2015 was a banner year for cybercriminals. And with less than a month left before the calendar rolls over, it’s worth taking a look back at the biggest, craziest and downright strangest hacks and data breaches of the last 11 months.
Eight Crazy Hacks in 2015
In no particular order, here are eight of the biggest and strangest hacks from the past year:
In February, cybersecurity experts called 2015 the “year of the health care hack,” according to Reuters. And they were right: It all started in January with the breach of more than 11 million records at Premera Blue Cross. In addition to personal data such as Social Security numbers, mailing addresses and bank account info, attackers also took aim at sensitive claims data. Further investigation by the company discovered the initial hack actually happened in May 2014, giving attackers ample time to comb the system for valuable data.
2. The IRS
At the beginning of 2015, the Internal Revenue Service rolled out a new way for taxpayers to request critical tax data with their Get Transcript service. The problem? Hackers cracked the system in February and made off with more than 300,000 records that included of tax returns and personal information. While the numbers are smaller than Premera’s breach, the impact may be larger over the long term: Stolen tax return data could be used to open new credit card accounts, file fraudulent returns and damage consumer credit ratings for years to come.
Part of the problem came from IRS reliance on knowledge-based authentication (KBA) questions, which the agency claims only the account holder can answer. The problem? It’s easy to buy this information on the Dark Web and then set up an automated submission process to rack up stolen records.
3. The Office of Personnel Management
This summer, the Office of Personnel Management (OPM) announced that the personal information of more than 4 million government employees had been hacked. As it that weren’t bad enough, things quickly took a turn for the worse: Fingerprint records had also been stolen, and after a more thorough investigation, it was determined that a staggering 22 million people were affected by the breach, a far cry from initial reports.
According to Nextgov, part of the problem came from fragmentation. The OPM didn’t know how much data it had or where all this data was stored. The end result was a personnel change at the top of the OPM for failing to effectively secure digital information and a host of Americans worried about compromised data.
It was only a matter of time. In June 2015, the password management program LastPass was hacked and more than 7 million users were affected. In addition to encrypted passwords, cybercriminals gained access to email addresses and password reminder phrases, rendering the service effectively useless.
It’s hardly a surprise: While these services promise high-level protection for passwords and claim to help users avoid the problem of forgotten logins or worse — writing down passwords on sticky notes or keeping them as smartphone reminders, for example — they’re also ideal targets for motivated attackers. In one fell swoop, malicious actors got everything they needed to compromise user accounts and lock out legitimate owners.
5. Ashley Madison
In July 2015, the Impact Team hacked Ashley Madison, the infamous social site that facilitated extramarital affairs. According to its manifesto, the group wanted Ashley Madison taken offline because most “female” profiles were fake and the company had a history of deceit. When this didn’t happen, 37 million user records were dumped on Tor and made available for public viewing. In addition to public ridicule and shame, both men and women had their credit card details exposed. One positive note? The company had used bcrypt to safeguard passwords, one of the most secure algorithms available and a significant step above more commonly seen cleartext and MD5 hashes.
It was just one, but it was enough. In July, a team of researchers was able to take total control of a Jeep SUV using the vehicle’s CAN bus. By exploiting a firmware update vulnerability, they hijacked the vehicle over the Sprint cellular network and discovered they could make it speed up, slow down and even veer off the road. It’s proof of concept for emerging Internet of Things (IoT) hacks: While companies often ignore the security of peripheral devices or networks, the consequences can be disastrous.
7. Harvard University
While the Harvard University hack wasn’t anything out of the ordinary in terms of approach or execution, it’s worth noting because of its potential scope. The university isn’t sure how many student records were affected, but since its IT systems oversee eight colleges, it’s possible the damage is extensive. There’s no guarantee that attackers stopped after breaching the first Harvard network layer, either. What about connected networks and third-party vendors? The hack also makes it clear that any information is valuable information to cybercriminals, since most college students aren’t exactly flush with cash or gifted with high credit limits, but that doesn’t matter: Opportunity is the watchword for malicious actors.
Last on the list is children’s toy manufacturer VTech. The company has just disclosed that more than 6 million children’s accounts and 5 million parents’ records were compromised on its Learning Lodge website. There are two issues worth exploring here. First is the noted lack of security provided by VTech; its password hashes were weak and the security architecture was largely out of date. Its response to consumers was also interesting: The company focused on the fact that credit card and financial data hadn’t been compromised, as if somehow that made the breach less of a threat. But that misses the point. Identity, not credit, is the currency of new hacks.
Attackers went after multiple targets in 2015, and they didn’t pull any punches. While companies are now more aware of existing risks, don’t expect attackers to slow down in 2016 — mobile, IoT and increasingly sophisticated network hacks are on the horizon for the coming year.