10 Most Known Cyber Security Incidents: What To Learn From Them


High-profile cyber security incidents have always received major coverage by the media and attention from the public alike. The recent controversial and politically charged theft of emails from the Democratic National Committee is still a major topic of discussion, with investigations continuing at the highest levels.

However, the history of cyber security incidents affecting private companies and government organizations and costing millions in damages goes all the way back to the late 90s and early 2000s.


Here’s the thing – from the massive attack on Solaris systems, conducted by the Iraqi government in 1998, to Melissa virus of 1999, that ended up costing companies $80 million in damages to the AOL breach of 2006 that affected 20 million user accounts, the internet has long been a turbulent place. The only difference now is that such attacks and breaches have become even more frequent and damaging.


We get that reading such news as a business executive is terrifying, because you never know if your company could be next. On the internet, everybody is vulnerable and every company, no matter how small, is a target. The best we can do is to analyze any given IT security incident, learn from it and then incorporate this knowledge into a solid cyber security incident response plan that will help our companies avoid similar fates.


With these thoughts in mind, we’ve decided to compile a list of some of the most well-known, highly publicized and relevant examples of data breaches, examining in brief the story of each incident coupled with relevant statistics.


We’ll try to look into why these breaches happened and try to use these top 10 of most well known cyber security incidents in order to understand what businesses need to do to reduce the risks of facing a similar fate.


1. Office of Personnel Management Data Breach

2. Target Breach

3. Morrisons Breach

4. Vodafone Breach

5. JPMorgan Chase Breach

6. Sony Playstation Network Hack

7. Yahoo Breaches of 2013 and 2014

8. Panama Papers Leak

9. Dyn DDoS Attack

10. NSA Leak by Edward Snowden

Ekran System is a great user action monitoring tool for detecting and investigating malicious attacks


Office of Personnel Management Data Breach


More details here


Let’s start our list by talking about the biggest data breach the US government has faced in its entire history – the Office of Personnel Management breach of 2014.


Discovered almost a year later in 2015, the breach was first estimated to have affected 4 million people, but eventually the victim toll rose to 21 million, including current and former government employees, as well as people who passed background checks but weren’t hired.


The perpetrators of this attack were able to steal valuable valid credentials and personal information, including real names, addresses, Social Security numbers, and even biometric data, such as 5.6 million sets of fingerprints.


What’s even more frightening is that accounts with high levels of security clearance that were stolen by the perpetrators could allow them to penetrate other systems and gain access to state secrets and other valuable information. Suspected to be a government-sponsored attack by Chinese hackers, the investigation into this breach continues to this day.  


What can we learn from it


Probably the biggest takeaway from this breach is that anybody can be a target. No matter how big or small your company is, and what sensitive data you possess, there’s a good chance that there’s somebody out there, that will try to steal it.


The kicker is that the Office of Personnel Management had been warned multiple times about their security vulnerabilities, such as weak authorization protection, insufficient testing of existing security controls and an inadequate cyber security incident response plan. If the organization had maintained a proper level of cyber security at all times, there’s a good chance that such a breach could have been avoided.


Target Breach


More details here


You would be hard-pressed to find someone who hasn’t heard about this famous breach that affected Target and its customers in December of 2013.


Full contact information including names, addresses, emails, and phone numbers, as well as debit and credit card numbers of more than 70 million customers were stolen. It’s estimated that the breach could have affected up to 110 million people.


The reason for the Target breach was a compromise of the company’s card payment readers by malware. Highly publicized in the press, this breach resulted in several class action lawsuits and significant remediation fees, but what's more important, is that it resulted in significant losses for customers. Target’s profits dropped a staggering 40% in 2014 while customers refused to shop at its stores.


What we can learn from it


While we all can agree that the best way to avoid damage is to reliably protect data and to ensure that there are no leaks or breaches, you can’t forget about remediation. Information security breaches can be extremely costly, but a solid remediation plan can go a long way toward mitigating some of this cost.


