Cybersecurity Year in Review
This year was a busy one for global cybercrime, with numerous high-profile attacks across businesses in nearly every sector. Today on the blog, we’re reflecting on some of 2015’s most notable data breaches, and sharing how hedge funds can apply the lessons learned from these incidents to their own cybersecurity strategies.
In February, TalkTalk announced what the company called a “small but significant breach”. In reality, the data of more than four million customers was stolen. The data was then used to fraudulently contact customers, and the breach was only noticed as a result of these fraudulent contacts and the increasing number of customer complaints. In October, TalkTalk suffered a DDoS attack, which acted as a smokescreen for another data theft, coupled with a ransom demand. A company as large and established as TalkTalk should have been much better prepared, especially as it had already been the victim of an attack in 2014. A DDoS attack is often followed by a data breach, and this should have been paramount in the company’s mind. As an absolute minimum requirement, TalkTalk should have ensured that its customer data was encrypted.
CareFirst BlueCross BlueShield
In the US, the CareFirst BlueCross BlueShield breach in May was notable because it highlighted the continued vulnerability of the healthcare sector. CareFirst discovered the breach during a security review and found hackers had gained access to a database that members use to access the company’s website and online services. More than one million members had their names, birth dates, email addresses and subscriber information compromised. Luckily, member password encryption prevented cyber criminals from gaining access to credit card and financial data. However, the information gained by the hackers was still enough to make the members potential victims of targeted spear phishing attacks. In order to prevent attacks of this nature in the future, organizations should consider a multi-layered security strategy that protects the perimeter, endpoints and outer vulnerabilities, but also encrypts data at rest or in transit.
Hackers stole close to five million records and a database of first names, genders and birthdays of more than 200,000 children. The effects of the attack on VTech could have been mitigated had a data encryption solution and secure passwords been in place. This data breach highlights the vulnerabilities of the Internet of Things, with seemingly irrelevant information being the target of cyber criminals. The data stolen in the VTech attack also makes each victim a prime candidate for spear phishing attacks in the future.
In February, Kaspersky Lab discovered a global cybercrime heist, affecting as many as 100 banks around the world. The attackers infiltrated the banks’ networks through phishing, which allowed them to gain access to key resources and employee account credentials. The cyber criminal group, known as Carbanak, used those credentials to make fraudulent transfers, and ultimately stole more than £1 billion.
Hacking Team is a professional, legitimate hacking organization that develops spy tools for government agencies, including tools that can circumvent traditional anti-virus solutions. A data breach at the organization led to the publication of more than one million emails from the Italian company, revealing its involvement with oppressive governments as well as multiple Flash zero-day vulnerabilities. As well as highlighting questionable practices, this data breach demonstrated that even the hackers can become victims.
Credit agency Experian suffered a data breach in September, affecting as many as 15 million T-Mobile customers who underwent credit checks. Personally identifiable information, such as names, addresses, social security numbers, birth dates, and even passport numbers, was stolen. Experian has since undertaken a review of its web application firewalls, enhanced encryption key security, limited internal access to records for staff and increased its monitoring of servers and systems processing sensitive data.
Retail brokerage firm Scottrade experienced illegal network activity more than two years ago, and as a result recently suffered a major data breach. More than four million customers were targeted in spam campaigns following the breach.
Possibly the highest-profile hack of the year occurred when 37 million people had their data exposed in the Ashley Madison hack. Because of the morally sensitive nature of the company and its members, this hack caused uproar, and made cybersecurity a personal concern for many. Compromised user data was published on the Internet and used in ransom-style threats for weeks following the breach. Data encryption would have mitigated the risk arising from a breach of this scale.
The UK’s biggest data breach of the year was at mobile retailer Carphone Warehouse. More than two million customers had their personal information stolen in the attack and 90,000 customers had their encrypted credit card data stolen.
Password manager LastPass suffered a data breach this year. While it’s not clear if any data was taken during the breach, this incident shows that even the organizations that exist to keep us safe can be a target of cyberattacks.
Most recently, the JD Wetherspoon pub chain warned customers of a data breach. Security specialists discovered that in June 2015, hackers broke into a database containing the details of nearly 657,000 customers. JD Wetherspoon said there was a delay in discovering the breach because the data was held by a third-party company that formerly hosted the company’s website. This data breach highlights the necessity to ensure that any third-party suppliers can meet and exceed the cybersecurity and data protection standards that are mandated for your industry.