2016 shows no letting up on the hacking front. From HSBC’s digital services being affected as a result of a recent cyber attack to the ongoing saga with V-Tech, this year looks set to equal or even better last year in terms of the incidence of cyber crime and the cost to industry and consumers.
It follows on from a very eventful 2015 in hacking terms. If you’re an analyst who predicted cyber attacks would go through the roof last year, 2015 was far from a disappointment. True to industry predictions, more security breaches through hacking hit the headlines than ever before.
Although this is by no means an exhaustive list, SMS PASSCODE’s annual “Top Ten Global Hack Attacks” showcases some of the most high profile hacks from last year, showing how prevalent they are and how disastrous the consequences can be:
- US Office of Personnel Management: this breach was one of the biggest ever of US government systems believed – although not proved – to be perpetrated by Chinese hackers. The data theft consisted of stealing addresses, health and financial details of 19.7 million people who had been subjected to government background checks as well as 1.8 million others.
- FBI portal breach: a portal used by police and the FBI to share intelligence and arrest suspects was hacked in November this year and data on arrestees stolen. It is unsure how many people were affected as the FBI didn’t announce figures. This attack is thought to be one of the biggest law enforcement hacks this year. It was perpetrated by the same hackers who accessed CIA director John Brennan’s personal email account earlier this year.
- Ashley Madison: the security data breach that hit the infamous infidelity dating site back in the summer of 2015 was media gold. A hacking collective identified weaknesses in password encryption and used these to crack the bcrypt hashed passwords. The upshot was the personal information – including credit card details – of over 11 million users was leaked on the dark web. And the company has lost its CEO, seen its share price and whatever credibility it had plummet and faces class actions from clients and investors.
- TalkTalk: October this year saw one of the UK’s biggest hacks this year and one that dominated news headlines in the UK for weeks. The mobile phone provider was the target of a bunch of teenage hackers who stole the details of over 20,000 customers. The hackers were quickly identified and dealt with, but the company has been left with a bill of up to £35 million, having had millions wiped off its share price and is facing law suits from customers and investors.
- Health insurer Anthem: it emerged in October that Chinese hackers had targeted US health insurance company Anthem in a bit to learn more about how medical coverage is set up in the US. Apparently, Anthem has not been the only target, with smaller insurer Premera saying it had been hacked in March, exposing details of about 11 million people. Healthcare data has become some of the most valuable information that can be sold in the online black market, making healthcare companies a prime target for hackers.
- Carphone Warehouse: one of the biggest breaches in the UK this year was when the details of almost 2.5 million customers was stolen back in August, with almost 90,000 having encrypted credit card information stolen. The company said they had been the victim of a sophisticated cyber attack that is being investigated by the industry watchdog.
- Multiple US financial institutions and media companies: hackers stole the details of over 100 million people with banks accounts in what authorities dubbed “securities fraud on cyber steroids.” At least nine banks and other financial institutions, including JP Morgan, plus Dow Jones, the parent company of the WSJ, were targeted by hackers who gained access to a number of systems that helped them to make money from illegal activities including running a digital currency exchange, gambling websites and inflating stock prices. Three men have been prosecuted.
- Vodafone: Another UK telco company was involved in a data breach in October, when hackers stole the personal and financial details of 2000 customers. Hackers used emails addresses and passwords acquired from an unknown source to get names, phone numbers, bank sort codes and the last four digits from bank accounts.
- Samsung Electronics: The electronics giant’s subsidiary, LoopPay was hacked back in March this year. LoopPay developed the payment system used to run Samsung Pay, a competitor to Apple Pay, but Samsung said that no user data was compromised during the hack, which lasted several months before detection.
- Hilton Worldwide: The global hotel chain has recently been the victim of an attack, which infiltrated its POS terminals, giving hackers unfettered access to customer credit card information. Stolen information includes cardholder names and card numbers, security codes and expiry dates, enabling hackers to shop online or by phone.
The escalation in cyber attacks is only set to worsen. The nature of cyber attacks are mutating and the perpetrators are an increasingly diverse group of people - from criminal gangs and teenage IT geeks, to terrorists and, increasingly, Government sponsored organisations.
One of the most vulnerable areas in the IT environment is authentication, the point at which users log on to networks, applications and systems. 75 per cent of all security breaches involve weak or stolen passwords, allowing hackers to log on as normal users to avoid detection. By doing this, they can go undetected in company networks for weeks or months, as they did in the JP Morgan breach.
Organisations have to think more laterally about security. And they really need to up the ante on their authentication policies and systems. Multi-factor authentication uses a variety of different variables as an acid test to the authenticity of a user – this might be their geographical location, IP address, time of day and other factors.
It’s another weapon in the corporate security armoury. If corporates really do want to avoid becoming another victim statistic, then they need to properly lock down their boundaries and do so quickly.
David Hald is Chief Relationship Officer at SMS PASSCODE
Image Credit: Shutterstock / CobraCZ