Top 10 Data Breaches Of 2015 — A New Year’s Day Retrospective

Roane Holman
Jan 19, 2016


2015 may have come and gone, but the effects of last year’s data breaches are far-reaching, for the millions of consumers and internet users whose records were exposed as well as for the companies and organizations whose systems were breached.

The brand damage is no less devastating than the direct losses, and 2016 will likely bring a heightened security awareness among organizations and consumers alike.

Cyber criminals do not discriminate by industry: weak security controls and poor infosec practices are the only prerequisites for becoming a data breach victim. Last year’s infosec headlines make that plain, with everything from professional sports to healthcare hit hard by attackers. Here’s a retrospective featuring the top 10 data breaches of 2015.

10. St. Louis Cardinals/Houston Astros

In June of 2015, the U.S. Justice Department and FBI investigate the St. Louis Cardinals in response to allegations that their employees hacked into the rival Houston Astros’ network, stealing confidential information like player evaluations, trade discussions, and other data. Court filings in the case (the Cardinals’ former scouting director pleaded guilty in January 2016) describe an entry point as mundane as it gets: a password closely resembling one the victim had used during his own time with the Cardinals. Revoking and rotating credentials when staff move to a competitor is basic hygiene, and it would have closed this door. One of the more unconventional cyber espionage data breaches in recent years, the Cardinals/Astros hack may be a sign of things to come in professional sports, given how data-driven sports strategy has become.

9. Ashley Madison

Hacker group The Impact Team steals and releases over 25 gigabytes of user records from popular extramarital affair website Ashley Madison in July/August of 2015, giving divorce attorneys around the world cause for celebration. The dump also included records of users who had paid for the site’s “full delete” option, a reminder that a deletion promise is only as good as the retention controls behind it. It’s unlikely that the company will recover from this potentially fatal blow to its business, despite its dubious claim that registrations surged after the breach.

8. Four Winds Casino

Casinos move cash and card payments at bank-like volumes, which of course makes them prime targets for cyber attacks. Cyber thieves steal cardholder data, including addresses and CVV numbers, through a criminal attack on Four Winds Casino’s payment card network. The malware used in the breach is active in the casino’s systems for at least a year, and Four Winds warns customers who used credit cards for purchases between October 2014 and October 2015. The dwell time is the telling detail: card-stealing malware that runs for a year unnoticed points to a payment environment with no effective monitoring of the hosts that touch card data.

7. Vtech / Sanrio

The VTech and Sanrio hacks in November/December 2015 mark an alarming trend towards breaches involving children’s data. Our friend Troy Hunt was first to confirm the VTech data breach to Vice’s Motherboard, and VTech later issues a press release announcing the compromise. Hunt’s analysis of the data showed account passwords stored as unsalted MD5 hashes, a scheme that offers no real protection once the database is in an attacker’s hands. A few weeks later, Sanrio, maker of the iconic children’s brand Hello Kitty, announces that 3.3 million user records were exposed through a gap in website security.

6. Anthem

America’s second-largest health insurer announces in February 2015 that it was hacked, leaving nearly 80 million people with compromised personal data. This prompts the Office of Personnel Management’s (OPM) Inspector General to request a comprehensive IT security audit of Anthem’s systems, since Anthem provides coverage to 1.3 million federal employees. Anthem refuses to cooperate, and four months later OPM announces a data breach of its own, of epic proportions.

5. Kaspersky Labs

You know things are bad when IT security providers start getting hacked. Kaspersky Lab discovers the Duqu 2.0 malware on its own network while testing a prototype anti-APT solution, and announces the intrusion in June 2015. Ironically, the firm was able to identify and neutralize the threat with the prototype, but since the compromise was carried out to gain knowledge of future anti-APT solutions, the prototype may have been part of what the attackers were looking for. Duqu 2.0 lived almost entirely in memory, leaving little on disk for traditional scanners to find, which is how it could persist unnoticed. The open question is how much of the design of Kaspersky’s future security products the attackers walked away with.

4. Experian/T-Mobile

Cyber criminals are increasingly targeting third parties that hold data on behalf of other companies, since a processor’s systems are often an easier way in than the data owner’s own. The Experian/T-Mobile data breach in October 2015 is the most prominent incident of this kind to date: an Experian server holding credit-check data for T-Mobile applicants was compromised, impacting 15 million customers and applicants of the mobile telecom giant.

3. Systema Software

In September 2015, a security researcher discovers an exposed payload of data in the cloud: police reports, drug tests, detailed doctor’s notes, Social Security numbers, all left open and unsecured in the AWS cloud. Misconfiguration is the culprit, and insurance claims software vendor Systema Software is to blame. Cloud storage of this kind is private by default, so an exposure like this means someone granted read access to everyone, through an access control list or an access policy, and nobody checked. The firm is likely to be investigated for potential violations of the Health Insurance Portability and Accountability Act.
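The post does not say which AWS storage service held Systema’s data; the most common form of this exposure is an S3 bucket whose ACL or bucket policy grants read access to everyone, so that is what this added example checks. It is not code from the original post or from any vendor named here. It evaluates a bucket’s ACL and policy offline, in the JSON shapes that S3’s GetBucketAcl and GetBucketPolicy APIs return; the bucket name `claims-archive`, the owner id, the VPC id and the sample ACL/policy documents are constructed for illustration.

```python
import json
from typing import Any, Dict, Iterable, List, Optional

# Grantee URIs that S3 uses for "everyone" in an ACL grant.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value: Any) -> List[Any]:
    """Policy fields such as Action or Principal.AWS may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def acl_findings(acl: Dict[str, Any]) -> List[str]:
    """One finding per grant to AllUsers/AuthenticatedUsers (GetBucketAcl shape)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GRANTEES.get(grantee.get("URI", "")) if grantee.get("Type") == "Group" else None
        if label:
            findings.append(f"ACL grants {grant.get('Permission')} to {label}")
    return findings


def _principal_is_public(principal: Any) -> bool:
    """Principal may be "*", {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _grants_read(actions: Iterable[str]) -> bool:
    """True if any action pattern covers reading objects or listing the bucket."""
    return any(a.lower() in ("*", "s3:*") or a.lower().startswith(("s3:get", "s3:list"))
               for a in actions)


def policy_findings(policy_json: Optional[str]) -> List[str]:
    """Findings for Allow statements with a public principal (GetBucketPolicy shape).

    A statement with a Condition block is reported for review, not declared public:
    whether it really opens the bucket depends on request context (source VPC, IP...)
    that an offline check cannot evaluate.
    """
    if not policy_json:
        return []
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = [str(a) for a in _as_list(stmt.get("Action"))]
        if not _grants_read(actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            findings.append(f"policy statement {sid}: public principal gated by Condition (review)")
        else:
            findings.append(f"policy statement {sid}: public principal may {', '.join(actions)}")
    return findings


def assess_bucket(name: str, acl: Dict[str, Any], policy_json: Optional[str]) -> Dict[str, Any]:
    """Combine both checks; 'public' is True only for an unconditional grant to everyone."""
    findings = acl_findings(acl) + policy_findings(policy_json)
    return {"bucket": name, "public": any("(review)" not in f for f in findings), "findings": findings}


# Constructed sample inputs: hypothetical bucket name, owner id and VPC id, not real data.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"}, "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Grants": [OWNER]}
EXPOSED_ACL = {"Grants": [OWNER, {  # READ on a bucket ACL lets anyone list its objects
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::claims-archive/*"}]})
CONDITIONAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [  # flagged for review only
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::claims-archive/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0a1b2c3d"}}}]})

if __name__ == "__main__":
    print(assess_bucket("claims-archive", EXPOSED_ACL, EXPOSED_POLICY))
    print(assess_bucket("claims-archive", PRIVATE_ACL, CONDITIONAL_POLICY))
    print(assess_bucket("claims-archive", PRIVATE_ACL, None))
```

Two caveats on the design. A statement with a Condition is reported for review rather than as public, because whether it opens the bucket depends on request context the script cannot see; and the script does not evaluate Deny statements, so an explicit Deny elsewhere in the policy could override an Allow it reports. Treat the output as a list of things to look at, not a verdict. In practice you would feed it every bucket returned by ListBuckets, and on AWS today the account-level S3 Block Public Access setting (a control introduced after this article was written) can neutralize public ACLs and policies in bulk.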

2. U.S. Voter Database

In December 2015, security researchers discover a massive data file leaked to the public containing the personal information of 191 million voters: names, addresses, phone numbers, birth dates, political affiliations, and voting histories since 2000. Again, a misconfigured database is the culprit, but the owner of that database has yet to be identified. A database listening on a public interface with no authentication is found within hours by anyone scanning the internet for it, which is exactly how this one turned up.

1. U.S. Office of Personnel Management (OPM)

Topping the list is the OPM data breach: 21.5 million records stolen from the U.S. agency that handles federal personnel data, covering current and former employees and applicants as well as the individuals referenced in their background investigations; 5.6 million of those records include fingerprints, which, unlike a Social Security number, cannot be reissued. The full extent of the damage is still TBD, but it’s clear that the worst is yet to come. In December 2015, the National Nuclear Security Administration announces that the OPM breach includes some of the workers at the U.S. Pantex nuclear plant, raising new concerns around the compromise.

Several of these incidents, and a large share of security incidents generally, trace back to misconfigurations and unpatched software: flaws that are hard to detect in large, heterogeneous environments. Finding them is exactly what ScriptRock was designed to do. Our platform detects security gaps and vulnerabilities across the most disparate of infrastructures, continuously. Make continuous security monitoring with ScriptRock part of your organization’s agenda for 2016, for a stronger security and compliance posture; it’s free for up to 10 nodes.

Roane Holman

I study and report on new trends in enterprise IT, operations, and cybersecurity.