It would seem that 2011 is certainly going to make its mark as a year of high-profile breaches. Just as TJX became the highlight of every security presentation, Sony will now take that place of honor.
In what has been a horrific year for the company, back in April, Sony announced that 77 million accounts were hacked through the Sony PlayStation network. Sony was later subject to an additional breach in which 2,000 records were stolen from its Canadian site. It was later revealed that hackers had also gained access to data for an additional 25 million customers on its Sony Online Entertainment service, including emails, birth dates, phone numbers and addresses.
So far, no hacker group has claimed responsibility for the original PlayStation network attack. Sony has, however, said that at the time it was subject to a DDoS attack from the hacktivist group known as Anonymous. Anonymous, however, has denied stealing the data.
Lulz Security broke into SonyPictures.com using a fairly simple SQL injection attack, and claims to have stolen the personal information of over 1,000,000 users, which was stored in plain text. The group frequently posts updates on its Twitter feed, @LulzSec, even taunting Sony. In late May, the hacker collective tweeted, “Hey @Sony, you know we’re making off with a bunch of your internal stuff right now and you haven’t even noticed? Slow and steady, guys.”
The Ponemon Institute says the cost of the original PlayStation breach may be somewhere around 24 billion dollars. The U.S. Department of Homeland Security is now involved in the resulting investigation.
The U.S. Senate’s Web site was first attacked in early June and then again on June 15, and hacking group LulzSec claimed responsibility for that attack, saying “We don’t like the U.S. government very much.” On its website following the weekend attack, LulzSec wrote, “their boats are weak, their lulz are low, and their sites aren’t very secure.” LulzSec also announced on its Twitter account that it had targeted – and taken down – the Central Intelligence Agency’s Web site. The agency’s Web site was restored soon after.
LulzSec, whose name is derived from the text-messaging shorthand phrase LOL, or “laugh out loud,” originally gained notoriety for hacking PBS.org’s home page with an image of NyanCat. Other targets have included an FBI partner website, the website of videogame developer Bethesda Softworks, Nintendo and the website of the US non-profit Public Broadcasting Service.
The attack landscape has definitely changed, with hacktivist activity growing and becoming more organized, to the point of groups having their own presence complete with web site and press statements. Recently the two most well-known hacktivist groups – Anonymous and LulzSec – have announced plans to pool their resources and continue their electronic fight against the world’s governments. In a press statement, LulzSec said that in a new operation – codenamed Operation Anti-Security – both organisations will “encourage any vessel, large or small, to open fire on any government or agency that crosses their path.”
It is not just governments, however, that have to fear hacktivists; banks have also been called out as targets and, as the Sony attacks demonstrate, public companies are also at risk.
The International Monetary Fund came under a ‘serious and sophisticated’ cyberattack early this year. The scale of the hacking is still unknown – but the confidential information held by the IMF has the potential to move markets and is therefore very valuable. How hackers were able to penetrate the IMF’s network is still unknown, but it appears the intrusion may have been the result of a spear phishing attack.
The personal details of about 360,000 CitiGroup cardholders were recently stolen after a security breach via Citi’s web portal. The malicious hackers were able to get away with cardholders’ names, account numbers, and contact information such as e-mail addresses.
2011 is already shaping up to be a year of data breaches. We are seeing breaches becoming much deeper and more targeted. The growth of hacktivism will require governments, large corporations and banks to be extremely vigilant about their security.
By Sushila Nair, Product Manager, BT Counterpane