Biggest data breaches of 2015
The recent VTech Learning Lodge hack, for example, affected about 5 million adults and 200,000 children, including photos of parents and kids. By linking stolen children’s names with their parents’ names, attackers could figure out the last names and locations of the kids.
Multiple breaches at the U.S. government’s Office of Personnel Management over nearly a year led to theft of data on 22 million current and former federal employees that included the fingerprints of about 5 million. Among those affected: members of law enforcement and intelligence communities. The agency had lots of problems, including the lack of a comprehensive inventory of its IT assets.
Two major health insurers, Anthem and Premera, were hacked, likely by the same actor, resulting in the largest theft of medical records to date. Both break-ins were discovered on the same day, leading some to think law enforcement had discovered the attacks and tipped off the victims. The perpetrators seemed to be after intelligence as opposed to data they could sell for cash, indicating that a nation might be behind it. The breaches involved methods and tactics attributed to a Chinese group known as Deep Panda.
The Hacking Team, an Italian business that sells zero-day exploits to governments so they can break into systems, was itself hacked, much to the delight of social media. The posting of gigabytes of stolen data revealed that staff used lame passwords and that the company sold to some governments with sketchy human-rights records. It also made public the zero-day exploits the company had in its arsenal, some of which made their way into use in the wild.
And there was Ashley Madison, the site for married people to find other married people with whom to have affairs. Its customer records were posted publicly, leading to much embarrassment, heartache and perhaps two suicides. It also represented a treasure trove of potential spear-phishing victims.
Below is a list of some of the top hacks of 2015, each with a summary of what was stolen, how the attackers got in and what the impact was.
Ashley Madison
Data compromised – 37 million customer records, including millions of account passwords exposed by a weak MD5 hash implementation
How they got in – Unclear.
How long they went undetected – Discovered July 12, 2015; when the attackers first got in was not disclosed.
How they were discovered – The hackers, called the Impact Team, pushed a screen to employees’ computers on login that announced the breach.
Why it’s big – The attackers posted personal information of customers seeking extramarital affairs with other married persons, which led to embarrassment, and in two cases, possible suicides.
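The Ashley Madison entry above points to a weak MD5 password store as the reason millions of passwords were recoverable. The following is an added example, not code from the article or from any of the companies named, that contrasts the two storage patterns on constructed data: unsalted MD5 digests, which fall to a single precomputed lookup over a common-password list, and salted, iterated PBKDF2-HMAC-SHA256, which gives every account a distinct digest and a per-guess cost. The user names, passwords and wordlist are all constructed for the demonstration.

```python
import hashlib
import hmac
import os


def weak_md5(password):
    """Unsalted, single-round MD5: the storage pattern the breach summary above describes."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed demo store (hypothetical users and common passwords); not data from the breach.
WEAK_STORE = {
    "alice": weak_md5("password"),
    "bob": weak_md5("letmein"),
    "carol": weak_md5("correct horse battery staple"),
}

# Constructed wordlist standing in for a public list of common passwords.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome1"]


def crack_md5_store(store, wordlist):
    """Why unsalted hashes are dangerous: one MD5 per candidate word is computed once,
    and that single table then resolves every account that chose a common password."""
    lookup = {weak_md5(word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in store.items() if digest in lookup}


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256.

    Stored format (assumption for this example): algorithm$iterations$salt_hex$hash_hex.
    A fresh 16-byte random salt means two users with the same password get different
    digests, so no precomputed table applies across accounts, and the iteration count
    makes each guess cost the attacker the same work it costs the verifier.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    # Two of the three weak-store accounts fall to the wordlist in one pass.
    print("recovered from MD5 store:", crack_md5_store(WEAK_STORE, WORDLIST))
    # The same password stored twice under PBKDF2 yields two unrelated records.
    print(hash_password("password"))
    print(hash_password("password"))
```

The lookup in `crack_md5_store` is the whole attack surface of an unsalted store: its cost is one hash per wordlist entry regardless of how many accounts there are. With `hash_password`, the same wordlist would have to be re-hashed per account with that account's salt at 200,000 iterations each, which is the cost asymmetry a password store is supposed to create.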
Office of Personnel Management
Data compromised – Personnel records on 22 million current and former federal employees
How they got in – Using a contractor’s stolen credentials to plant a malware backdoor in the network.
How long they went undetected – 343 days
How they were discovered – Anomalous SSL traffic and a decryption tool were observed within the network, leading to a forensic investigation.
Why it’s big – It appeared to be a data mining operation, seeking data on individuals for intelligence purposes as opposed to data to be exploited for cash. The stolen personnel records include those of employees holding sensitive, classified jobs in law enforcement and intelligence, and also include their fingerprints.
Anthem
Data compromised – Personal information about more than 80 million people
How they got in – A possible watering hole attack that yielded a compromised administrator password
How long they went undetected – Nine months
How they were discovered – A systems administrator noticed that a legitimate account was querying internal databases without the legitimate user’s knowledge.
Why it’s big – It resulted in the largest number of records compromised in a healthcare network and bore the fingerprints of Deep Panda, a group known for breaking into technology, aerospace and energy firms as well as another health insurer, Premera.
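The Anthem summary above says the intrusion surfaced when an administrator noticed a legitimate account running database queries its owner had not made. The following is an added example, not code from the article or from Anthem, showing how that observation can be turned into a repeatable check: build a per-account baseline (known source addresses, largest result set) from audit events before a cutoff date, then flag later events that come from a new source, run outside business hours, return far more rows than the account ever has, or perform a bulk export. The audit-log format, the account names, the addresses and the business-hours window (07:00 to 19:00 UTC) are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample database audit log (hypothetical accounts and addresses; not real data).
SAMPLE_LOG = """\
2015-01-20T14:02:11Z user=jsmith action=query table=claims rows=120 src=10.1.4.22
2015-01-20T15:10:43Z user=jsmith action=query table=claims rows=85 src=10.1.4.22
2015-01-21T09:30:02Z user=jsmith action=query table=members rows=200 src=10.1.4.22
2015-01-21T10:05:17Z user=dbadmin action=query table=members rows=150 src=10.1.2.9
2015-01-22T02:14:05Z user=dbadmin action=query table=members rows=9500000 src=10.1.77.41
2015-01-22T02:40:51Z user=dbadmin action=export table=members rows=9500000 src=10.1.77.41
2015-01-22T10:12:30Z user=jsmith action=query table=claims rows=95 src=10.1.4.22
"""

# Assumed line format: ISO timestamp, then space-separated key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse audit lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["rows"] = int(ev["rows"])
        events.append(ev)
    return events


def build_baseline(events, cutoff):
    """Per-account profile from events before `cutoff`: source addresses seen and largest result set."""
    baseline = defaultdict(lambda: {"sources": set(), "max_rows": 0})
    for ev in events:
        if ev["ts"] >= cutoff:
            continue
        prof = baseline[ev["user"]]
        prof["sources"].add(ev["src"])
        prof["max_rows"] = max(prof["max_rows"], ev["rows"])
    return baseline


def detect_anomalies(events, cutoff, business_hours=(7, 19), rows_factor=10):
    """Score every event at or after `cutoff` against the baseline; return the flagged ones.

    Each alert carries the list of reasons so an analyst sees why a known, valid
    account was singled out rather than just that it was.
    """
    baseline = build_baseline(events, cutoff)
    alerts = []
    for ev in events:
        if ev["ts"] < cutoff:
            continue
        reasons = []
        hour = ev["ts"].hour
        if not (business_hours[0] <= hour < business_hours[1]):
            reasons.append("off_hours")
        prof = baseline.get(ev["user"])
        if prof is None:
            reasons.append("unknown_account")
        else:
            if ev["src"] not in prof["sources"]:
                reasons.append("new_source")
            if prof["max_rows"] > 0 and ev["rows"] > rows_factor * prof["max_rows"]:
                reasons.append("row_volume")
        if ev["action"] == "export":
            reasons.append("bulk_export")
        if reasons:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"], "reasons": reasons})
    return alerts


# Baseline window ends where the suspicious activity in the constructed log begins.
CUTOFF = datetime(2015, 1, 22, tzinfo=timezone.utc)

if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG), CUTOFF):
        print(alert)
```

The point of the per-account baseline is that nothing about the flagged `dbadmin` events is invalid on its face: the credentials are real and the account is entitled to read the table. What gives them away is the combination of a never-before-seen source address, a 2 a.m. timestamp and a result set orders of magnitude larger than the account's history, which is the same shape of signal the administrator in the Anthem case acted on. The `jsmith` event after the cutoff produces no alert, which is the false-positive check any such rule needs.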
Hacking Team
Data compromised – 400GB of internal files, including zero-day exploits the company planned to sell, source code, a list of its customers and emails
How they got in – Attackers gained access to an engineer’s PC while it was logged into the network. (His password was Passw0rd.)
How long they went undetected – Undisclosed
How they were discovered – Attackers announced it by commandeering the company’s Twitter account and renaming it Hacked Team
Why it’s big – It revealed the customer list for the attack tools that Hacking Team sold and gave insight into how it negotiated sales and for how much. It was ironic in that a firm selling hacking tools was itself hacked.
Premera
Data compromised – Names, dates of birth, addresses, telephone numbers, email addresses, Social Security numbers, member identification numbers, medical claims information and financial information for 11 million customers
How they got in – Possibly by using phishing to lure employees to look-alike (typo-squatted) domains that downloaded malware
How long they went undetected – May 5, 2014 to Jan. 29, 2015
How they were discovered – Undisclosed.
Why it’s big – It was the largest breach of medical records, and the methods used in the attack are similar to those used against Anthem and likely used by the same attack group. Both attacks were discovered the same day.
IRS
Data compromised – Tax records for 330,000 taxpayers used to collect bogus refunds
How they got in – Using apparently stolen credentials and knowledge-based authentication information, they gamed the IRS filing and refund systems.
How long they went undetected – Uncertain
How they were discovered – Attackers sent so many requests for old tax returns the IRS IT team thought it was a DDoS attack and investigated.
Why it’s big – The thieves collected tens of millions of dollars in fraudulent refunds as well as all the data included on the tax forms they scammed from the IRS.
Slack
Data compromised – Its user database: usernames, email addresses and hashed passwords, plus phone numbers and Skype IDs for some accounts
How they got in – Undisclosed
How long they went undetected – Four days
How they were discovered – Undisclosed, but afterwards Slack activated two-factor authentication and noted it had seen suspicious activity in some accounts.
Why it’s big – Slack is a popular collaboration platform in which businesses work on critical projects where security is a must.
Experian breach affecting T-Mobile
Data compromised – Names, addresses, dates of birth and encrypted Social Security numbers and other ID numbers, though the encryption itself may have been compromised
How they got in – Undisclosed
How long they went undetected – 15 days
How they were discovered – Undisclosed
Why it’s big – The theft points out the lines of trust – warranted or not – that exist among businesses and how consumers can be affected by the security lapses of companies they don’t deal with directly.
mSpy
Data compromised – Customer screenshots, geolocation data, chat logs, location records on up to 400,000 users
How they got in – Undisclosed
How long they went undetected – Undisclosed
How they were discovered – Became public when security blogger Brian Krebs posted that he had been tipped off about hundreds of gigabytes of mSpy customer data posted to the Dark Web
Why it’s big – Demonstrates the danger of dealing with spyware companies.