The hacks that left us exposed in 2017
December 22, 2017 11:09 am
Bombshell hacks were revealed one after another in 2017, from an Equifax breach that compromised almost half the country to global ransom campaigns that cost companies millions of dollars.
The cyberattacks highlighted the alarming vulnerability of our personal information.
More tools used by government hackers have become public, and it’s easier than ever to create sophisticated ways to spread malware or ransomware or steal data from companies. Companies also frequently fail to patch security flaws in a timely manner.
And there’s more to come.
“As we do more and more of our business online, and as criminals realize the value of the data that organizations are protecting, we’re seeing morse big-name breaches, more high-profile breaches,” says Mark Nunnikhoven, vice president of cloud research at the security company Trend Micro.
In particular, ransomware -- when hackers demand money to unlock files -- is becoming more common.
An analysis from anti-virus software firm Bitdefender found ransomware payments hit $2 billion in 2017, twice as much as in 2016. Meanwhile, Trend Micro predicts global losses from another growing trend, compromised business email scams, will exceed $9 billion next year.
Here’s a look back at the major hacks of 2017.
Cybercriminals penetrated Equifax (EFX), one of the largest credit bureaus, in July and stole the personal data of 145 million people. It was considered among the worst breaches of all time because of the amount of sensitive information exposed, including Social Security numbers.
The company only revealed the hack two months later. It could have an impact for years because the stolen data could be used for identity theft.
The Equifax breach raised concerns over the amount of information data brokers collect on consumers, which can range from public records to mailing addresses, birth dates and other personal details.
Firms like Equifax, TransUnion and Experian sell that data to customers, such as banks, landlords and employers, so they can learn more about you. Whether data brokers do enough to keep that private information secure is under scrutiny.
Former Equifax CEO Richard Smith, who stepped down after the breach was revealed, testified to Congress and blamed the security failure on one person who had since been fired.
The public still doesn’t know who is responsible for the hack.
A Yahoo bombshell
Parent company Verizon (VZ) announced in October that every one of Yahoo’s 3 billion accounts was hacked in 2013 -- three times what was first thought.
In November, former Yahoo CEO Marissa Mayer told Congress that the company only found out about the breach in 2016, when it reported that 1 billion accounts were hacked.
The company still does not know who was responsible.
Separately, a Canadian hacker pleaded guilty this year to his role in another major Yahoo security breach from 2014. That one compromised 500 million Yahoo accounts. He will be sentenced in February.
Leaked government tools
In April, an anonymous group called the Shadow Brokers leaked a suite of hacking tools widely believed to belong to the National Security Agency.
The tools allowed hackers to compromise a variety of Windows servers and Windows operating systems, including Windows 7 and Windows 8.
Microsoft said it had released patches for the security holes in March. But many businesses had not patched their software. The tools Shadow Brokers leaked were then used in the year’s biggest global cyberattacks, including WannaCry.
In March, WikiLeaks released documents that claimed to describe hacking tools created by the CIA. Researchers found that many of the exploits were old and imitated hacks that were made public years ago.
One tool, according to the documents, was malware that allowed the CIA to listen to targets through Samsung smart TVs, even while the TV was in a “fake off” mode.
WannaCry, which spanned more than 150 countries, leveraged some of the leaked NSA tools. In May, the ransomware targeted businesses running outdated Windows software and locked down computer systems.
The hackers behind WannaCry demanded money to unlock files. More than 300,000 machines were hit across numerous industries, including health care and car companies.
There was a human cost: In Britain, hospitals with locked computers were forced to close temporarily. One patient told CNN his cancer surgery was delayed.
Nunnikhoven, from Trend Micro, says it’s an example of an Internet of Things hack with major consequences. The Internet of Things refers to everyday devices, beyond traditional computers and phones, that connect to the internet.
The WannaCry infections were so bad that, in an unusual move, Microsoft released a patch for Windows systems that it had stopped updating.
The cyberattack has been linked to North Korea.
In June, the computer virus NotPetya targeted Ukrainian businesses using compromised tax software. The malware spread to major global businesses, including FedEx, the British advertising agency WPP, the Russian oil and gas giant Rosneft, and the Danish shipping firm Maersk.
This virus also spread by leveraging a vulnerability leaked by the Shadow Brokers.
In September, FedEx attributed a $300 million loss to the attack. The company’s subsidiary TNT Express had to suspend business.
Another major ransomware campaign, called Bad Rabbit, infiltrated computers by posing as an Adobe Flash installer on news and media websites that hackers had compromised.
Once the ransomware infected a machine, it scanned the network for shared folders with common names and attempted to steal user credentials to get on other computers.
The ransomware, which hit in October, mostly affected Russia, but experts saw infections in Ukraine, Turkey and Germany.
It served as a reminder that people should never download apps or software from pop-up advertisements or sites that don’t belong to the software company.
Voter records exposed
In June, a security researcher discovered almost 200 million voter records exposed online after a GOP data firm misconfigured a security setting in its Amazon cloud storage service.
It was the latest in a string of major breaches stemming from insecure Amazon servers where data is stored. They are secure by default, but Chris Vickery, a researcher at cybersecurity firm UpGuard, regularly finds that companies set it up wrong.
Verizon and the U.S. Department of Defense also had data exposed on Amazon servers.
Hacks target school districts
The U.S. Department of Education warned teachers, parents, and K-12 education staff of a cyberthreat that targeted school districts across the country in October.
In one Montana school district, parents and students feared for their safety after a hacker groupsent threatening text messages as a part of an extortion campaign.
The group, dubbed The Dark Overlord, stole information on students, teachers and other district employees. They asked for money to destroy the files. Schools closed for three days.
The same group was responsible for stealing information from Netflix’s production partners and leaking episodes of Netflix’s “Orange is the New Black” after the company refused to pay ransom.
An Uber coverup
In 2016, hackers stole the data of 57 million Uber customers, and the company paid them $100,000 to cover it up. The breach wasn’t made public until this November, when it was revealed by new Uber CEO Dara Khosrowshahi.
Now Uber is facing questions from lawmakers. Three senators introduced a bill that could make executives face jail time for knowingly covering up data breaches. City attorneys in Los Angeles and Chicago and the Washington state attorney general are suing Uber over the breach.
Expect even more of this in 2018.
Nunnikhoven predicts attacks on the Internet of Things will keep hitting industries including airlines, manufacturing and cars as they rely more on so-called smart technology.
“They face the same cybersecurity challenges that our laptops and our phones do, but they’re attached to real things in the real world,” he said. “If someone hacks my laptop, my data is at risk. But if someone hacks a robotic manufacturing arm, that entire manufacturing line is at risk.”
The year’s breaches may ultimately change consumer behavior. They proved Social Security numbers and birthdays might not be the best form of secure identification. Criminals buy and sell those numbers for fairly low prices, along with other personal information like addresses, emails and passwords.
Lawmakers are also proposing legislation to combat data breaches.
In the meantime, businesses and people are at least more aware of security risks.
“The number of high-profile international breaches has been a wake-up call this year to businesses that security is a top-level item,” Nunnikhoven said. “It affects the bottom line.”