High-profile, large-scale cyber attacks and related fallout occupied headlines throughout most of 2015. According to The Identity Theft Resource Center, an estimated 750 data breaches affected more than 170 million records this year. Let’s take a stroll down memory lane by evaluating some of the worst breaches of 2015.
On the second day of National Cyber Security Awareness Month – this October – financial firm Scottrade became the victim of a data breach that affected more than 4.5 million customers. The St. Louis-based company sent out an email and shared information about the breach via a Web post, revealing that personal data such as Social Security numbers, names, addresses and contact information had been stolen. Scottrade was informed by federal investigators, who were in the process of examining a similar string of cyber attacks against various other financial firms, that the hackers were most likely after contact information.
Later reports would verify this claim. In November, four suspects were indicted not only in the attack against Scottrade, but also in the massive JP Morgan Chase attack of 2014 that allowed them to pilfer 80 million customer records, the breach of Dow Jones – parent company of the Wall Street Journal – and multiple others, according to Wired. The hackers were running a slew of other schemes intended to make quick cash, but their alleged reason for going after Scottrade was to create their own brokerage business. The situation highlights the variety of ways hackers stand to gain from a diverse range of customer information.
Right around the time that Scottrade notified customers of a potential breach, T-Mobile announced that 15 million of its customers may have had personal information stolen as a result of a data breach against Experian, which up until that point had been processing the telecom’s credit applications. The breach could not have happened at a worse time, as T-Mobile had just passed Sprint to become the third-largest cellular carrier in the U.S. in August.
Trend Micro noted similarities between the T-Mobile incident and the Heartland Payment Systems breach in 2009. In both cases, companies responsible for processing payment information were exploited by hackers. In conjunction with the breaches against Scottrade, JP Morgan and others, the Experian breach highlights the importance of data encryption and ironclad cyber security in the financial sector – even if the company is a middle man, like Experian. Targeted attacks are becoming the norm and organizations may see many more of them in 2016.
The Office of Personnel Management
Although the OPM breach was not the largest data breach in 2015, it is undoubtedly one of the most memorable in recent history. The actual damage involved the theft of sensitive information from 21.5 million people, as well as biometric data of 5 million. Those affected were principally government workers and their families. As of December, the Chinese government had arrested multiple hackers that it claimed were responsible for the OPM breach. Not everyone saw this as a victory.
“We don’t know that if the arrests the Chinese purported to have made are the guilty parties,” said a U.S. official, according to the Washington Post.
This official was not alone in these sentiments, as in the time leading up to the attack, many others believed that the breach may have been state-sponsored. There has yet to be any new evidence released to support these notions. In the aftermath, the OPM notified those who were affected, and offered free limited-time identity protection services.
This breach weighs heavily on the minds of cyber security experts and laymen alike for several reasons, one of which is the unproven notion that China has a bigger hand in the breach than meets the eye. However, the incident highlights a more significant concern: the growing threat to critical infrastructure in the U.S., including government agencies, transportation, water services and the electric grid. According to Trend Micro research, hackers are becoming increasingly interested in going after critical industry and infrastructure, and many countries in the western hemisphere, including the U.S., are not fully prepared to handle potential worst-case scenarios.
While the OPM breach was alarming, the consequences of a successful attack on the electric grid could be far more severe.
Honorable mentions: Ashley Madison, VTech
In July, extramarital-affair website Ashley Madison was breached. Going by the name “Impact Team,” the hackers eventually dumped login information, names, email addresses and other data of 32 million users after their demands for the website to be shut down were not met. According to Wired, the breach may have had mixed motives, attacking Ashley Madison both for its morally questionable business model and because the company was charging customers a $19 fee to erase data after use, but not following through.
On the opposite end of the spectrum, VTech, a manufacturer of children’s electronics, was breached in late November. The breach exposed the data of approximately 5 million adults, along with pictures of 200,000 children. The fact that the attacker claimed to be acting solely with the purpose of exposing a security flaw, according to Motherboard, is little consolation for those affected. The incident further highlights the contentious, and growing, concern of hacktivism.
Needless to say, 2015 was a good year for the bad guys. Improve cyber security this New Year with threat protection solutions from Trend Micro.