, Equifax’s incident response was another massive fail, as they directed potentially compromised individuals to enter sensitive information on other compromised sites. Failure to patch. Failure to encrypt. Failure to disclose. Failure to respond. With top fails across the board, Equifax is hands down the number one security fail of 2017.
That wraps up the biggest cybersecurity fails of 2017. Here's looking ahead to 2018, and hoping that it will be the year companies finally start taking data protection more seriously.