Data breaches are coming thick and fast. Gemalto estimated there were 888 data breaches in the first half of 2015 alone, resulting in 246 million compromised records, while IBM research indicated that the average, consolidated total cost of a data breach last year hit $3.8 million, marking a 23% increase over 2013.
2015 has been the year where social engineering became the main infection point, the human as the ‘low-hanging fruit’, although software vulnerabilities will most likely forever be exploited. Nation-states are active in this space, and organized criminal gangs see the monetary opportunity. The insider threat remains as prominent as ever.
We look at five of the biggest – and most damaging – data breaches from last year.
In June, the United States Office of Personnel Management (OPM) announced that it had been hit by one of the most advanced cyberattacks in recent memory. It was initially reported that this resulted in the loss of four million records, a figure that was later revised to 18 million by FBI director James Comey. It is now believed that 21.5 million government employees have been affected in total.
Described by federal officials as among the largest breaches of government data in the history of the US, compromised information included personally identifiable data such as names, dates of births, addresses and social security numbers of staff. Over five million fingerprints and security clearance documentation were also exposed.
China was initially blamed – something the country denies – and social engineering deemed to be the likely entry point. Attackers supposedly gained valid user credentials and moved around OPM’s network to inflict damage back in December 2014. OPM first detected the breach in April 2015.
At the start of 2015, US health insurer Anthem notified its customers of an advanced cyberattack, which affected everyone from current and former policyholders, to various other brands (Blue Cross and Blue Shield) that were using Anthem services.
Approximately 80 million customers and employees were affected by the attack, which again began weeks before it was actually detected. It is believed that cybercriminals potentially stole personally identifiable information from its servers (including names, birthdays, medical IDs, social security numbers, addresses and income data), after compromising a database and using an administrator’s credentials to download all the details.
Crucially, Anthem was not required by law to encrypt customer data, and is subsequently facing civil lawsuits for this error. It has been estimated that these legal suits could cost the firm millions of dollars. Data from the attack is believed to have been sold on the black market by the cybercriminals.
It could be argued that the Ashley Madison attack was the most significant – if not famous – data breach of 2015, as the impact on its users was unprecedented (particularly because of the nature of the service offered).
The website, which describes itself as “the world’s leading married dating service for discreet encounters,” became headline news the world over after personal information was leaked online. The very concept that made the site so appealing had been compromised, much to the dismay of its members.
It started a few years ago but gained traction back in July, when the Impact Team compromised Ashley Madison’s servers, and then uploaded user data online. It threatened to release personally identifying information if the website was not immediately shut down.
Approximately 60GB worth of user data was confirmed to be valid in August, and the number of people affected is now believed to be as high as 37 million.
Reporters and vigilantes combed through the database post-breach, finding hundreds of email addresses from Saudi Arabia (where adultery can be punishable by death), as well as emails registered to the US military and government. Two suicides have also been linked to the leak.
Despite all of this, Ashley Madison continues to exist; with the company surprisingly claiming that membership has grown since the attack.
Like Ashley Madison, the breach of Hacking Team was a huge story and when news of the attack came to light in July, it had professionals intrigued.
The Hacking Team has long been criticised by the information security industry for developing hacking tools for illegal use by government agencies. Some of its customers were found to be oppressive governments in the Middle East and Africa.
The breach resulted in the leak of over one million emails, and 400GB of data was dumped online, shedding light on supposedly secret government relationships. The controversy continues to haunt many today.
This case also demonstrated the danger of working with spyware companies. For example, Brian Krebs revealed in May how mSpy had also been compromised. Details belonging to former and existing customers were subsequently posted on the dark web, the security expert confirmed.
VTech, the consumer electronics manufacturer, which specializes in educational toys and technology for children, was hit by a data breach in November, which affected 6.4 million children and 4.9 million customer (parent) accounts worldwide.
The individual behind the attack accessed data through the Learning Lodge app store customer database and Kid Connect servers on November 14th, bypassing security with little effort.
Compromised data included child profiles (names, genders and birthdays), passwords, IP addresses, download history, gender and birth dates. A 21-year-old man from the UK was later arrested for the intrusion, which is likely to have a huge impact on the current fortunes of VTech.
Of the incident, VTech has said: “Regretfully our database was not as secure as it should have been. Upon discovering the breach, we immediately conducted a comprehensive check of the affected site and have taken thorough actions against future attacks.”