Learning From Data Hacks – Part 1

A few weeks ago, Brian Krebs at KrebsOnSecurity wrote a somewhat alarming piece that mostly flew under the radar. In it, he details how a website specializing in the sale of Social Security numbers and other sensitive personal information gained access to the databases of some of the biggest data brokerage firms in the world.

The entire article is worth a read, but a few points stand out. In particular, it's worth noting how the data was pulled out of these firms in the first place, and how the security practices at those firms made the intrusion so easy and so hard to notice.

According to the article, the sensitive information was taken from the databases of three separate data brokerage firms: LexisNexis, Dun & Bradstreet, and Kroll Background America. Between the three firms, records on more than 4 million Americans were looked up and sold.

The culprit was a now-apparently-defunct website called ssndob.ms. Paying customers of the site could look up individuals by name and pull their SSNs, credit card information, addresses, dates of birth, and far more, or order full credit and background reports on them. In short, this site was an identity thief's paradise, and according to Krebs it served more than 1,300 customers.

But how did they get access to the data in the first place? The answer lies within a tiny program running on a handful of systems inside each company. A small, nearly unnoticeable program called "nbc.exe" ran in the background on machines at LexisNexis, Dun & Bradstreet, and Kroll. This program turned the infected systems into a small but powerful botnet. The important detail is how the data left: the bots did not need to crack a database or steal a dump. They ran lookups through the compromised machines' own, legitimate access to the brokers' systems, one record at a time, whenever a customer of ssndob.ms placed an order. From the database's point of view, every query came from an authorized workstation.

The botnet operated on these systems for months. Reports indicate that the nbc.exe program was installed on the computers at least as far back as March and April of 2013, which means that machines were handing over records for six-plus months - records that were meant to be secure and carefully monitored. What this breach exposes more than anything else is the need for a comprehensive data security solution in any system that handles sensitive data, one that watches how the data is used and not only where it is stored.

These breaches were almost completely invisible, and could have gone undetected for a much longer time if the ssndob database hadn't been hacked itself, exposing its sources. The nbc.exe file was not flagged by the antivirus scanners it was tested against, and the systems themselves were presumed to be secure until the nature of the breach became apparent. Any system, including the ones in your business, could be infected with a similar program and you would likely never know. When a scanner misses the file, the only remaining signals are behavioral: a workstation that starts talking to an unfamiliar server, or an account that looks up far more records, at far stranger hours, than its job requires.

So what can you do to keep yourself and your data safe? Your first step should be to implement a data security solution that protects the data inside your system. Encryption and tokenization are two ways to get that level of security, both of which we've talked about before: a stolen copy of an encrypted or tokenized table is worthless to a thief. One caveat applies directly to this breach, though. A bot running on an authorized machine with valid credentials goes through the front door, so the same application that decrypts or detokenizes records for legitimate users will do it for the bot. That is why the detokenization or decryption step itself must be the control point: give each user and system the narrowest access it needs, cap how many records it can retrieve, and keep an audit trail of every lookup so a sudden burst stands out. Without some sort of system to lock down your data, you're basically asking for it to be stolen.
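The following example is added here to illustrate both points above (the botnet's one-record-at-a-time lookups through legitimate access, and the tokenization step as the place to enforce limits); it is not code from the original post or from any of the firms involved. It is a toy token vault: the application stores only random tokens for SSNs, and the vault, which alone can map a token back, attributes and rate-limits every detokenization call. The caller name `ws-lexis-02`, the hourly budget of 20 lookups, the token format and the SSNs fed to the simulation are all constructed for the demonstration.

```python
import re
import secrets
from collections import defaultdict, deque

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Maps SSNs to random tokens and back.

    The application database stores only tokens, so a dump of it contains
    nothing sensitive. Only the vault holds the real values. (A real vault
    would also encrypt its own store at rest; that is left out here to keep
    the example self-contained.)
    """

    def __init__(self, hourly_limit=20):
        self._by_ssn = {}
        self._by_token = {}
        self._hourly_limit = hourly_limit
        # caller -> timestamps of its recent detokenize calls
        self._calls = defaultdict(deque)
        self.alerts = []

    def tokenize(self, ssn):
        if not SSN_RE.match(ssn):
            raise ValueError("expected NNN-NN-NNNN")
        if ssn in self._by_ssn:
            return self._by_ssn[ssn]
        # The token is random (not derived from the SSN) and keeps only the
        # last four digits for display, so it cannot be reversed without
        # the vault's mapping table.
        while True:
            token = f"tok_{secrets.token_hex(6)}_{ssn[-4:]}"
            if token not in self._by_token:
                break
        self._by_ssn[ssn] = token
        self._by_token[token] = ssn
        return token

    def detokenize(self, token, caller, now):
        """Return the SSN behind a token, attributing and budgeting the call.

        A compromised host still presents valid credentials (as the nbc.exe
        bots did), so the vault, not the caller, enforces the per-hour budget
        and records the alert. `now` is a timestamp in seconds.
        """
        calls = self._calls[caller]
        while calls and now - calls[0] >= 3600:
            calls.popleft()
        if len(calls) >= self._hourly_limit:
            self.alerts.append(
                (caller, now, f"{len(calls)} lookups in the last hour"))
            raise PermissionError(f"{caller}: lookup budget exhausted")
        calls.append(now)
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]


def simulate_bulk_lookup(vault, caller="ws-lexis-02", attempts=25,
                         start=1_000_000):
    """Constructed scenario: a bot on one workstation walks the customer
    table at one lookup per second. Returns (served, denied) counts."""
    # Constructed, syntactically valid SSNs; not real identifiers.
    tokens = [vault.tokenize(f"{100 + i:03d}-{10 + i:02d}-{1000 + i:04d}")
              for i in range(attempts)]
    served = denied = 0
    for n, tok in enumerate(tokens):
        try:
            vault.detokenize(tok, caller, now=start + n)
            served += 1
        except PermissionError:
            denied += 1
    return served, denied


if __name__ == "__main__":
    vault = TokenVault(hourly_limit=20)
    served, denied = simulate_bulk_lookup(vault)
    print(f"served={served} denied={denied}")
    for caller, when, why in vault.alerts:
        print(f"ALERT {caller} at t={when}: {why}")
```

The point of the design is that the lookup budget lives where the sensitive value is produced, not in the client. An ordinary user who retrieves a few records a day never hits the limit, while a bot that starts walking the table is cut off after its budget and leaves an alert behind, which is the signal that was missing for six months in the breach described above.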

Along with implementing stronger security, though, comes education. Your employees need to understand how your security system works and where it's most vulnerable, because a stolen, shared or misused credential looks exactly like a legitimate user to every system it touches. At LexisNexis, officials stated that the breach was due to "a law student ID that was being misused." If your employees don't know the signs to watch out for or how to prevent mistakes before they occur, no security solution in the world can keep your data safe.

There is no way to stop hackers and thieves from trying to get at the data you possess, but there are ways to keep that data safe, and to notice quickly, when an attack succeeds. Pay attention to your security and your systems; your customers will certainly thank you for it.
