When 2013 came to a close, many referred to it as the ‘Year of the Data Breach’, a title which has since been passed down to 2014, in recognition of the even greater number of data loss incidents and records lost this past year.
For a quick summary, here are some of the largest and most noteworthy hacks of 2014:
- Home Depot
A hack that went unnoticed for over five months cost Home Depot 56 million payment card numbers and 53 million email addresses. The hack played out in almost the exact same fashion as 2013’s infamous Target breach, whereby malware was installed on POS terminals to steal data when a payment card was swiped.
While consumer backlash has been significantly less than with Target (See: Another Major Retailer Hit By Data Breach: Does Anyone Care?), it has recently been reported that the DIY retailer now has to face down 44 lawsuits relating to the hack.
- JPMorgan Chase
In September, one of the largest banks in America revealed to the public that the personal information of 76 million households and 7 million businesses had been compromised. The hack, which affected more than 50% of all households in the United States, was reportedly made possible by the lack of two-factor authentication on a server.
- Apple iCloud
While not one of the biggest hacks of 2014, it was one of the most sensational. In August, hackers leaked nude images of many famous celebrities on the popular imageboard 4chan. Some of the celebrities affected include Jennifer Lawrence and Kate Upton, and the images have been circulating the internet since.
The images were taken from Apple’s iCloud storage, and further investigation revealed that the images were not taken due to a vulnerability in Apple’s systems, but rather that hackers conducted brute-force attacks on the celebrity accounts to gain access to their private data.
The hack highlighted the risk of storing sensitive data on cloud storage sites, which many did not consider to be an issue prior to the hack.
- Sony Pictures
This hack is still making waves as we speak, with nations and heads of state getting involved. Hackers stole unreleased movies, emails and personal information from the computer network of Sony Pictures Entertainment. GOP, the hacking group behind the attacks, seems more focussed on wreaking havoc within Sony than turning a profit. They have released sensitive email conversations between employees, put unreleased movies up for viewing on BitTorrent, and made threats to public safety if The Interview, a movie depicting an assassination attempt on Kim Jong Un, were to be screened in America. That didn’t stop the Canadians or 300 independent cinemas, however.
Data breaches will continue to increase
There was a 42% increase in targeted attacks from 2011 to 2012, and a 62% increase the following year. While there is not yet any data available on the increase in attacks over the past year, given the large number of hacks and the magnitude of records lost, it’s not going to be good news. While new technologies like the US adoption of EMV chip-and-PIN may be positive steps towards better security for card-present retail transactions, many experts warn that no single technology is a silver bullet for stopping data breaches.
Plus, just as new data security solutions are created, new vulnerabilities are also being discovered; it’s an endless cat and mouse game between data security experts and hackers (See: Bash Exploit “Shellshock” Puts the Entire World at Risk).
Will it ever end?
Is it conceivable that having personal information stolen will become as likely for every individual and business as catching the common cold?
How many people actually think about the potential repercussions of downloading an app on the Google Play store? We’re not delusionally running around in tinfoil hats; the repercussions are real. It was recently revealed that all of the top 10 Android Flashlight Apps available on the Google Play Store contain some form of malware, allowing the creators to do anything from taking your pictures and videos to tracking your location.
In a corporate network environment, phishing email attacks will continue to be a very real threat in 2015, achieving a high success rate for harvesting data from inside a seemingly secure network. According to many of our partners who offer penetration testing services, a common victim during a pen test is a CEO or CFO clicking on malicious links within a test phishing email (and these are people with privileged access to data).
And on an entirely different level, just think of the dangers many new wearable technologies pose: Google Glass. Smart contacts. Microchip implants. And perhaps scariest of all, Nick Percoco gave a great TED talk 2 years ago about the idea of hacking people’s thoughts using EEG devices. Hackers might soon be able to literally get under our skin and into our heads.
But back to the data security challenges of 2015: technology will continue to evolve, and hackers are constantly finding ways to discover and exploit vulnerabilities whilst the good guys continue to lag behind. Unless this changes (and we’re not holding our breath), 2015 is going to be another windfall year for the hacking community.
We’re only 5 days into the new year, and there’s a high likelihood that 2015’s early data compromises have already happened over the weekend just past. Unfortunately, the victims probably don’t know it yet and will only come to find out weeks or months from now.
Your New Year’s resolution: do something. It’s better than nothing.
So what needs to be done to cancel the data apocalypse? The solution is not a groundbreaking one: it all boils down to developers incorporating security into their software design from day #1, system administrators having a real understanding of what sensitive data is stored or handled, and consumers being aware of potential risks and taking necessary precautions.
Have a secure 2015!