Was 2017 the Year of Ultimate Breaches?
10 April 2018
Last year wasn’t exactly the poster child for good cybersecurity.
Barely a month passed by without another data breach being reported.
Large businesses and household names were victims of major cyber attacks, which affected millions of people as information was hacked, stolen or left unsecured.
More personal data was compromised in the first half of 2017 than the entire year and the number of major breaches was staggering.
The Online Trust Alliance (OTA) found that attacks against businesses nearly doubled from 82,000 in 2016 to 159,700 in 2017, driven by ransomware and new methods of attack.
Incidents including the Equifax hack, WannaCry and the Gmail phishing scam undoubtedly contributed to these dramatic figures.
Worst data breaches of 2017
WannaCry is the largest ransomware attack to date. It began in May and affected an estimated 300,000 computers across 150 countries.
One of the largest organisations hit was the National Health Service (NHS). The attack compromised 26 million patient medical records, shut down computers at 80 NHS organisations and resulted in 19,000 cancelled appointments across the UK.
Yahoo suffered the largest breach of user data in history, and in 2017 revealed that it was three times larger than previously reported.
All 3 billion user accounts, not just the 1 billion originally reported, were affected by a hack the company suffered in 2013. Names, passwords and email addresses were compromised, affecting every user on Yahoo’s service at the time.
More than 145 million US customers’ data and 700,000 credentials belonging to UK users were stolen after hackers took control of a website of the credit report company.
What’s worse is Equifax failed to report it for two months and then, when they did, sent customers to a fake phishing website.
The attack is one of the largest ever seen in the US and compromised names, birth dates, addresses, social security numbers and some driving licence numbers.
Personal details of more than 14 million customers were exposed after the information was mistakenly left on an open server controlled by Israel-based Nice Systems.
The sensitive information included names, phone numbers and account PINs and could be accessed by anyone who correctly guessed the web address.
Deep Root Analytics
The data analysis company was hired by the Republican National Committee last year to gather information about American voters.
The firm leaked personal information of 200 million registered voters after more than a terabyte of data was left on an open Amazon cloud server.
The data leak exposed sensitive information about where voters stood on issues such as gun control, abortion, stem cell research and environmental issues.
The Internal Revenue Service (IRS)
Personal information of up to 100,000 taxpayers was compromised when hackers accessed the IRS’ Data Retrieval Tool.
Fraudsters used personal data obtained by identity theft to fill out financial aid applications. The tool populated the forms with tax information, which could then be used to file tax returns.
An estimated 8,000 fraudulent returns were filed, totalling $30 million. IRS filters stopped 52,000 returns, and 14,000 illegal refund claims were also stopped.
Six million Instagram accounts were exposed after hackers exploited a bug to gain access to users’ contact information.
The hackers created an online database on the dark web that contained email addresses and private phone numbers accessible to cybercriminals.
Criminals could access private user information, including details for celebrity accounts, for just $10 per search.
One million Gmail users were affected in a single hour by a phishing scam seeking to infiltrate accounts through a third-party application.
Suspicious emails were made to look like they came from trusted contacts and asked users to click on a shared Google Doc. Once opened, the hackers could access and manage the victim’s account.
What we can learn from 2017
It is likely that the hacks, scams, unsecured data and cybersecurity threats that dominated the headlines in 2017 will, unfortunately, continue in 2018.
The range of major breaches, made possible by a lack of security awareness and poor cyber practices, reminds us just how perilous the state of cybersecurity was last year.
The OTA found that around 93 percent of all breaches in 2017 could have been avoided by conducting regular software updates, blocking fake emails and training employees to recognise phishing attacks.
The insider threat, whether malicious or accidental, cannot be ignored as it represents an immediate risk to a company’s cybersecurity. Infosecurity magazine said: “Among companies experiencing data breaches, internal actors were responsible for 43 percent of data loss, half of which was intentional, and half accidental.”
As we head into 2018, we must be aware of the many threats that will find new ways to infiltrate systems and exploit vulnerabilities.