9 Biggest Hacks/Leaks of 2017

2017 was a year where nothing seemed safe. Bombshell hacks and serious security breaches were experienced in both the government and the private sector.

2017 was hit with a high number of cybersecurity meltdowns, ranging from stolen credit card numbers to global ransom campaigns that cost private companies millions of dollars. As we do more and more of our business online, hackers too are developing sophisticated ways of either spreading ransomware or stealing crucial data that is vital for our businesses and government operations.

In a report released by Bitdefender, it was found that ransomware payments doubled in 2017, hitting a record $2 billion, as compared to 2016. According to Trend Micro, if the trend continues, ransomware will most likely hit $9 billion by the end of 2018. With that being said, this article outlines and explains 9 of the biggest hacks and data breaches of 2017.

Equifax

Credit reference agency Equifax revealed that the information of approximately 143 million of its US customers was breached in May of 2017. The most vital information exposed by this leak was the Social Security numbers of its 143 million American users. Other information revealed included names, birth dates, addresses, and driver's license numbers. As many as 209,000 users also had their credit card numbers exposed.

Due to the nature of the information revealed, all of its users are now potential targets for identity theft. It was recommended that anyone affected by the breach put a freeze on their credit report to prevent further damage.

The hack didn’t only include American users. It was revealed that limited information was also leaked regarding British and Canadian users. Four main groups of UK users were identified, including almost 640,000 phone numbers and 30,000 driving license numbers. 12,000 users’ email addresses and 15,000 Equifax membership details were also exposed.

This massive data hack led to the resignation of the company’s chairman and CEO, Richard Smith.

There was also some controversy regarding the timing of the company’s statement about the hack. Several high-ranking members of the firm exercised their right to sell off stock options worth millions of dollars between the time the breach was discovered and the time it was revealed to the press.

NSA

Although this story started as early as August 2016, the majority of the damage caused was revealed over the course of 2017. The Shadow Brokers hacking group had been releasing classified information believed to be from the NSA via Twitter and Pastebin. The posts asked criminals to send bitcoin bids in return for hacking tools used by the NSA.

On April 8, 2017, the group released the hacking tools they claim to have stolen from the NSA’s own Equation hacking group. In total, they released more than one gigabyte of software used to exploit Microsoft products. By the time the group released the NSA’s leaked hacking tools, Microsoft had already patched all of the 0-day exploits they utilized.

The hacking tools weren’t the only thing that the notorious hacking group appears to have stolen from the NSA. They have revealed other information, such as the 2017 Shayrat missile strike, President Trump’s attack against a Syrian airfield.

NHS

Following on from the release of the NSA’s hacking tools, we have the 12 May 2017 ransomware attack on the UK’s National Health Service. The NHS became the target of a fast-spreading ransomware called WannaCry. This ransomware encrypted the computer’s data and demanded a payment in the untraceable cryptocurrency, bitcoin. The WannaCry attack was created off the back of the exploits released by the Shadow Brokers previously.

Even though Microsoft had patched all of the 0-day exploits used in the NSA’s tools, the NHS still had thousands of computers not updated. This led to over one-third of NHS organizations being disrupted, with thousands of NHS computers infected by the ransomware. Eventually, a kill switch was found for the ransomware which meant that devices were no longer locked.

Due to the scale of the attack, thousands of appointments and operations were canceled. The effect of the attack was still being felt weeks later as a huge backlog had been created.

 

US Voter database

In June 2017, more than 198 million US voters’ personal information was leaked. This information wasn’t hacked but instead was available to browse due to a security misconfiguration. The database was stored on Amazon S3 servers by data firm Deep Root Analytics. Although the information revealed by this leak isn’t much more than what is publicly available already, the sheer volume of aggregated data makes it valuable to would-be cybercriminals.

The leak was discovered by Chris Vickery of security analyst firm UpGuard. A large part of the company’s research involves scanning the internet for any publicly accessible information. This led to the firm not only finding the US voter database but also databases relating to Mexican and Philippine voters.

Macron Campaign

Another political entry on our list is the “massive and coordinated” hacking attack on now French President Emmanuel Macron. In the last few days of the run-up to election day in May 2017, several gigabytes of information was uploaded to document sharing site Pastebin by an anonymous poster. The Macron campaign team revealed that tens of thousands of internal emails, along with other documents, had been breached. The files were initially spread on 4chan, a site which is popular with far-right leaning posters.