Make sure that there are people in place who know exactly what to do and who will be capable of putting a remediation plan into action as soon as necessary. Another factor to consider is IoT devices and how widespread they've become. This is a topic that we’ll come back to down the line.


Morrisons Breach


More details here


British supermarket chain Morrisons was another in the long list of retail store chains that suffered from data breaches in 2014. However, this time around the cause was not malware, but rather an insider attack.


How did it happen? A disgruntled employee with legitimate access to the system stole and leaked online the database containing information about the company’s entire workforce. The breach affected more than 100 000 employees and resulted in a class action lawsuit, filed by over 2000 employees, as well as a round of bad publicity and a significant hit to the company’s reputation.


What we can learn from it


This breach shows that insider threats are not something that should be ignored.


Disgruntled employees trying to get back at your company for a perceived injustice is only one type of malicious insider who may attack your sensitive data. In order to avoid insider attacks, you need to take the necessary steps to protect yourself from insider threats.


Take all the necessary actions to make sure that your data is safe from malicious insiders, from conducting background checks upon hiring to having security policies and access controls in place that make it as difficult as possible to conduct insider attacks and employing solutions that allow you to detect and investigate such incidents.


Vodafone Breach


More details here


Another breach caused by a malicious insider hit the German division of Vodafone in 2013. The perpetrator was able to gain access to names, addresses, bank account numbers, and birth dates of more than 2 million German Vodafone customers.


Luckily, the perpetrator was unable to access information such as phone numbers, PIN numbers, and passwords.


However, the personal details that were leaked can still be used as a means to construct more sophisticated and personalized phishing emails that can allow perpetrators to steal valuable information.


The good news is that German police were able to quickly identify and apprehend the suspect. It was not a Vodafone employee, but rather a person working at the company as subcontractor who carried out the attack. As a third-party subcontractor, the perpetrator had all the necessary credentials and insider knowledge to gain access to sensitive information.


What we can learn from it


The main thing to remember is that third party vendors and subcontractors are another subset of potentially malicious insiders who can easily compromise your sensitive data due to their broad access.


In order to avoid this, you need to control the level of privileges they have by employing the principle of least privilege or by using temporary credentials, and also make sure that your authorization procedures are strong enough by using, for example, two-factor authentication.


Apart from that, an ability to detect, investigate, and prevent insider attacks is necessary. One of the best way to do this is to employ user action monitoring software.


JPMorgan Chase Breach


More details here


American bank JPMorgan Chase suffered a very large breach in 2014. Involving over 76 million households and over 7 million small businesses, the hack resulted in a total theft of over 83 million accounts, and is one of the largest attacks on a US financial company in history.


While the perpetrators weren’t able to gain passwords, or Social Security numbers that could be used for direct fraud, they were able to obtain names, emails, phone numbers and mailing addresses that can easily be used in phishing attacks.


What we can learn from it


If you work in finance, than you probably know that financial institutions are among the most frequent targets out there, together with education and healthcare organizations. These institutions carry a very large amount of sensitive data and usually don’t have the best security at hand – particularly smaller companies.


Therefore, if you’re operating within one of these industries, make sure that your protection is up to snuff both with regard to secure perimeters, as well as with regard to potential insider threats.


Sony Playstation Network Hack


More details here


In 2011, the Sony Playstation Network suffered a devastating hacking attack that compromised 77 million accounts and resulted in service being offline for 24 days.


The Playstation Network is an online service for Sony video game consoles as well as Sony Online Entertainment and the streaming service Qriocity.


Unknown hackers were able to breach the network, compromising millions of accounts, including 24.6 million Qriocity and Sony Online Entertainment accounts, as well as stealing credit card information from 23 400 Sony Online Entertainment users.


Remediation for the breach was estimated to cost $171 million, and included fighting 65 class-action lawsuits.


