December 9, 2015 By Douglas Bonderud 4 min read

2015 was a banner year for cybercriminals. And with less than a month left before the calendar rolls over, it’s worth taking a look back at the biggest, craziest and downright strangest hacks and data breaches of the last 11 months.

Eight Crazy Hacks in 2015

In no particular order, here are eight of the biggest and strangest hacks from the past year:

1. Premera

In February, cybersecurity experts quoted by Reuters were already calling 2015 the "year of the health care hack." They were right. It started in January, when Premera Blue Cross discovered a breach of more than 11 million records (disclosed in March). In addition to personal data such as Social Security numbers, mailing addresses and bank account information, attackers took aim at sensitive clinical and claims data. The company's investigation later found that the initial intrusion dated to May 2014, giving attackers ample time to comb the system for valuable data.

2. The IRS

At the beginning of 2015, the Internal Revenue Service rolled out a new way for taxpayers to request critical tax data with its Get Transcript service. The problem? Attackers began working the system in February and made off with more than 300,000 records, including prior-year tax returns and personal information. While the numbers are smaller than Premera's breach, the impact may be larger over the long term: Stolen tax return data can be used to open new credit card accounts, file fraudulent returns and damage consumer credit ratings for years to come.

Part of the problem was the IRS's reliance on knowledge-based authentication (KBA) questions, which the agency assumed only the account holder could answer. In practice the answers (prior addresses, loan amounts, dates of birth) are easy to buy on the Dark Web alongside the Social Security numbers themselves, and an attacker who has them can script the request flow and rack up stolen transcripts one identity after another.
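The scripted, one-identity-after-another pattern is the thing a defender can actually see. The following velocity check is an example added to this article, not IRS code: the log format, the thresholds and every log line are constructed for the demonstration. It flags any source that presents more than a handful of distinct taxpayer identities inside a short window, while leaving the ordinary pattern (one identity, perhaps retried after a failed KBA answer) alone.

```python
"""Velocity check for automated abuse of a knowledge-based-authentication (KBA)
flow like the IRS Get Transcript service. Example added to the article, not
IRS code; the log format, the thresholds and every log line are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <source_ip> <taxpayer_id_hash> <kba_result>"
# One bot source cycles through eight purchased identities in two minutes; two
# households behave normally (one retries after a failed KBA answer).
SAMPLE_LOG = """\
2015-02-10T09:00:01 203.0.113.7 a1f3 PASS
2015-02-10T09:00:14 203.0.113.7 b2c4 PASS
2015-02-10T09:00:27 203.0.113.7 c3d5 PASS
2015-02-10T09:00:41 203.0.113.7 d4e6 FAIL
2015-02-10T09:00:55 203.0.113.7 e5f7 PASS
2015-02-10T09:01:09 203.0.113.7 f6a8 PASS
2015-02-10T09:01:22 203.0.113.7 a7b9 PASS
2015-02-10T09:01:36 203.0.113.7 b8c0 PASS
2015-02-10T09:15:00 198.51.100.2 c9d1 FAIL
2015-02-10T09:20:30 198.51.100.2 c9d1 PASS
2015-02-10T10:02:00 192.0.2.5 d0e2 PASS
2015-02-10T10:03:10 192.0.2.5 e1f3 PASS
"""

WINDOW = timedelta(minutes=10)
MAX_IDENTITIES = 4   # assumed ceiling for taxpayers legitimately sharing one source


def parse(log: str):
    """Yield (timestamp, source_ip, taxpayer_id, result) for each non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, tid, result = line.split()
        yield datetime.fromisoformat(ts), ip, tid, result


def flag_sources(log: str, window: timedelta = WINDOW, max_ids: int = MAX_IDENTITIES) -> dict:
    """Sliding window per source IP: flag any source that presents more than
    max_ids distinct taxpayer identities inside `window`.
    Returns {source_ip: (peak_distinct_identities, kba_pass_rate)}.
    A retry for the same identity never counts as a second identity, so the
    legitimate FAIL-then-PASS pattern is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, tid, result in sorted(parse(log)):
        by_ip[ip].append((ts, tid, result))
    flagged = {}
    for ip, rows in by_ip.items():
        peak, start = 0, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, len({tid for _, tid, _ in rows[start:end + 1]}))
        if peak > max_ids:
            passes = sum(1 for _, _, r in rows if r == "PASS")
            flagged[ip] = (peak, round(passes / len(rows), 2))
    return flagged


if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))
```

The identity count is the robust signal; the pass rate is reported only for context, since a bot armed with purchased answers passes almost every time but legitimate users pass often as well. In production the same check would key on more than the source IP (ASN, device fingerprint, session token), because the IRS attackers had every incentive to spread requests across addresses.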

3. The Office of Personnel Management

This summer, the Office of Personnel Management (OPM) announced that the personal information of more than 4 million government employees had been stolen. As if that weren't bad enough, things quickly took a turn for the worse: Fingerprint records had also been taken, and after a more thorough investigation it was determined that a staggering 22 million people were affected by the breach, a far cry from the initial reports.

According to Nextgov, part of the problem came from fragmentation. The OPM didn’t know how much data it had or where all this data was stored. The end result was a personnel change at the top of the OPM for failing to effectively secure digital information and a host of Americans worried about compromised data.

4. LastPass

It was only a matter of time. In June 2015, LastPass disclosed that attackers had breached the password manager's servers and taken account email addresses, password reminder phrases, per-user salts and authentication hashes for a user base of roughly 7 million. The encrypted password vaults themselves were not reported taken, so what was actually at risk was each user's master password: the reminder phrase narrows the guessing space, and the stolen hash lets an attacker test guesses offline, at leisure.

It's hardly a surprise: A service that promises to hold every credential a user has, so nobody falls back on sticky notes or smartphone reminders, is also an ideal target for motivated attackers. What limited the damage here was the hashing: LastPass stated that authentication hashes were salted and strengthened with 100,000 rounds of server-side PBKDF2-SHA256 on top of client-side rounds, which makes every offline guess expensive. Users with weak master passwords, or reminders that all but spell them out, were still exposed, which is why the company prompted master password changes and required email verification for logins from new devices or IP addresses.

5. Ashley Madison

In July 2015, a group calling itself the Impact Team hacked Ashley Madison, the infamous site that facilitated extramarital affairs. According to its manifesto, the group wanted Ashley Madison taken offline because most "female" profiles were fake and the company had a history of deceit. When that didn't happen, some 37 million user records were dumped on a Tor hidden service for public viewing. Beyond public ridicule and shame, users had their payment records, including partial credit card numbers, exposed. One positive note? The site had hashed passwords with bcrypt, a deliberately slow algorithm and a significant step above the cleartext and unsalted MD5 still commonly seen. The caveat: In September a password-cracking group recovered millions of those passwords anyway, not by attacking bcrypt but through a legacy login token that was a plain MD5 of the username and password. A slow hash only helps if no faster hash of the same secret sits beside it.
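Both the LastPass and Ashley Madison cases come down to the same offline-guessing arithmetic, so one worked example covers both. This is code added to the article, not code from LastPass or Avid Life Media; the wordlist, the users, the salts, the reminder convention and the token format are all constructed for the demonstration. PBKDF2-SHA256 from the Python standard library stands in for bcrypt, which Python does not ship; the point about per-guess cost is the same. The LastPass half shows a reminder phrase pruning the dictionary before any expensive hash is computed; the Ashley Madison half shows a leaked fast hash of the same secret reducing the bcrypt-protected password to a single confirmation.

```python
"""Offline guessing against leaked authentication hashes: what a per-user salt
and 100,000 PBKDF2 rounds buy (the LastPass case), and how a password reminder
or a fast legacy hash of the same secret (the Ashley Madison case) hands the
advantage back to the attacker. Example code added to this article; not code
from LastPass or Avid Life Media. Wordlist, users, salts, reminder convention
and token format are all constructed for the demonstration."""
import hashlib
import hmac
import os

SERVER_ROUNDS = 100_000  # LastPass's stated server-side PBKDF2-SHA256 rounds in 2015

# Constructed wordlist: 2,000 filler entries, then a few plausible choices.
WORDLIST = [f"password{i}" for i in range(1, 2001)] + [
    "letmein", "summer2015", "qwerty", "rover2015"]


def slow_hash(password: str, salt: bytes, rounds: int = SERVER_ROUNDS) -> bytes:
    """Salted, tunable-cost hash. PBKDF2-SHA256 stands in for bcrypt here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def fast_hash(text: str) -> str:
    """Unsalted single-round MD5: billions of guesses per second on one GPU."""
    return hashlib.md5(text.encode()).hexdigest()


def crack_slow(target: bytes, salt: bytes, candidates) -> tuple:
    """Test candidates against a salted slow hash; returns (match, slow hashes computed)."""
    for n, cand in enumerate(candidates, 1):
        if hmac.compare_digest(slow_hash(cand, salt), target):
            return cand, n
    return None, len(candidates)


def crack_with_reminder(target: bytes, salt: bytes, reminder: str, wordlist) -> tuple:
    """LastPass-style leak: hash, salt and reminder phrase all in the dump.
    Constructed reminder convention: the phrase ends in '... ends with <suffix>';
    the suffix prunes the wordlist before a single expensive hash is computed.
    Returns (match, slow hashes spent, size of the unpruned wordlist)."""
    suffix = reminder.rsplit(" ", 1)[-1]
    narrowed = [w for w in wordlist if w.endswith(suffix)]
    match, spent = crack_slow(target, salt, narrowed)
    return match, spent, len(wordlist)


def crack_with_legacy_token(username: str, token: str, target: bytes,
                            salt: bytes, wordlist) -> tuple:
    """Ashley Madison-style leak: next to each bcrypt hash sat an MD5 token of
    the lowercased username and password (format simplified here). Run the whole
    wordlist through MD5 and pay the slow hash once, to confirm the hit. Case is
    lost in the token; real crackers then brute-force case variants, which is cheap.
    Returns (password, fast guesses, slow hashes computed)."""
    for n, cand in enumerate(wordlist, 1):
        if fast_hash(username.lower() + cand.lower()) == token:
            if hmac.compare_digest(slow_hash(cand, salt), target):
                return cand, n, 1
    return None, len(wordlist), 0


def demo() -> dict:
    """Two constructed breach records, cracked the way each leak allowed."""
    lp_salt, am_salt = os.urandom(16), os.urandom(16)
    lastpass_record = {
        "email": "user@example.com", "salt": lp_salt,
        "hash": slow_hash("rover2015", lp_salt),
        "reminder": "dog plus year ends with 2015",
    }
    ashley_record = {
        "username": "Alice", "salt": am_salt,
        "hash": slow_hash("summer2015", am_salt),
        "loginkey": fast_hash("alice" + "summer2015"),   # the legacy fast token
    }
    return {
        "lastpass": crack_with_reminder(lastpass_record["hash"], lastpass_record["salt"],
                                        lastpass_record["reminder"], WORDLIST),
        "ashley_madison": crack_with_legacy_token(ashley_record["username"],
                                                  ashley_record["loginkey"],
                                                  ashley_record["hash"],
                                                  ashley_record["salt"], WORDLIST),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Without the reminder, the LastPass record costs a full pass over the wordlist at 100,000 rounds per entry; with it, two slow hashes. For the Ashley Madison record the bcrypt cost is paid exactly once, after MD5 has already done the work. The defensive conclusions follow directly: store no hints that correlate with the secret, and never keep a second, cheaper digest of a password next to the expensive one.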

6. Jeep

It was just one vehicle, but it was enough. In July, researchers Charlie Miller and Chris Valasek took remote control of a Jeep Cherokee: They reached the Uconnect infotainment unit over the Sprint cellular network, rewrote the firmware of a chip that can send messages on the vehicle's CAN bus and from there could make the car speed up, slow down and even veer off the road. Fiat Chrysler recalled 1.4 million vehicles as a result. It's a proof of concept for emerging Internet of Things (IoT) hacks: A peripheral such as an infotainment system is often treated as outside the safety-critical boundary, yet once compromised it bridges straight into it, and the consequences can be disastrous.

7. Harvard University

While the Harvard University hack wasn't anything out of the ordinary in terms of approach or execution, it's worth noting because of its potential scope. The university isn't sure how many records were affected, but since the compromised IT systems serve eight colleges and administrative units, the damage could be extensive. There's also no guarantee that attackers stopped at the first Harvard network they breached; connected networks and third-party vendors are the natural next step. The hack also makes clear that any information is valuable to cybercriminals: Most college students aren't flush with cash or gifted with high credit limits, but that doesn't matter. Opportunity is the watchword for malicious actors.

8. VTech

Last on the list is children's toy manufacturer VTech, which disclosed in late November that more than 6 million children's profiles and nearly 5 million parent accounts had been compromised through its Learning Lodge app store. Two issues are worth exploring. The first is the lack of security on VTech's side: Password hashes were unsalted MD5, and the security architecture was largely out of date. The second is its response: The company stressed that credit card and financial data hadn't been compromised, as if that made the breach less of a threat. That misses the point. Identity, not credit, is the currency of new hacks, and the children's names, genders and birthdates exposed here can't be reissued the way a card can.

In Conclusion

Attackers went after multiple targets in 2015, and they didn’t pull any punches. While companies are now more aware of existing risks, don’t expect attackers to slow down in 2016 — mobile, IoT and increasingly sophisticated network hacks are on the horizon for the coming year.
