NOTABLE DATA BREACHES of 2016
by Edward Pereira. Edward is the Principal Consultant of Carmel Info-Risk Consulting, a boutique security and privacy firm that focusses on bringing information risk program discipline to medium-sized companies that cannot afford an in-house security function.
COMMUTER TRAINS AND COMPUTER PAINS
On a recent business trip, I rode two different commuter trains between the airport and downtown in both Vancouver and Toronto. Both lines had new and very clean train cars. One, about four years old, had AC outlets at every row of seats. The other train line was barely eight years old but had no AC power on board for passengers. One was built before the introduction of the iPad and the other a couple of years after. Coincidence?
The advent of the iPad changed everything of course, and among other things, likely led to improvements to the commuter train car that would not have been envisioned otherwise. Similarly, new operating systems push processor speeds and storage chips.
When it comes to cyber security, it is clear that new technologies and hacking tools, and nefarious market places and armies of hackers were pushing us in 2016 to up our game too. How have we reacted? Have we been nimble enough to keep up? Today’s network devices, storage systems, and database technologies are rightfully complicated, and to adequately protect data, successful deployment of all of them is becoming increasingly difficult. Deploying adequate security-centric expertise to all layers of the IT stack to configure a solid defense is becoming a small miracle.
And sure enough, in 2016, there were some serious breaches left wanting a small miracle, including, for example, a major incident in the Bay Area that brought new meaning to ‘train heist’. The San Francisco Municipal Transportation Agency which operates the public railway system in the region was disrupted on the US Thanksgiving Day long weekend by malware that resulted in frozen kiosk screens, and two days of free rides for commuters and tourists alike. This ransomware attack demanded $73,000 in bitcoins, and reminded us of the potential impact of cyber threats on our cities’ critical infrastructure too.
GENERATIONS OF DIFFERENT DURATIONS
The iPad is just seven years old, the iPhone is of course ten years old now, and the Internet, well, let's call it 24 years for argument's sake. And data breaches? Well, they probably hark back to when cavemen stole rocks from each other, but in my mind, only since Beth Givens began keeping count of them at the Privacy Rights Clearinghouse have there been data breaches in the public conscience. That is about 2005, or just 12 years ago. There are other sites that claim to compile the same info, but the Privacy Rights Clearinghouse has been doing it the longest, and has a special place in my heart as I have been using them to build business cases for security expenditures for as long.
NUMBERS DON’T MATTER, PEOPLE DO
But after a year like 2016, the reality is setting in - the number of breaches, and the number of records breached, only tell part of the story, and an ever-decreasing part of that story at that. I arrived at this conclusion despite 2016 going down as the year that had the largest breach yet.
"…the number of breaches, and the number of records breached, only tell part of the story though - an ever decreasing part of that story."
What I see are implications much greater than individual privacy lost. How about democracy lost?
THE DNC EMAIL HACK, FAKE NEWS, AND THE US ELECTION
Arguably the most significant series of data mischief of all time may have occurred in 2016, accruing significance and clarity with each week as we closed out the year, and even without credit card numbers, social security numbers, or health information to show for it. These types of cyber attacks cannot be measured in data records. They were measured in polling numbers and votes cast. Some observers have even claimed that 2016 was the year in which social media was successfully weaponized to specifically affect the results of a major election. Others claim social media had already played a significant political role in the Arab Spring of 2010/11. However, this was different. Perhaps a true cyber dawn of a new Cold War – or worse? What exactly has been fired across the bow? What will 2017 have in store for state-sponsored cyber warfare?
BOOHOO FOR YAHOO!
Like other years, the year in which breaches are brought to light is just a snapshot of a prior time. And for Yahoo, 2016 was a snapshot of 2013/2014, and the year in which it belatedly announced two colossal breaches totaling nearly 1.5 billion accounts.
The cost of privacy lost for Yahoo!'s account holders may never be measurable. But if ever the Cost of Poor Security can be measured, it will be reflected in the eventual price that Verizon pays for Yahoo!, as its first bid for the company came prior to the announcement of the first breach in the Fall of 2016 - $4.8 billion. The first breach announcement led to a reported $1 billion reduction in Yahoo!'s acquisition price. At the end of 2016, the second breach was announced, and it was a doozy – the largest ever, 1 billion records (pause and soak it in). One billion accounts affected. To this day, Verizon apparently still views Yahoo! as a strategic asset, but the $1 billion purchase price discount announced after the first breach may balloon further to account for related lawsuits that have emerged. Reportedly, the Yahoo brand, one of the Internet's most recognized brands, may be jettisoned in the afterlife of the corporate acquisition.
BITCOIN'S ROLE IN THE WORLD'S BURGEONING RANSOMWARE PROBLEM
CryptoWall and Cryptolocker ransom-based malware have been locking up a growing number of organizations' data files, and leaving the owners of the data in a moment of truth. In the case of the University of Calgary, they decided to pay the $20,000 (which is perfectly legal), relieving them of a potentially disastrous, or at least arduous, backup data recovery exercise. Still, this pay-to-play approach has no guarantees, and ultimately feeds the mouth of the monster that is the next ransomware attack. 2016 will likely set a record for ransomware to date, some $1 billion according to CSO Magazine, and increasingly in bitcoin because of its lack of traceability.
GOLDEN LEARNINGS, LOCAL YEARNINGS
Here in British Columbia, GoldCorp provided a local cyber heist story of its own, with personal employee information as the bait, malware originating from a mine in a foreign country, and possibly from a contractor's notebook to boot - scintillating stuff that really brought the cyber security message home for BC companies in the mining and other sectors.
RELEASE THE IOTS
Yes, 2016 will also be remembered for the largest DDOS attack ever, and by a large margin too. More remarkable was how it was accomplished. In the past, DDOS attacks were generally achieved by infecting computers with known vulnerabilities and converting them into an army of BOTs with a common cyber purpose. That type of DDOS attack is now so 2015. The Mirai malware, now available to the general hacker population, infected some 380,000 much simpler but nevertheless networked devices like home routers, DSL modems, and video recorders. Together, these were enough to generate enough traffic to bring down well-known computer security journalist Brian Krebs's website, http://www.krebsonsecurity.com, and scare away DDOS rescuer Akamai in the process. Point made. The Internet of Things as a serious security threat has now been proven out in spades.
AND ALL OF THE FORGETTABLE BREACHES OF 2016
There were many, many other breaches in 2016 of course, and the ones that came to mind for me include LinkedIn's unauthorized disclosure of 117 million email and password combinations in May 2016 (which actually occurred in 2012). Then there was the breach of Dropbox, which affected 68 million users in September 2016 and which again, sadly, occurred nearly four years earlier. How's everyone feeling about social networks and cloud storage?
In the meantime, even more US government employees’ personal data was released in 2016; this time, that of 20,000 FBI employees in February 2016. And did I mention the purportedly secretive hacking exploits of a secret NSA division were also hacked?
WHAT’S AHEAD IN 2017
Canadian firms operating in Europe should see more jurisdictions with tighter breach notification laws and, beginning in May 2018, thanks to the EU's new General Data Protection Regulation, European privacy regulators will be capable of imposing fines of up to four percent of a firm's global annual revenue or €20 million ($22.5 million), whichever is greater. Within Canada itself, breach notification laws are likely coming in late 2017. And the FTC in the US has already recently laid out a key precedent in punishing Wyndham for successive data breaches with a significant fine. But these deterrents probably won't do enough to turn the continuing tsunami of data breaches, in my opinion.