A Brief History of the Worst IT Computer Security Mistakes | Business Hub | Staples.com®

A Brief History of the Worst IT Computer Security Mistakes

Read about some of the most embarrassing security goofs — and learn how to avoid a similar fate.

So you thought the world was going to end when you lost that company smartphone at the bar after work on Friday night? Feel better: When it comes to security breaches, there are horror stories that make yours look enviable.

After you’ve done a remote wipe of that smartphone, learn about some of the worst gaffes from recent years along with tips for avoiding a similar fate.

ESTsoft

In July 2011, attackers managed to get malware onto the update servers at ESTsoft, a South Korean application development company. Every site that used the firm’s apps was affected, and in a chain reaction, those machines also spread the malware.

As a result, the personal information of about 35 million South Koreans was exposed, which represents a majority of the country’s population. The breach was so severe that one international newspaper called it a “hackocalypse.”

Avoidance tip: Even if your company’s networks don’t directly link to so many people, you should still be cautious about what goes out past the firewall. Regularly examine the security logs your systems generate. These logs, along with automatic security controls, represent the first line of defense. If you’re using Windows, look for multiple Logon Failure errors (also known as 529 events), since those could indicate someone is trying to hack the system.
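The log check described above can be automated. The following is an added example, not part of the original article: it scans an exported security log for bursts of logon failures from a single source. The CSV layout, the threshold of five failures, and the five-minute window are assumptions; event ID 4625 is included because it is the logon-failure ID on Windows Vista and later, where 529 no longer appears.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp, event ID, account, source address.
# Addresses come from documentation ranges; this is not real log data.
SAMPLE_LOG = """\
2024-01-15T02:14:05,529,administrator,192.0.2.44
2024-01-15T02:14:09,529,admin,192.0.2.44
2024-01-15T02:14:15,529,backup,192.0.2.44
2024-01-15T02:14:21,529,jsmith,192.0.2.44
2024-01-15T02:14:30,529,jsmith,192.0.2.44
2024-01-15T02:14:41,529,sql,192.0.2.44
2024-01-15T08:59:12,529,mlee,198.51.100.7
2024-01-15T08:59:40,528,mlee,198.51.100.7
2024-01-15T13:05:02,529,mlee,198.51.100.7
truncated line
"""

# 529 is the legacy logon-failure ID; 4625 replaces it on Vista and later.
FAILURE_IDS = {"529", "4625"}


def find_failure_bursts(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source: peak failure count} for every source that reaches
    `threshold` logon failures inside any sliding `window`."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) != 4 or row[1] not in FAILURE_IDS:
            continue  # skip malformed rows and events that are not failures
        events.append((datetime.fromisoformat(row[0]), row[3]))

    recent = defaultdict(deque)  # source -> failure times still inside the window
    peaks = {}
    for when, source in sorted(events):
        times = recent[source]
        times.append(when)
        while when - times[0] > window:
            times.popleft()  # drop failures that have aged out of the window
        if len(times) >= threshold:
            peaks[source] = max(peaks.get(source, 0), len(times))
    return peaks


if __name__ == "__main__":
    for source, count in find_failure_bursts(SAMPLE_LOG).items():
        print(f"{source}: {count} logon failures within 5 minutes")
```

The single mistyped password from 198.51.100.7 is ignored, while the rapid failures against several account names from 192.0.2.44 are flagged for review.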

PlayStation Network

Gamers met hackers in an ugly standoff in April 2011, when an attack on PlayStation Network took the service offline for 44 days. The company spent $170 million to restart and win back customer trust. In the meantime, 77 million accounts were exposed, including users’ credit card information.

The attack was carried out by Lulz Security (sometimes abbreviated as LulzSec), a hacker group that claims responsibility for other high-profile takedowns, including a CIA website crash. The group believes it’s fostering more security by drawing attention to insecure systems and showing people the dangers of password reuse.

Avoidance tip: Unless you run a government agency or a major technology firm, LulzSec isn’t likely to come after you. However, their message about password protection shouldn’t be ignored, either.

Password reuse is a very common security problem, because people tend to choose the same username/password combination for multiple devices and websites.

RSA Security

You might think a security firm would be immune to large-scale breaches, and that’s probably what RSA Security thought, too. But in March 2011, the company’s reputation took a major hit when attackers found a way into their networks and exposed 40 million employee records.

The hackers used “spear phishing” to launch their attacks, employing sophisticated email fraud to get unauthorized access to data. About a year later, RSA’s president noted the breach cost the company $66 million in reparations and left RSA scrambling to regain customer trust.

Avoidance tip: Spear phishing has been a regular occurrence ever since companies began introducing their employees to email. To prevent these types of problems, hold regular training sessions with employees about security threats. Be sure to emphasize this message: Don’t download anything from someone you don’t know, even if it seems safe.

If a virus has gotten into the system through an inadvertent download, the system will usually run slower or start issuing more error messages. For more information, check out our video on virus detection: “Curious Intern Mucks Up Office PC Security.”

Monster.com

Since this one happened in 2007, it’s considered an oldie in Internet time. However, it still holds valuable lessons for today. Monster.com took a hit when hackers obtained legitimate keys to the system, most likely by guessing passwords that belonged to recruiters.

Although it affected 1.3 million job seekers, the breach wouldn’t have been notable if it hadn’t been for Monster’s delay in announcing the issue. While the company waited several days to tell users, the hackers were sending out scam emails to users and phishing for personal financial data. Monster received more criticism for their hesitation to admit the breach than for the breach itself.

Avoidance tip: When a security issue crops up, inform affected users immediately. As the situation with ESTsoft demonstrates, a breach can quickly become a chain reaction that affects multiple sites and numerous users. It's better to suffer from temporary user disappointment than to lose customer and employee trust long-term.

Gawker Media

Gawker Media got slammed in December 2010, when hackers exposed the email addresses and passwords of about 1.3 million blog commenters. As if that weren’t bad enough, the attackers also nabbed the source code for Gawker’s content management system, which meant they could publish whatever they wanted on the Gawker family of sites.

A group called Gnosis claimed responsibility, noting they’d carried out the attack because Gawker founder Nick Denton had told hackers to “bring it on.”

Avoidance tip: Don’t challenge hackers to attack your system. It’s just not a good idea.

In general, no human-designed system is 100 percent secure, and any company can suffer from security breaches. The companies mentioned here all had strong controls in place and still got socked.

To avoid their fate, the best you can do is implement multiple levels of security, conduct regular antivirus and intrusion-detection checks, and make sure you have that smartphone the next time you're leaving happy hour.
