TAP into Technology | Garland Technology Blog

Cyber Security Year in Review: Major Data Breaches of 2015

Written by Chris Bihary | 12/15/15 4:37 PM

Despite innovative new cyber security appliances and applications, hackers are finding ways to push data breach statistics to new heights. Even though 2014 was deemed the year of the data breach, 2015 has shaped up to be just as formidable. Aside from bolstering your cyber defenses, you should reflect on the biggest data breaches and think about how you can avoid seeing your company’s name in the headlines.

2015 is coming to a close and it’s time to look back at the year of cyber security attacks and data breaches.

2015 Data Breaches by the Numbers

Before diving into the specifics of some big data breaches, here’s a review of 2015 cyber security by the numbers:

  • 880 data breaches were recorded in the first half of 2015 alone, a 10% increase on 2014’s record pace

  • 246 million records were breached in the first half of 2015

  • Just 2% of data breaches were the result of state-sponsored attacks, but these accounted for 41% of breached records

Cyber attacks are showing no signs of slowing down and if you want to learn from the mistakes of other companies, these are the ones to look to:

VTech—Even Children Aren’t Safe

The electronic learning toy company lost the names, dates of birth and genders of more than 200,000 children in addition to 4.8 million breached records. Experts say that poor password security may have been the culprit and that attackers could easily have used SQL injection to meet their goal.

When children are involved, you know attackers are starting to take their methods to new levels.

Experian—Encryption Couldn’t Help T-Mobile Customers

More than 15 million T-Mobile customers were compromised when their credit was checked by Experian. Names, addresses and encrypted Social Security numbers were stolen—more than enough for identity theft. This was a big hit for consumer trust in the financial sector.

Office of Personnel Management—Possibly the Biggest US National Security Breach in History

Poor password management led to hackers stealing a contractor’s credentials and planting a malware backdoor in the OPM network. For nearly a year, hackers were able to mine for data that could be used to exploit government workers for money. The consequences of this attack would be massive if the data were to fall into the hands of an enemy country.

Ashley Madison—Cheaters Beware

Sometimes attacks aren’t all about consumer records or financial gain. More than 37 million Ashley Madison users were compromised, an embarrassing situation for the site that promises anonymity. Embarrassing information is one thing, but the attack also led to at least two potential suicides.

The Hacking Team—Hackers Get Hacked

Being a hacker doesn’t make you immune to cyber attacks—just ask The Hacking Team, an Italian group that sold zero-day exploits. More than 400GB of data was stolen and published online, giving anyone access to valuable zero-day exploits.

Many of these exploits emerged in the wild, compromising an untold number of users. One engineer’s password was “Passw0rd.” Apparently even hackers have a tough time with safe password practices.

Anthem Inc.—Healthcare is a New Favorite Target for Attackers

The biggest data breach of 2015 was launched against Anthem Inc., the health insurer. More than 80 million people were compromised (including 19 million rejected consumers)—more than one-third the US population.

Attackers were able to compromise websites that Anthem employees frequented, stealing their credentials and gaining access to a host of poorly encrypted (or unencrypted) data. Experts believe this was the work of the Chinese hacking group Deep Panda, which was also responsible for another attack on the healthcare industry—the Premera data breach.

The healthcare industry is proving to be a prime target for attackers looking for sensitive personally identifiable information (PII)—a trend to keep an eye on heading into 2016.

Here’s to New Beginnings in 2016

This was by no means an exhaustive list of data breaches in 2015. However, there’s plenty to learn from here. Notice that none of these attacks were the result of extensive, large-scale DDoS attacks or new malware threats. Attackers are launching large-scale breaches simply by compromising one user’s password and credentials. Human error is the cause of over 52% of security breaches and you have to be ready.

Aside from deploying a comprehensive network of cyber security appliances, make sure you know your baseline traffic and give your systems 100% visibility with network TAPs.