17 Breaches an Internal Network Pentest Could Have Prevented

| Date | Company | How Breached | Company URL | News Article |
| --- | --- | --- | --- | --- |
| 2013-12-19 | Target | Malware on Point-of-Sale systems | Target | Target Data Breach – CNBC |
| 2014-09-02 | Home Depot | Malware in point-of-sale systems | Home Depot | Home Depot Confirms Breach – KrebsOnSecurity |
| 2017-09-07 | Equifax | Exploited a vulnerability in website software | Equifax | Equifax Data Breach – The Guardian |
| 2013-12-21 | Adobe | Cyber-attack, exposed user data | Adobe | Adobe Hack – Forbes |
| 2018-03-30 | Facebook | Improper sharing of user data by third-party apps | Facebook | Facebook-Cambridge Analytica Scandal – The Guardian |
| 2018-09-25 | Marriott | Unauthorized access to the Starwood guest reservation database | Marriott | Marriott Data Breach – BBC |
| 2012-06-06 | LinkedIn | Stolen passwords through a cyber-attack | LinkedIn | LinkedIn Data Breach – Forbes |
| 2016-09-22 | Yahoo | Stolen account information and passwords | Yahoo | Yahoo Data Breach – The New York Times |
| 2017-03-15 | Uber | Hackers stole personal data of 57 million users | Uber | Uber Data Breach – Reuters |
| 2017-07-29 | HBO | Cyber-attack, data of unreleased episodes leaked | HBO | HBO Hack – Variety |
| 2019-07-29 | Capital One | Exploited a vulnerability, exposed credit card data | Capital One | Capital One Data Breach – The Washington Post |
| 2018-07-12 | Ticketfly | Website vulnerability, exposed customer data | Ticketfly | Ticketfly Data Breach – TechCrunch |
| 2014-08-31 | JPMorgan Chase | Cyber-attack, compromise of customer data | JPMorgan Chase | JPMorgan Data Breach – CNN |
| 2016-08-02 | Dropbox | Breach through a third-party service | Dropbox | Dropbox Data Breach – The Guardian |
| 2019-07-18 | Capital One | Insider threat, exploited a misconfigured firewall | Capital One | Capital One Breach – Forbes |
| 2014-11-24 | Sony Pictures Entertainment | Cyber-attack, leaked confidential information | Sony Pictures | Sony Pictures Hack – BBC |
| 2019-05-31 | First American Financial Corp | Unsecured access to sensitive documents | First American | First American Data Leak – KrebsOnSecurity |

Data breaches have become an unfortunate reality for businesses and individuals alike, and they can be prevented with the eponymous internal network pentest. These incidents not only compromise sensitive information but also raise concerns about the security measures in place. In this article, we’ll delve into 12 notorious data breaches, exploring how they occurred and drawing insights from network penetration testing, a crucial practice for identifying and addressing vulnerabilities.

Introduction – Breaches Are a Failure of Good Internal Network Pentesting

Data breaches have significant consequences, ranging from financial losses to reputational damage. Understanding the mechanics of these breaches is essential for improving cybersecurity strategies. Network penetration testing, commonly known as pentesting, involves simulating cyber-attacks on a computer system, network, or web application to identify vulnerabilities before malicious actors can exploit them.

1. Target (2013)

How It Happened:

The Target data breach in 2013 was a wake-up call for the retail industry. Attackers gained access to Target’s network through a third-party HVAC contractor. They exploited vulnerabilities in the network, installing malware on point-of-sale (POS) systems. The breach exposed 40 million credit and debit card records.

Pentest Insights:

A simulated pentest of Target’s network might involve probing third-party connections for weaknesses. Using a tool like Nmap, testers could scan for open ports and services, mimicking potential entry points for attackers.

nmap -p 80,443,22,21 third-partycontractor.com

2. Equifax (2017)

How It Happened:

Equifax, one of the major credit reporting agencies, suffered a massive data breach in 2017. Attackers exploited a vulnerability in the Apache Struts web application framework. This allowed unauthorized access to sensitive information, compromising the personal data of 147 million people.

Pentest Insights:

Pentesters would scrutinize web applications for vulnerabilities. Using OWASP’s ZAP tool, they might identify and exploit weaknesses in the web application similar to the Apache Struts vulnerability.

# Example ZAP quick scan from the command line (-cmd exits when the scan completes)
./zap.sh -cmd -quickurl http://equifax.com -quickprogress

3. Uber (2017)

How It Happened:

Uber faced a significant data breach in 2017 when hackers stole the personal information of 57 million users. The company paid a ransom to keep the breach quiet. The attackers gained access to Uber’s GitHub repository, where they found credentials for the company’s AWS environment.

Pentest Insights:

A simulated pentest might involve evaluating the security of code repositories. Pentesters could use tools like Gitrob to search for sensitive information in public repositories.

gitrob -github-access-token <your_token> -debug <organization>
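An added example, not part of the original article or of Gitrob: a minimal Python check for AWS credentials committed to a repository's files, the kind of exposure described in the Uber breach above. It scans file contents only (not Git history); the sample tree is constructed and uses the placeholder key pair from AWS documentation, and the names scan and entropy are this example's own.

```python
import math
import re

# AWS access key IDs: a known 4-letter prefix followed by 16 upper-case letters/digits.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 base64-like characters; a match is only a candidate.
SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")


def entropy(s):
    """Shannon entropy in bits per character."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan(files, min_entropy=4.0):
    """Return sorted (path, line_no, kind) findings for a {path: text} mapping."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            if KEY_ID.search(line):
                findings.append((path, no, "aws_access_key_id"))
            for m in SECRET.finditer(line):
                # The entropy filter drops 40-character hex digests such as commit ids.
                if entropy(m.group()) >= min_entropy:
                    findings.append((path, no, "aws_secret_candidate"))
    return sorted(findings)


# Constructed sample tree; the key pair is the placeholder from AWS documentation.
SAMPLE = {
    "deploy/settings.py": (
        "REGION = 'us-east-1'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "commit da39a3ee5e6b4b0d3255bfef95601890afd80709 fixes the build\n",
    "app/main.py": "import os\nkey = os.environ['AWS_SECRET_ACCESS_KEY']\n",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

Reading the secret from the environment, as app/main.py does in the sample, produces no finding; only the hard-coded pair in deploy/settings.py is reported.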

4. Capital One (2019) – Network Pentest

How It Happened:

Capital One experienced a breach in 2019 due to a misconfigured web application firewall (WAF). An insider exploited this vulnerability, gaining unauthorized access to sensitive customer data, affecting over 100 million people.

Pentest Insights:

Pentesters might examine WAF configurations and conduct tests to ensure proper security measures. Tools like ModSecurity provide a web application firewall that could be tested for misconfigurations.

# Example ModSecurity directive for testing a WAF: DetectionOnly logs rule matches but does not block requests
SecRuleEngine DetectionOnly
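An added example (not from the original article and not ModSecurity's own tooling): a small Python audit that reads a ModSecurity configuration and reports settings that leave the WAF not enforcing, such as the DetectionOnly mode shown above. The sample configurations, rule ids, paths and function names are constructed for illustration.

```python
import re

# Directive -> values under which ModSecurity inspects traffic and enforces rules.
REQUIRED = {
    "secruleengine": {"on"},
    "secrequestbodyaccess": {"on"},
    "secauditengine": {"on", "relevantonly"},
}
ENGINE_OFF = re.compile(r"ctl:ruleengine=(off|detectiononly)", re.I)


def directives(conf):
    """Yield (line_no, name, args) per directive, joining backslash continuations."""
    pending, start = "", 0
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        start = start if pending else no
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        full, pending = (pending + line).strip(), ""
        if full and not full.startswith("#"):
            name, _, args = full.partition(" ")
            yield start, name.lower(), args.strip()


def audit(conf):
    """Return sorted (line_no, message) findings; a directive's last value wins."""
    effective, findings = {}, []
    for no, name, args in directives(conf):
        if name in REQUIRED:
            effective[name] = (no, args.strip('"').lower())
        elif name.startswith("secruleremoveby"):
            findings.append((no, f"rule exclusion to review: {args}"))
        elif name == "secrule" and ENGINE_OFF.search(args):
            findings.append((no, "rule disables enforcement for matching requests"))
    for name, allowed in REQUIRED.items():
        no, value = effective.get(name, (0, "unset"))
        if value not in allowed:
            findings.append((no, f"{name} is {value}"))
    return sorted(findings)


# Constructed sample configurations (rule ids and paths are made up).
WEAK = """SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecRuleRemoveById 100001
SecRule REQUEST_URI "@beginsWith /internal/" \\
    "id:100002,phase:1,pass,nolog,ctl:ruleEngine=Off"
"""
# Corrected form: engine set to On, with the exclusion and the bypass rule removed.
HARDENED = WEAK.replace("DetectionOnly", "On").split("SecRuleRemoveById")[0]
```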

5. Marriott (2018)

How It Happened:

In 2018, Marriott faced a data breach stemming from unauthorized access to the Starwood guest reservation database. The attackers had access since 2014, compromising personal details of approximately 500 million guests.

Pentest Insights:

Simulated pentests could involve testing for database vulnerabilities. Tools like SQLMap can identify and exploit SQL injection vulnerabilities.

sqlmap -u "http://marriott.com/reservation?id=123" --dbs

6. Yahoo (2016) – Network Pentest

How It Happened:

Yahoo’s 2016 data breach exposed the account information and passwords of 3 billion users. Attackers exploited a weakness in the company’s security infrastructure.

Pentest Insights:

Pentesters might examine authentication mechanisms, simulating attacks using tools like Hydra to test password strength and integrity.

hydra -l <username> -P <password_list> -e nsr -t 16 -w 30 -V -f -o results.txt smtp://yahoo.com

7. Facebook-Cambridge Analytica Scandal (2018)

How It Happened:

In 2018, Facebook faced scrutiny for allowing the improper sharing of user data with third-party apps, notably in the Cambridge Analytica scandal.

Pentest Insights:

Simulated pentests could involve assessing the permissions and data access of third-party applications, similar to Facebook’s Graph API. Tools like Burp Suite can be used for comprehensive testing.

# Burp Suite Professional example: open the project file, then launch the scan of https://facebook.com/app?app_id=123 from the UI
java -jar /path/to/burpsuite_pro.jar --project-file=/path/to/project.burp

8. LinkedIn (2012) – Network Pentest

How It Happened:

LinkedIn suffered a data breach in 2012 when attackers stole passwords through a cyber-attack. Weak encryption and inadequate password storage practices were major contributors.

Pentest Insights:

Pentesters might assess password storage mechanisms. Tools like John the Ripper can be used for testing password hashes.

john --format=md5 --wordlist=passwords.txt hashed_passwords.txt
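An added example, not from the original article: a Python audit of a stored-password table that flags unsalted fast-hash digests and accounts sharing an identical digest, the storage weaknesses described for the LinkedIn breach. The sample table, the pbkdf2_sha256$... record layout and the function names are assumptions of this example.

```python
import hashlib
import os
import re
from collections import defaultdict

# Recognisable storage formats; bare hex digests carry no salt and no work factor.
SCHEMES = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), True),
    ("argon2", re.compile(r"^\$argon2(id|i|d)\$"), True),
    ("pbkdf2-sha256", re.compile(r"^pbkdf2_sha256\$\d+\$[0-9a-f]+\$[0-9a-f]+$"), True),
    ("unsalted md5-length hex", re.compile(r"^[0-9a-f]{32}$"), False),
    ("unsalted sha1-length hex", re.compile(r"^[0-9a-f]{40}$"), False),
]


def classify(stored):
    """Return (scheme_name, acceptable) for one stored password value."""
    for name, pattern, acceptable in SCHEMES:
        if pattern.match(stored):
            return name, acceptable
    return "unknown", False


def audit(table):
    """table: {user: stored_value}. Returns (weak_users, shared_digest_groups)."""
    weak = sorted(u for u, v in table.items() if not classify(v)[1])
    by_value = defaultdict(list)
    for user, value in table.items():
        by_value[value].append(user)
    # Identical stored values mean identical passwords and no per-user salt.
    shared = sorted(sorted(us) for us in by_value.values() if len(us) > 1)
    return weak, shared


def pbkdf2_record(password, iterations=600_000):
    """Salted, slow replacement record: pbkdf2_sha256$iterations$salt$hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


# Constructed sample table (no real accounts or leaked data).
SAMPLE = {
    "alice": hashlib.sha1(b"linkedin2012").hexdigest(),
    "bob": hashlib.sha1(b"linkedin2012").hexdigest(),
    "carol": hashlib.md5(b"correct horse").hexdigest(),
    "dave": pbkdf2_record("linkedin2012"),
    "erin": pbkdf2_record("linkedin2012"),
}
```

In the sample, alice and bob share a password and therefore a digest, while dave and erin use the same password yet store different records because each gets its own random salt.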

9. Adobe (2013)

How It Happened:

In 2013, Adobe experienced a cyber-attack that exposed user data. Attackers accessed Adobe’s internal systems, compromising sensitive information, including user IDs and encrypted passwords.

Pentest Insights:

Simulated pentests could involve testing for server vulnerabilities. Tools like Nessus can scan for potential weaknesses.

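# Legacy Nessus command-line client in batch mode: server, port, login, password, targets file (containing target_ip), results file
nessus -q -x -T html <nessus_server> 1241 <username> <password> targets.txt results.html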

10. Dropbox (2016)

How It Happened:

Dropbox faced a data breach in 2016, revealing that over 68 million user accounts were compromised. The breach occurred through a third-party service with weak security.

Pentest Insights:

Pentesters might assess third-party integrations. Tools like Metasploit can simulate attacks on services that may have weak security configurations.

msfconsole
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS <target_ip>
run

11. JPMorgan Chase (2014) – Network Pentest

How It Happened:

JPMorgan Chase faced a significant cyber-attack in 2014, compromising the accounts of 76 million households and 7 million small businesses. The breach exploited vulnerabilities in the bank’s security systems.

Pentest Insights:

Simulated pentests could involve testing for network vulnerabilities. Tools like Wireshark can be used for analyzing network traffic and identifying potential threats.

wireshark -i eth0

12. Ticketfly (2018) – Network Pentest

How It Happened:

Ticketfly’s 2018 data breach occurred due to a website vulnerability. Attackers exploited a weakness in the company’s online ticketing platform, exposing customer data.

Pentest Insights:

Pentesters might assess web application vulnerabilities. Tools like OWASP Zed Attack Proxy (ZAP) can identify and address security issues in web applications.

# OWASP ZAP example (-cmd exits when the scan completes)
./zap.sh -cmd -quickurl http://ticketfly.com -quickprogress

Conclusion

These 12 data breaches provide valuable lessons for organizations aiming to strengthen their cybersecurity posture. Network penetration testing, when conducted regularly and comprehensively, helps identify and mitigate vulnerabilities before malicious actors can exploit them. The ever-evolving threat landscape demands constant vigilance and proactive measures to safeguard sensitive information. By learning from past breaches and incorporating effective security practices, businesses can better protect themselves and their users from cyber threats.

