The year was full of good reminders that our data isn’t safe.
Hackers really kicked our asses this year, and that’s not just the eggnog talking.
The year started with a breach so egregious it could have been the plot of a “Die Hard” movie. Cyberattackers broke into Sony’s computers weeks before the new year, disrupting the company’s ability to do business. They also threatened to bomb theaters that showed a Sony-produced movie called “The Interview,” a satire about a talk show host who gets sucked into a plot to kill North Korea’s leader.
If that wasn’t enough, the hackers also leaked company emails, airing dirty laundry about executives and exposing unequal salaries between male and female movie stars.
The Sony hack changed the way we think about data breaches. Sure, we’ve all stressed about stolen credit cards and have gone through the hassle of replacing them. But the Sony attack was a different animal. It prompted an executive order from President Barack Obama imposing sanctions on a foreign power. A multinational corporation was knocked to the ropes, and a diplomatic war of wills broke out between nations.
People watched as these hackers embarrassed one of the world’s most influential movie companies, which itself is part of a tech behemoth. The attack “had a real impact on the Sony bottom line,” said Dmitri Alperovitch, co-founder of cybersecurity firm Crowdstrike.
And that was just the beginning.
Join me in reminiscing.
From our private affairs to our employment records, everything about us is online, and with motives ranging from money to pure malice, hackers will attempt to get that information. Not every hack is created equal, though, and we learned something different from each one.
The Ashley Madison hack captured our attention like a slow-motion car crash. Starting in July, the “Impact Team,” a group of hackers (or one hacker, we still don’t know), stole information from the adultery-focused dating site. The hackers threatened to publish data on more than 30 million users unless the company shut down.
Initially, Ashley Madison was quick to assure users that credit card information hadn’t been stolen. The company was legally required to make that announcement, but it highlighted the absurdity of the situation. Nobody cared about their credit cards; their reputations, marriages, jobs and lives could be at stake. Some of them had even paid Ashley Madison prior to the hack to erase their account information, but the company hadn’t done it.
Ultimately, Ashley Madison refused to give in to the Impact Team’s demands. So, the hackers posted the data online.
The effect on Ashley Madison’s users was catastrophic. Two suicides were potentially connected to the data breach, and people named in the hack report they’re still being subjected to extortion attempts.
Indeed, the Ashley Madison hack showed us there are far worse places to be hit than the wallet. What’s more, money isn’t the only thing motivating hackers. Some are just drawn to wreak havoc to serve an agenda.
“Those guys are getting bolder,” said Keith Graham, an executive at cybersecurity company SecureAuth. “They truly are.”
Government does no better
In June, reports of a hack on the US government hinted that a few million Social Security numbers had been compromised. If only that were all.
By the end of July, the Office of Personnel Management said two breaches had compromised the Social Security numbers of more than 21 million people. Also exposed was highly personal information from federal background checks, along with millions of fingerprints. Anyone who’d applied for federal security clearances since the turn of the millennium was affected.
Politicians pointed fingers at China as the source of the hack, and OPM Director Katherine Archuleta resigned. Multiple unions filed lawsuits against the government on behalf of federal employees.
To protect those affected, the government contracted with services that monitor credit and detect identity theft. But reports soon surfaced of the CIA pulling several officers out of the US embassy in Beijing because the breach had blown their cover and exposed them as spies.
That’s right: A hack in Washington may have outed members of our country’s spy network on the other side of the world.
The breach revealed the federal government to be just as disorganized with its sensitive information as Sony and Ashley Madison.
Not even a password-protection company is safe
Every geek friend of yours has probably told you to have a different password for every website you visit. Of course, that’s a lot of work.
There’s an app for that, promising to protect your cache of passwords with a supersecure service.
You know where this is going, right?
In June, one of those password manager services, called LastPass, said it had been hacked.
Mercifully, the damage caused by LastPass’ hackers was minimal compared with the attacks on Sony, Ashley Madison and the federal government. Hackers got the usernames of LastPass account holders, the hint for the password to their account, and a scrambled-up version of that password.
“I think it is probably lost on most people that the risk [of exposure] was as close to zero as it could be with LastPass, whereas OPM was a national disaster,” said LastPass CEO and co-founder Joe Siegrist.
Still, there’s the psychological toll many LastPass users were suddenly confronted with. If a company dedicated to their security could be hacked, how could they ever be secure?
The unfriendly skies
This reported hack might have flown under your radar.
In July, Bloomberg News said unnamed sources at United Airlines had revealed a data breach at the company that had occurred earlier in the year. Among the data allegedly scooped up were flight manifests, which could provide a record of customer movements.
United has never confirmed the hack. It said at the time that the reports were “pure speculation,” and it has declined to provide any update for this story.
Articles said the reportedly hacked information didn’t include credit card numbers or any other kind of data that would have triggered a legal requirement to report the breach.
The lesson here? Some companies may be telling us only what they absolutely have to. The rest you might never hear about.