With 2015 in the history books, what can we learn from the top data breaches in the past year? Nothing seems to be safe; from children toys to medical records the boundaries of only losing a credit card number seems to be from an age of almost innocents. It’s impacting people lives -or the ones they want to hide like Ashley Madison.
Living in the digital age at some level becomes a more frightening time, such as the higher chances of having our personal information stolen. Unfortunately, there’s only so much we can do to prevent ourselves. It can be a massive disruption if our information is compromised, especially if it’s stolen from a company we’ve entrusted to keep our private data secure.
We take a look at the 10 top hacks of the year, from the salacious to the scary, and even one that wasn’t so bad but illustrates just how vulnerable our connected lives can be. Have companies getting any better at looking out for the best interest of consumers, or are we still living on the edge?
- Ashley Madison
The Ashley Madison hack was the most publicized hack of the year, due largely to the nature of the site: it’s essentially a service for those looking to cheat on their significant other with someone they find on site. There’s some irony to the fact that it was hacked, which of course wasn’t lost on the perpetrators.
Not only was the information of 32 million accounts stolen, but it was also published online by the hackers, meaning that anyone could conceivably go to the database and see if someone they knew used the service. Information such as credit cards and transaction details were also included in the data dump. Email addresses were also part of it as well. Reports show that as many as 15,000 of those email addresses were either .mil or .gov addresses.
It’s important to note that while 32 million accounts were hacked, it’s not known exactly how many people were affected: a seemingly large number of female user accounts were made up, a ploy to entice men to use the site. Other female accounts were largely inactive.
In February, Anthem disclosed it had suffered a breach that resulted in the personal information of 78.8 million people being stolen, making this hack easily the largest on our list.
Not only were Anthem’s own customers put at risk, but as many as 18.8 million people who members of other Blue Cross or Blue Shield health plans and had used their insurance in a state where Anthem operates may have been put at risk. That figure is included in the 78.8 million.
The hack resulted in information like Social Security numbers, names, birth dates, email addresses, and home addresses being stolen. About the only thing that wasn’t compromised was credit card information.
- Fiat Chrysler
This is a little different from the other hacks on the list, in that it only officially involves the hacking of one user, and that user was in a controlled environment and knew they were going to get hacked.
In June, a story was published by WIRED that involved journalist Andy Greenberg driving a Jeep that was remotely hacked via the car’s internet connection. The two hackers involved were Charlie Miller and Chris Valasek, who didn’t have any malicious intent, but instead aimed to warn users that their cars were vulnerable in the same way as their computers. Like a hacker can take control of a computer, Miller and Valasek were able to completely take over the Jeep, including sending commands to the car’s steering, brakes and transmission.
While the hack only involved one car, it caused the recall of 1.4 million cars by Fiat Chrysler, which promptly installed a software update the vehicles and told users that hacking the car was a criminal offense. The company reportedly knew of the vulnerability of its Uconnect entertainment system for 18 months prior to Miller and Valasek’s demonstration.
- Internal Revenue Service
In August, the IRS reported that it too had suffered a hack, and while the agency first reported 114,000 people were affected by the breach, it later increased that figure to 334,000.
While the IRS did say that 334,000 accounts were compromised, it wasn’t unable to say whether information from those accounts was stolen.
The hackers themselves reportedly made use of the IRS’ own system, Get Transcript, which allows users to view their tax transactions and return information for any given year. While users have to answer a number of identifying questions to see this information, the hackers found those answers from other sources and were able to access the IRS accounts.
- US Office Of Personnel Management
The hack of the US Office of Personnel Management, which manages employees of the US federal government and government agencies, was first reported in June. While the office itself first announced that 4 million people were affected, the FBI later put the number at around 18 million.
The breach first started in March of 2014, and it took the OPM more than a year to discover it, and then another two months to report it. This obviously raised questions about the level of security that agencies like the OPM are using and whether better ways of securing user information need to be put in place.
As far as what data was stolen, the OPM reported Social Security numbers, names, addresses and dates of birth of federal employees were taken, however it was later reported that the hack likely involved security clearance-related background information as well, meaning that non-employees who underwent background checks could have been affected, too.
