Biggest data breaches of 2015

From Ashley Madison to VTech it has been a nasty data breach year
  • Tim Greene (Network World)
  • 02 December, 2015 21:12

Big data breaches made big news in 2015 as measured by a variety of criteria that range from the number of records compromised to the types of data stolen to the potential threat to specific groups such as children.

The recent VTech Learning Lodge hack, for example, affected about 5 million adults and 200,000 children, including photos of parents and kids. By linking stolen children’s names with their parents’ names, attackers could figure out the last names and locations of the kids.

Multiple breaches at the U.S. government’s Office of Personnel Management over nearly a year led to theft of data on 22 million current and former federal employees that included the fingerprints of about 5 million. Among those affected: members of law enforcement and intelligence communities. The agency had lots of problems, including the lack of a comprehensive inventory of its IT assets.

Two major health insurers, Anthem and Premera, were hacked, likely by the same actor, resulting in the largest theft of medical records to date. Both break-ins were discovered on the same day, leading some to think law enforcement had discovered the attacks and tipped off the victims. The perpetrators seemed to be after intelligence as opposed to data they could sell for cash, indicating that a nation might be behind it. The breaches involved methods and tactics attributed to a Chinese group known as Deep Panda.

The Hacking Team, an Italian business that sells zero-day exploits to governments so they can break into systems, was itself hacked, much to the delight of social media. The posting of gigabytes of stolen data revealed that staff used weak passwords and that the company sold to some governments with poor human-rights records. It also made public the zero-day exploits in its arsenal, some of which were subsequently used in the wild.

And there was Ashley Madison, the site for married people to find other married people with whom to have affairs. Its customer records were posted publicly, leading to much embarrassment, heartache and perhaps two suicides. It also represented a treasure trove of potential spear-phishing victims.

Below is a list of some of the top hacks of 2015 with a summary of what was stolen, how and the impact.

Ashley Madison

Data compromised – 37 million customer records including millions of account passwords made vulnerable by a bad MD5 hash implementation

How they got in – Unclear.

How long they went undetected – Discovered July 12, 2015; when the attackers got in is undisclosed.

How they were discovered – The hackers, called the Impact Team, pushed a screen to employees’ computers on login that announced the breach.

Why it’s big – The attackers posted personal information of customers seeking extramarital affairs with other married persons, which led to embarrassment, and in two cases, possible suicides.
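The Ashley Madison entry above attributes the password exposure to a bad MD5 hash implementation. The following Python is an added example, not code from the article or from any company named in it: it contrasts unsalted MD5 password storage with a salted, iterated PBKDF2-HMAC-SHA256 scheme, and shows why the former lets a single correct guess recover every account that shares a password. The sample usernames and passwords, the iteration count and the stored-record format are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample: two users who happened to choose the same password.
SAMPLE_USERS: Dict[str, str] = {"alice": "Summer2015", "bob": "Summer2015"}

# Assumed cost parameter; tune to the hardware so one verification takes tens of ms.
PBKDF2_ITERATIONS = 200_000


def md5_store(password: str) -> str:
    """The weak scheme: one unsalted, fast MD5 digest of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: per-user random salt plus slow, iterated PBKDF2-HMAC-SHA256.

    Record format (an assumption for this example):
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def shared_digest_count(hashes: List[str]) -> int:
    """Number of distinct digests that occur more than once.

    Each such digest is a cluster of accounts that one successful guess unlocks;
    with per-user salts the count is always zero.
    """
    counts: Dict[str, int] = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def looks_like_raw_md5(stored: str) -> bool:
    """Audit helper: a bare 32-hex-character value is consistent with an unsalted MD5 digest."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


if __name__ == "__main__":
    md5_hashes = [md5_store(p) for p in SAMPLE_USERS.values()]
    kdf_hashes = [pbkdf2_store(p) for p in SAMPLE_USERS.values()]
    print("MD5 shared-digest clusters:   ", shared_digest_count(md5_hashes))
    print("PBKDF2 shared-digest clusters:", shared_digest_count(kdf_hashes))
    print("Raw-MD5-looking records:", sum(looks_like_raw_md5(h) for h in md5_hashes))
```

`looks_like_raw_md5` is the kind of check an auditor runs over a credential table when deciding whether a store needs migrating; `shared_digest_count` makes the damage model concrete, since identical plaintexts under unsalted MD5 collapse to one digest and are recovered together.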

Office of Personnel Management

Data compromised – Personnel records on 22 million current and former federal employees

How they got in – Using a contractor’s stolen credentials to plant a malware backdoor in the network.

How long they went undetected – 343 days

How they were discovered – Anomalous SSL traffic and a decryption tool were observed within the network, leading to a forensic investigation.

Why it’s big – It appeared to be a data mining operation, seeking data on individuals for intelligence purposes as opposed to data to be exploited for cash. The stolen personnel records include those of employees holding sensitive jobs in law enforcement and intelligence, and also include their fingerprints.

Anthem

Data compromised – Personal information about more than 80 million people

How they got in – A possible watering hole attack that yielded a compromised administrator password

How long they went undetected – Nine months

How they were discovered – A systems administrator noticed a legitimate account was querying internal databases without the legitimate user’s knowledge.

Why it’s big – It resulted in the largest number of records compromised in a healthcare network and bore the fingerprints of Deep Panda, a group known for breaking into technology, aerospace and energy firms as well as another health insurer, Premera.

Hacking Team

Data compromised – 400GB of internal files including zero-day exploits the company planned to sell, source code, a list of its customers and emails

How they got in – Attackers gained access to an engineer’s PC while it was logged into the network. (His password was Passw0rd.)

How long they went undetected – Undisclosed

How they were discovered – Attackers announced it by commandeering the company’s Twitter account and renaming it Hacked Team

Why it’s big – It revealed the customer list for the attack tools that Hacking Team sold and gave insight into how it negotiated sales and for how much. It was ironic in that a firm selling hacking tools was itself hacked.

Premera

Data compromised – Names, dates of birth, addresses, telephone numbers, email addresses, Social Security numbers, member identification numbers, medical claims information and financial information for 11 million customers

How they got in – Perhaps using phishing to lure employees to look-alike (typo) domains that downloaded malware

How long they went undetected – May 5, 2014 to Jan. 29, 2015

How they were discovered – Undisclosed.

Why it’s big – It was the largest breach of medical records, and the methods used in the attack are similar to those used against Anthem and likely used by the same attack group. Both attacks were discovered the same day.

IRS

Data compromised – Tax records for 330,000 taxpayers used to collect bogus refunds

How they got in – Using apparently stolen credentials and knowledge-based authentication information, they gamed the IRS filing and refund systems.

How long they went undetected – Uncertain

How they were discovered – Attackers sent so many requests for old tax returns that the IRS IT team thought it was a DDoS attack and investigated.

Why it’s big – The thieves collected tens of millions of dollars in fraudulent refunds as well as all the data included on the tax forms they scammed from the IRS.
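Two of the discoveries above are worth turning into detection logic: Anthem's intrusion surfaced because a legitimate account was querying databases its owner was not using, and the IRS activity surfaced as an abnormal volume of transcript requests. The Python below is an added example written for this page, not code from the article or from either organization. It parses a constructed audit log (the line format, hostnames, account names and baseline are all assumptions) and raises both signals: an account acting from a host or at an hour outside its baseline, and a source issuing more requests of one kind than a threshold allows within a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample audit log (not real data). Assumed line format:
#   <ISO timestamp> user=<account> src=<host or IP> action=<what>
# 203.0.113.0/24 is the RFC 5737 documentation range.
SAMPLE_LOG = """\
2015-01-27T09:12:04 user=dba_j src=ws-0412 action=query:members
2015-01-27T09:13:51 user=dba_j src=ws-0412 action=query:claims
2015-01-27T23:41:07 user=dba_j src=vpn-gw-9 action=query:members
2015-01-27T23:41:09 user=dba_j src=vpn-gw-9 action=query:members
2015-01-27T10:02:00 user=svc_etl src=batch-01 action=query:claims
2015-01-28T02:15:30 user=web_refund src=203.0.113.7 action=get_transcript
2015-01-28T02:15:31 user=web_refund src=203.0.113.7 action=get_transcript
2015-01-28T02:15:31 user=web_refund src=203.0.113.7 action=get_transcript
2015-01-28T02:15:32 user=web_refund src=203.0.113.7 action=get_transcript
2015-01-28T02:15:32 user=web_refund src=203.0.113.7 action=get_transcript
2015-01-28T02:15:33 user=web_refund src=203.0.113.7 action=get_transcript
"""

# Constructed baseline: the hosts and local hours each privileged account normally uses.
BASELINE = {
    "dba_j": {"hosts": {"ws-0412"}, "hours": range(8, 19)},
    "svc_etl": {"hosts": {"batch-01"}, "hours": range(0, 24)},
}

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) action=(\S+)$")


def parse(log_text: str) -> List[dict]:
    """Turn the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, action = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "action": action})
    return events


def off_baseline_use(events: List[dict], baseline: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Anthem-style signal: a known account acting from a host or at an hour outside its baseline.

    Returns sorted, de-duplicated (user, source) pairs. Accounts with no baseline are ignored
    here; in practice they would go to a separate 'unknown principal' queue.
    """
    findings = set()
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            continue
        if e["src"] not in b["hosts"] or e["ts"].hour not in b["hours"]:
            findings.add((e["user"], e["src"]))
    return sorted(findings)


def request_bursts(events: List[dict], action: str, threshold: int,
                   window_seconds: int = 60) -> List[str]:
    """IRS-style signal: a source issuing more than `threshold` requests for `action`
    within any `window_seconds` sliding window. Returns the offending sources."""
    per_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e["action"] == action:
            per_src[e["src"]].append(e["ts"])
    bursts = []
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                bursts.append(src)
                break
    return sorted(bursts)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("off-baseline account use:", off_baseline_use(evs, BASELINE))
    print("transcript-request bursts:", request_bursts(evs, "get_transcript", threshold=5))
```

The baseline check deliberately keys on (user, source) rather than on single events, so a compromised credential used from a new host over a long period produces one finding to triage rather than thousands; the burst check uses a true sliding window rather than fixed buckets so a flood straddling a minute boundary is not missed.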

Slack

Data compromised – Its database of usernames, email addresses and hashed passwords and some phone numbers and Skype IDs

How they got in – Undisclosed

How long they went undetected – Four days

How they were discovered – Undisclosed, but afterwards Slack activated two-factor authentication and noted it had seen suspicious activity in some accounts.

Why it’s big – Slack is a popular collaboration platform in which businesses work on critical projects where security is a must.

Experian breach affecting T Mobile

Data compromised – Names, addresses, dates of birth, and encrypted Social Security numbers and other ID numbers, though the encryption protecting them may itself have been compromised

How they got in – Undisclosed

How long they went undetected – 15 days

How they were discovered – Undisclosed

Why it’s big – The theft points out the lines of trust – warranted or not – that exist among businesses and how consumers can be affected by the security lapses of companies they don’t deal with directly.

mSpy

Data compromised – Customer screenshots, geolocation data, chat logs, location records on up to 400,000 users

How they got in – Undisclosed

How long they went undetected – Undisclosed

How they were discovered – Became public when security blogger Brian Krebs posted he’d been tipped to hundreds of gigabytes of mSpy customer data posted to the Dark Web

Why it’s big – Demonstrates the danger of dealing with spyware companies.