Learning from real-world cloud security crises

Industry: Financial Services Industry

Effect: US$101 million stolen

A group of internationally-based hackers attempted to steal nearly US$1 billion from Bangladesh Bank after identifying some security vulnerabilities. They compromised the bank’s network, observed how transfers were done, and used this to gain access to the bank’s credentials for payment transfers. They then used the credentials to authorise their own bank transfers, to the tune of US$951 million.  Similar attacks have been seen at the Banco del Austro in Ecuador (US$12 million stolen) and the Tien Phong Bank in Vietnam (unsuccessful).

Result

US$101 million of transfers were successfully completed by the thieves; US$63 million was never recovered.

Industry: Professional services

Effect: 117 million accounts

In 2012, LinkedIn’s database was breached, releasing user email addresses and hashed passwords. The data was put up for sale online.

Originally, it was thought that just 6.5 million accounts were affected, and LinkedIn asked that those users reset their passwords. Later, 117 million user account details were put up for sale online, and it is thought that the data came from the same breach. If that’s the case, then it is possible that each of those user accounts has been vulnerable since 2012.

Result

Up to 117 million user email/password combinations exposed, giving potential access to financial data; ramifications for users who use the same combination on other sites.

Industry: Higher Education

Effect: 146,000 students

The names, addresses, and Social Security Numbers of a large number of Indiana University students and graduates were stored on an unprotected site. The lack of protection meant that several data mining applications not just accessed, but downloaded all the data files.

Result

Students and credit reporting agencies had to be notified; ongoing risk for financial fraud and identity theft, and associated liability.

Industry: Transport

Effect: Tens of thousands of customers

British Airways frequent flyer account details were accessed, most likely by an automated program seeking vulnerabilities.

Result

Service disruption meaning club members could not use their points; reputational damage.

Industry: Financial Services Industry

Effect: 9000 customers

Tesco Bank had monitoring and security mechanisms in place. However, Tesco Bank data such as credit card verification had to be accessed by the parent company Tesco, which does not appear to have been as secure. Security is only as strong as the weakest link in the chain, and in this instance, money was stolen and customers defrauded.

Result

Customers defrauded to the tune of 2.5 million pounds. The bank had to pay associated costs, and manage associated brand damage.

Industry: Communication

Effect: 100 million users

VK.com, a Russian-style Facebook, was allegedly breached sometime between 2011–2013, and user details later released. The data included full names, email addresses, phone numbers, and plain-text passwords.The data was put up for sale for around US$570 in total.

Result

VK denied the hack.

Industry: Financial Services Industry

Effect: 78.8 million

Anthem suffered a cyberattack in late 2014, with information accessed potentially including names, home addresses, email addresses, employment information, birth dates, and income data. The FBI investigation found that the attacks were conducted by international parties who were curious about the American healthcare system.

Almost all of Anthem’s product lines were impacted.

Result

Anthem had to pay US$115 million to settle a class action litigation suit as a result of the breach. They also provided up to four years of credit monitoring and identity protection services to affected customers.

Industry: Communication

Effect: 15 million users

Telegram is a messaging service not dissimilar to WhatsApp, which is known for its end-to-end encryption. When signing up, users verify their phone number via use of a text message. These messages can be accessed by the phone company, and bad actors with access to that information can add devices to a user’s account. This means they can read a user’s chat histories and messages. 15 million user accounts in Iran were compromised.

Result

Telegram recommends use of a strong password and verification email address, in addition to the SMS. They cannot guarantee the security of third-party service providers, such as a phone company.

Industry: Government

Effect: 55 million users

Weaknesses in COMELEC’s network and data security meant hackers were able to access the full database of all registered voters in the Philippines. The database contained personal details many of which were stored in plain text, and included fingerprints, passport numbers and expiry dates, and potentially voting behaviour.

Result

The data could be used for extortion, phishing, or blackmailing purposes, and related hacks may lead to election manipulation.

Industry: Communications

Effect: up to 1.5 billion accounts

Yahoo’s security was breached twice, in 2014 (500 million accounts stolen by a state-sponsored actor) and 2013 (1 billion accounts). Information included user names, telephone numbers, birth dates, and encrypted passwords.

Result

Yahoo’s sale price to Verizon was reduced by some US$350 million as a result of the hacks.