Fortune 500 breaches seem to be a theme this week. As the Yahoo attacker responsible for the company’s 500 million-account data breach has been sentenced, Coca-Cola disclosed an insider stole the information of 8,000 employees.
A Canadian man who pleaded guilty last year to a “hacking-for-hire” spear-phishing operation of Yahoo employees was sentenced to five years in prison on Tuesday by a federal judge in San Francisco. Karim Baratov (only one of his aliases) was also ordered to pay a $250,000 fine, which “encompasses the rest of his assets,” according to the U.S. Department of Justice.
According to the DoJ announcement, Baratov was part of a conspiracy in which two Russian Federal Security Service (FSB) intelligence officers hired him to collect information on webmail accounts between January 2014 and December 2016. The efforts resulted in the heist of a half-billion Yahoo user accounts, part of a massive breach ultimately totaling 3 billion accounts.
“It’s difficult to overstate the unprecedented nature of this conspiracy, in which members of a foreign intelligence service directed and empowered criminal hackers to conduct a massive cyberattack against 500 million victim user accounts,” said FBI Special Agent in Charge, John Bennett.
In the attack, first disclosed in 2016, the hackers were able to steal a proprietary process Yahoo used to create authentication cookies. With that process in hand, they could forge cookies themselves and access accounts without ever authenticating; from there, they were able to lift information from the company’s user account database.
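To make the cookie-forgery point concrete, the following is an added illustration, not code from Yahoo or from the article, and it makes no claim about how Yahoo's real cookie scheme worked. It assumes the common design of an HMAC-signed session cookie, and shows why a signature check alone cannot tell a forged cookie from a real one once the signing process (here, simply the key) has leaked: the forged cookie carries a valid signature. The two controls a defender can add are a server-side registry of sessions the issuer actually created and the ability to rotate the key, which invalidates everything signed under the old one. The class and function names (`CookieAuthority`, `mint_outside_issuer`) and all sample values are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional


class CookieAuthority:
    """Issues and verifies HMAC-signed session cookies (hypothetical design, not Yahoo's).

    A cookie is  base64url(payload) + "." + hex(HMAC-SHA256(key, payload)).
    Besides the signature, the verifier can require that the session id in the
    payload was actually issued by this authority (server-side registry).
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Constructed key for the example; a real deployment keeps this in a KMS/HSM.
        self.key = key or secrets.token_bytes(32)
        self.sessions: Dict[str, str] = {}  # sid -> user, the issuer's own record

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def issue(self, user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(16)
        payload = json.dumps(
            {"user": user, "sid": sid, "exp": int(now) + ttl}, sort_keys=True
        ).encode()
        self.sessions[sid] = user  # record what we handed out
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def verify(self, cookie: str, require_session: bool = True,
               now: Optional[float] = None) -> Optional[str]:
        """Return the user name for a valid cookie, or None for anything else."""
        now = time.time() if now is None else now
        try:
            b64, sig = cookie.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(b64.encode())
        except (ValueError, binascii.Error):
            return None
        # Constant-time comparison on bytes avoids both timing leaks and
        # TypeError on non-ASCII input.
        if not hmac.compare_digest(self._sign(payload).encode(), sig.encode()):
            return None
        try:
            data = json.loads(payload)
        except ValueError:
            return None
        if not isinstance(data, dict) or data.get("exp", 0) < now:
            return None
        # A well-signed cookie the issuer never created is still rejected.
        if require_session and self.sessions.get(data.get("sid")) != data.get("user"):
            return None
        return data.get("user")

    def rotate_key(self) -> None:
        """Invalidate every cookie signed under the old key."""
        self.key = secrets.token_bytes(32)


def mint_outside_issuer(leaked_key: bytes, user: str) -> str:
    """Simulate the scenario in the article: a cookie built with a stolen signing
    key, outside the issuer, so it has a valid signature but no server-side session."""
    payload = json.dumps(
        {"user": user, "sid": "forged-" + secrets.token_hex(4), "exp": 2**31 - 1},
        sort_keys=True,
    ).encode()
    sig = hmac.new(leaked_key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


if __name__ == "__main__":
    auth = CookieAuthority()
    real = auth.issue("alice")
    forged = mint_outside_issuer(auth.key, "admin")
    print("real cookie, signature + registry:", auth.verify(real))
    print("forged, signature only:", auth.verify(forged, require_session=False))
    print("forged, signature + registry:", auth.verify(forged))
    auth.rotate_key()
    print("real cookie after key rotation:", auth.verify(real))
```

The signature-only path is the one that fails in the leaked-key scenario: `verify(forged, require_session=False)` happily returns `"admin"`. Checking the session id against the issuer's own records turns the forged cookie into a rejection, and a detection opportunity, since well-signed cookies for unknown sessions should never occur in normal operation.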
While the attack was state-sponsored – a reality that Yahoo talked up in the aftermath – the company still came under fire for internal security failings. It also admitted that it knew in 2014 attackers were on its network and at the time had stolen data from a half-billion accounts. Congress then demanded answers from CEO Marissa Mayer, calling the two years between the attack and disclosure “unacceptable.”
“All of these breaches come back to a fundamental problem – companies are not managing and controlling their critical data; companies are very, very sloppy about data management,” said Eric Cole, CEO of Secure Anchor Consulting, in an interview. “It’s a widespread lack of visibility and control.”
Data control is at the heart of the Coca-Cola incident. The Americana icon has issued notifications to about 8,000 employees, saying that their personal data walked off in September 2017, thanks to a former employee at a Coke subsidiary who stole an external hard drive.
“Our investigation identified documents containing certain personal information for Coca-Cola employees and other individuals that was contained in the data held by the former employee,” the company said in a notification letter to workers. It didn’t specify what information was compromised.
The soda-and-water giant said that it discovered the breach only after it was notified by law enforcement officials, who recovered the drive. It also defended its decision not to disclose the breach for eight or so months, saying the delay was at the request of authorities investigating the breach.
“The thing that strikes me with the Coca-Cola breach is that they didn’t detect it themselves,” Cole said. “Their intrusion detection systems of choice are the FBI. It sums up the three major trends in data breaches: Companies don’t know where data is and they leave it in an exposed state; they do not do timely detection of attacks; and they often rely on third parties like law enforcement to let them know they’ve been breached.”
Coke has seen information physically walk away in the past: In a 2014 incident, several laptops containing unencrypted personal data were stolen from its Atlanta headquarters, affecting about 74,000 current and former employees.
“I often joke that most companies have employees that are carrying around million-dollar laptops, because the average machine has a 2TB hard drive that likely has a lot of sensitive information on it, that has no business being stored there,” Cole said.
Coke didn’t immediately say how many workers were affected, but clarified the scope of the problem to Bleeping Computer.
“The part that worries me is that breaches are becoming the norm,” Cole said. “I talked to some folks about the Coke breach and the sentiment was that it’s ‘only’ 8,000 people. So unless it’s a million people or more, we have a tolerance level? Instead of putting pressure on companies to be better, we’re accepting it as business as normal.”