The 3 worst software security breaches of 2016 (and how to avoid them in your company)

| 7 min. (1423 words)

If 2016 taught us anything about technology, it was about the damage software security breaches can cause. And it’s not just a company’s reputation that suffers. We can measure the losses of the worst software security breaches in _billions_ of dollars.

Industries across the board from finance to government came under scrutiny from the press amid claims of fraud, leaked data and compromised private information.

What happened?

Is it that companies were just lax? Could the worst of 2016’s biggest security breaches have been prevented by more rigorous security measures? After all, it only takes one breach to bring down a company’s reputation and cause dollar values to plummet. Luckily, we can live and learn from the mistakes of others.

We can learn a lot from large companies like Sage and FACC (both of which we will cover). We’ll also take a look at Yahoo which fell victim to one of the largest software security breaches. Luckily, there are a few preventative measures that will allow your company to avoid the same pitfalls.

The largest software security breach in history (so far): Yahoo

2016 was a bad year for Yahoo. Two security breaches were made public, including the biggest known data breach in history.

In 2013, account information of 1 billion Yahoo accounts were taken in an assumed cookie-based attack, and in 2014, account information of 500 million users were taken. The attack method of the latter has not been confirmed.

Yahoo features in Raygun's worst software security breaches of 2016

User information taken in both breaches were similar; passwords, usernames, security questions and answers, birth dates and phone numbers. Perhaps more surprisingly, the security breaches were only made public in late 2016, years after they occurred.

It’s inconceivable how Yahoo let this happen. As soon as Yahoo knew of the breaches, they should have let users know immediately. It would have been easy to mitigate further risk by advising users to update their security information immediately.

This meant Yahoo users were susceptible to the following:

  • Accounts for other services and sites that used the same username and password combinations could have become compromised
  • Password recovery information for other services and sites being sent to the compromised accounts
  • Personal information in emails made available – including credit card and bank accounts
  • Financial impact on Yahoo

    We can’t accurately measure the personal impact the 1.5 billion instances of compromised data had, or the damage to Yahoo’s reputation.

    We can however measure the financial impact on Yahoo. They recorded a 6.5% share price fall after the second breach was publicized. Verizon had been slated to acquire Yahoo for US$4.8 billion. After news of the breach became public, Verizon was seeking a US$1 billion discount, adding more salt to the wound. 

    How you can avoid compromised data

    Here are a few action points and preventative measures.

  • As soon as you find a potential security breach, let everyone know as soon as possible
  • Use a different username and password combination for each personal and work-related account
  • Use Two Factor Authentication (2FA)  where you can
  • ‘Have I been pwned?’ is a free online tool created by eminent security expert Troy Hunt. Type your email address into the search bar to check if your personal email has been compromised
  • Use a monitoring software like Raygun to help prevent security breaches. An error monitoring software can pick up early warning signs like data collection pages throwing errors, unusual errors, and unusual spikes in the the amount of errors
  • The fake president incident: FACC

    ‘Fake president’ scams are where an identity is imitated to convince an employee to transfer funds to a third party.

    Of 2016’s most well-known ‘fake president’ frauds, a heavily publicized incident happened to Austrian company FACC, a supplier to Boeing and Airbus.

    FACC was in Raygun's list of the three worst software security breaches of 2016

    Almost a year ago, FACC became the victim of a fraudulent email that looked as if it was sent from the FACC CEO. The email instructed an employee to transfer around US$55 million to an account for a non-existent acquisition.

    Because this type of scam echoes emails we sometimes receive from our long lost relative wanting to give us an inheritance, it can be easy to scoff at such a seemingly rookie mistake.

    Emails used by the fake president scams often contain detailed, company-specific information in their subject line and body. An authoritative tone combined with a sense of urgency can make the email seem even more authentic.

    Although this incident doesn’t win the prize for the most money stolen in a security breach (that goes to the US$81 million bank heist at Bangladesh’s central bank) this case is crucial due to the rising cost and frequency of fake president scams.

    Financial impact on FACC

    The CEO and Chief Financial Officer of FACC were fired shortly after the incident, and FACC’s share price fell by 19%. FACC also recorded a US$25 million loss, whereas FACC would have recorded a US$20 million profit if the company didn’t fall for the scam.

    Lastly, we can’t forget the stolen US$55 million.

    How to avoid email scams

    The FBI issued a warning last year about the rise in business email scams which resulted in losses of more than US$2.3 billion globally over three years. We can have the most advanced security systems, but unfortunately the weakest part of the security equation are most often people. However, there are steps you and your company can take to avoid, or at least minimize, the risk of falling for a social engineering-type attack:

  • Check to see if your outbox includes any mail you definitely have not sent
  • Have solid accounting procedures in place and respect them
  • Verify the email request 
  • Verify financial requests in person or calling them on a number not used in a potentially fraudulent email
  • Insider threat: Sage 

    Sage is an accounting and HR software provider and the only software company on the FTSE 100. Sage released a statement mid-2016 that private customer information may have been stolen via unauthorized access from an internal login

    The data that may have been compromised was said to include employee information – salary and bank account details – from around 280 businesses. This incident is not remarkable in the amount of data stolen, it’s on our list because insider threats are arguably a bigger risk than external breaches. Internal breaches make up a whopping 91% of software security breaches.

    Sage was in Raygun's list of the three worst software security breaches of 2016

    The fact is that most insider breaches – about 71% of them – are unintentional. As developers, we can contribute directly to software security breaches through our code. 

    Writing perfect code is a myth. Think of the times you deployed code to production and found a bug originating from your code. Bugs happen – but they aren’t the worst thing in the world. You can check out a new git branch, write new unit tests, test the branch in another environment, then deploy to production.

    If you start to think of every single bug as a potential chink in your company’s armour, you’ll start to look at bugs differently. Using this lens it’s easy to see how every developer is a potential insider threat, no matter how pure our intentions are.

    Impact on Sage

    Sage’s reputation is largely intact, mostly due to the fact Sage notified their customers straight away. The breach affected only 1% of their customers. Insider threats are notoriously difficult to predict and guard against. Sage’s share price fell momentarily by 4%, but have since recovered.

    How to avoid internal breaches

    Here are a few action points and preventative measures against internal threats:

  • Provide a healthy work environment where employees feel safe to speak up
  • Have regular one-on-ones with employees
  • Write unit tests and test code thoroughly
  • Security training for your staff 
  • Conclusion

    The worst software security breaches are preventable. Ensure you have solid business and security procedures in place which are followed rigorously, and make it easy for your employees to report suspicions. If the worst does happen, follow Sage’s lead and let everyone know what steps they need to take to stay protected – even after a security issue!

    As mentioned in this article, an error and crash reporting software like Raygun is beneficial as an early warning system. The Raygun platform detects software errors and broken scripts that can be a sign of a security breach in your software. If you’d like to see how Raygun can make your software safer, take a free trial here.

    How Raygun keeps big data safe

    Mobile application development trends from 2016

    Maintain visibility through the entire software build process

    Rails security: dropping your code into shark infested waters!