Three Data Breaches You Have Never Heard Of

Data breaches happen all the time for several reasons, a company gets hacked, poor security, an inside job, a device was stolen (laptop or USB stick), or a technical issue creates a vulnerability. Many of us know of the big ones, Cambridge Analytic, Snowden, Panama Papers, and Yahoo to name a few. But have you heard of RootsWeb’s leaky server? Or when Newegg unknowingly let hackers skim credit card information for over a month? How about the U.S. Custom and Border Protection losing thousands of photos of people’s faces and licence plates? Read on to learn more. 

RootsWeb: Leaky Server 

The Details 

Back in 2000, Ancestry bought RootsWeb a free online community that was used for genealogy research, message boards, sharing family trees, surname list, and mailing lists. Ancestry hosted a dedicated RootsWeb server as a favour to the community. Unfortunately, in 2017 it was discovered that it had a leaky server that exposed 300,000 passwords, email addresses, and usernames to the public internet. The exposure was brought to Ancestry’s attention when Troy Hunt, the founder of the data breach repository HaveIBeenPwned.com, reported the existence of the public file on RootsWeb’s server. Thankfully, this server did not contain any sensitive information such as credit card data or social security numbers that the Ancestry server contained.  

What Did Ancestry Do? 

Ancestry’s Information Security Team reviewed the details of the file Troy Hunt provided them and started a forensic investigation of the RootsWeb’s system to determine the source of the data and identify any potential exploitation of the system. They found the information was legitimate but also quite old. The file contained 300,000 emails, usernames, and passwords, when they cross referenced their Ancestry sites, they found that only 55,000 were usernames and passwords used on both with many being inactive accounts. They also discovered that 7,000 of the password and email address combinations matched credentials for active Ancestry customers. If you have taken any cybersecurity courses, you would know it is not the safest idea to use the same username and password combinations for multiple sites. Ancestry locked all the impacted accounts, forcing any of those users to create a new password and took RootsWeb offline to resolve the issue and improve the site’s overall security and infrastructure.  

Thanks to Ancestry’s quick response and having qualified professionals on their Information Security Team, no one’s data was maliciously exploited. Interested in becoming a qualified professional? Look into CompTIA A+ certification training or CompTIA Network+ training to start your journey. 

Don’t let this happen to you, make yourself more secure online by changing a few online behaviours.  

Newegg: Magecart Attack 

The Details 

In 2018, Newegg suffered a month long magecart attack between August 14th and September 18th. A magecart is a “consortium of malicious hacker groups who target online shopping cart systems…to steal customer payment card information” (David Strom, CSO online). On Augst 13th, 2018, Magecart operators registered a domain name called neweggstats.com, their intent was to blend in with Newegg’s primary domain. The domain initially pointed to a standard parking host, a web hosting service to store (park) domain names before they get used. A few days later, it was changed to a Magecart drop server where skimmer backend runs to receive skimmed credit card information. The hackers managed to integrate the 15 lines of code into the checkout process, meaning customers were only on a compromised page when they put their payment information in, the pages before and after were uncompromised Newegg web pages. This server even used a HTTPS certificate to blend in, looking at the URL you probably didn’t notice anything wrong. This malware was not noticed by Newegg, an incident response firm Volexity discovered and reported the malware.  

What Did Newegg Do? 

Newegg sent out an email apologizing to its customers and told them to keep an eye on their bank accounts for any suspicious activity. Unfortunately, there is not much else that Newegg could do, the skimmer code was recognizable in the British Airways incident and the Ticketmaster incident that occurred within the same few months a highly disguised and devasting attack. Active monitoring and penetration testing of all networks and servers seems to be something that online retailers need to prioritize. Become a cybersecurity specialist and help lessen the effects of these attacks, start with CompTIA Security+ training and then move on to CompTIA CySA+ certification training to become an expert in the field of cybersecurity.  

U.S. Custom and Border Protection: Subcontractor Blunder 

The Details 

The U.S. Customs and Border Protection (CBP) confirmed a data breach has occurred in May 2019, that exposed 100,000 photos of people’s faces and licence plates that crossed the US border. It was confirmed to be a malicious attack on a federal subcontractor. The weird part was that the CBP did not give the authorization for the subcontractor to transfer copies of these images to their servers in the first place, it violated mandatory security and privacy protocols outlined in their contract. The images should have never been there.  

Just Because You Can, Does Not Mean You Should  

Many federal agencies in the United States are starting to use automated license-plate-reading devices and facial recognition technologies, specifically in airports. We must ask ourselves, is this technology necessary? Are our laws up to date to handle these technologies? And are we ready for the implications these security and surveillance devices bring? The privacy concerns and debates with this topic, along with the issue of racial profiling and much more makes me think no.  

Honourary Mentions 

Check out a few more interesting data breaches: 

• Over 2.7 million recorded calls to 1177 health advisory number available freely online 
• A surveillance company gets hacked, hacker expresses disdain for recent changes in surveillance legislation. Steals data, but does not expose date 

What other breaches have you heard of or were you surprised by? 

Disclaimer

The information contained in this post is considered true and accurate as of the publication date. However, the accuracy of this information may be impacted by changes in circumstances that occur after the time of publication. Ashton College assumes no liability for any error or omissions in the information contained in this post or any other post in our blog