2017 may be remembered as the year where people and organizations were hammered by mega breaches. We estimate that more US residents lost private or sensitive data this year than ever before.
This is largely thanks to massive cyber events which were either designed to steal data, hold a company for ransom, or embarrass organizations by publicizing private data, such as customer details to unreleased television series. Sometimes, however, it’s just do to simple human error.
We’ve compiled a list of what we see as the biggest computer hacks, data leaks and breaches of the year and summarise the main take-aways for organisations today.
WannaCry was a ransomware worm that suddenly started spreading rapidly in the early hours of Friday May 12, UK time. Lawrence Abrams of BleepingComputer, said WannaCry wasn’t a big player in the ransomware space until “something caused it to be spread far and wide very quickly.” It turned out that the ransomware worm had been modified to exploit a critical Microsoft Vulnerability, referred to as Microsoft Security Bulletin MS17-010, first made available in mid March 2017. Unpatched Windows computers were vulnerable. While most home users automatically update the latest patches, organizations sometime delay the process.
Takeaway: Ransomware is a growing threat that has proved lucrative for attack agents. It’s vital to make their jobs as difficult as possible. WannaCry reminded organization to review their vulnerability and patching policy https://tbgsecurity.com/cybersecurity-architecture-assessment/ to ensure they do not leave their systems open to a quickly and wildly spreading threat, such as this ransomware.
198 million US voter records, going back more than 10 years, were left unprotected on a publicly accessible Amazon S3 server by conservative data firm called Deep Root Analytics. The security issue was due to a misconfigured server. While a lot of the data would have been publicly accessible via other means, this case highlights how lack of expertise when dealing with system and data security can leak to a privacy disaster.
Takeaway: Mistakes happen, and despite good intentions, IT staff who insufficiently trained and skilled at information security put organisations at much greater risk. A security breach that impacts the confidentiality and integrity of sensitive data opens the door to a host of business problems: negative publicity, corporate brand damage, loss of customer trust, investigations, litigation and fines. Getting experts to assessing your system to find misconfigurations and vulnerabilities radically improves an organisation’s security posture.
Similar to the Sony hack of 2015, 1.5 terabytes of HBO data were stolen, including full episodes of unreleased shows and sensitive internal documents. New programs were leaked online prior to release dates. A ransom note said that HBO would need to pay millions of dollars to stop the episodes from leaking. There were rumours that HBO was planning to pay $250,000 to the attackers as a bug bounty, but later claimed it was a ruse to buy time. In November 2017, United States officials charged an Iranian hacker for the theft of 1.5 terabytes of data from HBO in May, an attack that tormented network executives and included the release of several unaired programs and scripts.
Takeaway: One of the major difficulties with organisations like HBO is the sheer number of third party companies involved in the process. Each of these which facilitate access to sensitive data must have a hardened security. Involving the authorities from the get-go can also help in catching the perpetrator(s). Cyber training is also strongly recommended for any employee or contractor who has access to sensitive data or systems.
The very private data (SSN numbers, driver licenses, credit details…) of an estimate 140 million people was stolen from one of the three largest credit agencies in the U.S., Equifax. Because of the sensitivity of the data stolen, the Equifax data breach is considered one of the worst hack of 2017. From May to July, hackers exploited a vulnerability in the website. Equifax discovered the breach on July 29.
Takeaway: This Equifax breach reminds us that regular website risk assessments would have caught this vulnerability and saved the company a lot of embarrassment, business disruption and money. Equifax did not gotten off lightly, though maybe some of the senior honchos did. Shareholders saw the share price plummeted by an astounding 34% percent following the data breach announcement.
Four months after Verizon acquired Yahoo’s core internet assets, it was revealed that every single customer account – so 3 billion Yahoo accounts – were impacted by the Yahoo! Breach, 2 billion more than was originally stated. While the stolen data from the breach did not include passwords in clear text, payment card or bank account data, Yahoo said it “believes an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts.”
Takeaway: Ensure everyone you love (or like) knows the importance of having a unique passwords for each online account – a password manager may be useful to help individuals remember each complex password. This breach not only affected residents of the US, but people from around the world. You can check to see if your email login details have been stolen as part of this breach by visiting https://haveibeenpwned.com/. It’s a good idea to ensure your passwords for any email accounts listed are changed and that multi factor authentication is turned on.
It was revealed in November 2017 that Uber had failed to disclose a year-old hack that impacted more than 57 million rider and driver accounts. Uber also confirmed it had paid the hackers responsible $100,000 to delete the data and keep the breach quiet. The CSO at the time, Joe Sullivan, paid off the hackers secretely and made it look as though the transaction was compensation for a bug bounty program.
Takeaway: If you are a victim of a breach, It is wise to launch your crisis management strategy, which must include disclosing the breach to affected parties. People need to know that they are advised to reset passwords and take whatever steps required to protect their other accounts.
There you have it – our list of 2017 worst data breaches. But the year isn’t out yet, so we reserve the right to make amendments to this article come the new year. 😉
Want to discuss any of these elements more in depth? Give the info security and compliance experts at TBG Security a call – they’re here to help.