BreachExchange mailing list archives

When hacking got personal in 2015

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 4 Jan 2016 18:03:07 -0700

http://www.thenational.ae/business/technology/when-hacking-got-personal-in-2015

If there is any lesson that using the internet in 2015 taught us, it’s that
it’s getting increasingly difficult to avoid having our personal data
stolen by hackers.

From children’s toys and hotels to mobile phone companies and insurance
brokerages, virtually no one was safe from malicious breaches. And, if
anything, hacking became a little more personal – and a little meaner – in
2015.

In June, hackers stole the records of at least 22 million United States
government workers stored with the Office of Personnel Management. The full
repercussions of the breach – considered the most damaging in US national
security so far – aren’t yet known, but analysts are worried about the
potential for blackmail of government employees by enemy powers armed with
the sensitive information.

The US-based healthcare providers Anthem and Excellus BlueCross BlueShield
had 80 million and 10 million customer records leaked, respectively, in
September and February. Birth dates, addresses and social security numbers
were included, exposing millions to potential identity theft and fraud.
Law-enforcement officials failed to identify the perpetrators.

The records of 2.4 million customers, including up to 900,000 credit card
numbers, were stolen from the UK electronics retailer Carphone Warehouse in
August. Even LastPass, an online tool that helps users manage their many
different passwords, was hit in June. The breached data was encrypted and
the company said damage was minimal, but users were, nevertheless, urged to
change their passwords.

The list goes on and on

Many of the victims in the disparate breaches were forced to deal with
identity theft and financial turmoil, and the only thing that kept the
breaches from wreaking a sort of collective mass havoc was – seemingly –
the hackers’ own good graces. But even those, if they exist at all, appear
to be running out.

In July, hackers calling themselves The Impact Team announced they had
stolen data from adultery-enabling website Ashley Madison. The group
threatened to release the information, which included the names and home
addresses of the site’s 39 million members, unless it shut down immediately.

When the Toronto-based parent company, Avid Life Media, did not comply, the
hackers dumped gigabytes worth of usernames and credit card transactions,
plus sensitive emails from executives.

Among the revelations in those correspondences was the fact that company
founder, Noel Biderman, a married man, had multiple affairs despite
previous denials about infidelity. Examination of the data also revealed
that most of the site’s female users were fake and that the company failed
to delete user accounts even after charging fees to do so.

The fallout for users was more pronounced. Heads rolled as judges,
politicians and teachers were outed as members. Families split up and fears
of blackmail spread fast. A New Orleans pastor and Ashley Madison user,
fearing he too would lose his job, committed suicide.

Adultery is an ethical issue, but regardless of where one stands on it, at
the heart of the breach lies the fact that the Ashley Madison hackers
appointed themselves moral arbiters of the site and – by extension – its
users. Avid Life Media is facing a US$567 million class-action lawsuit and
will probably never recover the trust of its users, even if it is claiming
to have added four million new members since the breach. But the social
ramifications for its users, imparted by self-appointed judges, marked it
as a different kind of hack.

Ethically motivated breaches against wrongdoing companies, governments or
institutions have been happening for years but in 2015, their perpetrators
seemed to care less about the everyday people caught in their wake, and not
just in the Ashley Madison case.

Bombastic and divisive US presidential candidate Donald Trump was also
targeted last year, with his hotel chain announcing in October that it had
been the victim of a year-long breach. Hackers may have gained access to
thousands of customer credit card numbers during that period, the chain
said.

While Mr Trump may have suffered a personal knock to his brand and
reputation, as the hackers desired, the true victims – the ones who likely
had to deal with the financial fallout of having their data stolen – were
guilty of no crime other than staying in hotels bearing his name.

Hackers in September also went after Patreon, a Kickstarter-like
crowdfunding site used by independent artists and creators to support their
small-scale initiatives. The perpetrators and motives are unknown, but
Patreon is the veritable opposite of the corporations normally targeted by
hacktivists. Why they would want to harm independent creators trying to eke
out a living through online donations is a disturbing question.

Closing out the year, hackers in November stole 4.8 million records from
Hong Kong-based toy maker VTech, leaking the names, genders and birthdays
of more than 200,000 children. One of the individuals who claimed
responsibility later said he just wanted the company made aware of security
failings that allowed the hack to be fixed. Whether the hacker was aware
that thousands of children had been exposed to potential miscreants is
unknown.

There’s little doubt that data breaches were one of the biggest stories of
2015 and, unfortunately, they will not be going away.

But with hackers increasingly appointing themselves arbiters of the moral
behaviour of institutions and individuals, and the effects of their actions
having more profound social effects than just simple financial damages,
authorities are heading into this year facing more pressure to take action
against what is a growing epidemic.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