What we can learn from it


A severe server outage was probably the worst thing that happened as the result of an attack. Sony’s online service was out for almost a month. Not only did this result in lost profit, but also in very bad publicity and severe dissatisfaction from consumers.


In order to make sure that the same will not happen to your online services, make sure that cyber security inside your company is top notch.


Constant risk assessments and evaluations of existing controls, as well as thorough access control and encryption of all valuable data are only some of the necessary steps that you need to take to make sure that your data is protected.


Yahoo Breaches of 2013 and 2014


More details here


It’s no secret that services provided by the internet giant Yahoo have been gradually losing popularity, but it still stores more than a billion user accounts it has accumulated over its many years in business.


In 2016 Yahoo disclosed a series of major data breaches, that resulted in the compromise of a huge number of user accounts, making it one of the largest breaches ever. It turns out that unknown perpetrators stole the names, email addresses, phone numbers and passwords of more than 1 billion users in 2013, and more than 500 million users in 2014.


Is there a connection between these two attacks? this is a reasonable question to ask. However, while the two incidents are considered to not be connected, investigations are still ongoing and there are no clear conclusions as to how exactly the perpetrators got into the system.


As a result of this breach, recent plans for the sale of Yahoo to Verizon were stalled and the deal only recently went through, with Verizon negotiating a lower price.


What we can learn from it


The most important fact about these two breaches is that they were only discovered two to three years after they happened. Late discovery leads to much higher damages and remediation costs and makes it harder to investigate an incident.


A great tool to facilitate the discovery of information security incidents in a timely fashion and to make investigations much easier is a user action monitoring solution, which you definitely should employ. Such system provides you with clear insights into user actions, allowing you to see all operations with sensitive data as well as all changes to critical systems.


Panama Papers Leak


More details here


Panamanian law firm Mossack Fonseca suffered a devastating leak in 2015 that exposed details of 214 488 offshore entities. The leaked data contained more than 4.8 million emails, 2.1 million PDF files and 1.3 million images and text files.


This leak exposed details of more than 70 political figures, both currently active and retired, prompting public outcry and political scandal.


It’s still unknown how exactly such a devastating leak could have happened. The perpetrators copied and stolen more than 1.6 terabytes of data, which is not a trivial feat. Credential theft by an external attacker (which may even have been state-sponsored) or an insider attack are among the speculated reasons for this breach.


What we can learn from it


Mossack Fonseca stored a lot of data, including very old digitized documents, some of which were 30 to 40 years old.


Probably the biggest takeaway from this leak is that you need to limit the amount of data you store and not store anything unnecessarily. Dispose of potentially sensitive data as soon as it’s no longer necessary, and make sure that it’s heavily encrypted and stored in a secure, well protected location.


Other than that, controlling access to data and employing the principle of least privilege will allow you to protect your data, while user action monitoring software will help to detect breaches and conduct investigations.


Dyn DDoS Attack


More details here


US domain registrar Dyn provides a popular DNS service that’s used by many major companies in US and around the world including Amazon, Twitter, Shopify, GitHub, and Etsy,.


On October 21, 2016, all of those websites were unavailable due to a large-scale distributed denial of service attack (DDoS), that was aimed at Dyn’s DNS service.


This DDoS attack involved a botnet of an unprecedented scale – more than 20,000 IoT devices all taken over by the malware that combined them into a single network with the sole purpose of flooding the victims with traffic and making them unable to service valid requests.


Such large botnets became possible due to Mirai – malware that automatically scans the internet for IoT devices and then uses a list of factory default credentials in order to log in to those devices and take them over.


You wouldn’t know if your own device were infected, because Mirai lies dormant, and device behaves no differently than the uninfected one, until it receives a command to conduct an attack. The Mirai source code is freely available on the internet, prompting hackers to develop various clones and forks, which undoubtedly will result in large-scale DDoS attacks in the future. 


What we can learn from it


DDoS attacks are becoming more dangerous and more widespread. This means that in order to keep their services online tomorrow, companies need to start preparing today.


