As expected, hacking was a common theme throughout 2015. Data breaches, account takeovers and stolen identities all made headlines in a year that saw people spend more and more time online. Unfortunately, with increased time online comes increased risk. No industry was safe, as everything from hotel chains to secret dating sites and government agencies had issues with security. As we venture into a new year, we take a look back at some of the biggest hacks from 2015, what has happened up to today, what we learned about the causes of each, and the implications for the future of cybersecurity. This is The Year in Hacks: 2015.
As outlined on December 28, 2015 in the ZDNet column, Zero Day, reporter Violet Blue retraced TalkTalk’s plummeting stock price since the UK telecom company disclosed that it was the victim of a denial of service attack in October. Blue cited that it was the third hack of the communication giant in 12 months, and that sensitive data, including usernames and passwords, wasn’t even encrypted. While it remains to be seen if other hacked companies will start to see their stock prices plummet, this was one of the more striking examples of just how destructive a data breach can be for a company that was hacked largely due to poor cybersecurity practices.
9. Trump Hotels
On September 30, 2015, CNN Money reported that between May 2014 and June 2015, hackers using malware quietly recorded customer payment information from a handful of Trump hotel locations in the United States and Canada. “An independent forensic investigation has not conclusively determined that any particular customer’s payment card information was taken,” say representatives from the hotel chain. Still, the company is offering 12 months of identity protection for affected customers.
8. CIA Director John Brennan’s Personal Email
Posing as a Verizon worker, a teenage hacker and two accomplices employed social engineering to trick the wireless giant into revealing security information that the trio then used to hack CIA Director John Brennan’s AOL account on October 12. Having first obtained Brennan’s phone number, they did a reverse look-up to determine that he is a Verizon customer. “We told them we work for Verizon and we have a customer on scheduled callback,” the teen told Wired on October 15, 2015. Claiming that their “tools were down,” they used a fake employee pin code to trick Verizon into releasing not only Brennan’s account number and four-digit PIN, but also his AOL email address and the last four digits on his bank card. Armed with that information, the teens called AOL to have the password reset and then accessed Brennan’s e-mail. Among the classified documents they accessed was a spreadsheet containing the names and Social Security numbers of intelligence officials. The hackers also viewed a letter to the CIA from the Senate demanding that the agency stop torturing interogees.
Two U.S. states, along with regulators in Hong Kong, have been investigating a Black Friday breach of toymaker VTech’s Learning Lodge app store and Kid Connect messaging system, reported CNBC on December 2, 2015. The private data of 4.9 million adults and 6.4 million children was stolen in the breach, which security experts believe will force toymakers to rethink their security strategy.
6. Hilton Hotels
On September 28, 2015, USA Today reported that guests of Hilton Hotels, which includes Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts, who used their credit cards to make purchases at the hotels’ restaurants and gift shops, may have had their information stolen. While the investigation continues, anyone who stayed at a hotel owned by Hilton is being advised to look closely for unauthorized charges.
5. Juniper Networks
Juniper Networks, which provides computer network equipment and routers to many major companies and the federal government, was the victim of a three-year hack by someone who the FBI suspects to be the agent of a foreign government — given its sophistication. Having created a backdoor by installing code, the government compares the breach to “stealing a master key to get into any government building.” Nobody knows what documents were stolen over the past 36 months, but Juniper has released a security fix to lock the backdoor, reported CNN on December 18, 2015.
4. Hello Kitty
A December hack against Hello Kitty parent company, Sanrio, affected 3.3 million users. Full names, usernames, passwords and other sensitive data were breached, reported The Daily Beast. While credit card information was not accessed, users are encouraged to update their passwords for other sites, as the stolen information will allow hackers to build a database to access other websites where the same credentials are used.
3. Office of Personnel Management
Roughly seven percent of the over 20 million victims of the Office of Personnel Management (OPM) hack will never be notified, says the US government, because their addresses have changed or are not on file. Reuters reported on December 11, 2015 that the 12-month attack began in May 2014. Names, addresses and Social Security numbers were among the compromised information. This isn’t the first time the OPM has had trouble notifying victims. Victims of a previous attack were notified by e-mail, but the messages looked like a phishing scam and were largely ignored.
2. Ashley Madison
CNN Money reported on December 29, 2015 that the infamous adultery site Ashley Madison has increased its membership from 39 million to 43 million since the July hack that revealed the identities of 32 million users. Parent company Avid Life remained mum on the increased membership, but did assert at the time of the breach that reporters were misinterpreting the gender data, and that the male to female ratio of active users is 1.2 to 1. Avid Life, which previously boasted sales of $115 million and $55 profits, faces a dozen class-action lawsuits seeking over $500 million damages as a result of the breach.
On February 5, 2015 the Los Angeles Times reported that Anthem Inc., the national second largest health insurer, was a victim of a massive data breach. The names, dates of birth, Social Security numbers, member ID numbers, addresses, phone numbers, email addresses and employment information of up to 80 million customers were accessed. The only things not stolen were credit card numbers and major medical histories. Security experts criticized Anthem for failing to encrypt the stolen data. Anthem countered that additional encryption wouldn’t have helped, citing that an administrator’s stolen credentials were used to bypass security (which could have been prevented with two-factor authentication). Encryption debate aside, this remains one of the largest hacks in history, with widespread information implications that are still being discovered today.