2015 Data Breach Lessons Learned

If the past two years have taught us anything, it’s that the frequency and impact of data breaches will continue to grow if organizations do not do more to implement effective cybersecurity practices. The theft and sale of personal data is big business for profit-motivated hackers, while state and non-state actors clamor to get their hands on sensitive and potentially damaging information for various intents and purposes, from extortion to espionage.

According to the Identity Theft Resource Center (ITRC), 750 data breaches reported in 2015 exposed a breathtaking 177.8 million records, more than double the amount of records compromised in 2014. The “business” category was hit with the greatest number of breaches, 301, exposing over 16.1 million records. However, the healthcare industry saw an unprecedented 121.6 million records compromised, representing 68.4 percent of all records breached in 2015. Due in large part to the Office of Personnel Management (OPM) breach, the government/military category represented 19.2 percent of all records exposed this year, compromising 34.2 million records– a 514 percent increase over 2014.

To wrap up the year, we took a look at some of the most notable breaches and identified some the lessons learned.

January 29 – Both Anthem, Inc. and Premera Blue Cross learned they had been targets of sophisticated intrusions that went undetected for many months. The intruders that infiltrated Anthem’s network accessed the personal information of over 80 million customers, resulting in the largest healthcare compromise to date. The threat actors used a watering hole attack coupled with effective email phishing campaigns to lure employees onto sites where login credentials were compromised. Premera’s breach began with an initial intrusion in May of 2014 and potentially exposed 11 million records. Prior to this incident, federal security auditors warned Premera that their network was vulnerable, as its security posture was inadequate and software patches were not being applied in a timely manner. Four months later, on May 20th, CareFirst BlueCross BlueShield announced that they, too, were targeted. The CareFirst breach resulted in the compromise of 1.1 million current and former members’ accounts. Indicators suggest that the attack methods used in this intrusion were the same as those used in the Anthem and Premera breaches.

• Lesson Learned: This year’s series of healthcare breaches drew greater attention to the increasing value of healthcare data on the black market, and therefore increased targeting by profit-motivated hackers, however, investigators reportedly linked these insurance breaches to a state-sponsored Chinese espionage group known as “Deep Panda” and “Axiom”. The targeting of healthcare organizations, coupled with the persistent targeting of federal agencies and various industries throughout the private sector, underscore the intent and capability of our nation-state adversaries – not just in the collection of trade and national security secrets, but any sensitive information on American citizens.

In order to mitigate the risks of profit-motivated theft and state-sponsored espionage, companies need to be proactive and progressive when it comes to data encryption, even if current laws or regulations do not require it. Unencrypted data is ripe for the picking by any network intruder, and moreover, it exponentially increases risk and the liability implications of data breaches. Conducting regular security audits and implementing security recommendations promptly are important strategies in protecting organizations against network intrusion and data theft.

May 15 – Penn State University revealed that their College of Engineering computer network was breached and an investigation determined the initial intrusion took place in 2012. Nearly 18,000 records containing personally identifiable information (PII) and intellectual property were exposed. Two different threat actors were identified, one of whom was traced back to China.

• Lesson Learned: Institutions of higher education are certainly not immune to cyber threats and are considered valuable targets for nation-state actors seeking sensitive research data and intellectual property, in addition to threats posed by profit-motivated hackers as well as hacktivists. In addition, it is possible for a network intrusion to go unnoticed for years, allowing plenty of time for attackers to access, view, and exfiltrate sensitive data without the victims’ knowledge. For more, read our threat analysis, “Higher Education: An Attractive Target for Range of Malicious Actors.”

May 26 – The Internal Revenue Service (IRS) revealed that hackers stole tax information of 104,000 Americans by exploiting poor user authentication steps needed to access the “Get Transcript” website application. The The number of victims was later increased to 330,000. The hackers used the personal details of each of the victims, likely obtained through social engineering or by exploiting data available through social media or other online sources, to bypass the knowledge-based security questions it used to verify users’ identities. It is believed that the attackers gathered this information to potentially use in the filing of fraudulent tax returns.

• Lesson Learned: This hack highlighted the dangers of making personal information available online via social media and other websites. Attackers can collect this information and use it to answer authentication questions that websites employ as an added layer of security to gain access to your accounts. Read more from security journalist Brian Krebs on “Don’t Be a Victim of Tax Refund Fraud in ’16.”

