A busy few days on the IT security front once again.
First, news reports started appearing last Thursday that the game company Electronic Arts was hacked. Apparently, the intruders were able to penetrate a decade-old server that was supporting BioWare Edmonton’s Neverwinter Nights game forums. EA warned forum users on 15 June that it had discovered the day before that:
hackers may have obtained information such as user account names and passwords, email addresses, and birth dates of approximately 18,000 accounts—a very small percentage of total users. We have emailed those whose accounts may have been compromised and either disabled their accounts or reset their EA Account passwords. If you did not receive an email from us, or if your password still works for your EA account, your username and password were not compromised. Nevertheless, changing your password regularly is always helpful to protect your account.
And per usual, EA stated, "We take the security of your information very seriously and regret any inconvenience this may have caused you."
Last Thursday, EA announced that the hackers got a bit more information than first thought and made a more general announcement on a support website:
Our investigation shows that information such as user names, encrypted passwords, email addresses, mailing addresses, names, phone numbers, CD keys and birth dates from accounts on the server system associated with Neverwinter Nights may have been compromised. If you linked your legacy Bioware account to an EA Account, then additional information that you associated with your EA Account (if any) may have been compromised as well. Such information could include your name, mailing address, billing address, language, game entitlements and games played, and other game-specific account information depending on your use of your EA Account. Hackers obtained access to unencrypted passwords of a relatively small number of users, who have been notified.
EA warned customers of possible phishing attacks using the compromised information and said forum users should change their passwords.
Next, PBS was hacked again last week and a "'very small number' of administrative user names and encrypted passwords were stolen," CBS News reported on Saturday. PBS was first hacked in May, when it announced hackers had been able to publish "a fake news story on the PBS NewsHour's news blog, The Rundown, about late rapper Tupac Shakur being spotted alive in New Zealand."
In addition, a NATO-related website was apparently compromised last week. According to a very short and vague NATO statement dated last Thursday,
Police dealing with digital crimes have notified NATO of a probable data breach from a NATO-related web site operated by an external company. NATO’s e-Bookshop is a separate service for the public for the release of NATO information and does not contain any classified data. Access to the site has been blocked and subscribers have been notified.
More interesting was a NATO public relations statement that followed:
NATO’s Strategic Concept, approved last November, identifies cyber defence as one of the critical capabilities which the Alliance should develop to prevent, detect, defend against and recover from cyber-attacks. To deal with this growing threat, NATO defence ministers agreed this month on a cyber defence action plan. This action plan is already being implemented.
Why someone at NATO thought it was a good idea to link the two statements is beyond me.
Also, the hacking group LulzSec was able to penetrate, download, and release information from the Arizona Department of Public Safety's (DPS) computers, according to news reports like one last Thursday from ArizonaCentral.com. According to the ArizonaCentral.com story,
The DPS files, posted on LulzSec's web site, include personal information about officers and numerous documents ranging from routine alerts from out-of-state police agencies to videos and photos about the hazards of police work and operations of drug gangs. The names of the files are as innocuous as "resume" and "evaluation form" and as provocative as "cartel leader threatens deadly force on U.S. police."
LulzSec said it targeted the Arizona DPS because it was against Arizona's stand on the apprehension of illegal immigrants.
Interestingly, LulzSec posted a statement on its website on Saturday that it was now going to stop its 50 days of hack attacks. Numerous news outlets—like the Wall Street Journal—speculated on the motives behind the announcement; ideas have ranged from "Law enforcement is closing in on members of the group" to "The announcement was merely a ploy to take the heat off members while they went off and joined other hacker groups."
No one seriously expects, however, that the frequency of cyber attacks will suddenly fall off. What LulzSec demonstrated was just how easy it is to penetrate the IT systems of governments and big corporations alike and gain major publicity for doing so. More than likely LulzSec's efforts will only serve to encourage other hacking groups to redouble their efforts.
Almost on cue, the Ponemon Institute released a survey sponsored by Juniper Networks that, according to a press release, "found the threat from cyber attacks today is nearing statistical certainty and businesses of every type and size are vulnerable to attacks."
The Ponemon survey found that 90 percent of businesses had experienced a cyber security breach at least once in the past 12 months, with 59 percent of those organizations surveyed reporting two or more breaches in the past 12 months. In addition, 43 percent indicated they had experienced a rise in cyber attacks over the past 12 months.
You can read the Ponemon survey results here (PDF).
Then there were also reports that budget hotel company Travelodge had been hacked and its customer names and e-mail addresses taken. The company said it takes the incident very seriously but hasn't yet disclosed how many of its customers were affected.
Finally, the Wall Street Journal reported on Saturday that Citigroup indicated to U.S. government officials that the hackers who breached its security were able to steal some US $2.7 million from 3400 customers, or about $800 per customer. The Journal story states that there were "$48 billion in identity fraud losses and 9.9 million customer victims" every year in the United States, amounting to a cost of about $4850 per victim.
Looks like Citigroup got off easy.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.