The year 2014 has already been a banner period for cyber exploits with Home Depot, Neiman Marcus, JP Morgan Chase and many other organizations having been subjected to attackers' overtures. Recent data breaches at Kmart, Dairy Queen and MBIA not only add to that growing list of enterprise victims, but further show just how many ways sensitive information can leak out of an organization.
First reported last week by security journalist Brian Krebs, the data breach at MBIA Inc., the largest U.S. bond insurer, was the result of a misconfigured Oracle Reports data server. The server exposed large troves of sensitive data to the Web including customer accounts numbers, balances and even a list of administrative credentials, according to Krebs' report, all of which was found to be accessible via search engine by independent security researcher Bryan Seely.
The company quickly disabled the vulnerable Web domain, mbiaweb.com, after being notified of the situation, but not before Google had indexed hundreds of pages of documents pertaining to its Cutwater Asset Management unit, which is in the process of being acquired by BNY Mellon. MBIA has so far been unable to clarify who may have accessed the exposed data, though the potential damage of such an incident has been demonstrated in the past; earlier this year, the Department of Health and Human Services (HHS) issued the largest ever HIPAA violation to a pair of New York-based hospitals that exposed thousands of patients' health records through an employee's personal server.
According to Jonathan Cogley, CEO of Washington, D.C.-based vendor Thycotic, the episode reiterates why enterprises should more closely adhere to certain server security best practices, such as ensuring that servers don't contain clear text passwords in configuration files and that open ports and accounts are detected and closed on an ongoing basis.
"Application servers are just another part of a company’s essential IT infrastructure," said Cogley,"and should not be neglected when considering password policies, access control and monitoring."
While MBIA's breach may have been self-inflicted, fast food chain Dairy Queen Inc. and retailer Kmart, a subsidiary of previous breach victim Sears Holdings, are claiming their recently reported security incidents were caused by a more traditional source: malware.
In an 8-K filing submitted to U.S. Securities and Exchange Commission, Sears said that the breach of Kmart's payment systems was first discovered on Oct. 9, with the company blaming malware that was "undetectable by current anti-virus systems" for the leak of a still unknown quantity of credit and debit card numbers. Sears also stated that no PINs, email addresses or other personal information were exposed as part of the leak, and that the suspect malware has since been removed.
Dairy Queen, meanwhile, indicated in a statement on its website that the infamous Backoff malware was behind the recent theft of payment card data at nearly 400 of its 4,500 U.S.-based locations. Dairy Queen said that customer names, payment card numbers and expiration dates were present on the targeted systems, but stated that there is no evidences PINs, social security numbers and other personal information were also stolen.
The Backoff campaign was the subject of a Department of Homeland Security advisory in August, when the government agency linked the point-of-sale malware family to attacks against more than 1,000 businesses. Though Dairy Queen has not clarified how the malware infiltrated its payment systems, the advisory noted at the time that the attackers spreading Backoff targeted the user credentials of employees that worked remotely, using remote desktop applications like Splashtop to install the malware on corporate systems.
Greg Martin, CTO of Redwood City, California-based vendor Threatstream, said that Backoff is one of the more active strains of malware targeting point-of-sale systems, and that more companies have likely been victimized and have either yet to discover a breach or haven't publically announced details.
"What can consumers do? Having a separate credit card for retail and online shopping is a common practice, making sure you have protection from your bank on your type of card from this type of cyber theft," said Martin. "Practicing good password protection and changing out your card number every six months is now a helpful practice."