Top data breaches in 2015

2015 is the year that every organization woke up to the dire state of security. As the year comes to an end, we look back on some of the high-profile top data breaches and the damage they have done.

Weak login at heart of healthcare breach

The second-largest health insurer in the US disclosed that it fell under attack in February. The personal information of 80 million people was exposed – not only medical records but also personally identifiable information. The hackers got the credentials of five Anthem technology workers, and used targeted phishing campaigns to trick network administrators into revealing login information. What made matters worse was that the data wasn’t encrypted and was easily readable by hackers. Investigations suggested that the scale of this breach could have been limited if there were additional security measures in place. The hackers wouldn’t have been able to access its customers’ personal information without a second factor such as a mobile SMS code, and even if they were able to defeat this layer of defense, encryption of data would have further protected it from being stolen.

Notorious IT security breach exposes secret affairs 

The attackers posted personal information of 37 million users of Ashley Madison – an online dating website that encourages extramarital affairs. The identity of the hacker(s) carrying out the attack called itself “Impact Team” has not been determined but security experts suggested that this was an inside job. The tech evidence supported the claim that it was done with local access and not remotely. Most companies have increased focus on security protocols against external hackers but many still miss the mark on protecting against insider threats. It is possible the Ashley Madison incident could have been prevented if they had been following information security standards and used systems capable of detecting insider threats.

Entertainment hack highlights security failures

This hack happened at the end of 2014 but continues to haunt Sony until this day with a financial loss of $35 million and counting. Hackers broke into Sony Pictures and revealed confidential data ranging from unreleased film scripts to employee information to internal business documents. While it is difficult to determine the cause of this attack, details about the attack revealed several security red flags including the storage of sensitive system-level passwords in plaintext in Excel spreadsheets and the usage of extremely weak passwords. What could have been done to mitigate the risks? The bare minimum would have been to implement a stricter password policy on privileged accounts and promoting better password practice amongst its employees.

Government doesn’t do it better

In May the Internal Revenue Service (IRS) announced a major data breach. Hackers got personal information from an unnamed outside source and used that data to access taxpayers’ IRS accounts. They stole more than 100,000 tax records and claimed $50 million in refunds. The IRS hack exposed several security weaknesses including reliance on password and personal data for user authentication. The knowledge-based method assumes that if the person knows the correct answers, then that person is the authentic account holder. But the questions such as previous address, loan amounts and dates that IRS required, could be successfully enumerated with random guessing. A more secure way to confirm identity is multi-factor authentication requiring hackers to provide another form of identification which would make the attack exponentially harder.

What are the top 2015 breaches on your list? And what do you think companies should do to turn the tide against cyberattacks in 2016?