The first thing you need to do is to make sure that your own IoT devices are not part of the botnet.


Make sure to change all default credentials of IoT devices to something new and completely unique as soon as possible. Apart from that, having backup DNS providers and setting up filters to distinguish fake traffic from real traffic are some of the things a company can do to protect itself from a similar DDoS attack.


NSA Leak by Edward Snowden


More details here


Probably the most famous leak of all time, and arguably the one that had the biggest repercussions with regards to the data revealed and the damage done is the leak of secret National Security Agency documents by its previous employee Edward Snowden.


Snowden, working as an IT subcontractor for the NSA in Hawaii used his security clearance to copy more than 1.7 million top secret documents that he eventually released to the press, disclosing global surveillance by the NSA tools it used and operations it conducted.


While the effect this leak has had on US society and US counter-intelligence operations abroad are still a subject of heated debate, we should focus on this leak from a cyber security standpoint and make sure that we learn the right lessons that will allow us to strengthen our own data protections.


What we can learn from it


Probably the most important thing about this leak from a cyber security standpoint is that Edward Snowden was able to copy sensitive documents for more than a year, and this activity was never discovered.


This illustrates how extremely difficult discovering insider threats can be. Criminal activity by a malicious insider can be indistinguishable from everyday work routines, making it impossible to detect an attack without full insight into user actions.


The only way to receive such insights is to employ user action monitoring software.


Such software can provide you with full recordings of everything users do, coupled with relevant additional data allowing you to easily detect incidents and conduct all necessary investigations.


User action monitoring is a necessary part of any solid insider threat detection and prevention strategy, and incorporating it into your own cyber security strategy will help you strengthen the protection of your data and your overall security posture.


Ekran System is a great user action monitoring tool for detecting and investigating malicious attacks


The list above makes it clear that insider threats pose one of the biggest challenges to data security, being responsible for a number of very prominent leaks and breaches out there.


What’s more, to combat insider threats you need a completely different set of measures than the regular creation and protection of a secure perimeter from outsider attacks.


You need a tool that will allow you to gain clear insights into user actions, providing you with the ability to detect incidents, investigate them, and respond to them on time.


One such tool that is both powerful and affordable, offering cost-effective deployment for both large and small companies is Ekran System. The main advantages, offered by Ekran System are the following:


  • Complete monitoring of all user actions – Ekran System records everything users see on their screens into an indexed, easily searchable video format, coupled with relevant metadata, allowing you to easily find and review any particular incident

  • Privileged user monitoring – Ekran System monitors user actions regardless of level of user privilege. Driver-level agent protection ensures continuous monitoring

  • Third party monitoring – Ekran System can monitor any user session regardless of the applications or protocols used. It can be used to effectively monitor third-party vendors and subcontractors, allowing you to detect any malicious actions on their part

  • Alerting and incident response functionality – Ekran System provides a set of predefined alerts that cover the most frequent incidents encountered by our clients, as well as the ability to create custom alerts to make sure that alerts reflect the specific needs of your company

  • Access control functionality, including two-factor authentication and one-time passwords – Ekran System includes a set of basic access control features in order to distinguish between users of shared accounts and to help you strengthen your own login procedure. Among the features included are additional authentication, including one-time passwords and two-factor authentication.

  • Flexible licensing scheme – Ekran System employs a licensing scheme that makes it cost effective for small and medium-sized businesses as well as large enterprises. The price of Standard license in based solely on the number of monitored endpoints, while large companies can also consider an Enterprise license, that includes an additional fixed charge for a web control panel and provides a set of additional features, developed specifically for large companies, such as high availability and SIEM and ticketing system integration.


The bottom line is that insider threats are dangerous and there’s no better way to deal with them than with user action monitoring software. While most of such software is fairly expensive, Ekran System provides a rich set of features for an affordable price, making it a great offer for both small and large companies alike.