It’s the walk down memory lane that no one really wants to take. This year we never got a week off from the barrage of large-scale hacks and breaches that had already ramped up so extensively in 2014. The question is whether 2016 will be a bit better or a lot worse. Here we look back on seven memorable hacks from 2015, because it’s all starting to blend together. And don’t forget, the Sony hack was already more than a year ago.
Office of Personnel Management (OPM)
This one was really, really horrible. Almost 26 million people were directly affected by a breach of the agency, which is essentially the federal government’s human resources department. Allegedly Chinese state-sponsored hackers were behind the attack and sat on the network for about a year collecting data before being discovered over the summer.
In addition to exposing extensive personal details, including social security numbers, there were two really thorny aspects of this situation. The first is that background checks compromised in the hack (for things like elevated security clearances) included extensive information about candidates’ family members, former colleagues, professional recommenders, neighbors, and others. Basically a lot of extra personal information got dragged in, beyond the already enormous trove of data on federal employees themselves. Second, the hackers accessed 5.6 million fingerprint records. This is always a problem since people can’t change their fingerprints, but you can see how this particular set of records is especially crucial, because it’s the fingerprints of government employees with security clearances.
People will feel the impact of the OPM breach for a long time to come, and it was the hack that finally crystallized the idea that China may be compiling a Facebook-like database of Americans.
Anthem
It’s never good when the second-largest health insurer in the country gets hacked, and the Anthem breach, announced in February, was part of a rash of attacks on healthcare data. But this one included the personal information of 80 million current and former customers. That’s a lot of people. The Financial Times reported in October that investigators traced the attack to China, where hackers may have been trying to gather information about the U.S. healthcare system to help the Chinese government expand its programs. Between the OPM and Anthem hacks alone, as many as a third of Americans’ social security numbers may have been compromised. And that’s just looking at two hacks.
Other government hacks
The hacking collective Anonymous claimed responsibility for a hack of the United States Census Bureau’s non-confidential networks. And don’t forget that an Internal Revenue Service breach impacted hundreds of thousands of taxpayers.
Ashley Madison
OK, this one you probably remember. A hacking group called the Impact Team released information about more than 30 million users from the adultery facilitator Ashley Madison. The group also released 20 gigabytes of company data. The hackers were trying to make a moral argument, but it was more about data privacy than romantic affairs. The hackers alleged that Ashley Madison’s parent company Avid Life Media wasn’t actually deleting user data, even after customers paid for a service called “Full Delete.” The hackers wrote, “Find yourself in here? It was ALM that failed you and lied to you. Prosecute them and claim damages.” It was definitely an odd choice to expose everyone’s data in the process of criticizing a service for poor data management. Unfortunately for Josh Duggar, though, attackers can do what they want once they take control, no matter how little sense their plan makes.
LastPass
Everyone is always saying that the best personal cybersecurity comes from turning on two-factor authentication wherever possible, creating strong passwords, and keeping track of them with a password manager. But when password manager LastPass got hacked in June, it was a powerful reminder that strong security is not an easy thing to achieve. Luckily in this case it seems like the breach was limited to email addresses, password reminder prompts, and encrypted master passwords. But even that could still put users at risk if they chose a weak master password or if their password reminder was too descriptive. LastPass said it prompted all affected customers to change their master passwords just in case.
“I have to say I’m not surprised,” cybersecurity researcher Zhiwei Li told Slate at the time. “The security quality of password managers is reasonably good … [but] security design/implementation is hard to make right.” Even Kaspersky Lab, the popular anti-virus software maker and research firm, was hacked in June.
Hacking Team
The notorious Italian firm Hacking Team, which sells surveillance tools and vulnerability exploits to governments (probably including repressive regimes), was hacked itself in July, with attackers releasing 400 gigabytes of company documents and communications. Right after the attack, Hacking Team employee Christian Pozzi told CSO Online, “The attackers are spreading a lot of lies about our company that is simply not true.”
VTech and Hello Barbie
Home electronics and toy manufacturer VTech was hacked in early November, exposing personal information from 4.8 million adult customers and 200,000 children. Yup, kids. The attackers gained access to names, birthdays, and genders—and the information may make it possible to connect children with their parents, potentially exposing where exactly they live. The breach even included photos of kids and family chat logs. Around the same time, a security researcher hacked Mattel’s Internet-connected Hello Barbie, exposing things like account information, home Wi-Fi networks, and MP3 files recorded by the dolls. Basically, November was the all-out creepy worst-case scenario you would fear for digitally connected toys. Welcome to 2015.
Cybersecurity researchers have known for years that businesses, government agencies, and other organizations lacked digital security. But 2015 was the year when average Americans learned this for themselves. Even CIA directors can’t seem to get it right. And the news keeps coming to the bitter end. Reuters reported on Thursday morning, New Year’s Eve, that Microsoft hasn’t been warning its customers when their Outlook (formerly Hotmail) email accounts are being hacked by governments. The company said on Wednesday that it would change this practice for 2016. That’ll make it a happy New Year.