- Premera Blue Cross
The second health insurance provider on the list, Premera Blue Cross revealed that it was the victim of a cyber attack back in March. According to the company, as many as 11 million customers had their information breached as part of the hack.
Premera said data such as banking details, Social Security information, birth dates, and even clinical information was stolen. In fact, while the Anthem hack was larger by scale, it didn’t include medical information, making the Premera hack the largest to involve medical data to date.
Around 6 million of the people whose information was stolen were residents of Washington state, and included employees from Amazon, Microsoft and Starbucks.
A password management service like LastPass is probably the last account you want to be hacked. Unfortunately, that’s exactly what happened earlier this year, as LastPass disclosed in June that it had been breached.
While the service did detect an intrusion on its servers, it reported that passwords for other services stored in its database should be safe. The hackers did take email addresses, password reminders, and authentication hashes, as well as master passwords. Impacted users were instructed to immediately change their master password when they were informed of the hack. LastPass also said the authentication hashes that were stolen should be encrypted strongly enough to prevent hackers from using them to access accounts.
It didn’t disclose how many people were affected by the breach, and anyone with a LastPass account should have changed their password to the service at the time.
- UCLA Health
The UCLA Health hack, disclosed in July of this year, is the third such breach on this list, resulting in an unsettling trend of health care provider systems being compromised more frequently. In this instance, hackers gained access to the personal information of a hefty 4.5 million users.
Information like names, Social Security and Medicare numbers, physical addresses, and health plan IDs were all potentially stolen.
The hackers first slipped into the system in September of 2014, and around a month later the computers detected suspicious activity. At that point, UCLA called in the help of the FBI, and in May, the university discovered the hackers accessed computers housing sensitive records.
UCLA says it’s not sure if any records were actually stolen, but if the hackers successfully breached the system, there’s a good chance they were.
- Carphone Warehouse
UK phone store Carphone Warehouse disclosed in August that it suffered a hack, reporting that around 2.4 million customers may have had their personal information compromised. Not only that, but the retailer also warned the encrypted credit card details of around 90,000 people may have been taken.
(Credit: Wikimedia Commons)
While in other cases on this list companies and agencies waited months to disclose a hack, Carphone disclosed the hack to customers days after discovering it.
Among the information stolen were names, dates of birth, addresses and bank details. Customers information was compromised in the attack were contacted by Carphone Warehouse, and if a customer didn’t hear from the company, they don’t need to worry.
All of the hacks up till now had one thing in common – they’re prime target was adults. The VTech hack, however, raised the creepy factor to a whole new level as it exposed the personal information of 6.4 million children.
As part of the hack, the company’s “Learning Lodge” app store and “Kid Connect” messaging system were breached. According to VTech, information about children’s names, gender and birth dates was accessed. Data was also stolen about many of the children’s parents, including names, mailing addresses, encrypted passwords and secret questions and answers for password retrieval.
While the attack is horribly scary, especially for parents, it will hopefully prompt toy companies like VTech to take a serious look at their security measures. The hack, according to some experts, should also serve as a wake up call for families.
Looking to Trends in 2016
The number of new malware files detected every day falls by 15,000
According to Kaspersky Lab, 2015 marked the moment when demand for new malicious programs reached saturation point.
This year saw the number of new malware files detected every day by Kaspersky Lab products fall by 15,000, from 325,000 in 2014 to 310,000. Kaspersky Lab’s experts believe this is mainly due to the fact that coding new malware is expensive and cybercriminals have realized that they can get equally good results using intrusive advertising programs or legitimate digital signatures in their attacks.
This approach appears to be working, as results show that despite the cost-cutting in malware creation, in 2015 the number of users attacked by cybercriminals increased by 5 per cent.
The number of iOS threats discovered this year has more than doubled
Symantec has released research finding that the number of iOS threats discovered this year has more than doubled, while Mac OS X threats specifically rose by 15 percent in 2014.
These threats stem from cybercrime gangs branching out to Apple platforms, as well as high-level attack groups like the Butterfly corporate espionage team that infected OS X computers in targeted organizations.
Stay safe and remember emails are still the top way to infect a machine!