Biggest data security breach yet in the US

Read an article today about a data breach that hit a number of financial institutions and retail centers that handle credit card information (Please see Five Indicted In New Jersey For Largest Known Data Breach Conspiracy).  The institutions, in total, breached ~160M credit cards among other confidential information.

The hackers were from Russia and Ukraine and used an “SQL injection” attack with malware to cover their tracks. SQL injection appends SQL commands to the end of an entry field which then gets interpreted as a valid SQL command that can then me used to dump an SQL database.

This indictment documents the largest data breach in US judicial history.  However, Verizon’s 2013 Data Breach Investigation Report (DBIR) indicates that there were 621 confirmed data breaches in 2012 which compromised 44 million records and for the nine year history collected in VERIS Community Database over 1.1Billion records have been compromised. So it’s hard to tell if this is a World record or just a US one. Small consolation to the customers and the institutions which lost the information.

Data security to the rescue?

In the data storage industry we talk a lot about data encryption of data-in-flight and data-at-rest. It’s unclear to me whether data storage encryption services would have done anything to help mitigate this major data breach as the perpetuators gained SQL command access to a database which would normally have plain text access to the data.

However, there are other threats where data storage encryption can help. Just a couple of years ago,

• A commercial bank’s backup tapes were lost/stolen which contained over 1 million bank records containing social security information and other sensitive data.
• A government laptop was stolen containing over 28 million discharged veterans social security numbers.

These are just two examples but I am sure there were more where proper data-at-rest encryption would have saved the data from being breached.

Data encryption is not enough

Nevertheless, data encryption is only one layer in a multi-faceted/multi-layered security perimeter that needs to be in place to reduce and someday perhaps, eliminate the risk of losing confidential customer information.

Apparently, SQL injection can be defeated by proper filtering or strongly typing all user input fields.  Not exactly sure how hard this would be to do, but if it could be used to save the security of 160 Million credit cards and potentially defeat one of the top ten web application vulnerabilities, it should have been a high priority on somebody’s to-do list.

Comments?