June 4 – The US Office of Personnel Management (OPM), disclosed information about two major breaches that exposed the sensitive data of 21.5 million Americans, including federal employees and individuals who applied for security clearances with the federal government. Evidence pointed to the involvement of a Chinese hacking group who gained access by using stolen credentials and placing a backdoor on the network. Data stolen included personnel records of classified employees, background information of prospective classified employees, and 5.6 million fingerprint records.

• Lessons Learned: Creating and maintaining a comprehensive inventory of every server, database, and device on the network is a crucial component of cyber security. Actively monitoring networks for anomalous activity and encrypting data goes a long way to prevent theft of sensitive information. Third party relationships, especially those that are granted access to the network, should be tightly controlled and monitored. Multifactor authentication for all accounts is a must to prevent the use of stolen credentials by malicious actors. For more, read our threat analysis, “OPM Breach: Reinforces Threat from Cyber Foes.”

June 15 – LastPass, an online password management company, stated it had been breached after detecting and blocking suspicious activity on its network. Although the investigation did not reveal any evidence that encrypted user vault data was stolen or that any user accounts were accessed, LastPass prompted users to change their master passwords as they acknowledged that users’ email addresses, password reminders, and authentication hashes were compromised.

• Lesson Learned: Password vaults may help create and manage complex passwords, but users are accepting additional risk in using them. If the login credentials for the manager are compromised, or vulnerabilities are exploited to gain access, user accounts would more vulnerable than ever. Instead, organizations should implement comprehensive password policies that include scheduled resets, mandatory character minimums, and requirements for uppercase, lowercase, numbers and special characters. For more information, read our blog post, “Passwords, Passwords, Passwords.”

July 15 – Avid Life Media (ALM), a Toronto-based company that owns multiple controversial dating websites, was targeted by a hacking group called “The Impact Team”, ultimately resulting in the release of account information on 32 million users. The hack was revealed when employees logged onto their computers and were greeted with a breach announcement from the hackers. The Impact Team stole users’ PII and threatened to publicly release it if ALM did not permanently take two of their dating websites offline. When ALM failed to comply with the hackers’ demands, they released a 9.7 GB of customers’ PII to the public which spurred a number of additional cyber extortion campaigns by other malicious actors.

• Lesson Learned: Although details of how the hackers obtained the data are still unclear, this breach demonstrated the importance of having a robust data management plan complete with data-level protections such as tokenization or encryption, which render stolen data useless. Cyber extortion is certainly a growing trend, and organizations must have plans and policies in place to deal with a range of threats, from ransomware and DDoS for ransom, to blackmail. For more, read our threat analysis, “Extortion: Profit-Motivated Cyber Tactics on the Rise.”

October 1 – Wireless carrier T-Mobile announced that Experian, the credit-monitoring bureau used to process financing applications, was breached, compromising the personal information of 15 million current and potential T-Mobile customers. The information stolen included the PII of customers who applied for wireless service between September 1, 2013 and September 16, 2015. Specific details surrounding the breach have not been released.

• Lesson Learned: This breach shed light on the risks posed by third parties, supply chains, and any partners with access to your data. Even if a company has all of its proverbial “ducks in a row” with regards to cybersecurity, the safety of its data, and its customers’ data, is at the mercy of all parties that transmit, access, or store that data. You are only as secure as your weakest link.

November 27 – VTech Holdings, Ltd., a children’s toy manufacturer based in Hong Kong, acknowledged that a hacker gained unauthorized access to customer data residing on their “Learning Lodge” app store database on November 14, 2015. A SQL injection attack was used against VTech’s database exposing the PII of 4.8 million parents and 6.3 million children. Three days after the initial announcement, it was discovered that thousands of pictures of children, their parents, some audio files, and a year’s worth of chat logs were also compromised in the breach, quickly raising the question of security in Internet-connected toys.

• Lesson Learned: Children’s data is not off-limits when it comes to theft, especially when toy manufacturers choose to collect and store it in insecure databases. In fact, children’s Social Security numbers are attractive targets for identity thieves, as their lack of established credit history makes it easier to carry out certain types of fraud. Parents need to be extra-vigilant and know what data their children’s toys or apps are collecting and how it’s being stored. The Federal Trade Commission provides more information for parents here.

The breaches detailed above only scratch the surface with regards to the volume of sensitive data accessed by unauthorized parties over the past 12 months. This is why the NJCCIC is committed to arming our businesses, local governments, and citizens with the information and resources they need to protect their networks and keep their data secure in 2016 and beyond.