In our 2015 predictions, “The Invisible Becomes Visible,” Raimund Genes, our Chief Technology Officer (CTO), said that in 2015 “Increased cyber activity will translate to better, bigger, and more successful hacking attempts.”
Now that 2015 has passed, we can look back and take the measure of the truth of that prediction. As you’ll see in our 2015 Annual Security Roundup “Setting the Stage: Landscape Shifts Dictate Future Threat Response Strategies” 2015 was indeed the year of “better, bigger and more successful hacking attempts,” certainly from the standpoint of attacks against and theft of data. If there is an underlying theme to most of the major developments in the 2015 Annual Threat Roundup, it’s data. Data that is attacked. Data that is lost. Data that is stolen. Data that is sold. The most notable thing about the attacks against data that we saw in 2015 is that cyberattacks that result in data theft are now having an ever greater real-world impact. This is a trend likely to continue into 2016 and beyond.
That 2015 is a year of attacks against data isn’t surprising: it seems not a month would go by without some major data breach occurring (which, by the way, was one of Raimund’s predictions for 2014). As the year started, we were still reeling from the Sony data breach. By the end of the year we were looking at the VTech data breach endangering children’s information. In between these two events, we had multiple Blue Cross and Blue Shield chapters hit, Scottrade, Experian, and the UCLA Health System. And even the United States Federal Government showed their data was attacked and stolen with both the Internal Revenue Service and the Office of Personnel Management reporting an aggregate of over 120 Million records stolen (and at the time of this writing those numbers continue to go up). As if that alone wasn’t enough evidence that attacks against data were the theme of the year, there’s the Ashley Madison data breach that rewrote the rules about what data breaches are about and what harm they can cause.
But attacks against data in 2015 didn’t just focus on stealing the data. Ransomware roared back to life in 2015 after a long hiatus in the form of crypto-ransomware. Crypto-ransomware took the ransomware scourge to a new level by adding essentially unbreakable encryption and using it to target victims’ data and hold it hostage unless a ransom was paid. As if that weren’t bad enough, crypto-ransomware attackers finished off the year by pivoting their attacks to focus on businesses rather than individuals. Attackers recognized once again that attacks that target data are more painful when directed at businesses rather than individuals. And, they realized, businesses have access to greater funds and so make for a richer target.
Of course, theft doesn’t exist in a vacuum: something has to happen with information once it’s been stolen. As our multi-year series on the Cybercrime Underground Economy in the Deep Web has shown, the economics of theft have matured over the years into full-fledged economic ecosystems. A major shift in the supply of something in an economy has an impact on its price. And in 2015, as we saw more and more data being successfully stolen, we then saw the impact of this surge in the supply of stolen data on the overall cybercrime underground economy.
Just like you’d expect with a surge in supply, we saw a plateau or even drop in price for some cybercrime staples like stolen credit card information and even stolen personal information. Of course, just because prices drop doesn’t mean that cybercriminals are ready to close up shop: we saw some cybercriminals adapt to the market reality by finding new sources of stolen data and looking to sell those are the cybercrime underground. In particular, we found in 2015 that stolen Netflix, Spotify, Uber and online Poker accounts were becoming popular and increasing in price.
In the end though, the most noteworthy event around attacks against data for 2015 has to be the Ashley Madison data breach. From the beginning it was clear this was different when attackers made clear their intentions weren’t around financial gains for themselves but harm for the victims. And the new, different, terrible nature of this data breach became clear as we learned about the real world harm and damage this data breach caused. From personal embarrassment to broken marriages to lost jobs and even reported deaths by suicide, the Ashley Madison data breach has cause more harm to people’s lives than any other data breach to date.
The role of attacks against data in 2015 shows how online security has turned a corner in many ways. The worst we’re protecting against is no longer just the inconvenience of lost data or even the loss of money: it’s the loss of family, friends and even self.
As more and more data moves onto Internet of Things devices and into the cloud and attackers continue to hone and perfect their craft, we can expect 2016 and beyond to be more like 2015. There is no reason to think that attacks against data will be any less prevalent or successful or the consequences of those attacks any less harmful. Its one reason why Raimund has predicted that 2016 will be the year of online extortion: attackers have no reason to stop something that’s a success.
What the coming year actually hold remains to be seen. But we will be back next year to take the measure of 2016 to understand how this year developed and what we need to understand about it to be better prepared in 2017.
For the full report, please click here.