BreachExchange mailing list archives

The Worst Hacks of 2015


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 23 Dec 2015 18:25:27 -0600

http://motherboard.vice.com/en_ca/read/the-worst-hacks-of-2015

Last year we witnessed some of the most shocking
<https://motherboard.vice.com/read/from-sony-to-snapchat-the-year-in-hacks-attacks-and-no-good-vulnerabilities>
cyberattacks ever, from North Korea allegedly hacking Sony
<https://motherboard.vice.com/read/why-the-fbi-believes-north-korea-is-behind-the-sony-hack>
over the release of a dumb comedy movie to unknown hackers spilling the
private nude pictures of dozens of celebrities
<http://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/>. For some,
it was the year hacking truly became the norm
<http://mashable.com/2014/12/30/infosec-2014-hacking/>.

But somehow, 2015 was worse. Hacking and data breaches weren’t just the
norm, but they reached far and wide, hitting victims of all kinds, from
regular consumers, to government employees, and even children and cheaters.
It seemed like no one was spared.

We’ve decided to look back to 2015 and revisit not only the worst data
breaches, but those that pushed the boundaries and redefined the world of
information security. In no particular order, here’s our list.

*Israel Government Allegedly Hacks Kaspersky Lab*
In the last few years, the Russian security firm Kaspersky Lab has helped
uncover some of the most secretive and high profile government-led
cyberattacks and espionage operations ever, from the landmark Stuxnet
<http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/> to Flame
<http://www.wired.com/2012/05/flame/>, Red October
<http://mashable.com/2013/01/15/red-october-cyber-espionage/>, and those of
the Equation Group
<https://motherboard.vice.com/read/the-only-way-you-can-delete-this-nsa-malware-is-to-smash-your-hard-drive-to-bits>.
This year, the tables turned when Kaspersky Lab announced it had been
hacked by a group of government-sponsored hackers, likely from Israel
(though the firm avoided pointing fingers, the malware used was
attributed
<http://www.theguardian.com/technology/2015/jun/11/duqu-20-computer-virus-with-traces-of-israeli-code-was-used-to-hack-iran-talks>
to Israel in the past). The attack on Kaspersky
<https://motherboard.vice.com/read/government-spies-are-now-hacking-cybersecurity-firms>
didn’t spill a lot of confidential data, but it was a sign of things to
come: a future where malware hunters are targeted by the very spies they’re
trying to uncover, using more than just intimidation tactics
<http://motherboard.vice.com/read/cybersecurity-researchers-are-hunted-from-all-sides>.


*The Massive Breach at OPM, The Hack That Keeps on Giving*
In May, the agency that handles practically all US government employees'
data revealed
<https://motherboard.vice.com/read/the-us-agency-that-handles-all-federal-employee-data-has-been-hacked>
it had been the victim of a monthlong intrusion, and that hackers had taken
the personal data of around 4 million people. That was bad enough, but it
turned out the breach was much, much worse
<https://motherboard.vice.com/read/the-massive-hack-on-us-personnel-agency-is-worse-than-everyone-thought>
than OPM let on.
For starters, hackers (likely Chinese) actually stole the personal
information of at least 20 million people
<https://motherboard.vice.com/read/hacker-attack-on-government-may-have-exposed-32m-federal-employees>,
including the fingerprints of 5.6 million people
<https://motherboard.vice.com/read/whoops-opm-says-hackers-stole-56-million-fingerprints-not-11-million>.
But we later also learned that the personal data stolen wasn’t just stuff
such as date of birth and names, but the intimate personal details of
millions of government workers, including those holding security
clearances. The stolen data included information on their sex lives, drug
abuses, and debt
<http://www.thedailybeast.com/articles/2015/06/24/hackers-stole-secrets-of-u-s-government-workers-sex-lives.html>—all
information that could be used to blackmail them and even blow their cover.
Oh, the OPM hack even involved White House correspondents
<https://motherboard.vice.com/read/the-sweeping-opm-hack-also-compromised-white-house-journalists>.

*Vigilante Hacker Hits Italian Spyware Vendor Hacking Team*
In early July, the usually-quiet Twitter account of the controversial
surveillance tech vendor Hacking Team got its name changed to “Hacked Team,” and
started tweeting screenshots of internal emails, as well as a link to more
than 400 gigabytes of data.

“Since we have nothing to hide, we’re publishing all our emails, files, and
source code,” read the tweet.

