Despite multiple layers of security, and IT pros devoted to keeping networks safe, the bad guys keep winning. Instead of our monthly Hack Hall of Shame, in December we are counting down the top 10 worst hacks from 2015 together with some lessons on how to keep safe in 2016.
VTech has 4.8 million records pinched
Toys are no longer just made of wood, cloth and plastic. I bought my daughter a robotic dog and a singing doll with sound recognition for Christmas. With these advances, toymakers, such as VTech, started collecting information not just about their grownup buyers, but the kids who use the toys.
This year hackers nabbed nearly 5 million records. What’s worse, they got the personal information of about 200,000 children. Scary.
Lesson: Always make sure to ask for complex passwords.
ProtonMail gives in to (USD) $6,000 hacker demand
Ransomware had a big year in 2015. Even tech companies such as ProtonMail fell victim. ProtonMail likely had no choice at giving in to the demands but it did set a very dangerous precedent, and the company was heavily criticized for it. But Proton bills itself as selling secure encrypted email, and it couldn’t let hackers continue to wage DDOS attacks that keep customers from their messages.
While not the typical ransomware attack that locks up data, it was nonetheless an attack that came with a ransom.
Lesson: Paying a ransom only encourages similar attacks.
T-Mobile has 15 million customers compromised
The numbers of those impacted by breaches kept on growing in 2015. Cellular provider T-Mobile had records of 15 million customers in the US breached. It wasn’t all T-Mobile’s fault – the records were held by Experian, a credit checking and reporting company.
T-Mobile promises to be more careful. “Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected,” said John Leger, CEO of T-Mobile in a statement.
Lesson: Make sure partners that hold your data have high standards of protection.
Cheaters never win when hackers take aim
When your aim is to cheat on your partner, secrecy is a must. Millions of clients of the Ashley Madison website found out the hard way that secrecy is never a given on the Internet.
First the Ashley Madison database was cracked and weeks later the names and passwords of 12 million of the rascally customers were cracked. Divorce lawyers are now having a field day.
Lesson: If you play, be prepared to pay.
ICANN can’t keep credentials safe
The Internet Corporation for Assigned Names and Numbers (ICANN) is in many ways a guardian of the Internet. Unfortunately its own defenses weren’t enough to prevent hackers from compromising user names, email addresses and password hashes.
Lesson: If you haven’t done so already, change your ICANN password.
Android beset by remote code execution (RCE) exploit
Android is used by millions around the world, and the bigger the user base the bigger the hacker target. RCE is one of the most dangerous kinds of attack because, as the name denotes, it allows a hacker to install and then run malware of all shapes, sizes and impacts.
Stagefright, Androids media playback subsystem, is the code that was so effectively cracked. Nearly a billion Android devices were compromised.
Lesson: Phones are easily lost, stolen and hacked so be careful of what you keep stored on the handy little devices.
US personnel office gives up millions of government worker records
The United States Office of Personnel Management got a big black eye when millions of employee records were exposed in a massive data breach. The agency, in response, offered those impacted free identity theft education.
Lesson: If you think your data is safe, go ahead and add another layer or two of protection anyway.
IRS loses 10,000 tax records to hackers
The US Internal Revenue Service (IRS) a couple years back was hit by hackers that stole refund checks. In 2015, it had 100,000 tax records stolen. The records were complete tax returns that include enough personal information such as social security numbers to make identity theft a snap.
Lesson: The hackers cracked the IRS’ multi-factor authentication. If you have something you want to protect, make sure the authentication is state of the art and carefully protect usernames and passwords.
Password management firm loses passwords
Yikes! LastPass, a password management vendor, was hit by a data breach. The good news is that the passwords were encrypted and likely not cracked.
Lesson: Take your own password management seriously, and use encryption whenever possible.
Health insurance provider Anthem has records of 80 million people taken
Anthem, an insurance provider, suffered a horrible breach that let hackers access full medical records of 80 million patients. This isn’t just a massive privacy problem, but these records also included finances and social security numbers.
Lesson: Securing data with perimeter defenses isn’t enough. The important stuff should be strongly encrypted. If you keep it, encrypt it!