The Worst Corporate Hacks

From Operation Shady RAT to Red October to WannaCry, hacks occur every day worldwide. Some of the largest and most influential companies have fallen victim to cyber-attack. We've assembled this Top 10 list together with an analysis of how the hackers infiltrated the systems and the damage caused. Additionally, we've included discussions of the practical measures to resolve and/or mitigate the risks, identifying key technologies your organization can use to protect you from falling victim to the next hack.

Capital One (100 million records): access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people's names, addresses, credit scores, credit limits, balances, and other information, according to the bank and the US Department of Justice.

Facebook (50M users): the latest hack of Facebook was the largest in the company's 14-year history. The hack exposed personal information of nearly 50 million users, including those of Mark Zuckerberg and Sheryl Sandberg.

Uber (57 million users): a 2016 Uber breach affecting data for 57 million users was covered up by the company, including a $100,000 payment to the attackers to keep the incident quiet.

Equifax (143 million SSN): it has been marked as the worst data breach in US history. Attackers stole half the US population's Social Security numbers from Equifax this spring, but the company only notified people in September. The fallout has been swift, with government agencies looking into the incident, class action lawsuits being filed, and consumers demanding free credit freezes.
Panama Papers (11.5M records stolen): the email server of law firm Mossack Fonseca was hacked; documents leaked to the media reveal money laundering schemes.

Hollywood Presbyterian (personal records compromised): cybercriminals seized computer systems and demanded a $3.4 million ransom to release control. In this instance, the hack caused the hospital to return to pen and paper for its record keeping for a period of time.

DNC (records: unknown): during the 2016 presidential elections, Russian hackers infiltrated the Democratic National Committee's email system. Private conversations and information were exposed to influence public opinion of Secretary Hillary Clinton and the DNC, and influenced the results of the U.S. presidential election.

Anthem (80M records): internal customer files were breached. Hackers stole the names, birth dates, member IDs, Social Security numbers, emails, physical addresses, phone numbers, and employment information of patients and employees.

JP Morgan Chase (76M records): periodic breaches accessed customer names, emails, physical addresses, phone numbers, and "internal" bank information.

Yahoo (2016) (records: unknown): hackers infiltrated Yahoo for the second time and stole 500,000,000 user names and passwords, as well as other information from the user database for Yahoo.com. This not only caused widespread problems because of the exposure of the user passwords, but also impacted the selling price of Yahoo to Verizon (Yahoo reduced its sale price by $500 million).

Details and Resolutions

Capital One (100 million records)

Hack: access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people's names, addresses, credit scores, credit limits, balances, and other information, according to the bank and the US Department of Justice.
How: a criminal complaint says Paige Thompson tried to share the information with others online. The 33-year-old, who lives in Seattle, had previously worked as a software engineer for Amazon (AMZN) Web Services, the cloud hosting company that Capital One was using, the Justice Department said. She was able to gain access by exploiting a misconfigured web application firewall, according to a court filing.

Mitigation: Thompson was arrested Monday in connection with the breach, the Justice Department said. Thompson's attorney could not be immediately reached for comment. Capital One (COF) said the hack occurred March 22 and 23. The company indicated it fixed the vulnerability and said it is "unlikely that the information was used for fraud or disseminated by this individual." However, the company is still investigating.

Microsoft technologies: EM+S, OMS, Windows 10 with Defender ATP, Visual Studio Team Services. Other technologies: ServiceNow.

Facebook (50M users)

Hack: the latest hack of Facebook was the largest in the company's 14-year history. The hack exposed personal information of nearly 50 million users, including those of Mark Zuckerberg and Sheryl Sandberg.

How: hackers exploited a feature in Facebook code to gain access to user accounts and potentially take control of them. Attackers took advantage of two bugs in the site's "View As" feature, which was originally intended to give users more control over their privacy. These flaws were compounded by another bug in the video-uploading program that allowed attackers to steal access tokens that grant access to an account.

Mitigation: this hack reinforces the importance of strong password controls, particularly the use of two-factor authentication to gain access to the network and to critical servers. This can use technologies like smart cards, biometrics, and text-based two-factor auth.
The presence of technologies for monitoring authentications, such as ATA and OMS, would have helped detect the unusual activity.

Microsoft technologies: Windows 10 with Defender ATP, EM+S, OMS.

Uber (57 million users)

Hack: malicious actors stole personal data on hundreds of thousands of Uber drivers and 57 million Uber users. The company allegedly covered up the breach for one year and reportedly paid the attackers $100,000 to keep quiet.

How: according to new CEO Dara Khosrowshahi, the Uber breach was due to two malicious actors accessing "a third-party cloud-based service" (reportedly GitHub and Amazon Web Services (AWS)) in late 2016 and downloading files containing names and driver's license information on 600,000 U.S. Uber drivers, and other personal information (addresses and phone numbers) for 57 million Uber customers from around the world.

Mitigation: this is an example of the necessity of using modern development practices, with automated testing (especially automated security testing), using Visual Studio Team Services in conjunction with external tests with Application Insights and other external testing tools. If the additional development work had been built into the system to include automated testing and release, the attack could have been prevented. This is also an example of an organization choosing to build its own user identity solution rather than leveraging something like Azure AD B2C, which would mitigate issues like this.

Microsoft technologies: EM+S, Visual Studio Team Services, Application Insights, Azure Active Directory B2C.

Equifax (143 million SSN)

Hack: besides amassing data on nearly every American adult from Equifax, the hackers also sought information on specific people. It's not clear exactly why, but there are at least two possibilities: they were looking for high-net-worth individuals to defraud, or they wanted the financial details of people with potential intelligence value.
Eventually the intruders installed more than 30 web shells, each on a different web address, so they could continue operating in case some were discovered.

How: Equifax was exposed due to a lone employee error, says former CEO Richard Smith. CERT notifications on Apache Struts flaws went unheeded. The IT team failed to deploy patches and scans for lingering vulnerabilities, and compromised data was not encrypted. It is also believed that hackers may have had help from an Equifax insider.

Mitigation: the vulnerability that attackers exploited to access Equifax's system was in the Apache Struts web-application software, a widely used enterprise platform. Equifax confirmed that attackers entered its system in May of 2017 through a web-application vulnerability that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn't. Experts point to an Equifax web portal for handling credit-report disputes from customers in Argentina that used the embarrassingly inadequate credentials of "admin/admin." Ongoing discoveries such as these increasingly paint a picture of negligence, especially in Equifax's failure to protect itself against a known flaw with a ready fix.

What went wrong: EM+S, OMS, Windows 10 with Defender ATP, installing of patches.

Panama Papers (11.5M records stolen)

Hack: in early April 2016, the International Consortium of Journalists leaked a wealth of sensitive documents known as the Panama Papers. The leak consisted of 2.6 terabytes of data from the Panamanian law firm Mossack Fonseca, and linked 140 world leaders from more than 50 countries to secret offshore accounts in 21 different tax havens. Hackers broke into Mossack Fonseca's systems through their website, which was using an outdated and vulnerable version of WordPress 4.1.
How: there is limited information on "how" the Panama Papers were hacked, with the exception that an "email server" was compromised. Some researchers have also suggested that older versions of WordPress / Drupal were to blame for the initial access.

Mitigation: the mitigating factors for this are very similar to other scenarios, especially the ability to spot lateral movement within the network and security around endpoints.

Microsoft technologies: EM+S, OMS, Windows 10 with Defender ATP, Visual Studio Team Services. Other technologies: ServiceNow.

Hollywood Presbyterian (personal records compromised)

Hack: in February 2016, attackers took computers belonging to the Hollywood Presbyterian Medical Center in Los Angeles hostage using a piece of ransomware called Locky. Computers were offline for more than a week until officials caved to the extortionists and paid the equivalent of $17,000 in Bitcoin.

How: the hackers used a type of malware to capture access to critical information in the application infrastructure. This ultimately prevented access to critical systems by IT administration and end users until the incident was resolved. The ability to recover quickly was unavailable as a mitigating factor, causing the hospital to give in to some of the demands.

Mitigation: in addition to client-side protections (such as Defender ATP) to mitigate the risk and server-side mitigations (such as OMS), the organization's gap was an inability to recover the critical systems and data without giving in to the hackers. This is very common, as recovery is expensive. Newer recovery systems such as Azure Site Recovery, or more real-time backup solutions built into SQL, etc., could have enabled recovery with little downtime and without the need to risk paying the hackers.
Microsoft technologies: Windows 10 with Defender ATP, Exchange ATP (online protections), EM+S, OMS, Azure Site Recovery (ASR).

DNC (records: unknown)

How: the DNC relied on CrowdStrike; the back door was executed using PowerShell. This allowed the hackers to launch malicious code after a certain period of time so they could connect to the system and transfer out information without detection. At campaign rallies, hackers used a "pineapple" to hack cell phones and other devices to get access to authentication and passwords.

Mitigation: for the data center hack, if they had been leveraging OMS, there would have been a feature to detect malicious activity on their servers. This activity would have been detected due to the payload they were using on the server. For the WiFi hack, they should have moved away from pre-shared keys and used certificate-based WiFi. The pineapple allowed the attackers to set up a fake network to which people connected unknowingly and surrendered all of the information flowing through that network.

Microsoft technologies: EM+S, OMS, configure VPN. Other technologies: ServiceNow.

Anthem (80M records)

Hack: in January 2015, hackers broke into the health insurance giant's records and pillaged names, Social Security numbers and other sensitive information for up to 80 million customers.

How: in this case, the information was retrieved from unencrypted fields in a database leveraging an existing administrator's credentials. The administrator credentials were used to bypass security protocols. The intruder was present for an extended period before the IT organization noticed the database had been compromised. Assuming additional controls were placed around the users, database encryption could be used to limit access to sensitive information.

Mitigation: this hack reinforces the importance of separation of administrative access from normal user access, increased scrutiny around administrator accounts, and JEA (Just Enough Administration) techniques to limit access.
Monitoring servers through tools like OMS, and authentication with ATA, would help identify the lateral movement and look for "non-typical" authentications, which could also be used to detect these scenarios.

Microsoft technologies: OMS, EM+S.

JP Morgan Chase (76M records)

Hack: the largest bank in the nation was the victim of a high-profile cyberattack during the summer of 2014. The breach compromised the data of 76 million households (more than half of all U.S. households) and 7 million small businesses.

How: hackers stole the login credentials of an employee, allowing access to the internal network. The bank did not use two-factor authentication on the channel used by the attackers. After gaining access, the attackers were able to access over 90 servers over an extended period of time.

Mitigation: this hack reinforces the importance of strong password controls, particularly the use of two-factor authentication to gain access to the network and to critical servers. This can use technologies like smart cards, biometrics, and text-based two-factor auth. The presence of technologies for monitoring authentications, such as ATA and OMS, would have helped detect the unusual activity.

Microsoft technologies: OMS, EM+S, ATA.

Yahoo (2016) (records: unknown)

Hack: in September 2016, Yahoo disclosed an enormous 500 million-account breach. Hackers used forged cookies to bypass security protections and access users' accounts without a password. Yahoo says that it believes this situation is connected at least in part to the allegedly state-sponsored hackers.

How: hackers were able to access a critical system within Yahoo's network responsible for account management. This access allowed the hackers to perform a "cookie minting" measure to facilitate access to accounts within the Yahoo offerings and persist for over a year inside the network, until discovered in 2016.
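A server-side check that makes a minted cookie useless on its own, as an added example that is not from the original page or from Yahoo (the cookie layout, class and function names are assumptions for this example):

```python
"""Added example: session cookies that cannot be "minted" from a signing key alone.

A forged cookie only works when the server treats the cookie as the whole
session.  Keeping the session record server-side, expiring it, and being
able to rotate the key means a cookie with a valid signature but no matching
record is rejected.  Names and the cookie layout are assumptions for this
example, not Yahoo's real design.
"""
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Issues and resolves signed session cookies backed by a server-side table."""

    def __init__(self, signing_key):
        self.signing_key = signing_key
        self.sessions = {}            # session id -> (user, expiry timestamp)

    def _sign(self, sid):
        mac = hmac.new(self.signing_key, sid.encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{mac}"

    def issue(self, user, ttl=3600, now=None):
        """Create a session record and return the cookie value for it."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(16)   # urlsafe alphabet never contains '.'
        self.sessions[sid] = (user, now + ttl)
        return self._sign(sid)

    def resolve(self, cookie, now=None):
        """Return the user for a cookie, or None if it is forged, unknown or expired."""
        now = time.time() if now is None else now
        sid, sep, mac = cookie.rpartition(".")
        if not sep:
            return None               # not even shaped like one of our cookies
        expected = hmac.new(self.signing_key, sid.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None               # signature does not match the current key
        record = self.sessions.get(sid)
        if record is None:
            return None               # valid signature, but no server-side session
        user, expiry = record
        if now >= expiry:
            del self.sessions[sid]
            return None               # expired: minted cookies do not live forever
        return user

    def revoke_user(self, user):
        """Drop every session for one account; returns how many were removed."""
        doomed = [sid for sid, (u, _) in self.sessions.items() if u == user]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)

    def rotate_key(self, new_key):
        """Swap the signing key; every cookie signed with the old key now fails.
        Leftover records simply age out through their expiry."""
        self.signing_key = new_key


def minted_cookie(signing_key, sid):
    """A cookie built from the signing key alone, the way the breach above
    describes: correctly signed, but with no session record behind it.
    Used here only to show that resolve() rejects it."""
    mac = hmac.new(signing_key, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"
```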
Mitigation: this could have been mitigated through technologies like OMS (detecting malicious activity on servers and communication between servers that is abnormal), ATA (detecting authentication that is abnormal), and network segmentation (preventing lateral movement). The presence of a more sophisticated incident response process might also have allowed better detection over time. Finally, JEA (Just Enough Administration), multi-factor authentication to critical systems, and jump-servers to administration networks would have made a substantial difference. The idea of "redeployability", regularly bringing systems back into the correct state using declarative infrastructure, also would have made a difference, especially if it put in place additional security controls.

Source: https://www.bloomberg.com/news/articles/2017-03-16/here-s-how-russian-agents-hacked-500-million-yahoo-users

Microsoft technologies: EM+S, OMS, Windows 10 with Defender ATP, Visual Studio Team Services. Other technologies: ServiceNow.
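The "non-typical authentication" monitoring recommended for Facebook, Anthem, JP Morgan Chase and Yahoo above, as an added example that is not from the original page and does not model ATA or OMS; the log format, accounts, host names and thresholds are constructed for the example:

```python
"""Added example: flag "non-typical" authentications in an auth log.

The log format, accounts, hosts and thresholds are constructed for this
example; it does not model ATA or OMS.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: servers that must only be reached with a second factor, and
# how many distinct hosts one account may touch in one window before the
# pattern looks like the lateral movement seen in the breaches above.
CRITICAL_HOSTS = {"DB-CORE-01", "ACCT-MGMT-01"}
FANOUT_LIMIT = 4
FANOUT_WINDOW = timedelta(minutes=10)

# Constructed baseline: the sources each account normally authenticates from.
BASELINE = {
    "alice": {"10.1.4.22"},
    "bob": {"10.1.4.31"},
    "svc_backup": {"10.1.9.5"},
}

# Constructed log, one authentication per line as key=value fields.
SAMPLE_LOG = """\
2019-07-12T08:01:02Z user=alice src=10.1.4.22 host=WS-ALICE mfa=yes result=success
2019-07-12T08:03:10Z user=bob src=203.0.113.7 host=VPN-GW mfa=no result=success
2019-07-12T08:04:44Z user=bob src=203.0.113.7 host=DB-CORE-01 mfa=no result=success
2019-07-12T08:05:01Z user=bob src=203.0.113.7 host=DB-CORE-01 mfa=no result=failure
2019-07-12T09:00:00Z user=svc_backup src=10.1.9.5 host=FS-01 mfa=no result=success
2019-07-12T09:01:00Z user=svc_backup src=10.1.9.5 host=FS-02 mfa=no result=success
2019-07-12T09:02:00Z user=svc_backup src=10.1.9.5 host=FS-03 mfa=no result=success
2019-07-12T09:03:00Z user=svc_backup src=10.1.9.5 host=APP-01 mfa=no result=success
2019-07-12T09:04:00Z user=svc_backup src=10.1.9.5 host=APP-02 mfa=no result=success
"""


def parse(line):
    """Turn one log line into a dict, with the timestamp parsed under 'ts'."""
    stamp, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text, baseline):
    """Return (rule, user, detail) findings for every successful authentication
    that is new for the account, skips MFA on a critical host, or fans out
    across too many hosts too quickly."""
    findings = []
    known = {user: set(srcs) for user, srcs in baseline.items()}
    recent = defaultdict(list)            # user -> [(ts, host)] inside the window
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["result"] != "success":
            continue                      # failures are a separate signal
        user, src, host, ts = rec["user"], rec["src"], rec["host"], rec["ts"]

        # Rule 1: success from a source this account has never used before.
        if src not in known.setdefault(user, set()):
            findings.append(("new-source", user, f"{src} -> {host}"))
            known[user].add(src)          # report each new source once per run

        # Rule 2: critical server reached without a second factor.
        if host in CRITICAL_HOSTS and rec.get("mfa") != "yes":
            findings.append(("no-mfa-critical", user, host))

        # Rule 3: one account reaching many distinct hosts inside the window
        # (the JP Morgan Chase pattern of one credential touching 90 servers).
        window = [(t, h) for t, h in recent[user] if ts - t <= FANOUT_WINDOW]
        prior_hosts = {h for _, h in window}
        if host not in prior_hosts and len(prior_hosts) + 1 > FANOUT_LIMIT:
            findings.append(("fanout", user,
                             f"{len(prior_hosts) + 1} hosts within "
                             f"{FANOUT_WINDOW.seconds // 60} min"))
        window.append((ts, host))
        recent[user] = window
    return findings
```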