’Tis the season – the season where I look back at predictions I made last year, the season where I evaluate and take a deep dive into the breach landscape, and the season where I look into where 2015 is headed. In a March 2014 blog post, I discussed how the sheer number of data breaches (e.g., Target, Adobe, Korea Credit Bureau, Neiman Marcus) is a clear sign cybercrime will continue to rise. We will dive into those predictions, stepping through where we stand today. But before we do so, we’ll provide a quick review of where we stand within the data breach landscape.
2014 Data Breach landscape:
- August 31, 2014: iCloud
An alleged perpetrator was exposed on Reddit. The mainstream media leapt on the story and got reactions from affected celebrities. The individual responsible for the breach used 4Chan to offer explicit videos from celebrities’ phones, as well as more than 60 nude “selfies”. The breach appeared different from other celebrity “hacks” in that it used a near-zero-day vulnerability in an Apple cloud interface. While an unusual, long, convoluted password may have prevented the attack from being successful, the only real defense against this assault was never to put photos in Apple's cloud in the first place.
- September 3, 2014: Goodwill
Goodwill announced in early September that card information at approximately 330 stores had been compromised. Some 868,000 payment cards were said to be involved in this breach.
- September 4, 2014: HealthCare.gov
A hacker managed to breach cybersecurity at HealthCare.gov and implant malicious code on the federal Obamacare website. Officials said the attacker does not appear to have stolen any personal data and only broke into a server used to test run software for the site.
- September 8, 2014: Home Depot
Hackers stole 56 million customer credit and debit card accounts and made off with 53 million customer email addresses. Crooks initially broke in using credentials stolen from a third-party vendor. The company said thieves used the vendor’s user name and password to enter the perimeter of Home Depot’s network, but that these stolen credentials alone did not provide direct access to the company’s point-of-sale devices. For that, they had to turn to a vulnerability in Microsoft Windows that was patched only after the breach occurred.
- October 28, 2014: The White House
The State Department shut down its worldwide email as part of a scheduled outage of some of its Internet-linked systems to make security improvements to its main unclassified computer network. The White House detected suspicious activity on its unclassified network. Although the State Department found no indication of being compromised at that time, a department official now claims the activity was detected around the same time as the attack on the White House’s network.
- November 10, 2014: USPS
Chinese government hackers were suspected of breaching the computer networks of the United States Postal Service, compromising the data of more than 800,000 employees as well as data on customers who contacted its call center during the first eight months of this year. Employee data included names, dates of birth, social security numbers, addresses, beginning and end dates of employment and emergency contact information.
- November 12, 2014: NOAA
The National Oceanic and Atmospheric Administration (NOAA) has confirmed that an attack on a NOAA web server in September affected four websites and caused the office to temporarily cease delivering satellite data used globally for aviation, shipping, disaster preparedness, and other purposes. The breach, which started in September and lasted until late October, was not reported to Commerce Department officials and other federal cybersecurity authorities. The NOAA satellite imagery system is used by civilian and military meteorologists worldwide to build weather models; it is also used in planning commercial aircraft and merchant shipping traffic. While NOAA did not identify the attacker publicly, agency officials said the attack was traced back to China.
- November 24, 2014: Sony
Employees at Sony Pictures Entertainment, the movie and television production division of Sony, had their computer screens hijacked by a grinning skull. A group calling itself Guardians of Peace said it had taken over the corporate network and would release detailed company information online if unspecified demands weren’t met. Within days, gigabytes of internal Sony Pictures’ data appeared on file-sharing sites, including social security numbers and scanned passports belonging to actors and executives, internal passwords, unpublished scripts, marketing plans, financial and legal information and even four entire unreleased Sony movies. The company’s 6,800 employees, plus other individuals the company had paid over previous years, were placed at dire risk of identity theft, and Hollywood studios got a detailed blueprint of Sony Pictures’ accounts, future plans and internal workings. Some rumors blamed North Korea, others disgruntled insiders.
While this creates the SparkNotes version of our data breach landscape, just wait, there’s more. The real story is that some of these attacks carry all the hallmarks of well-financed and carefully developed intrusions that could only be accomplished by nations themselves, not organized crime or renegade groups of hackers.
Needless to say, my prediction that we would see an increase in breaches as we hit 2014 was a huge understatement in comparison to this reality.
Diving back into the initial predictions I laid out:
Trend 1 – Revenue Loss Means Board Room Focus – Following Target’s massive data breach, CIO Beth Jacob resigned in March this year. Shortly thereafter, the board decided it was time for new leadership, and CEO Gregg Steinhafel resigned in early May.
Trend 2 – Retail Breaches: An Easy Target
Most have realized, particularly in the wake of security breaches with such well-known retailers, that we are hitting a new era: an era of insurmountable cyberattacks, an era of legislation scrambling to mandate specific security requirements and an era where the public is seeing companies that were once thought of as untouchable getting breached.
Trend 3 – Cloud and Big Data = Big Target for Cybercriminals
Just take a look at iCloud and, earlier this year, the trove of more than 1 billion usernames and passwords linked to half a billion email addresses. The massive trove of data, stolen from hundreds of thousands of websites, was discovered by the Milwaukee firm Hold Security.
Trend 4 – Government and Healthcare: High Risk
Attacks happened during the same timeframe as an alleged Chinese infiltration of the White House’s unclassified network and a data breach at the US Post Office that exposed 800,000 employee records, also now attributed to Chinese attackers.
Trend 5 – Compliance Will Grow Bigger Teeth
Following large retail hacks this year, an October 2015 deadline requires retailers to shift from magnetic-stripe to chip cards.
Where do I see 2015 headed?
- Retail, which just started to put more of an emphasis on security, will require significantly more data breaches to ignite action. We’ll see more and more retailers considered an easy target.
- Compliance won’t change anything: government agencies will continue to enact compliance requirements to reduce the number of breaches and the exposure of customer data; however, compliance just won’t be enough to keep up with hackers.
- More state-sponsored attacks. Hacks will come in but not necessarily for financial reasons. We will begin to see more and more hacks coming from other countries and hitting key infrastructure.
- There will be a bigger emphasis on encryption. Recent implementations of chip-and-PIN will just be the beginning.
- We will see even more insider threats resulting from data breaches. Companies will continue to focus on securing their perimeter, but insider threats will be the biggest security flaw companies face.
2014 has been quite the year, and it’s time to protect customers and take a data-first approach. These breaches are happening at a rapid pace, so in 2015 it’s high time we put ‘the year of the data breach’ to rest.