Capital One, CafePress, Suprema data breaches and their root causes

Oct 15, 2019 • Ioana Rijnetu

In this article, we discuss some of the most recent data breaches, what are their root causes and how to better secure your most valuable personal information and other digital assets.

In a time when personal information is more and more valuable, we keep hearing about the sheer scale of data breaches and the impact they have on everyone. No company or home user is immune to data breaches. Everyone and everything seems to be on the radar of hackers seeking to get their hands on data.

To put things into context, we looked at the data breaches’ statistics and analyzed three recent data breaches to understand why they keep happening.

Data breaches: key statistics and numbers

Data breaches represent the fourth biggest global risk, along with climate change and natural disasters, according to a report from the World Economic Forum. They not only expose home users’ sensitive information worldwide; companies also suffer brand reputation damage and huge financial losses.

Data breaches’ impact is mostly reflected in numbers, so we reviewed some key statistics that might alarm us enough to take action and be more proactive:

If you want to read other interesting data breaches stats and numbers, and also tackle the real implications of these threats, we recommend checking out this list.

Capital One, CafePress and Suprema root causes

Looking at these staggering stats, 2019 is set to be a landmark year for data breaches that continue to skyrocket and leak users’ most valuable data. We are no longer in the position of asking when the next breach will happen, but how we can better prevent it.

Here’s a quick rundown of the most relevant security breaches that happened so far in 2019, and their root causes.

Capital One data breach

One of the largest US financial institutions suffered a massive data breach in July 2019, in what is considered to be one of the biggest hacks in history.

Number of affected customers: Over 100 million users in the US and approximately 6 million in Canada have been impacted. According to the company’s official statement, about 140 million social security numbers belonging to credit card customers and 80,000 bank account numbers have been stolen in this breach. In addition, around 1 million social insurance numbers of Canadian customers were also compromised in this incident.

What happened: Paige Thompson, formerly a security engineer at Amazon Web Services, which hosted the Capital One database, has been accused of stealing “multiple terabytes of data” from more than 30 companies, institutions, and other entities.

Ms. Thompson used her expertise to download nearly 30 GB of the company’s credit application data from a rented cloud data server, as described in the criminal complaint against her.

According to the FBI, Capital One learned about the breach from a tipster who sent an email alerting the company that some of the bank’s data had been leaked and posted on a GitHub page.

The root cause of this large breach seems to be a misconfigured AWS S3 bucket that allowed the attacker to gain access to sensitive data through a firewall vulnerability.

The FBI stated in the court papers that Ms. Thompson performed three commands for this hack:

  1. obtained the security credentials (via the AWS Web Application Firewall),

  2. listed the bucket contents, and then

  3. synced the data.

The type of vulnerability exploited by the hacker is a well-known technique called SSRF (Server Side Request Forgery), which fits this particular breach. For more in-depth technical details, you can read two analyses here and here.

Lesson learned: While Capital One said that they “immediately fixed the configuration vulnerability”, there’s a primary key lesson that should be learned from this breach: perform periodic reviews and check that firewalls and WAFs are properly configured.
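As an added illustration in the spirit of that periodic-review lesson (this is not code from the article, Capital One or AWS), the following Python check scans constructed CloudTrail-shaped events for instance-role credentials that are used from outside the network they were issued in, and labels the list-then-sync sequence the complaint describes. The VPC CIDR, the role ARN and the sample events are all assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed CloudTrail-shaped events (not real Capital One logs). The
# "waf-role" session is an EC2 instance-profile role, so its temporary
# credentials should only ever be used from inside the VPC (CIDR assumed).
EXPECTED_NET = ip_network("10.0.0.0/16")
WAF_SESSION = "arn:aws:sts::111122223333:assumed-role/waf-role/i-0abc123"

def _ev(name, ip):
    return {"eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "arn": WAF_SESSION}}

SAMPLE_EVENTS = [
    _ev("GetObject", "10.0.1.25"),       # normal: WAF host reading inside the VPC
    _ev("ListBuckets", "198.51.100.7"),  # same credentials, external address
    _ev("ListObjects", "198.51.100.7"),
    _ev("GetObject", "198.51.100.7"),
    _ev("GetObject", "198.51.100.7"),
]

ENUMERATE = {"ListBuckets", "ListObjects", "ListObjectsV2"}
READ = {"GetObject"}

def find_role_misuse(events, expected_net=EXPECTED_NET):
    """Per assumed-role session, collect the S3 calls made from outside the
    network the role's host lives in: the credentials have left that host."""
    outside = {}
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        if ip_address(ev["sourceIPAddress"]) in expected_net:
            continue
        outside.setdefault(ident["arn"], []).append(ev["eventName"])
    return outside

def classify(calls):
    """Enumeration followed by reads is the list-then-sync pattern above."""
    enum_idx = [i for i, c in enumerate(calls) if c in ENUMERATE]
    read_idx = [i for i, c in enumerate(calls) if c in READ]
    if enum_idx and read_idx and min(enum_idx) < max(read_idx):
        return "enumerate-then-read"
    if read_idx:
        return "read-only"
    return "enumerate-only" if enum_idx else "other"

def report(events):
    """Map each misused session to (pattern, number of external calls)."""
    return {arn: (classify(calls), len(calls))
            for arn, calls in find_role_misuse(events).items()}
```

In a real deployment the expected network comes from the instance's VPC and the events from a CloudTrail export; any non-empty result is worth an alert regardless of the pattern label.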

CafePress data breach

CafePress, a well-known T-shirt and merchandise website, was another victim of a data breach in February 2019, but the incident was only reported in August 2019.

Number of affected customers: Hackers accessed the personal details of more than 23 million of their customers, and some records included names, physical addresses, and phone numbers. You can use the “Have I been pwned?” breach tracker site to verify if your email address has been compromised in this breach.

What happened: Customers were informed about this breach through email notifications received from Have I Been Pwned (HIBP). Separately, We Leak Info also alerted them about it.

After news of the CafePress data breach started circulating, Troy Hunt, the owner of HIBP, contacted the security researcher Jim Scott, who had helped him before, to investigate it. Jim Scott commented that:

“Out of the 23 million compromised users, roughly half of them had their passwords exposed encoded in base64 SHA1, which is a very weak encryption method to use especially in 2019 when better alternatives are available”.

According to the same security researcher, these passwords are base64-encoded tokens, not the user-chosen passwords.

Research conducted by BleepingComputer showed that a “dehashed CafePress database of approximately 493,000 accounts was being sold on hacker forums”. However, there is no evidence that this is related to this breach.

Although CafePress was hacked in February 2019, there were no formal disclosures or notification emails mentioning this security incident.

Initially, customers were only informed about password policy updates and given instructions to reset their passwords. Almost two months later, the company admitted that “an unidentified third party accessed a CafePress database and customer data”.

Lesson learned: This is a reminder of how strong password hygiene can help both companies and home users to better secure their web applications and online accounts, respectively.

As a user, to strengthen password security, it’s always recommended to use strong and unique passwords and even consider using a password manager app that keeps them encrypted.

Suprema data breach

Suprema, a leading biometric and security technology provider, saw its web-based biometric security smart lock platform, BioStar 2, breached by hackers in early August 2019.

Number of affected customers: According to vpnMentor’s security team, they had access to “over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, over 1 million fingerprint records, including facial recognition data (face photos of users), unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.”

The breach affected users and organizations worldwide, including the USA, UK, Germany, and other countries.

What happened: Two Israeli security researchers, Noam Rotem and Ran Locar, discovered this massive database while working on a project to scan ports looking for familiar IP blocks. These blocks were used to identify security holes in companies’ systems that could lead to data breaches.

The root cause of this breach was an unprotected database containing mostly unencrypted user data. Most of the accounts found had simple, easy-to-guess passwords, like “Password” or “abcd1234”, which could let malicious hackers launch account takeover attacks. As for the theft of facial recognition and fingerprint data, the damage is permanent once it is stolen.

Unlike passwords, this type of data can’t be updated to regain the security lost after a breach. The database stored users’ actual fingerprints instead of a hashed version of them, which could not have been copied and used for malicious activities.

Even for users who did create strong and complicated passwords, the researchers were able to access them across the BioStar 2 database, because they were kept in plain text files, instead of being securely hashed.

What is concerning about this data breach is its massive size and impact. The platform is popular and widely used, having over 1.5 million worldwide installations, which could potentially be exposed to this leak.

Lesson learned: Companies should implement proper access rules on their databases and secure the servers in the best way possible. Also, they should not store users’ actual fingerprints, but a hashed version that can’t be used by hackers for malicious purposes.
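The CafePress finding (passwords stored as base64 of an unsalted SHA-1) and the Suprema finding (passwords kept in plain text) both come down to how a password record is stored and checked. As an added example that is not code from the article or from either company, the Python below puts the weak legacy scheme next to a hardened one (per-user salt, PBKDF2-HMAC-SHA256, constant-time comparison) and migrates an old record on the user’s next successful login; the iteration count, record format and the sample user are assumptions, and the example covers passwords only, not biometric templates.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumption, tune per host)

def legacy_hash(password):
    """The weak scheme reported for CafePress: base64(SHA-1(password)),
    unsalted and instant to compute. Kept only to verify old records."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Hardened record: random per-user salt, slow PBKDF2, self-describing."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def verify(password, stored):
    """Return (ok, replacement). replacement is a fresh PBKDF2 record when a
    legacy SHA-1 record verified, so the row is upgraded at the next login
    instead of staying base64-SHA-1 (or plain text) forever."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_b64, dk_b64 = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), int(iters))
        return hmac.compare_digest(dk, base64.b64decode(dk_b64)), None
    ok = hmac.compare_digest(legacy_hash(password), stored)
    return ok, (pbkdf2_hash(password) if ok else None)

# Constructed user table in the legacy format ("abcd1234" is one of the weak
# passwords the Suprema researchers found).
USERS = {"alice": legacy_hash("abcd1234")}

def login(username, password, users=USERS):
    """Authenticate and transparently migrate a legacy record on success."""
    stored = users.get(username)
    if stored is None:
        return False
    ok, replacement = verify(password, stored)
    if ok and replacement:
        users[username] = replacement
    return ok
```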

Essential security measures for companies and home users to apply

While it is difficult to foresee when data breaches will happen, we can always take mitigation actions to prevent becoming the next victims.

To minimize the risk of breaches and strengthen data security, we recommend that home users go through this protection checklist:

  1. Verify your banking account and other financial details, including credit information, frequently. If you notice any suspicious activity on your personal cards, contact your bank as soon as possible.

  2. Use online services like Have I Been Pwned or We Leak Info to verify if any of your online accounts have been compromised.

  3. Use strong and unique passwords and add extra layers of security like two-factor authentication or password management tools to secure your online accounts.

  4. Make sure you apply the latest patches available for your apps and software programs to close the security holes exploited by malicious actors.

  5. Foster a cybersecurity first mindset and educate yourself about the basic security measures.

Companies are advised to take some basic security precautions to avoid becoming an easy target:

  1. Implement and prioritize cybersecurity training and education for their team members to avoid future breaches, be prepared and know what to do in case they occur.

  2. Perform internal audit logging and constant review of system operations for a better security posture and to keep track of potential security breaches.

  3. Have cyber hygiene processes in place that will better protect the customers affected by a breach.

  4. Maintain clear and transparent internal communication within departments and inform customers about the data breach in a timely manner.

  5. Use strong protection measures for your servers, networks, and other assets.

  6. Always store customers’ sensitive data in strongly encrypted form.

Conclusion

Tomorrow we’ll probably read about another data breach exposing millions of people’s personal information. And it will not be the last one. What we can do, as consumers and organizations alike, is to be proactive and implement basic security measures to better protect our valuable data.

Stay safe!