For this latest edition of the Weekly Cybernote, we first look at the data theft that took place last week at Orange, then at how a German hacker showed that even the website of a giant such as the NSA can have obvious security flaws. To conclude, we return to the topic of data theft, the cost of which went up by 9% in the US in 2014.
New data theft incident at Orange
Within the space of three months, customer data was stolen twice from the French telecoms operator Orange. In all, at least 1.3 million people are affected by this latest theft, compared to 700,000 in January. The incident affects not only subscribers but also prospective clients and other service providers. The operator therefore had to activate a crisis communication procedure and warn all parties involved of the phishing attacks they might now face. Orange chose to communicate on the subject not for the sake of transparency, but simply because operators have a legal duty to notify the CNIL (the French data protection authority) of such thefts and to inform the persons involved of the risks they are exposed to once their data is no longer anonymous. New regulations that will soon be in force in France and in Europe are expected to push companies to report data thefts to their clients more regularly and to play the transparency card. Orange, at least, was aware that its data had been stolen; many French companies, even the big ones, are not as well-versed in cybersecurity and fall victim to major attacks and data theft without even realizing it.
German hacker finds two vulnerabilities on the NSA website
It is amazing how you can be a giant in electronic intelligence, invest billions in technology and still run a poorly secured website. Matthias Ungethüm, a German security researcher, found two security flaws on the NSA's homepage. The first is a cross-site scripting vulnerability that allowed him to inject code directly into the page: a visitor who clicks on a link crafted for that purpose does not see the genuine NSA page but a modified copy that looks exactly the same. The second vulnerability is more serious. According to the hacker, it allows SQL code to be injected in order to reach the databases behind the web server, with the obvious aim of siphoning them off. To avoid legal trouble, the hacker went no further than discovering the vulnerabilities: he simply confirmed that they existed, while explaining that exploiting them would not take much technical expertise. He did nonetheless alert the NSA, but has yet to hear from them.
The cost of data breaches went up by 9% in the US in 2014
According to the 9th Cost of a Data Breach report published by the Ponemon Institute, the average cost of a data breach reached 200 dollars in 2014 in the United States, up from $188 in 2013. The report thus shows an overall increase of 9% in the cost of data breaches in the United States, for a total of 5.4 million dollars in 2014. 61 American corporations from 12 different industry sectors, all of which had suffered this type of attack, took part in the survey. More than 500 people were interviewed directly in the corporations involved and in government organizations. The industries most severely affected were healthcare, transportation, power production, financial services, communications, pharmaceuticals and manufacturing.