It’s the holiday season, and if you are an IT security professional like me, going home for the holidays often means you are the designated briefing correspondent on all things data breaches. This year, instead of trying to explain IT jargon to my friends and family, I decided to compile a list of 2016 breaches and security incidents that will be sure to spark some interesting conversation at any holiday dinner table.
2016 Data Breach Cheat Sheet for the Security Professional
These breaches, as painful as they may be, remind us that identity and access management (IAM) is often overlooked and underbudgeted. Had there been strong controls in place to authenticate users throughout sessions, the subsequent use of any compromised credentials would have likely had a lesser effect.
Let’s take a moment to remember some of this year’s breaches that undoubtedly made the 2016 naughty list.
SWIFT’s Master Heist and Weebly’s Folly
Cyberattackers used the Bangladesh Central Bank’s SWIFT code to complete transactions amounting to around $81 million, ultimately transferring the funds from the bank’s New York account to accounts across Asia.
Additionally, Weebly announced that 43 million customers were victims of a breach that exposed their credentials and IP addresses. The web hosting service admitted it was at fault in the incident.
Yahoo and the New Perimeter
Still hurting from the 500 million accounts hacked in 2014, Yahoo made its second announcement this year, disclosing a different attack that exposed more than 1 billion accounts in 2013. The sheer volume of these attacks against a single company is unprecedented. The Yahoo breach serves as a prime example of why organizations need to adopt ways to authenticate beyond usernames and passwords. One such method is multifactor authentication, which is useful for logging into mobile devices.
Micros, a point-of-sale division of Oracle, suffered a breach that exposed hundreds of systems used by retail customers. The cybercriminals installed malware that captured usernames and passwords as they were being entered into the system.
Mirai Botnet Attack
The Mirai botnet attack disrupted some of the internet’s highest-profile websites, including Spotify, Twitter and PayPal. It originated from malware infecting poorly secured Internet of Things (IoT) devices such as routers, DVRs and mobile devices.
NSA Hacking Tools Stolen
Like any intelligence agency, the National Security Agency (NSA) houses advanced tools for hacking. This year, in one of the most impressive breaches on record, the NSA’s hacking tools were not only stolen, but later auctioned. To make matters worse, a disgruntled security professional from the NSA later stole terabytes of classified data. Et tu, Brute?
Bad Year for Social Media
MySpace, the once-mighty social networking site, suffered an astonishing security breach in which 427 million accounts were compromised. Similarly, Tumblr experienced a breach of 65 million accounts. Although the incident occurred in 2013, it went undetected until May 2016.
Finally, LinkedIn was forced to deliver several waves of crushing news to its users this past year. While the networking company originally believed that a 2012 breach put 6 million user credentials at risk, it recently notified users that the impact of the incident was actually much worse: Vice Motherboard reported that a well-known cybercriminal called Peace had been selling 117 million LinkedIn credentials.
For the IT industry, 2016 was certainly an exciting and challenging year filled with damaging yet ultimately educational breaches. Organizations still have a long way to go in the space of IAM.