Hacks are occurring at an ever-increasing rate, and the need for network security, information security and overall cybersecurity has never been greater. The following is a compilation of 30 of the most significant cybersecurity hacks to date. The list is in two parts: one for worms, malware outbreaks and attacks on public systems, and one for data breaches against specific organizations. Both kinds of incident are dangerous and require security at both the personal and the corporate level.
Viruses, Worms and Personal Hacks
1. Conficker:
In late 2008 a tenacious worm was discovered that has since infected millions of Windows computers (estimates in early 2009 ran as high as 9 to 15 million). Conficker is a worm rather than a virus: it spreads by itself, exploiting a flaw in the Windows Server service (MS08-067), guessing weak passwords on network shares and riding on the autorun feature of USB drives. Infected machines check in to rendezvous domains that the worm generates afresh each day, so its author can update it and issue commands. A network of compromised computers answering to a single controller is called a 'botnet', and although Conficker has never been used for a major attack, it places millions of machines within a single grasp. That is an enormous amount of computing power at the disposal of the program's author, who has never been publicly identified.
2. Operation Get Rich:
While many hacks are carried out for political, social or attention-grabbing reasons, Operation Get Rich or Die Tryin' was about money. Albert Gonzalez and his associates broke into the networks of retailers and payment processors, in several cases through SQL injection against their web applications, and harvested credit and debit card numbers. Once a batch of card numbers was compiled, it was sold through underground carding markets for a large profit. It is estimated that over 170 million card numbers were stolen between 2005 and 2007. The reason this is known is that Gonzalez was caught; in 2010 he was sentenced to 20 years in prison.
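SQL injection, the entry technique named above, is easiest to understand with both the defective and the corrected query side by side. The following is an added example written for this page, not code from any of the breached companies: a constructed in-memory SQLite database stands in for a retailer's back end, and the table and column names are invented for illustration.

```python
"""SQL injection against a constructed in-memory SQLite database (added example;
not code from any of the breached companies). Table and column names are
invented for illustration."""
import sqlite3


def build_db():
    """Stand-in for a retailer's back end: a customers table and a staff table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_number TEXT);
        INSERT INTO customers (email, card_number) VALUES
            ('alice@example.com', '4111111111111111'),
            ('bob@example.com',   '5500000000000004'),
            ('carol@example.com', '340000000000009');
        CREATE TABLE staff (username TEXT, password_hash TEXT);
        INSERT INTO staff VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def lookup_vulnerable(conn, email):
    """DEFECT: attacker-controlled text is pasted into the SQL statement, so
    quotes and keywords in the input change the query's meaning."""
    sql = "SELECT email, card_number FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: the driver sends the value separately from the
    statement, so the input can never alter its structure."""
    sql = "SELECT email, card_number FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology and
# dumps every row; the second appends a UNION to read a different table.
DUMP_ALL = "x' OR '1'='1"
UNION_STAFF = "x' UNION SELECT username, password_hash FROM staff WHERE '1'='1"


def demo():
    conn = build_db()
    return {
        "honest_vuln": lookup_vulnerable(conn, "alice@example.com"),
        "dump_vuln": lookup_vulnerable(conn, DUMP_ALL),
        "union_vuln": lookup_vulnerable(conn, UNION_STAFF),
        "honest_safe": lookup_safe(conn, "alice@example.com"),
        "dump_safe": lookup_safe(conn, DUMP_ALL),
        "union_safe": lookup_safe(conn, UNION_STAFF),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12} -> {rows}")
```

Both functions return the same single row for an honest email address. Against the vulnerable function the tautology payload returns every card in the table and the UNION payload reads the staff table; against the parameterised function both payloads are just a very odd email address that matches nothing.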
3. Spamhaus DDoS:
When Cyberbunker, a Dutch hosting provider operating out of a former NATO bunker, found itself blacklisted by Spamhaus, one of the largest anti-spam blocklist services (it is used to reject huge volumes of unsolicited email around the world), the response in March 2013 was a 'Distributed Denial of Service' attack larger than any seen to that point. It was a DNS reflection attack: spoofed queries sent to open DNS resolvers produced much larger responses aimed at Spamhaus, and at its peak the flood reached roughly 300 gigabits per second, enough to cause congestion at internet exchanges across Europe. The head of Cyberbunker, Sven Olaf Kamphuis, was arrested in Spain in April 2013 and convicted in the Netherlands in 2016.
4. Stuxnet:
This malware (malicious software) had a specific target: Iran's uranium enrichment programme. It was discovered in June 2010, although components have been traced back as far as 2005. Stuxnet spread between Windows machines (via USB drives and several zero-day flaws) but did nothing harmful unless it found Siemens Step7/WinCC software controlling the S7 programmable logic controllers that ran the centrifuges at Natanz. There it periodically altered the frequency of the centrifuge drive motors while replaying normal readings to the operators, stressing the machines until they failed; roughly 1,000 centrifuges are believed to have been destroyed. The operation is widely attributed to a joint effort by two governments, neither of which has acknowledged any role. Stuxnet is the clearest example of state participation in hacking, and it poses an ethical dilemma that has yet to be resolved: how much covert impact may one country have in another sovereign state?
5. Dallas City Warning System:
In an example of the risk hacking poses to civil infrastructure, the emergency warning system in Dallas was hijacked in April 2017, and all 156 of the city's warning sirens sounded from about 11:40 pm on Friday 7 April until 1:20 am on Saturday. The system is designed to alert residents to impending danger from severe weather or "other emergencies", so many residents took the sirens to mean a military attack or terrorist activity. The panic generated more than 4,000 calls to 911 from people seeking information. Administrators shut the system down, but each time it was brought back up the sirens blared again, showing that the attack was ongoing. City officials later said the sirens had not been reached over a computer network at all but were triggered by radio, by someone transmitting the tone sequences the sirens are commanded with. The matter is still under investigation.
6. WannaCry:
Considered the largest ransomware attack to date (ransomware encrypts the files on a computer and then demands payment before the owner can access them again), the WannaCry outbreak of May 2017 is an example of the insidious nature of hacking. WannaCry was a worm: it spread on its own using EternalBlue, an exploit for a flaw in the Windows SMBv1 file-sharing protocol that had been developed by the NSA, stolen, and published by the Shadow Brokers group in April 2017. Microsoft had patched the flaw in March 2017 (MS17-010), but unpatched machines were infected in over 150 countries, including many government systems; the United Kingdom's National Health Service was hit hard, with some hospitals able to offer only emergency services.
Data Breaches: Hacks against specific organizations
7. iCloud Credential Stuffing:
This was an extortion attempt rather than ransomware, but it exposes the hazard of reused passwords and the long tail of old breaches. In this "hack that didn't really happen", the attackers aggregated data from hundreds of previously breached databases, matched up records on common email addresses and passwords, and so compiled a list of credentials likely to work against iCloud, which they then used to log in to Apple accounts while demanding a ransom from Apple. Apple stated that its own systems had not been breached. While not strictly a hack in the sense of a direct breach of a provider's security, the episode (it started in May 2017) is still active, as Apple users are being locked out of their accounts. The technique is known as credential stuffing, and it shows how information that is already public can be combined to compromise accounts without attacking the provider at all.
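Credential stuffing has a recognisable shape in authentication logs: one source trying many different usernames with a high failure rate, as opposed to brute force, which hammers one username. The following detector is an added example for this page, not Apple's code; the log format and the sample lines are constructed for the illustration, and a real deployment would adapt the regular expression to its own identity provider's logs.

```python
"""Detecting credential stuffing in authentication logs (added example, not
Apple's code). The log format and sample lines are constructed; adapt LINE_RE
to your own IdP or web server log format."""
import re
from collections import defaultdict

# Constructed sample: one source spraying leaked email/password pairs across
# many accounts (one pair still works), one source brute-forcing a single
# account, and ordinary users logging in.
SAMPLE_LOG = """\
2017-05-03T10:12:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2017-05-03T10:12:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2017-05-03T10:12:02Z ip=203.0.113.5 user=carol@example.com result=OK
2017-05-03T10:12:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2017-05-03T10:12:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2017-05-03T10:12:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2017-05-03T10:12:04Z ip=203.0.113.5 user=grace@example.com result=FAIL
2017-05-03T10:12:05Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2017-05-03T10:20:00Z ip=198.51.100.7 user=bob@example.com result=FAIL
2017-05-03T10:20:01Z ip=198.51.100.7 user=bob@example.com result=FAIL
2017-05-03T10:20:02Z ip=198.51.100.7 user=bob@example.com result=FAIL
2017-05-03T10:20:03Z ip=198.51.100.7 user=bob@example.com result=FAIL
2017-05-03T10:20:04Z ip=198.51.100.7 user=bob@example.com result=FAIL
2017-05-03T10:20:05Z ip=198.51.100.7 user=bob@example.com result=FAIL
2017-05-03T10:31:10Z ip=192.0.2.10 user=alice@example.com result=OK
2017-05-03T10:45:12Z ip=192.0.2.44 user=dave@example.com result=FAIL
2017-05-03T10:45:30Z ip=192.0.2.44 user=dave@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.8):
    """Label each source IP.

    Credential stuffing: many *different* usernames from one source with a high
    failure rate (most leaked pairs no longer work). Brute force: one username
    hammered repeatedly. The thresholds are illustrative, not tuned."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, evs in by_ip.items():
        attempts = len(evs)
        fails = sum(e["result"] == "FAIL" for e in evs)
        distinct_users = len({e["user"] for e in evs})
        if attempts < min_attempts or fails / attempts < min_fail_ratio:
            verdicts[ip] = "normal"
        elif distinct_users >= min_distinct_users:
            verdicts[ip] = "credential_stuffing"
        else:
            verdicts[ip] = "brute_force"
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts a stuffing source successfully logged in to: these users reused
    a leaked password and need a forced reset, not just an alert."""
    return sorted(
        e["user"] for e in events
        if e["result"] == "OK" and verdicts.get(e["ip"]) == "credential_stuffing"
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    v = classify_sources(evs)
    print(v)
    print("force reset:", compromised_accounts(evs, v))
```

The important output is not the list of offending IPs (attackers rotate them) but the accounts on which a stuffing source succeeded: those are the users whose reused password has already been confirmed to work, and they are the ones who end up locked out of their own accounts if nobody forces a reset first.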
8. VeriSign:
Perhaps the most troubling aspect of the data breach at VeriSign was how the company handled it. VeriSign, which operates the registry for the .com and .net domains and two of the internet's root DNS servers, was breached several times during 2010 but did not disclose the attacks until a regulatory filing the following year; even then it was not forthcoming with details, except to say that it did not believe its DNS (Domain Name System) infrastructure had been affected. The only statement released by the company admits that "access was gained to information on a small portion of our computers and servers." The breach demonstrates that no system is immune to attack, and that delayed, vague disclosure compounds the damage.
9. Sabre Systems:
Travel technology company Sabre revealed a data breach in May 2017. Its SynXis Central Reservations system is used by hotels to manage guest reservations, including payment card details. An attacker used compromised account credentials to access the system, and as a result many of Sabre's hospitality clients had to notify guests that reservation and payment card data had been exposed.
10. OneLogin:
An identity provider is the guardian of access to every application behind it, so its own security has to be beyond reproach. In May 2017 OneLogin, a popular single sign-on and password management service, announced that an attacker had used stolen AWS keys to access its cloud infrastructure. The company explained that sensitive data is stored encrypted, but acknowledged that the attacker may also have obtained the ability to decrypt it. The lesson is that compromising an identity provider compromises every service that trusts it, and that encryption at rest does not help when the keys sit next to the data.
11. Cellebrite:
Cellebrite, the Israeli mobile forensics firm whose tools are used by law enforcement to extract data from locked iPhones and other devices, was itself hacked in January 2017. Hundreds of gigabytes of sensitive corporate information were taken, reportedly including a client list (the agencies and companies that purchased its phone-cracking technology), various databases and a large amount of technical data about Cellebrite's products. The company confirmed the loss but said it was not aware of any "increased risk" to its clients' information.
12. Wonga:
Wonga, the payday loans company, admitted in April 2017 that it had suffered a data breach. The attack affected over 250,000 customers of the British company and compromised personal information including addresses, bank account details and partial card numbers. Customers were notified via email that the company was "urgently investigating illegal and unauthorised access to the personal data of some of its customers in the UK and Poland."
13. DaFont:
Font-sharing website DaFont was attacked in May 2017, resulting in the theft of usernames, email addresses and passwords for nearly 700,000 users. The passwords were hashed rather than stored in the clear, but with the obsolete, fast MD5 algorithm, so over 98% of them were cracked simply by hashing common passwords and comparing the results.
14. PoliceOne:
PoliceOne, an online forum for law enforcement officers, was attacked in 2015, although the news did not emerge until early 2017. The hacker took over 700,000 user accounts, including ones registered with FBI and DHS email addresses. Notably, the site ran outdated forum software and hashed passwords with MD5, an algorithm designed for speed rather than for protecting passwords, so the hashes could be cracked quickly. (Hashing is the right way to store passwords; the failure was the choice of a fast, outdated hash instead of a slow, salted one such as bcrypt.)
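The DaFont and PoliceOne entries both turn on the same point: a fast, unsalted hash lets an attacker crack every account with a single pass over a wordlist, while a salted, deliberately slow hash forces a full pass per account. The following is an added example written for this page, not code from either site; the user records and the wordlist are constructed, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt because it needs no third-party package.

```python
"""Why fast, unsalted hashes fall so quickly, on constructed user records
(added example; not DaFont's or PoliceOne's code). Contrasts unsalted MD5 with
a salted, deliberately slow KDF (PBKDF2-HMAC-SHA256 from the standard library;
bcrypt, scrypt or Argon2 are the usual production choices)."""
import hashlib
import hmac
import os

# Constructed accounts: five weak passwords (two users share one) and one strong.
USERS = {
    "alice": "password",
    "bob": "123456",
    "carol": "letmein",
    "dave": "fontlover",
    "erin": "Tq9!vR2#xL8m-Zw4",
    "frank": "password",
}
# Tiny stand-in for the multi-million-entry wordlists crackers actually use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "fontlover", "monkey"]
ITERATIONS = 100_000


def md5_unsalted(password):
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(hashes, wordlist):
    """One MD5 per wordlist entry cracks *every* account at once: the attacker
    builds a lookup table and all users sharing a password fall together.
    Returns (user -> password, number of hash computations)."""
    table = {md5_unsalted(w): w for w in wordlist}
    found = {u: table[h] for u, h in hashes.items() if h in table}
    return found, len(wordlist)


def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Salted, slow hash in a self-describing storage format (the format is ours)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(records, wordlist):
    """With per-user salts there is no shared table: each account costs a full
    wordlist pass at the KDF's price. Returns (user -> password, KDF calls)."""
    found, calls = {}, 0
    for user, stored in records.items():
        for w in wordlist:
            calls += 1
            if pbkdf2_verify(w, stored):
                found[user] = w
                break
    return found, calls


def demo():
    md5_db = {u: md5_unsalted(p) for u, p in USERS.items()}
    kdf_db = {u: pbkdf2_hash(p) for u, p in USERS.items()}
    md5_found, md5_ops = crack_unsalted(md5_db, WORDLIST)
    kdf_found, kdf_ops = crack_salted(kdf_db, WORDLIST)
    return {
        "md5_cracked": md5_found,
        "md5_hash_ops": md5_ops,
        "md5_duplicates_visible": md5_db["alice"] == md5_db["frank"],
        "kdf_cracked": kdf_found,
        "kdf_calls": kdf_ops,
        "kdf_duplicates_visible": kdf_db["alice"] == kdf_db["frank"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what the slow, salted hash does and does not buy: the five trivial passwords are still recovered, because no amount of hashing protects "123456", but each one now costs a separate run of 100,000 SHA-256 rounds instead of sharing a single 7-entry lookup table, and two users with the same password no longer produce the same stored value. Against a real wordlist and a real user base that multiplies the attacker's work by the number of accounts and by the iteration count, which is why a good hash has to be paired with a ban on common passwords.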
15. Bell Canada:
Canada's largest telephone provider, Bell Canada, was attacked in May 2017 and information for about 1.9 million customers was compromised: mainly active email addresses, plus names and active telephone numbers for roughly 1,700 of them. According to one user, "I was locked out of my phone, service was cut and when I called Customer Service, was told someone had ordered a Samsung Galaxy 8 on my account." Whoever obtained the stolen data had used the email address on the account to trigger a password reset and take it over. In this case the hijacker also downloaded apps from the Google Play store at a cost of $45, a charge the customer is still disputing with the company.
16. Verizon (NICE Systems):
In another high-profile telecom incident, data on some six million Verizon customers who had contacted customer service over a six-month period was left exposed on the internet in 2017. NICE Systems, an Israeli vendor whose software analyses recorded customer service calls for Verizon, had stored the raw records in an Amazon S3 bucket configured to allow public access, so anyone who found the bucket's address could download them. The data included customer names, addresses, phone numbers and account PINs, the very PIN a customer uses to prove identity when calling Verizon; it is not known whether anyone other than the researchers who reported the exposure downloaded it.
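The misconfiguration in the Verizon/NICE case is mechanical and easy to check for: an S3 bucket becomes world-readable either through an ACL grant to the AllUsers (or AuthenticatedUsers) group or through a bucket policy that allows a wildcard principal. The following checker is an added example for this page, not NICE's or Verizon's code. The ACL and policy documents are constructed, but they follow the shape returned by the S3 GetBucketAcl and GetBucketPolicy APIs (which is also what `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` print); the bucket names and account IDs are invented.

```python
"""Flagging an S3 bucket that is readable by the world (added example, not
NICE's or Verizon's code). The ACL and policy documents are constructed but
follow the shape of S3 GetBucketAcl / GetBucketPolicy output; bucket names and
account IDs are invented."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to the world or to any AWS account.
    AuthenticatedUsers is effectively public: anyone can create an AWS account."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_wildcard(principal):
    """Policy principals come as "*", {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return Allow statements with a wildcard principal and no Condition.
    Conditioned statements (e.g. limited to a VPC or source IP) are skipped here;
    in a real audit they deserve a manual look rather than a free pass."""
    if not policy:
        return []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if _principal_is_wildcard(st.get("Principal")):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append((st.get("Sid", "<no Sid>"), tuple(actions)))
    return findings


def is_public(acl, policy=None):
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy))


# Constructed example documents ---------------------------------------------
OWNER = {"Type": "CanonicalUser", "ID": "c0ffee" * 10}
OPEN_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
LOCKED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-call-recordings/*"
  }]
}""")
LOCKED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AnalyticsRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-call-recordings", "arn:aws:s3:::example-call-recordings/*"]
  }]
}""")

if __name__ == "__main__":
    print("open ACL   :", public_acl_grants(OPEN_ACL))
    print("open policy:", public_policy_statements(OPEN_POLICY))
    print("locked     :", is_public(LOCKED_ACL, LOCKED_POLICY))
```

An ACL READ grant to AllUsers is exactly the "Everyone can download" setting that exposed the Verizon records. Today the account-level S3 Block Public Access setting (added by AWS in 2018) will refuse both the ACL and the policy shown as open here; for buckets created before it existed, or in accounts where it is switched off, a periodic check of this kind across every bucket is still worth running.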
17. Adobe:
In 2013 Adobe was attacked and information on 38 million active user accounts was compromised, but the impact did not stop there: records for some 150 million accounts in total were taken, along with about 3 million encrypted customer credit card numbers. The passwords were not hashed but encrypted with a single key using 3DES in ECB mode, so every user with the same password had the same ciphertext, and the plaintext password hints stored alongside them let researchers recover large numbers of passwords without ever obtaining the key. In 2015 Adobe settled a class action alleging violations of the Customer Records Act and unfair business practices; the settlement terms are confidential, but the company paid over $1 million in legal fees on top of the customer settlement.
18. RSA Security:
Many employees who access their company's network remotely are familiar with the SecurID token used to generate one-time login codes. In 2011 RSA Security suffered a cyber attack that compromised information related to its SecurID two-factor authentication products, potentially weakening the roughly 40 million tokens then in use. The intrusion began with 'phishing' emails to RSA employees carrying a spreadsheet that exploited a then-unpatched Adobe Flash flaw; RSA later said two separate hacker groups working for a foreign government had coordinated the effort. While the company maintained that no customers' networks were accessed illegally, suspicion lingered because of attacks on defence contractors shortly after the breach, and RSA eventually offered to replace customers' tokens. RSA did not help matters by being vague in its announcement of the attack. The lesson is that everyone is vulnerable to attack, even the security providers.
19. The Home Depot:
Point-of-sale malware proved to be the undoing of The Home Depot: attackers got in using a third-party vendor's credentials, installed custom memory-scraping malware on self-checkout terminals, and over roughly five months captured payment card data for 56 million customers. In September 2014 the company announced that card data had been stolen from its payment systems since April; about 53 million customer email addresses were taken as well. The company later settled consumer legal actions for an estimated $19.5 million, covering reimbursement of losses and identity protection services for affected customers.
20. JP Morgan Chase:
A 2014 hack against JP Morgan Chase compromised contact information for 76 million households, nearly half of all households in the United States, plus some 7 million small businesses. Stolen information included names, addresses, phone numbers, email addresses and internal notes about the customers stored in Chase's systems. The nation's largest bank advised that no customer money was stolen and that there was "no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack." However, the attackers reportedly gained root-level access to more than 90 servers, having entered through a server that had not been upgraded to two-factor authentication, so they could in principle have altered or closed accounts or moved money.
21. Edmodo:
Edmodo, an education platform with some 77 million accounts, was breached in May 2017. According to Vice's Motherboard the account data, which then appeared for sale on the dark web, included usernames, email addresses and hashed passwords; in this case the passwords had been hashed with bcrypt and salted, which makes them far more costly to crack than the MD5 hashes in the DaFont and PoliceOne breaches.
22. Sony PlayStation Network:
In April 2011, 77 million Sony PlayStation Network accounts were compromised, demonstrating that it isn't only traditional business entities that are vulnerable. Sony took the service down for 23 days to resolve the security problem and manage the customer fallout, at an estimated cost of $171 million. The intruders obtained full names, addresses, email addresses, passwords and purchase history from account profiles, and Sony acknowledged that as many as 12 million credit card numbers may also have been exposed. As a result of the attack, Sony agreed in 2015 to a $15 million settlement of a class action lawsuit stemming from the data breach.
23. Anthem:
Anthem, the second-largest health insurer in America, disclosed in 2015 that an employee of one of its subsidiaries had clicked on a link in a phishing email and given the attackers a foothold that grew into the largest data breach in the healthcare industry to date. The result was the loss of personal information, including names, addresses, Social Security numbers, dates of birth, income data and employment information, for nearly 79 million current and former customers. That is the complete ingredient list for identity theft, and the true total impact is not yet known. At the time of this writing the company maintained that there was no evidence of the information circulating on the dark web. Yet.
24. TJX Companies:
The parent company of retail brands such as TJ Maxx and Marshalls discovered in December 2006 that it had been breached; the intrusion had begun in 2005 and ultimately exposed some 94 million payment card numbers. The attackers are believed to have got in through the poorly secured wireless network (protected only by the broken WEP encryption) at Marshalls stores in Miami, from which they reached the central card-processing systems; a second theory holds that in-store job application kiosks were the entry point. Clean-up costs for the banks, insurers and companies involved are estimated to have approached $200 million. The lead hacker, Albert Gonzalez, was apprehended and sentenced to 20 years in prison.
25. Target Stores:
December 2013, the height of the holiday retail shopping season, was a fateful month for Target. The intrusion began before Thanksgiving, when attackers used credentials stolen from a heating and air-conditioning contractor to get into Target's network and then installed memory-scraping malware on point-of-sale terminals (see Home Depot above); it was not contained until mid-December. Payment card data for about 40 million customers was stolen, along with names, addresses, email addresses and phone numbers for up to 70 million more, for a total of as many as 110 million people affected. The breach cost Target's CIO, and later its CEO, their jobs, and the company's own cost estimates approached $162 million. Target increased its security measures, but critics note that its monitoring tools had raised alerts during the attack that were not acted on, so the real failure was incident response rather than prevention.
26. Heartland Payment Systems:
For nearly a year an attacker was inside Heartland Payment Systems before the intrusion was discovered in January 2009, when Visa and MasterCard reported suspicious transactions on cards Heartland had processed. The attackers, led again by Albert Gonzalez, had entered through SQL injection against a web application and then planted sniffers on the payment processing network. In all, approximately 134 million card accounts were compromised; Heartland handled processing for 175,000 merchants and upwards of 100 million transactions a month. The company was declared out of compliance with the Payment Card Industry Data Security Standard (PCI DSS) and was suspended from processing payments for the major card brands until May 2009. Heartland also paid an estimated $145 million in compensation for fraudulent transactions and related settlements.
27. eBay:
Stolen credentials belonging to a small number of corporate employees gave attackers access to eBay's network, and as a result a database holding the personal data of all 145 million users was compromised. The data included names, addresses, dates of birth, phone numbers and encrypted passwords; the intrusion took place in late February or early March 2014 but was not detected until May. The company advised that financial information such as payment card numbers was not at risk because it is stored separately from the database that was accessed. eBay asked users to change their passwords, but was criticized for how slowly and how poorly it communicated with them.
28. Adult Friend Finder:
In October 2016 the adult-themed network Adult Friend Finder was attacked and over 412 million accounts were compromised. The information exposed included names, email addresses and passwords spanning 20 years of records housed in six databases. Many passwords were stored in plaintext or as unsalted SHA-1 hashes, so 99 percent of them had been cracked by the time the breach was made public; a researcher had publicly reported the local file inclusion flaw that let the hackers in shortly before the breach. AFF Vice President Diana Ballou issued a statement saying, "We did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability."
29. Yahoo:
Between 2013 and 2014 Yahoo, the internet-based email provider and web host, suffered a series of breaches that dwarfed everything before them. The stolen data included real names, email addresses, dates of birth, telephone numbers and hashed passwords; Yahoo said the majority of the passwords were hashed with bcrypt, which resists cracking, although many older accounts still used MD5. Initial estimates for the 2014 attack, which Yahoo attributed to a state-sponsored actor, put the toll at 500 million accounts. A separate 2013 attack by a different group was then revealed to have taken data on 1 billion accounts, including security questions and answers. Recent estimates (October 2017) indicate that all 3 billion user accounts that existed in 2013 were compromised. One impact of these breaches was a $350 million reduction in the price when Yahoo's internet business was sold to Verizon for $4.48 billion; at its peak around 2000 Yahoo had been valued at over $100 billion.
30. Equifax:
While Yahoo's 3 billion accounts make it the largest breach by count, the impact of the Equifax hack is far greater. In September 2017 the company announced that it had discovered an intrusion on 29 July; the attack had begun in mid-May, through a known vulnerability in the Apache Struts web framework (CVE-2017-5638) for which a patch had been available since March. 143 million US consumers were affected, and unlike a theft of card transaction data the Equifax breach exposed names, birth dates, Social Security numbers and driver's license numbers, plus credit card numbers for around 209,000 people and dispute documents for about 182,000. Compounding the damage was how poorly the company handled its response and remediation. As the breach is still fresh, the final impact cannot yet be assessed. Equifax shows that no company is immune to hacks, even those whose business is holding our most sensitive data, and the case erodes public trust in those charged with protecting it, leaving many with a feeling of helplessness about their privacy.
Hacks are a part of daily life. The attacks listed above are grievous and concerning, yet they only hint at the scope of the conflict around us. Everyone has a duty to protect their own information, but when a company entrusted with our data violates that trust by not keeping current with security measures, it damages the vendor/client relationship.