The En Marche! campaign team claimed that this was not the first time that they had come under attack. A statement claimed they had “consistently been targeted by such initiatives” during the entire presidential campaign of 2017. They also claim that many false documents had been added to the leak in an attempt to spread disinformation.

Due to the timing of the hack, neither presidential candidate could comment on the subject. This was due to France’s laws on presidential campaigning, which ban communications before the polling stations opened.

Cloudflare

February 2017 saw a security bug in the popular content delivery network Cloudflare expose millions of users’ data. The leak, named Cloudbleed after the infamous Heartbleed bug discovered in 2014, exposed data such as passwords and security tokens.

The Cloudbleed bug was discovered by Google Project Zero researcher Tavis Ormandy. He discovered a buffer overflow issue in Cloudflare’s servers that meant that sensitive data could be returned by the proxy servers accidentally. This data was then being cached by search engines such as Google.

In response to the bug, Cloudflare disabled several of its features (Email Obfuscation, Server-side Excludes and HTTPS rewrites) to stop the leak. The company didn’t notify its users by itself; Ormandy followed policy and waited seven days before releasing his findings publicly. Following this public release, Cloudflare confirmed the security flaw whilst also reassuring customers that any information would now have been flushed from search engine caches.

Verizon

Chris Vickery of UpGuard pops up again after discovering a Verizon customer database unprotected from public access. This database was stored on Amazon’s S3 cloud servers by a third-party vendor used by Verizon, NICE Systems. The database contained sensitive information for up to 6 million Verizon customers. Information such as PIN codes to verify customers were listed, alongside the customers’ phone numbers. This information is enough for anyone to access any of the Verizon customers’ accounts, even with two-factor authentication enabled.

With access to a customer’s account, cybercriminals could potentially add extra lines to a Verizon account, leading to extra unwanted charges. The database was created from information gleaned when people contacted customer service over a 6 month period. Both business and residential customers’ data was exposed in the leak.

It turned out that the leak by NICE Systems had occurred when they uploaded the database to the S3 service and marked it as public. Verizon did not offer a way to check if a user’s PIN was exposed, although it did recommend that all users change their PIN as a precautionary measure.

Uber

One of the biggest hacks of 2017 technically took place in 2016. Ridesharing app Uber concealed the breach of 57 million customers’ personal data in October 2016 by failing to notify both its users and regulators.

Like other hacks we saw in 2017, the information taken was stored on a third-party cloud service. This information was reportedly accessed by two hackers and in a surprising move, Uber decided to pay the hackers a ransom of $100,000 (£75,000 at the time) to delete the data and keep quiet about the information.

The information stolen included users’ names, phone numbers, and email addresses. Drivers for the firm had more sensitive information taken, including their driving license numbers. Uber confirmed that highly sensitive information such as dates of birth and social security numbers was not revealed during the hack.

Uber’s chief executive Dara Khosrowshahi stated, “None of this should have happened, and I will not make excuses for it”. Uber stated at the time that it was actively monitoring the situation, and Uber’s then chief security officer Joe Sullivan was forced to resign.

Yahoo

2017 saw the acquisition of internet giant Yahoo by Verizon Communications. Unfortunately, it also saw Yahoo release information about the biggest data breach in history.

Yahoo had revealed information about a data breach before its acquisition, which led to a drop in the acquisition price of over $300m. Verizon then went on to hire external forensic investigators and new information came to light.

Verizon revealed in October 2017 that information from over 3 billion Yahoo accounts had been stolen in August 2013. Data taken included names, email addresses, and hashed passwords but no financial information of its users. Unencrypted user security questions were also breached. Yahoo sent emails to affected accounts and prompted all users to update their passwords at the time.

Experts have stated that it is common for data security breach estimates to be initially on the lower end, but I do not believe anyone would have guessed that 3 billion accounts could be breached at one time.

To conclude…

Apart from the 9 biggest hacks of 2017 listed in this article, there were many other major security breaches that took place in the past year. Those we didn’t mention include the HBO data leak, the Kaspersky controversy, the River City Media leak, the LastPass hack and finally, the Sony Pictures hack.

Looking at a majority of these security breaches, you’ll discover that data was lost through rather straightforward exploits. Unfortunately, it doesn’t matter how vigilant you are with your data; until big business takes security seriously, we are all at risk. Let’s hope for a safer 2018.
