2016 was not a good year for cybersecurity. Many of the year's data breaches and cyber attacks assumed historic proportions, making 2016 the worst security year so far for government, companies, and individual users alike. The danger with breaches of this scale is that they can shut down an entire business and cause serious damage to its reputation, finances, and users. The biggest hacks of 2016 demonstrated that a great deal of Internet data is still not secure. There were the usual hacks facilitated by spear phishing, as well as some ominous Internet of Things (IoT) attacks that bode ill for the future.
- Law firms, especially those involved in mergers and acquisitions, were targets in 2016. Hackers are looking for non-public information on companies for purposes of insider trading. In March 2016 news broke that some fifty law firms, including giants Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, had been targeted by a shadowy group of Russian hackers called Oleras. Following the data breach, plans were announced to bring a class action lawsuit against the attacked firms over the exposure of client information.
- Again, in December, Cravath was spearphished, presumably to discover information on the huge proposed merger of Time Warner and AT&T. Fortune magazine reported that the data breach was part of a larger initiative by the Chinese government.
- Also in December, the New York Attorney General warned of a scam in which lawyers received emails purporting to come from his office.
- The Panama Papers data breach was the largest involving a law firm in 2016. The Panamanian firm attacked was Mossack Fonseca, which sells anonymous offshore companies that can serve to sanitize illegal funds. A whistleblower provided the Süddeutsche Zeitung with about 2.6 terabytes of data on politicians, criminals, professional athletes, and others. About 400 journalists from around the world have taken part in researching the 11.5 million documents, consisting of e-mails, PDF files, photo files, and excerpts of an internal Mossack Fonseca database. The data covers a period spanning from the 1970s to the spring of 2016. About two years earlier, the whistleblower had already furnished data on a few hundred offshore companies; the Panama Papers involve about 214,000 companies.
- The leak has had profound consequences worldwide. “The main point here is that we can link companies from the Panama Papers leak not only with economic crimes like money laundering,” said Europol’s head of financial intelligence, Simon Riondet, “but also with terrorism, Russian OCGs [Organized Crime Groups], drug trafficking, human trafficking, illegal immigration, [and] cybercrime.”
- As of January 1, 2017, California joins Wyoming in making the use of ransomware a standalone crime. The law is a result of the Hollywood Presbyterian Medical Center attack in February 2016. Hackers wrested control of a few hundred computers and demanded $3.6 million in ransom. Hollywood Presbyterian finally paid $17,000 to make the hackers go away.
- Quest Diagnostics was the target in December. The data breach involved names, dates of birth, lab results, and some telephone numbers for a total of 34,000 records.
- Banner Health discovered that cyber attackers are not always looking to steal patient data. For two weeks in the summer, hackers gathered payment card data at some of Banner's food and beverage outlets. The attackers intercepted up to 3.7 million cardholder names, card numbers, expiration dates, and internal verification codes as the data passed through Banner's payment processing systems.
- Reports are still surfacing about the Russian hack of the U.S. election. Many sources claim that the goal was to influence voters toward Donald Trump, which would be consistent with the timing and targets of attacks earlier in the year. More than 19,000 emails from DNC officials were published on WikiLeaks immediately before the Democratic National Convention. Reportedly, the DNC was an easy target because it did not have an advanced email spam-filtering service. Earlier in the year the Democratic National Committee and the Democratic Congressional Campaign Committee had been hacked by a Russian group called the Dukes.
- According to a report issued by US intelligence agencies in January 2017, Russia used standard attack tools to exfiltrate data. It supplemented these attacks with smear campaigns run not only through the Russian government and state-controlled media, but also through third-party intermediaries and paid social media users or "trolls". Furthermore, after Election Day Russian intelligence began a spearphishing campaign targeting US government employees and individuals associated with US think tanks and NGOs in the national security, defense, and foreign policy fields.
- One of the largest government breaches in history occurred in March, when 55 million records were stolen from the Philippine Commission on Elections (COMELEC). It started with the hacktivist group Anonymous posting a message on COMELEC's website warning the government not to interfere in the Philippine elections. Then the entire COMELEC database was stolen and posted online on multiple mirror servers for download. The database contained personally identifiable information on every registered Philippine voter, including passport information and fingerprint data.
There were fewer breaches in the retail industry than in earlier years, which saw the huge attacks on Target (2013) and Home Depot (2014). Still, there was enough to worry about.
- In July, South Korea blamed North Korea for stealing 20 million records from Interpark, an online shopping mall, claiming that the purpose was to obtain foreign currency. Interpark had received an anonymous message threatening to publicize the leak of personal data unless it paid the equivalent of about $2.6 million in South Korean currency.
- Toy maker VTech experienced a breach of 6.4 million children's accounts in December 2015. The pattern continued with the hack of 3.3 million accounts at Sanrio, best known for its Hello Kitty products. The records included names, weakly encrypted birth dates, gender, country of origin, email addresses, unsalted SHA-1 password hashes, and password hint questions with their answers. Unsalted SHA-1 is a poor way to store passwords: the hash is fast, and without a per-user salt a single precomputed table of common passwords cracks every account that used one of them in one pass. For an adult, having such personal data revealed is bad enough. However, since most parents don't monitor their child's credit record, any fraud stemming from the hack might not be detected for years.
- In November, an employee login was used to access servers at Three Mobile. Reportedly, private information of up to two thirds of the company's nine million customers could have been exfiltrated.
- In August, the Telegram instant messaging service experienced what was widely described as the largest known breach of an encrypted messaging system. The Achilles heel was Telegram's use of SMS text messages to activate new devices. Hackers associated with the Iranian government intercepted those messages and used the activation codes to add devices of their own to victims' Telegram accounts. Because Telegram's default cloud chats are stored on its servers and synchronized to every device on the account (only its optional "secret chats" are end-to-end encrypted), the hackers could then read chat histories and monitor new messages. Over a dozen accounts were compromised this way. In addition, the phone numbers of 15 million Iranian users were leaked.
Breaches that affect all industries
Every company was potentially affected by the SWIFT hack. The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides a network that enables financial institutions worldwide to send and receive information about financial transactions.
After a malware attack against Bangladesh Bank that resulted in the theft of $81 million, SWIFT issued a software update that detects the attacking malware. In September, the organization announced a set of mandatory security controls; starting in 2018, customers must demonstrate each year that these controls are in place.
Targeting IoT Devices
Cybercriminals targeted Internet of Things (IoT) devices such as webcams, TVs, and DVRs to a much greater extent than before. Since Gartner predicts that there will be 20.8 billion IoT devices by 2020, attacks like those of 2016 are likely to recur. In October, a host of websites were disrupted by large distributed denial of service (DDoS) attacks against the Domain Name System (DNS) hosting provider Dyn. Some 20,000 IoT devices infected with the Mirai malware formed the botnet, which delivered attack traffic at rates of up to roughly one terabit per second. DDoS was also used against IoT devices themselves: in October, cybercriminals knocked out the heating in two buildings in the Finnish city of Lappeenranta by flooding the buildings' Internet-connected automation systems.
In 2016, Yahoo broke the record for the largest announced hack in history, twice. In September Yahoo reported a 2014 breach of at least 500 million user accounts. Then in December, Yahoo revealed that another hack, in 2013, had exposed data on 1 billion users. This goes to show that your Internet information may already have been hacked; you just don't know it yet. What is worse, a database concerning 57 million people appeared for sale on the dark web in May 2016. The origin of the data, which included email addresses, passwords, and cell numbers, is unknown. The passwords were hashed with MD5, a fast hash function rather than an encryption cipher, and MD5 password hashes can be cracked in bulk against a wordlist in minutes.
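To make concrete why the unsalted SHA-1 hashes in the Sanrio dump and the MD5 hashes in the 57-million-record database are such a problem, here is an added Python example; it is not code from the article or from any of the companies mentioned. The user records and the wordlist are constructed for illustration, and the example assumes the MD5 hashes were stored unsalted, which the article's description implies but does not state. It runs a dictionary attack against unsalted SHA-1 and MD5 tables using one shared lookup, then stores the same passwords with per-user random salts and PBKDF2 and runs the same attack again to show that the attacker's cost becomes per user and per iteration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from any breach in the article).  The plaintexts
# exist only so the "leaked" tables can be built; an attacker sees only digests.
# Note that alice and carol chose the same password.
PLAINTEXTS = {
    "alice": "hellokitty",
    "bob": "123456",
    "carol": "hellokitty",
    "dave": "xK9#v!Qe2pLm",   # deliberately absent from the wordlist
}

# A tiny constructed wordlist; real attacks use hundreds of millions of entries.
WORDLIST = ["password", "123456", "hellokitty", "qwerty", "letmein"]


def unsalted_digest(algo: str, password: str) -> str:
    """Hash a password the way the breached sites did: one fast hash, no salt."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


LEAKED_SHA1 = {user: unsalted_digest("sha1", pw) for user, pw in PLAINTEXTS.items()}
LEAKED_MD5 = {user: unsalted_digest("md5", pw) for user, pw in PLAINTEXTS.items()}


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str], algo: str) -> Dict[str, str]:
    """Dictionary attack on an unsalted hash table.

    Without a salt, every account that chose the same password has the same
    digest, so the attacker computes len(wordlist) digests once and looks the
    entire table up against them.  The cost does not grow with the number of
    users, which is what makes a 3.3 million or 57 million row dump cheap.
    """
    lookup = {unsalted_digest(algo, word): word for word in wordlist}
    return {user: lookup[digest] for user, digest in leaked.items() if digest in lookup}


# --- the defended form: per-user salt plus a slow, iterated KDF ---------------

ITERATIONS = 200_000   # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the digest and compare in constant time to avoid a timing leak."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted(stored: Dict[str, Tuple[bytes, bytes]], wordlist: List[str],
                 iterations: int) -> Dict[str, str]:
    """The same dictionary attack against salted PBKDF2 records.

    Each user has a distinct salt, so no lookup table can be shared: the
    attacker pays len(wordlist) * iterations HMAC rounds for every user.
    Weak passwords still fall, but the per-user cost is what buys time to
    force resets after a breach.
    """
    cracked = {}
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            if verify_password(word, salt, digest, iterations):
                cracked[user] = word
                break
    return cracked


if __name__ == "__main__":
    print("unsalted SHA-1 cracked:", crack_unsalted(LEAKED_SHA1, WORDLIST, "sha1"))
    print("unsalted MD5 cracked:  ", crack_unsalted(LEAKED_MD5, WORDLIST, "md5"))
    print("alice and carol share a SHA-1 digest:",
          LEAKED_SHA1["alice"] == LEAKED_SHA1["carol"])
    stored = {user: hash_password(pw) for user, pw in PLAINTEXTS.items()}
    print("salted PBKDF2 cracked (paid per user):",
          crack_salted(stored, WORDLIST, ITERATIONS))
```

PBKDF2 is used here because it ships in the Python standard library; where bcrypt, scrypt (hashlib.scrypt on OpenSSL 1.1 or later) or Argon2 is available, prefer one of those, since their memory cost further blunts GPU and ASIC cracking. Whatever the KDF, the two properties that matter are visible in the code: a unique salt per record, and a work factor that makes each guess expensive.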
And life goes on …
Cybersecurity breaches should never be taken lightly. While the incidents outlined in this article are large scale and high profile, businesses of every size can learn from these mistakes and take steps to avoid repeating them. We expect these attacks to mutate further in 2017: we will see new twists in old packages. Protecting data will continue to be a challenge, requiring increasingly sophisticated security software. Happy 2017!
Were you directly affected by one of these breaches? We’d love to hear your story, please get in touch at firstname.lastname@example.org