
2015’s (cyber) seven – the most notorious data breach examples of the year

December 30, 2015

This year saw several major cyber-security breaches that brought to general attention the fact that nobody is safe. From private companies to government agencies, cyber-attacks threaten every entity that handles sensitive data. Given the thriving black market for stolen data and its illegal yet prosperous trade, such data is at risk both as merchandise and as a target on the cyber-warfare front.

Which seven data breaches stand out in 2015?

First, consider the notorious attacks that hit government agencies.

  1. The Office of Personnel Management (OPM) breach

The breach consisted of two intrusions, which took place between December 2014 and February 2015 and were disclosed only in the summer of 2015. They affected 4.2 million and 21.5 million people respectively. Stolen data included personally identifiable information (PII), detailed background-investigation material gathered for security clearances, and fingerprints, since OPM collected and stored this kind of in-depth personal information on federal employees, contractors and clearance applicants.

Accounts of how the intrusion was detected differ. One version credits the EINSTEIN intrusion detection program run by the United States Computer Emergency Readiness Team (US-CERT); another holds that the breach surfaced during a product demonstration of CyFIR, a cyber-forensics tool. Either way, the attackers had gone undetected for 343 days.

Because of the nature and quantity of the stolen data, the OPM breach resonates widely and stands as an important warning about cyber-risk wherever critical data is involved. The presumed intruders are Chinese attackers. The incident triggered the resignation of OPM director Katherine Archuleta and the hiring of security advisers to upgrade the agency's cyber defenses.

  2. The FBI breach

Although the FBI declined to comment officially on the alleged 2015 hack, reportedly carried out by the same people who accessed the private email account of CIA director John Brennan, the event was widely reported online. The November 2015 breach concerned an agency portal used for intelligence sharing and for booking arrested suspects, and the data of hundreds of thousands of users holding login credentials to it.

Described as one of the largest outsider breaches to hit a law enforcement entity, this attack offers few details to comment upon, yet it is worth mentioning.

  3. The IRS breach

This breach began in February 2015. The records of 330,000 taxpayers were compromised in an attack that used previously stolen personal data to pass the authentication checks. The intrusion itself went undetected; what drew attention was the huge number of tax-return requests the IRS received as a result. The Service initially assumed it was under a DDoS attack and opened an investigation, which revealed the true nature of the incident: previously stolen data had been turned into fraudulent refund requests.

This attack stood out because the attackers used data mined (or purchased) elsewhere to get into the system; it was not a breach in the strict sense so much as the fruition of earlier data-theft operations. Losses were estimated at approximately $50 million (according to an article that counted only 100,000 affected accounts).

Second, 2015 featured clever cyber-attacks that let hackers access stored authentication data. These attacks targeted companies whose business involves centralizing login credentials and other sensitive data.

  4. The LastPass breach

In June 2015 the well-known password manager LastPass was (ironically) the victim of a cyber-attack. The cloud-based company warned that the attackers had taken the authentication hashes of users' master passwords, the per-user cryptographic salts, password reminders and e-mail addresses, although it judged it unlikely that the thieves could reverse the hashing to recover plain-text master passwords. LastPass also said it had found no evidence that encrypted vault data had been taken.

The intrusion left anomalies in the company's server logs, and noticing them led to the discovery of the breach.

Even without recovering any master passwords, the attackers put more than 7 million users at risk, both of targeted phishing (the leaked reminders and e-mail addresses) and of offline guessing attacks against weak master passwords. LastPass disclosed the situation publicly and urged its users to change their master passwords.
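To make the LastPass reasoning concrete, the following is an added example (not code from the original article, nor LastPass's own implementation) of a salted, iterated password hash of the kind the company described, seen from both sides: the server storing and verifying a verifier, and a thief holding the stolen salt and hash. The user names, the wordlist and the iteration count are constructed assumptions for the demonstration, not a statement of LastPass's exact configuration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for the demonstration. Assumed value for illustration only; not a
# claim about LastPass's exact server-side setting.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes, int]:
    """Derive the stored verifier (salt, digest, iterations) with PBKDF2-HMAC-SHA256.
    A fresh 16-byte random salt per user means identical passwords on two accounts
    produce unrelated digests, so one precomputed table or one hash computation
    per guess cannot be reused across the whole stolen database."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Server-side login check; constant-time comparison avoids leaking digest bytes."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def offline_guess(salt: bytes, digest: bytes, iterations: int, wordlist):
    """What the thief must do with a stolen (salt, digest) pair: one full PBKDF2 run
    per guess, per user. The salt is not secret; its job is to force this per-user
    work. Returns (matched password or None, number of guesses computed)."""
    for n, guess in enumerate(wordlist, start=1):
        if verify_password(guess, salt, digest, iterations):
            return guess, n
    return None, len(wordlist)


def demo(iterations: int = ITERATIONS) -> dict:
    """Two users sharing a weak password and one with a strong one, attacked with a
    small constructed wordlist. Returns the outcome for inspection."""
    # Constructed wordlist and accounts; not real credentials.
    wordlist = ["123456", "password", "letmein", "qwerty", "password123",
                "iloveyou", "lastpass2015", "Tr0ub4dor&3"]
    users = {
        "alice@example.com": "password123",                    # weak, in the wordlist
        "bob@example.com": "password123",                      # same weak password, different salt
        "carol@example.com": "correct-horse-battery-staple-7Q!",  # not in the wordlist
    }
    stolen = {email: hash_password(pw, iterations=iterations) for email, pw in users.items()}
    cracked = {email: offline_guess(salt, digest, iters, wordlist)
               for email, (salt, digest, iters) in stolen.items()}
    same_digest = stolen["alice@example.com"][1] == stolen["bob@example.com"][1]
    return {"cracked": cracked, "identical_digests_for_shared_password": same_digest}


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from running it: the two accounts sharing "password123" get different digests and each costs the attacker its own full pass over the wordlist, while the account with a long, unique master password is never found. Iteration count buys time against offline guessing; it does not rescue a master password that sits in every wordlist, which is why the advice after the breach was to change weak master passwords.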

  5. The Experian breach

The Experian breach took place in September 2015. The credit reporting company had the records of some 15 million people compromised, with their PII stolen, in a hack that mainly affected T-Mobile customers and applicants whose data was stored on Experian's servers.

Again, this was a case in which the attack targeted a company trusted as a custodian of credentials and data. Many companies pass customer data to Experian for credit checks, so a single compromise there exposes customers who never dealt with Experian directly and had no say in how their data was held.

The 2015 attack apparently went undetected for 15 days; it followed the 2014 Experian incident that exposed the data of over 200 million U.S. citizens.

  6. The Anthem breach

The breach at health insurer Anthem affected roughly one third of Americans. In February 2015 about 80 million records were reported stolen, along with the data of 19 million rejected applicants. The party behind the attack remains undisclosed.

The intrusion went undetected for 9 months, until suspicious activity from a legitimate account raised questions: the real user was unaware of the internal database query that had been run from his account.
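The Anthem detection story is the textbook case for behavioural monitoring of privileged accounts: the credentials were valid, so only the deviation from what that account normally did gave the attacker away. As an added example (not code from the original article and not Anthem's tooling), here is a small detector that builds a per-account baseline from an audit log and flags queries that depart from it. The log format, account names, addresses and statements are constructed for the demonstration.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List

# Constructed sample audit-log lines in a hypothetical format (timestamp, account,
# source address, rows returned, statement). They are not Anthem's logs.
SAMPLE_LOG = """\
2015-01-20T09:12:01Z user=dba01 src=10.20.1.15 rows=42 stmt="SELECT * FROM members WHERE member_id=?"
2015-01-20T10:03:44Z user=dba01 src=10.20.1.15 rows=17 stmt="SELECT * FROM claims WHERE member_id=?"
2015-01-21T14:25:09Z user=dba01 src=10.20.1.15 rows=88 stmt="SELECT name,dob FROM members WHERE plan_id=?"
2015-01-22T11:40:30Z user=dba01 src=10.20.1.15 rows=5 stmt="UPDATE members SET addr=? WHERE member_id=?"
2015-01-20T09:30:12Z user=analyst7 src=10.20.3.40 rows=1200 stmt="SELECT plan_id,count(*) FROM members GROUP BY plan_id"
2015-01-21T09:31:55Z user=analyst7 src=10.20.3.40 rows=980 stmt="SELECT plan_id,count(*) FROM claims GROUP BY plan_id"
2015-01-26T13:05:10Z user=analyst7 src=10.20.3.40 rows=1015 stmt="SELECT plan_id,count(*) FROM members GROUP BY plan_id"
2015-01-27T02:14:09Z user=dba01 src=172.16.99.7 rows=78800000 stmt="SELECT name,ssn,dob,addr,email FROM members"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$'
)


def parse_log(text: str) -> List[dict]:
    """Parse the audit lines; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["rows"] = int(e["rows"])
        e["hour"] = int(e["ts"][11:13])
        events.append(e)
    return events


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per-account profile: median result size, source addresses and hours of day seen."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    return {
        user: {
            "median_rows": statistics.median(e["rows"] for e in evs),
            "srcs": {e["src"] for e in evs},
            "hours": {e["hour"] for e in evs},
        }
        for user, evs in by_user.items()
    }


def score_event(e: dict, baseline: Dict[str, dict], volume_factor: int = 50) -> List[str]:
    """Reasons this query deviates from what the account normally does; empty if routine."""
    prof = baseline.get(e["user"])
    if prof is None:
        return ["account never seen before"]
    reasons = []
    if e["rows"] > volume_factor * max(prof["median_rows"], 1):
        reasons.append("result volume far above baseline")
    if e["src"] not in prof["srcs"]:
        reasons.append("new source address")
    if e["hour"] not in prof["hours"]:
        reasons.append("unusual hour")
    stmt = e["stmt"].upper()
    if "WHERE" not in stmt and "GROUP BY" not in stmt:
        reasons.append("unfiltered bulk read")
    return reasons


def run_detection(log_text: str, cutoff_ts: str = "2015-01-25T00:00:00Z") -> List[dict]:
    """Learn from events before cutoff_ts (ISO-8601 strings sort chronologically) and
    score the rest. Requiring two independent reasons keeps a single off-hours query
    from paging anyone; the bulk export of a whole table trips every check."""
    events = parse_log(log_text)
    history = [e for e in events if e["ts"] < cutoff_ts]
    recent = [e for e in events if e["ts"] >= cutoff_ts]
    baseline = build_baseline(history)
    alerts = []
    for e in recent:
        reasons = score_event(e, baseline)
        if len(reasons) >= 2:
            alerts.append({"event": e, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in run_detection(SAMPLE_LOG):
        ev = a["event"]
        print(ev["ts"], ev["user"], ev["src"], "->", "; ".join(a["reasons"]))
```

Run stand-alone, it reports only the 02:14 query from the unfamiliar address that pulls the entire members table under the administrator's account; the analyst's afternoon query, which differs from baseline on hour alone, is left quiet. The same structure (baseline window, independent signals, a threshold on how many must fire) is what a SIEM rule for privileged database accounts needs, and it would have raised the question nine months earlier than a puzzled administrator did.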

Healthcare data is among the most expensive merchandise on the black market, so this breach was a big win for its perpetrators and a major healthcare technology event of the unpleasant kind. Healthcare companies are valuable targets in direct proportion to the sensitivity of the data they hold.

Losses from this breach are often cited as being around $272 billion and spread across the healthcare system, since data is intertwined in this field; that figure, however, matches published estimates of annual U.S. healthcare fraud losses for the whole system rather than the cost of this single incident.

The breach that prefigures future IoT breaches:

  7. The VTech breach

In late November, VTech, a global supplier of children's toys and electronic learning products, suffered a breach that compromised its app store. This led to the exposure of a range of personal data, including account credentials, activity logs and photos. Since much of that data concerned children, the breach (initially reported as 4.8 million records, with the first names, genders and birthdays of more than 200,000 kids) is a very serious case of data theft. More recent figures, from an article on the arrest of a British citizen in connection with the breach, put the count at "4,854,209 customer (parent) accounts and 6,368,509 related kid profiles".

The breach brought into the spotlight the concern that manufacturers of everyday products, which have begun embedding connected features in their merchandise, often lack the cyber-security experience needed to protect their customers, and so put them at risk.