2015 Cyber Security: A Year in Review
Wow! What a year 2015 has been for cybercrime! If there was any doubt whether we should be concerned about cyber security in 2014, I think we can all agree that 2015 has surely hit us on the head enough times with headlines related to it.
From large multinational organisations to small web companies, independent businesses and even security companies themselves, it seems that no one can feel completely safe as we enter 2016! We should also remember that a large percentage of cyber breaches go unreported, and sometimes even unnoticed. So while the big headlines should help us sit up and take notice, what should be keeping you awake at night is that the actual number of breaches is probably ten-fold what the headlines suggest.
Let’s take a look at some of the major attacks in 2015:
The most prominent one that comes to mind is probably the TalkTalk hack, here in the UK. Shockingly, they were attacked three times in the past year. In February, TalkTalk sent out emails asking customers to be wary of scammers using their personal information to defraud them, following a previous attack in which customer data was stolen. In August, their mobile sales site was targeted and breached by "a sophisticated and co-ordinated cyber attack, along with a number of other similar websites", leading to further loss of customer data.
And finally, in October, they suffered a Distributed Denial of Service (DDoS) attack, followed by another significant data breach, losing the data of yet more hundreds of thousands of customers.
One of the biggest hacks of the year was the breach of the Office of Personnel Management in the U.S. Hackers, reportedly from China, compromised its networks and maintained a presence in them for over a year. Over 21 million people were affected by this hack, having their sensitive data (including government security clearances) compromised.
The hackers also got hold of the fingerprint files of about 5.6 million federal employees, many holding classified clearances to secured facilities. SF-86 forms, questionnaires used for background checks for security clearances which contain a wealth of sensitive data, were also compromised.
One of the flashier attacks took place on AshleyMadison.com. Attackers made off with gigabytes of internal company emails and documents, as well as the customer details of about 32 million accounts, which included names, passwords, addresses and phone numbers. Seven years’ worth of credit card and other transaction details were also exposed.
When the company did not shut down as the attackers had requested, they made good on their threat to release all the sensitive data, publishing more than 30 gigabytes’ worth.
Since then, the company has been hit with several lawsuits from current and former customers accusing them of negligence in protecting confidential data.
As reported earlier, the personal details of 656,723 customers of pub chain JD Wetherspoon were stolen in June. Details such as names, dates of birth, email addresses and telephone numbers had been stored on an old website which got breached.
To put this data breach in perspective, the TalkTalk hack affected 156,959 customers, or almost a quarter of this one.
The company notified customers when it discovered the attack, warning them to be careful of social engineering attacks and misuse of their personal information.
If you’ve never heard of Gemalto, they are a Dutch firm and one of the leading makers of mobile phone SIM cards. I am including this because the attack was disclosed this year, even though it took place in 2010 and 2011. Attackers targeted the company’s huge cache of cryptographic keys, unsuccessfully, according to the company. Had the hackers obtained the keys, they would have been able to wiretap and decipher the encrypted phone communications of any mobile handset. Over 400 phone companies in 85 countries use Gemalto’s SIM cards, so the implications of such a hack are huge.
Hackers themselves had a breach this year when the Italian company Hacking Team was breached. The company buys and sells exploits and surveillance software to governments and intelligence agencies around the world. Their activities were always legally dubious, but were laid bare when the attackers exposed nearly 400 gigabytes of company emails and documents.
The documents contained information on the company’s software being used against activists and political dissidents in Morocco, the UAE and elsewhere.
Even a password management service with claims to impeccable security wasn’t spared in 2015. LastPass’s network was breached by attackers who accessed email addresses, encrypted master passwords and the reminder words users set to help them recall their master password. To its credit, LastPass stated it used strong hashing and salting functions to secure customers’ master passwords. However, the company stated that customers with relatively simple master passwords might be susceptible to attack.
While that is a long list of attacks, many more have been left out in the interest of brevity. The past year also saw attacks on Carphone Warehouse, Kaspersky Lab, Xbox Live, exploits for both Mac and Windows and even the root servers of the Internet itself!
I hope this serves as a stark reminder to all of us to be ever careful and vigilant for attacks against our business systems as well as our personal devices. The sheer breadth and variety of attacks shows that not even the experts can guarantee absolute security.
If you want to know more about how you can secure your business or are struggling with security in general, please feel free to contact me at firstname.lastname@example.org or on 0208 584 1400.