As it turned out, the company had been hacked
<http://motherboard.vice.com/read/spy-tech-company-hacking-team-gets-hacked>
by a hacker only known as PhineasFisher, the same mysterious vigilante
<https://motherboard.vice.com/read/hacker-claims-responsibility-for-the-hit-on-hacking-team>
who hacked
<http://motherboard.vice.com/read/a-hacker-claims-to-have-leaked-40gb-of-docs-on-government-spy-tool-finfisher>
Hacking Team’s competitor Gamma International in 2014. The files exposed
Hacking Team’s shady customers
<https://motherboard.vice.com/read/here-are-all-the-sketchy-government-agencies-buying-hacking-teams-spy-tech>,
including Sudan and Bahrain. Thanks to the cache of internal emails and
files, among many things, we also found out how someone stole the company’s
equipment in Panama
<https://motherboard.vice.com/read/hacking-teams-equipment-got-stolen-in-panama>,
how its software targeted porn sites’ visitors
<https://motherboard.vice.com/read/hacking-teams-spyware-targeted-porn-sites-visitors>,
and how the company could turn off customers’ spyware infrastructure
<https://motherboard.vice.com/read/leaked-emails-show-hacking-team-lied-to-its-rascal-customers>
thanks to a backdoor.

*Think of the Children: Toymaker Gets Hacked, Loses Parents’ and Kids’
Personal Data*
An anonymous hacker found a way into the servers
<https://motherboard.vice.com/read/one-of-the-largest-hacks-yet-exposes-data-on-hundreds-of-thousands-of-kids>
of the multinational toy company VTech, which makes internet-connected
toys. The hacker was able to access the personal data of almost 5 million
parents and 6.3 million children
<https://motherboard.vice.com/read/hacked-toymaker-vtech-admits-breach-actually-hit-63-million-children>,
including their names, home addresses, passwords, and even selfies and chat
logs. The data, however, was never published online. The hacker told
Motherboard that all he wanted was to expose and denounce
<https://motherboard.vice.com/read/vtech-hacker-explains-why-he-hacked-the-toy-company>
VTech’s poor security practices. As a result of the hack, the company had
to take down its online services, two US senators put into question
<https://motherboard.vice.com/read/us-senators-put-pressure-on-hacked-toymaker-vtech>
VTech’s security and privacy protections, and a 21-year-old was arrested
<https://motherboard.vice.com/read/british-cops-arrested-a-man-they-suspect-of-hacking-vtech>
in the UK.

*Hackers Steal Social Security Numbers of 15 Million T-Mobile Customers*
T-Mobile revealed in October that hackers had gained access
<https://motherboard.vice.com/read/data-breach-affects-as-many-as-15-million-t-mobile-customers>
to a server of the giant data broker Experian, getting their hands on
around 15 million Social Security numbers. The third-most popular mobile
phone carrier in the US tried to deflect the blame on the data broker,
which was the one actually hit with the breach. But as Motherboard managing
editor (and data breach victim) Adrianne Jeffries argued
<https://motherboard.vice.com/read/t-mobile-lost-my-social-security-number>,
“If T-Mobile can’t guarantee my Social Security number’s safety, it
shouldn’t ask for it.”

*Hackers Dox Cheaters And Embarrass Infidelity Giant Ashley Madison*
A mysterious group of hackers calling itself the Impact Team broke into
Ashley Madison, a successful and infamous website that promised discreet
affairs for married men and women. A few weeks later, the hackers released
a large data trove
<https://motherboard.vice.com/read/hackers-post-what-appears-to-be-stolen-ashley-madison-account-data>
revealing all the names of the site’s users, as well as internal emails.
The hack exposed the service’s many lies, from the faulty
<https://motherboard.vice.com/read/ashley-madisons-full-delete-wasnt-full-at-all-lawsuit-claims>
paid service to "full delete"
<https://motherboard.vice.com/read/ashley-madison-allegedly-made-millions-from-selling-its-extra-services>
an account, to its alleged army of fake women accounts
<http://gizmodo.com/almost-none-of-the-women-in-the-ashley-madison-database-1725558944>.
The hackers claimed
<https://motherboard.vice.com/read/ashley-madison-hackers-speak-out-nobody-was-watching>
it was an easy hack, saying “nobody was watching” despite the fact that
emails showed the site administrators knew it was a target
<https://motherboard.vice.com/read/ashley-madison-hackers-speak-out-nobody-was-watching>
for cybercriminals. Most of all, the hack exposed its users’ secret
lives, leaving some of them in despair
<https://motherboard.vice.com/read/im-desperate-ashley-madison-users-confide-in-a-security-researcher>
over what to do. At least three users
<http://fusion.net/story/187640/two-suicides-ashley-madison-leak/>
committed suicide, countless users got blackmailed
<http://fusion.net/story/242502/ashley-madison-hack-aftermath/>, and some
were publicly outed and doxed. Months earlier, hackers also stole data from
hookup website AdultFriendFinder
<https://motherboard.vice.com/read/hookup-service-adultfriendfinder-got-hacked>,
exposing almost 4 million users and their sexual preferences.

*The Massive Healthcare Data Spillage*
2015 was the year of the healthcare breach, with 55 recorded ones and a
whopping 100 million records stolen
<https://motherboard.vice.com/read/55-healthcare-data-breaches-have-hit-more-than-100-million-people-in-2015>.
The biggest one was the one suffered by the provider Anthem, which lost
almost 79 million records. But there were other attacks against other big
providers such as Premera and BlueCross Blue Shield.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
