I can hardly believe we’ve hit another year and that we are already looking back at 2015. Once again this year has not fallen short when it comes to data breach expectations. While last year was the year of the retailer, this year was the year of breaches at government and healthcare organizations, the back-door encryption debate, hacking for self-righteousness and, ultimately, state-sponsored attacks.
I know what you’re thinking: the future looks bleak. But I genuinely believe we are learning our lesson. I feel confident saying that CEOs of companies, large and small, are beginning to understand their information security.
While we are all gearing up for the latest ugly holiday sweater party, baking cookies and starting the shopping season – widely publicized breaches are changing the mindset of business leaders and consumers when it comes to security.
In honor of the holidays, we’ve compiled 12 data breaches from 2015.
Premera discovered that cyberattackers had executed a sophisticated attack to gain unauthorized access to records from 11 million individuals.
Anthem, the nation’s second largest health insurance provider, announced that hackers had broken into the server and stolen social security numbers and personal data of 80 million individuals. Individuals hit the insurer with lawsuits that claimed they were victims of fraud.
Hackers accessed tens of thousands of British Airways frequent-flyer accounts. The airline said no personal information had been viewed or stolen and it had frozen affected accounts while it resolves the issue.
The personal details of world leaders at the G20 summit were accidentally disclosed by the Australian immigration department after an employee of the agency inadvertently sent passport numbers, visa details and other personal identifiers of all world leaders attending the summit to the organizers of the Asian Cup football tournament. The United States president, Barack Obama, the Russian president, Vladimir Putin, the German chancellor, Angela Merkel, the Chinese president, Xi Jinping, the Indian prime minister, Narendra Modi, the Japanese prime minister, Shinzo Abe, the Indonesian president, Joko Widodo, and the British prime minister, David Cameron, were among those whose details were exposed.
- May 21, 2015: CareFirst
CareFirst announced it had been hit with a data breach that compromised the personal information of approximately 1.1 million customers. There were indications that the same attack methods may have been used with breaches at Anthem and Premera, incidents that collectively involved data of more than 90 million Americans.
Criminals hacked into the IRS website and gained access to approximately 100,000 tax accounts. Another 100,000 attempts were made but were not successful. The hackers got in by taking information about taxpayers they’d acquired from other sources and using it to correctly answer several personal identity verification questions in the IRS’ “Get Transcript” application. The information stolen included Social Security information, date of birth and street address.
Researchers in Russia discovered a nation-state attack attributed to members of the infamous Stuxnet and Duqu gang. The perpetrators were hiding in Kaspersky’s network. Attackers appeared to be the same group that created Duqu, spyware discovered in 2011 that was used to hack a certificate authority in Hungary, as well as targets in Iran and Sudan, and that shared a number of similarities with Stuxnet, the famed digital weapon that sabotaged Iran’s nuclear program.
The Hacking Team attackers leaked 400 GB worth of emails and other data that included hacking tools, instructions, “cookbooks,” pricing, customer data, and more. Now, novice and/or minimally talented hackers have the capacity to pull off extremely sophisticated hacking operations, a shift that is sure to level the cybercrime playing field.
A group calling itself the Impact Team compromised all of the company’s data, and released all customer records. The affair quickly turned into one of the largest personal information dumps ever, and the online hook-up site joined the ranks of the most notorious IT security breaches of all time.
Experian disclosed a massive data breach that exposed sensitive personal data of 15 million people who had applied for service with telecoms carrier T-Mobile during the prior two years. Experian discovered that the T-Mobile applicant data had been stolen from one of its own servers.
Scottrade announced that it had suffered a data breach affecting 4.6 million customers. Hackers stole client contact information. The company offered the affected customers identity theft protection services.
TalkTalk, the phone and broadband provider with over four million UK customers, had banking details and personal information accessed. The breach exposed 157,000 customers. A UK parliamentary inquiry into the security of personal data online was launched following the TalkTalk incident.
The Great Backdoor Encryption Debate
In a September blog post ‘Backdoor Encryption: Where Government and Hackers Become One in the Same’, I discussed the debate around back-door encryption. In 2015, encryption became the hot topic and organizations realized that if they don’t do encryption right, people are going to get around it.
While tech companies embraced encryption, some government officials started seeking the right to use secret keys to track terrorists and other criminals. They felt encryption could render information government officials claim is vital to national security invisible.
The Justice Department eventually obtained a court order demanding Apple turn over text messages between suspects using iPhones. While the government had warned for months that this type of standoff was inevitable, senior Justice Department and FBI officials argued that there should be legal frameworks allowing the government to monitor data, on the premise that such surveillance gives the government the ability to monitor potential terrorists.
While the government’s reasoning for creating a backdoor is sound, opening a door for the government means that same door is open for hackers.
The Justice Department sparked this ongoing debate on the merits of backdoor encryption. In fact, alongside the debate, we released a report on how Americans perceive backdoor encryption. Survey respondents felt that:
- Data accessed through a “backdoor” could be abused by hackers (69%)
- Data accessed through a “backdoor” could be abused by government entities (62%)
- U.S. businesses could lose their competitive advantage (34%)
Safe Harbor Data Protection Act
The Safe Harbor Scheme was an agreement between the European Commission and the U.S. government allowing any U.S. entity complying with its principles to be certified and therefore permitting these entities to process personal data which had been transferred from Europe.
In 2015, a court decision declared the U.S. Safe Harbor Scheme invalid, with major implications for multinational organizations that transfer personal information from Europe to the U.S. as part of their business.
Although it wasn’t a surprise, this is still an extraordinary ruling given the agreement has governed data flow between the U.S. and EU for fifteen years. The decision also spoke to the fundamental disconnect between Europeans and Americans when it comes to data privacy practices, a gap that was made apparent following the NSA spying revelations.
Hitting the end of 2015
The best thing security executives can do is take the time to understand data protection, do their due diligence in researching and understanding encryption solutions that best fit their needs and deploy a solution that allows their companies to stay both compliant and safe.
If security portfolios and controls are properly balanced, the implementation and deployment of security technology doesn’t need to break the bank or disrupt business processes. Businesses that have an active interest in expanding and growing shouldn’t waste time with old security practices. Instead, they need to face this new reality and then make it work for them.
In the past, organizations only encrypted for protection what they were forced to protect by compliance requirements. Fortunately, advances in technology mean that it is now faster and easier to secure more data with encryption than ever before – and it can be applied to wherever the data resides. It’s my hope that we continue to focus on providing improved guidance and tools to protect U.S. data and infrastructure. For now, we’re heading in the right direction.