Last year was filled with security gaffes, data breaches, and hacks, many of which were felt nationwide. Well-known organizations such as Yahoo, the NSA, and the IRS each had to deal with their own security breaches that left millions of user accounts compromised or exposed to malicious third parties. Everything from login details to personally identifiable information (PII) was released or obtained by hackers in 2016, but the attacks didn’t stop with just looted data.
Larger attacks occurred during Q3 and Q4, seeming to serve only a single purpose: disruption. There were also breaches revealed in 2016 that actually occurred years prior (much to the public’s dismay), which indicates that not only were many of these companies not capable of detecting the breach, but that they also most likely didn’t have any kind of recovery plan in place to handle the aftermath of being compromised.
While ‘blunder’ might seem like a harsh word for victims of a hack, the majority of companies could have done a lot more to mitigate the damage of their respective breaches. A noticeable percentage of the affected groups also didn’t immediately come forward about the hacks, which also constitutes a blunder, albeit a legal and PR-related one.
The following summaries highlight five of the most prominent IT blunders to go down in 2016.
In 2016, Yahoo! announced that they’d been hacked. Around 500 million user accounts and their corresponding login details had been exposed by the breach. The problem? The actual attack had occurred in 2014 but the company didn’t discover it until 2016—so they said. Even worse was when they announced that a second attack had occurred—this one dating back to 2013.
Not only did they lose half a billion user accounts to hackers, they either weren’t watching their systems or they knew about the breaches but didn’t go public right away. Both scenarios present their share of problems, from their legal obligation to disclose that a breach had occurred, to having their IT and security fail them so completely.
Dyn is an Internet performance management company that faced a distributed denial of service (DDoS) attack in October of 2016. There were multiple waves of the attack that caused more than twenty services to lag or go down completely, but Dyn was on top of it. They effectively managed the attacks and did a stellar job of keeping the public apprised of their efforts. It was one of the largest attacks of its kind in history, effectively leaving its mark on 2016 as a turning point in cyber terrorism.
Dyn is a good example of a company that had the right plan and reaction to an attack, and they published a public statement on the October DDoS attack.
The 2016 US Presidential Election was a tumultuous one, but one of the most talked about elements was Russia’s involvement. First, the Democratic National Committee’s computer network was breached, which Wikileaks jumped on. The whistle-blower site published almost 20,000 emails and attachments from DNC staffers back in July. After that, talk about Russia’s influence on the election grew.
Even after the election, investigations were ongoing to determine whether Russia had any part in the results of the election. While no evidence was found that they had hacked the ballots, investigators believe they did have a great deal of influence via online trolls who targeted the Democratic Party’s nominee, Hillary Clinton.
If the latter is true, it goes to show that cyberattacks don’t always have to be blunt or heavy-handed; in fact, there are malicious users who understand the intricacies of covert cyber warfare, including online harassment. This extends to attacks and hacks designed to commandeer social media profiles and post obscene, vulgar, or inaccurate information to disparage and discredit the user to whom the account belongs.
Cyber criminals can easily work to discredit individuals and organizations by “trolling” them in various ways—another tactic the world will have to learn to counter and defend itself from.
Apple and controversy went hand-in-hand this past year, especially when the FBI wanted Apple’s help to break into an iPhone belonging to the terrorists responsible for the attack in San Bernardino, California in 2015. The device’s built-in security tools made it impossible for the FBI to access the phone’s data, so they went to Apple for help. The company refused, which spurred the government agency to take them to court over it.
The suit was eventually dropped once a security firm came forward with their own solution to the matter, but the case has forced lawmakers to wonder how companies should be held accountable when it comes to their encryption-capable devices and aiding law enforcement with bypassing the owner’s authorization.
5. Myspace, Tumblr, and LinkedIn
A hacker took credit for gaining access to login info for more than half a billion users across each of the three social media platforms. Cybercriminal “Peace” sold the data in their dark web store, which eventually led to Facebook CEO Mark Zuckerberg, Twitter co-founder Biz Stone, and Drake—a few of the many—having their accounts taken over.
Investigators still aren’t sure how Peace obtained so many user details, but there’s speculation that the data obtained was from a breach in 2012. If that’s the case, Tumblr, LinkedIn, and Myspace lacked the protection or steps to address the initial breach and allowed themselves to be targeted once more. It’s likely due to users reusing their old/previous passwords, but the responsibility still belonged to the respective companies to take a more reliable approach to fixing their security issues than simply requesting users to change their passwords.
Even the most prepared groups can fall victim to cybercriminals, as was the case with Dyn, but it’s important to take note of how cyberattacks have evolved. We learn from the mistakes and misfortunes of others, but we can also increase our knowledge of security measures by seeing how companies respond to cyberattacks successfully.
The Cost of Dealing with Cyberattacks
Prevention and proactive maintenance are the two tactics best capable of lowering the cost of dealing with fallout from cyberattacks, hacks, and breaches, and at the rate that those costs are climbing, learning how to manage threats is key.
Keeping apprised of the latest breaches gives us a window into how our own security best practices should adapt to meet the new challenges we face in IT security. Start the New Year out on the right foot by working with IT consultants who can keep your computer networks running securely and efficiently.