Set to Be Worst Year Ever for Security Breaches

Sony, the data-security firm RSA, Lockheed Martin, the email wholesaler Epsilon, the Fox broadcast network, NASA, PBS, the European Space Agency, the FBI, the British and French treasuries — and, just this morning, the banking and insurance giant Citigroup. What do all these organizations have in common? Along with dozens of other companies and government agencies, they were victims of massive network security breaches in the first six months of this year. "In the last 10 years, I don't think we've seen breaches that have affected consumers at this scale," said Ondrej Krehel, information security officer for Scottsdale, Ariz.-based Identity Theft 911. "It's been the worst year in a decade." [Behind the Cybercrime Surge: Smarts, Laziness and Cool] Tim Armstrong, malware researcher for the Russian security firm Kaspersky Lab, agreed. "It's only June," Armstrong said, "but it has already [been an] impressive year for breaches." Sony, RSA and Epsilon usher in the season The worst three cybersecurity incidents of the year so far have involved RSA, Epsilon and Sony. In mid-March, Boston-based cryptography firm RSA suffered a massive network intrusion that resulted in the theft of information related to its SecurID tokens. Forty million people use the tokens to access the internal computer networks of 25,000 corporations, government organizations and financial institutions. Two months later, defense contractor Lockheed Martin had its own networks penetrated by attackers who used "cloned" RSA tokens made with data taken in the original breach.Unconfirmed reports named defense contractors Northrop Grumman and L-3 Communications as other victims. In early April, hackers penetrated the internal networks of Epsilon, a Texas-based firm that handles email communications for more than 2,500 clients worldwide. The companies affected by the Epsilon hack included Ameriprise Financial, BestBuy, Capital One Bank, Citi, JPMorgan Chase, TiVo, U.S. Bank and dozens more. Last (but not least in the eyes of some gamers) is Sony. Since early April, the Japanese entertainment and electronics giant has been fighting different groups of hackers. One group stole the personal information of 102 million registered users of the PlayStation Network (PSN) and other online gaming services. "I believe that the PSN breach has made it [penetrating a network] somewhat fashionable," Armstrong said. "Despite the obvious negative implications, the recent compromises have a 'hacktivism' ring to them that engenders support and even motivates some that may not normally cross the line." Who else has been hacked? Other organizations who've had their security compromised in 2011 include NASA's Goddard Space Flight Center, which lost confidential satellite data in an April hack, and InfraGard, an FBI affiliate that was compromised by the hacking group LulzSec, which also attacked PBS, Nintendo and Fox. To this list we can also add the European Commission, blogging platform WordPress, the Institute of Electrical and Electronics Engineers (IEEE), TripAdvisor, Gawker Media, speed trap warning service Trapster and the Pentagon's official credit union. Chet Wisniewski, senior security advisor with the security firm Sophos, suggested that major companies, especially ones that store large amounts of sensitive consumer data on their networks, simply aren't taking security seriously enough. That lax attitude, coupled with cybercriminals who are technologically savvy enough to perform sophisticated network intrusions, has made 2011 a year dozens of major companies will remember — and hopefully never repeat. Where do we go from here? The security forecast for the rest of the year, security experts say, is not looking too sunny. "I see the trend getting worse," Armstrong said. "Due to the lax security posture of many large-scale global companies, it has now become almost trivial for a motivated group or individual to find a way in. "Add to that the potential of gaining huge amounts of valuable information, and I think we see a trend that can only grow until companies finally make more effort." "It's not over yet," Wisniewski said. Although these sophisticated network intrusions have all targeted companies and governmental organizations, it’s the individual consumer's personal information that ultimately is the most valuable to a cybercriminal. "We should be conscious of the fact that we cannot trust companies to protect our data properly and be cautious who we give our information to," Wisniewski said. "Do we really need to provide our full name, postal code, birth date, etc. to get a frequent shopper card at the supermarket?" [How to Disappear Almost Completely … and Protect Yourself from Data Breaches] To keep your identity and data safe, Krehel advises people to prepare a list of institutions to contact in the event your personal data is stolen. It's also important to never divulge non-essential information such as your mother's maiden name, which can be used to steal your identity, and to use a different password for each online account.