The top 10 biggest security breaches of 2019 (so far)

Up to ten terabytes of data stolen from Citrix, ransomware outbreaks costing millions and software update systems compromised

Barely a week passes these days without reports of a major security breach - collections of credentials found for sale on the so-called 'dark web', software update systems compromised, and companies subjected to ransomware.

Here are the ten biggest security breaches - that we know of - so far in 2019.

10) Collection #1 data breach

Strictly speaking, the Collection #1 data breach didn't occur in January 2019. Rather, it reflects a much larger collection of breached credentials uncovered for sale on the 'dark web' by security specialist Troy Hunt.

However, as the title implies, Collection #1 was just part of a wider cache of compromised credentials being sold in blocks online, from a seller who would appear to be based in Russia.

Security journalist Brian Krebs followed up the story and spoke to the seller, who told him that "Collection #1 consists of data pulled from a huge number of hacked sites, and was not exactly his 'freshest' offering. Rather, he sort of steered me away from that archive, suggesting that - unlike most of his other wares - Collection #1 was at least two-to-three years old.

"His other password packages [not available via his website] total more than four terabytes in size [and] are less than a year old."

9) South African electricity utility Eskom accused of ignoring CRM system compromise

What's worse than stumbling across a great, big cache of personal information being offered for sale on the internet? Stumbling across a seemingly insecure database being updated in real-time with data from a major utility, perhaps?

And what could be worse than that? Maybe the utility in question refusing point-blank to admit that it has even been compromised.

That was the curious case with South Africa's lackadaisical electricity monopoly Eskom. When South African security researcher Devin Stocks pressed the issue, it transpired that the database in question belonged to an Eskom partner company, EMS Invirotel, which admitted that it had been hacked (without going into too much detail about it) with the hackers opening up an unsecured port in the process.

EMS Invirotel supplies smart metering and utility account management systems to Eskom, so nothing to worry about for the 57 million South Africans who have no choice but to get their electricity from the corruption-riddled and chronically indebted state-owned utility.

8) Email marketing outfit exposes 809 million 'unique' personal records

MongoDB is the gift that keeps on giving - even years after the company behind it discontinued the naive habit of distributing the NoSQL database with security turned off by default.
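As an added illustration (not taken from the article, nor from MongoDB's own documentation), the two mongod.conf fragments below contrast the exposed posture the article refers to with the settings a defender would expect to see. The certificate path is a placeholder; the keys (`net.bindIp`, `net.tls`, `security.authorization`) are standard mongod configuration options.

```yaml
# Weak (constructed example): listens on every interface with no authentication.
# With no 'security' section, any client that can reach the port can read
# and modify every collection, which is how open Mongo instances end up indexed
# by internet-wide scanners.
net:
  bindIp: 0.0.0.0
  port: 27017

---
# Hardened: local interface only, authentication required, TLS enforced.
net:
  bindIp: 127.0.0.1
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # placeholder path
security:
  authorization: enabled
```

The practical check is the same from the outside as from the inside: if `mongo` (or any client) can connect to the port from an unexpected network without supplying credentials, the database is effectively public, whatever the application in front of it does.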

The trove, belonging to a marketing company called Verifications.io, was uncovered by Security Discovery's Bob Diachenko. The leak includes 798 million email records, more than four million email addresses with phone numbers, and more than six million pieces of information identified as "businessLeads".

Diachenko cross-checked a number of the entries with Troy Hunt's nifty HaveIBeenPwned database. "I came to the conclusion that this is not just another 'collection' of previously leaked sources but a completely unique set of data," wrote Diachenko in a blog post.

The company behind the compromised database suggested that all the data in the database was "built with public information, not client data", yet nevertheless took it offline at the first whiff of bad publicity following Diachenko's discovery.

7) Gearbest left millions of customer details on an open server

Nobody really knows what happens with their personal and payment data after they click 'buy'. But the hope is that, as a valued customer, the e-tailer will lovingly look after your name, address, email, payment details, inside leg measurements and whatever other information you gave up in order to satisfy your consumer urges.

Very often, though, it seems more like that information is dumped in a metaphorical skip in the car park - a poorly secured server - and left for all the world's assorted ne'er do wells to rummage through.

That might sound a bit harsh on Gearbest, a respectable purveyor of all kinds of electronics and assorted tat, based in China. But leaving a database full of customers' personal details - including names, addresses, email addresses, passport and ID numbers, and even hashed-out credit card details - on an open server is unforgivable, considering the company suffered a previous data breach in 2017.

Unfortunately for Gearbest, to better serve bargain-seekers across the world it now has warehouses within the European Union, which means it will be subjected to the bracing rigours of the General Data Protection Regulation in all its 'fine' glory.

And GDPR fines, lest execs at Gearbest need reminding, are based on global turnover.

6) Hacker sent messages to thousands of Australians after compromising early warning system

"When you hear the air-attack warning, you and your family must take cover."

The UK's own four-minute warning - to warn of impending nuclear attack during the Cold War - might have been dismantled in 1992, but around the world early warning systems exist to alert people of floods, earthquakes and more.

These days, of course, rather than sirens blaring from bridges and lamp posts, alerts are sent via text message or email.

Even so, no-one expects to be woken up late on a Friday night after an evening on the Castlemaine XXXX by a missive from the early warning system, as residents in the Australian state of Queensland were in January.

Lucky for them, perhaps, it was because the Queensland Early Warning Network was hacked, rather than anything more serious.

Fortunately, instead of sending residents into a state of apoplexy with a false warning over an imminent earthquake, tsunami or an incoming plague of frogs, the hackers instead warned about the poor security of the system.

The company responsible for the Network claimed that they quickly identified the compromise and dealt with it accordingly, adding that only a small number of Queenslanders had their post-pub slumbers disturbed.

5) Iranian hackers nabbed over 6TB of data from Citrix

According to Crowdstrike, state-backed hacking has become so prevalent that certain naming conventions have been established to differentiate between hackers from different nations [PDF]. Russian state hacking groups are called 'bears', Pakistani state hackers are called 'leopards' and state-backed hackers from Iran are referred to as 'kittens'.

It was, apparently, an intrigue of kittens that was behind a 6TB heist of data from software firm Citrix in early March. CISO Stan Black admitted in a blog posting that the company had no idea it had been compromised until the FBI rocked up with a warning. He added that the attackers "may have accessed and downloaded business documents".

That may well be an understatement. According to Resecurity president Charles Yoo, who claims that it was his firm that notified the FBI of the compromise, the documents in question included information about NASA, aerospace contracts, Saudi Arabia's state oil company and the FBI.

The hackers, he added, had gained access to the company's networks via common-or-garden 'password spraying', and worked their way up from there. Even worse, they may have been rummaging around Citrix's networks for up to a decade, Yoo claimed.
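Password spraying is the inverse of brute force: a handful of common passwords tried against many accounts, so that no single account trips a lockout. The detection logic below is an added example written for this article, not anything Citrix or Resecurity published; the log format and the sample lines are constructed, and the thresholds (`min_users`, `max_per_user`, `window`) are assumptions a defender would tune to their own environment. A source that fails against many distinct users with few attempts each is flagged as a spray; a source hammering one account is deliberately left to a separate brute-force rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). 203.0.113.7 sprays
# one guess across six accounts and gets in as 'frank'; 198.51.100.9 brute-forces
# a single account; 192.0.2.20 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2019-03-01T02:10:05Z src=203.0.113.7 user=alice result=FAIL
2019-03-01T02:10:06Z src=203.0.113.7 user=bob result=FAIL
2019-03-01T02:10:07Z src=203.0.113.7 user=carol result=FAIL
2019-03-01T02:10:08Z src=203.0.113.7 user=dave result=FAIL
2019-03-01T02:10:09Z src=203.0.113.7 user=erin result=FAIL
2019-03-01T02:10:10Z src=203.0.113.7 user=frank result=OK
2019-03-01T02:11:00Z src=198.51.100.9 user=alice result=FAIL
2019-03-01T02:11:01Z src=198.51.100.9 user=alice result=FAIL
2019-03-01T02:11:02Z src=198.51.100.9 user=alice result=FAIL
2019-03-01T02:11:03Z src=198.51.100.9 user=alice result=FAIL
2019-03-01T02:11:04Z src=198.51.100.9 user=alice result=FAIL
2019-03-01T03:30:00Z src=192.0.2.20 user=grace result=FAIL
2019-03-01T03:30:30Z src=192.0.2.20 user=grace result=OK
"""

# Assumed log layout: "<ISO timestamp> src=<ip> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "result": m["result"],
    }


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return [(src, distinct_failed_users, success_in_window), ...] for every source
    whose failures within `window` span at least `min_users` accounts with no more
    than `max_per_user` failures per account (the spray signature)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so evs[start:end+1] fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            fails = defaultdict(int)
            for e in evs[start:end + 1]:
                if e["result"] == "FAIL":
                    fails[e["user"]] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                # Spray pattern found. A success from the same source inside the
                # window after the spray began suggests an account was compromised.
                limit = evs[start]["ts"] + window
                success = any(
                    e["result"] == "OK" and evs[start]["ts"] <= e["ts"] <= limit
                    for e in evs
                )
                alerts.append((src, len(fails), success))
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, users, success in detect_spray(SAMPLE_LOG):
        print(f"spray from {src}: {users} accounts, success={success}")
```

On the sample data only 203.0.113.7 is reported, with `success=True`; the single-account attacker is not a spray and the legitimate user never reaches the threshold. In production the same rule works across a pool of source addresses as well, since sprayers routinely rotate them, by grouping on a user-agent or ASN instead of the raw IP.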

4) Pharma giant Bayer targeted by China-linked APT called 'Wicked Panda'

Normally, when cyber attacks hit the press, it's because a company's systems have been crashed, valuable information stolen, massive costs incurred, or an exciting combination of the three.

But in the case of the alleged Wicked Panda attack on pharma giant Bayer - Panda, of course, denoting that the group believed to be behind it has been linked to the Chinese state (see above) - the company claims it picked up the attack at an early stage, watched the attackers in action, then moved in to squash them when they got bored.

What makes it notable, though, is the fact that it's not the first time that the hacking group has been found targeting a major German company - presumably in an industrial espionage operation - with DAX-listed steel and engineering group ThyssenKrupp having been attacked in 2016.

3) 540 million Facebook records exposed by app developers on insecure AWS server

It's hard to have too much sympathy over complaints of compromised Facebook data. After all, Facebook users are effectively publishing their entire lives online anyway - users who were described as "dumb fucks" by a 19-year-old Mark Zuckerberg, in the social media network's early days, for trusting him.

And it's not as if the company's reputation for playing somewhat fast and loose with user data and privacy isn't well known.

However, for the company to have let developers brazenly slurp up as many as 540 million records of Facebook users - a quarter of the daily active users that the company claims to have - looks like more than just carelessness.

The majority of the records come from Mexican media company Cultura Colectiva, which had a 146GB dataset containing more than 540 million records, including information such as account names, IDs and Facebook activity.

The second dataset belongs to the people behind the now-defunct app 'At The Pool' and, while it contains just 22,000 records, this included data such as users' passwords stored in plaintext.

These days, the vast majority of data breaches are the result of malicious actors breaking into corporate networks, often taking advantage of lackadaisical security. However, in the case of Facebook, the data breaches appear to be facilitated by the company itself.

2) Asus' Live Update system breached to distribute malware to hundreds of thousands of users

Supply chain attacks targeting software update systems can be particularly pernicious - they enable hackers to attack thousands of companies at a time, via a trusted system. The most high-profile such attack, of course, was the NotPetya malware outbreak that originated from the poorly secured update server of a Ukrainian accounting software firm.

A number of big-name companies - including Maersk, Reckitt Benckiser, Cadbury and TNT Express among up to 2,000 organisations around the world - were badly affected by NotPetya: $300 million at Maersk, $400 million at TNT Express and at least £100 million at Reckitt Benckiser (and, maybe, one lost job).

Which makes the churlish response of Asus to claims that its own update process had been compromised all the more depressing - shameful, even.

The attack was first identified by Kaspersky Lab researchers in January 2019. The attackers had breached the backend of Asus' automated Live Update software between June and November last year, resulting in the installation of a backdoor called 'ShadowHammer' on a large number of Asus computers.

The Asus Live Update utility, which is pre-installed on most Asus systems, is used to automatically update a number of components, including UEFI, BIOS, applications and drivers.

However, the attackers did not attempt to infect every machine that could potentially have been compromised. Instead, Kaspersky researchers found that the attackers only targeted around 600 specific computers for a secondary malware payload, identified by their MAC addresses, from 57,000 infections picked up by its anti-virus software.

The finger of blame for the NotPetya outbreak had been pointed squarely at Russia. Perhaps the attackers in this case wanted to be a bit more discriminating in who they targeted? Either way, Kaspersky tentatively pointed the finger of blame not at Russia, but in the direction of Chinese state-backed hackers.

While there's almost certainly a lot more to be learned about this, Asus's response indicates that it is going to give nothing away: it hasn't responded to journalists' questions and didn't credit Kaspersky for identifying the threat.

1) Norsk Hydro ransomware losses estimated at $40m

Norsk Hydro is a big, $12.6 billion industrial company. So when its systems are taken offline in a ransomware attack it's a big (and expensive) deal. Indeed, the company estimates that the outbreak of the Lockergoga malware has cost it at least $40 million in terms of lost production and costs associated with dealing with it.

Initially, it had been believed that environmental activists had been behind it. In addition to running hydro-electric power plants in Norway, the company also produces aluminium around the world, and has been blamed for causing pollution at a plant in Brazil.

While that can't be ruled out, it should be considered worrying that such a large and well-resourced company could fall victim to such a cyber attack, with production systems affected.

What have we missed or omitted that you think we should have included? Please tell us below.
