Four different information security breaches in the last 12 months:
Confidentiality Breach Example: US Navy Submarine Espionage Event (October 2021)
Company URL: www.navy.mil
Breach Details: https://news.clearancejobs.com/2021/10/10/fbi-busts-u-s-navy-nuclear-scientist-and-spouse-attempting-to-sell-nuclear-submarine-technologies/
In October of 2021, the FBI and Department of Justice announced that they had arrested a husband-and-wife team for attempting to sell restricted information and documents regarding the design of US nuclear submarines. The scientist in question was authorized to access the data, which specifically related to propulsion systems, operating parameters, and performance characteristics. He had created a package of documents, an SD card with communications and encryption instructions, and printouts and digital media of operating manuals and performance reports. Throughout their negotiations to sell the information, the couple had unknowingly been dealing with an undercover member of the FBI.
This is an example of a Confidentiality breach in that a US nuclear scientist who was authorized to access restricted and top-secret data regarding the design of nuclear-powered submarines proceeded to download that data to a USB drive and then attempted to sell it to another nation state that was not authorized to access that data.
Integrity Breach Example: Microsoft Exchange Malicious Code Injection (January 2021)
Company URL: www.microsoft.com
Breach Details: https://www.npr.org/2021/08/26/1013501080/chinas-microsoft-hack-may-have-had-a-bigger-purpose-than-just-spying
In January of 2021, a flaw was discovered in Microsoft on-premises Exchange mail server instances that allowed the Chinese government to access mail servers at multiple companies and then plant code in the existing application code base. The planted code tricked Exchange into requesting information, including emails, documents, and other attachments, from any other email server as though it were a legitimate request from the trusted requesting mail server. Unfortunately, the full impact of the breach may never be known, although the hacking group that wrote and executed the malicious code is known to target government agencies, medical companies, and universities.
This is an example of an Integrity breach in that the root application code for Microsoft Exchange was altered and corrupted to allow unauthorized access to data. With proper checks built into the code, such changes should not have been allowed. The identified and exploited vulnerability allowed the root application code to be altered without hash changes or other data integrity safeguards.
Availability Breach Example: Colonial Pipeline Ransomware Event (June 2021)
Company URL: www.colpipe.com
Breach Details: https://www.vox.com/recode/22428774/ransomeware-pipeline-colonial-darkside-gas-prices
In June of 2021, Colonial Pipeline Company, the largest oil pipeline company in the United States, was attacked via ransomware and was forced to take several internal systems offline and disable pipeline operations for 5 days. This pipeline supplies roughly half of the gasoline, jet fuel, and other petroleum products used on the East Coast, and the shutdown led to shortages, panic buying, and price spikes in several states.
This is an example of an Availability breach in that the ransomware was installed on the company’s ERP system, and employees lost access to that system's data until the data was restored and/or decrypted. No data was lost or exfiltrated from the organization; it was simply inaccessible.
Privacy Breach Example: T-Mobile Customer Data Breach (August 2021)
Company URL: www.t-mobile.com
Breach Details: https://www.t-mobile.com/news/network/additional-information-regarding-2021-cyberattack-investigation
In August of 2021, a 21-year-old hacker gained access to the servers that hosted T-Mobile customer data and extracted the personally identifiable information of more than 50 million existing and previous customers of the service. This information included social security numbers, dates of birth, names, and the identification numbers for cell phones and SIM cards associated with the accounts. The hacker came forward and detailed how easily he accessed the data to show the general public how “awful and amateur their security practices are.”
This is an example of a Privacy breach in that the hacker released the PII of over 50 million customers, and those details could easily allow other threat agents both to identify a specific customer in order to conduct forms of identity theft and to attempt to target and access that customer's cell phones or other devices.