It’s been said before and we’ll say it again – 2015 was the year of the hack.
Sure, there were major hacks and breaches before 2015, but this was the year when hacking became de rigueur, when hacks went mainstream and became front page news. Often. Very often.
One of the most intriguing aspects of the hacks of 2015 was the scope. No sector was spared from data breaches, from top universities to federal agencies to Steam. It seems like everybody was targeted in 2015, as if the perps did their utmost to reach the widest range of victims. Profiled below is an assortment of people and the hacks that affected them most this year.
Kids – VTech, Hello Barbie, Hello Kitty
Remember the days when kids played with jump ropes and board games? Neither do we.
2015 may well be the year that makes parents reassess exactly what we put in the hands of our children. Three major toy manufacturers were found to be putting highly sensitive information regarding their users at risk. Hello Barbie was put under the microscope by tinkerers and researchers as soon as Mattel released the interactive, network-ready doll. Researchers soon found some major vulnerabilities, including the possibility of manipulating the talking doll’s software so that her app could be taken over to control what she says in response as little girls talk to her. It was also possible to record conversations. ToyTalk, the maker of the software Barbie uses, took swift action to fix the issues.
The VTech hack at the end of November exposed the information of 6.4 million kids due to glaring security flaws in their Learning Lodge app. The information, which was stored unencrypted on their servers, included photos, email and physical addresses, passwords, IP addresses, dates of birth, gender and more. The hacker, a 21-year-old self-proclaimed ethical hacker, says he did it to bring the vulnerabilities to light. Despite possible good intentions, he is currently awaiting trial and faces serious jail time.
Then, most recently, news broke that Hello Kitty’s servers and website had been breached, this time leaking the information of over 3.3 million kids and tweens. The data dump included full names, dates of birth, email addresses, passwords, and security questions and answers. Japanese parent company Sanrio has told users to change their passwords but has not fully acknowledged the hack.
Time to break out those jump ropes again.
Creeps – The Hacking Team, Ashley Madison
Turns out that the summer of 2015 was the summer of karma for hacking.
In July, the Hacking Team, makers of surveillance software for governments, including many oppressive ones worldwide, was hacked due to the use of pathetically insecure passwords. Many never-before-seen Flash exploits were found among their dumped information and you can bet that within days, the newly discovered exploits were being used in attacks by regular ol’ hackers.
On the heels of that hack came the infamous hack on Ashley Madison’s servers. In case you have been living under a rock since the summer, the Ashley Madison website, whose tagline was “Life’s short. Have an affair,” helped potential two-timers meet other like-minded people. The hackers, calling themselves The Impact Team, dumped 60 gigabytes of user information onto the web after threatening the parent company, Avid Life Media, to cease and desist. There has been one confirmed suicide connected to the dump and a few unconfirmed as well.
Karma can be a real killer.
Telecom Customers – TalkTalk and T-Mobile/Experian
Got a cellular plan? If you live in the US or the UK you might be wishing you didn’t.
In October, British telecom giant TalkTalk revealed that the credit card and bank information of up to 4 million customers had been stolen in a hack on their servers. The hackers turned out to be a bunch of teenagers and 20-year-olds, leaving many people scratching their heads as to how strong the company’s security measures could have actually been.
Also in October, US mobile giant T-Mobile let customers know that their credit applications processor, Experian, had been hacked. Who was affected? Anyone who had applied for financing through T-Mobile between September 2013 and September 2015. In total, more than 15 million Americans had their social security numbers, dates of birth, addresses (both physical and email), passport numbers and driver’s license numbers hacked. T-Mobile stresses that credit card information was not stolen, but with the scope of the other information that was stolen, pulling off identity fraud wouldn’t be hard at all.
The US Government – OPM
In what was arguably the most damaging hack of 2015, the Office of Personnel Management, which is sort of like the Human Resources department for the Federal Government, saw the incredibly sensitive information of millions of government employees stolen. The theft was likely carried out by Chinese hackers, although that theory has yet to be proven. Biometric identifiers such as fingerprints for over 5.6 million federal employees were stolen, along with other identifying information, including social security numbers for over 21 million other employees. The hack also accessed many employees’ extremely sensitive clearance forms. OPM Director Katherine Archuleta stepped down in July and the truth is that the American public may never know the true scope of what was breached.
US Taxpayers – The IRS
As if paying taxes wasn’t bad enough.
In May, the IRS announced that their database had been hacked using the “Get Transcript” feature. Personal information and tax returns of over 300,000 Americans had been stolen. The feature in question, which allows tax filers to view their tax information for specific years, was secured by multiple identification-verification questions that apparently were not strong enough to deter hackers. Using information stolen from previous, less significant hacks, hackers were able to bypass security questions and steal tax returns totaling over $50 million.
Vacationers – Hilton Hotels and Trump Hotels
Feeling like you need to de-stress after all the security breaches of 2015? Maybe don’t go to a hotel.
Here is a little more of “The Donald” in your diet for you. In October, the billionaire presidential hopeful’s high-end hotel chain, Trump Hotels, disclosed that they had been victims of a “data security incident” and malware had been active on their system between May 2014 and June 2015. Compromised information included credit card numbers, expiration dates, and CVV numbers.
Then, Hilton Hotels announced that they too had been victims of a hack to the credit card processing system of their hotel restaurants, gift shops and bars (though not their booking system). Starwood, White Lodging and the high-end Mandarin Hotel chains were all similarly targeted this year.
Americans covered by health care policies – Anthem
In February, America’s second-largest health care insurance provider, Anthem, was hacked, exposing the social security numbers, dates of birth and addresses of one-third of the American population. Medical and financial information wasn’t stolen, but all in all, the information that was taken is enough for enterprising crooks to commit identity fraud.
Hacks are everywhere
Aside from the aforementioned hacks, there were countless smaller hacks, in which your average Joe’s sensitive information was exposed. If you were involved in one of those “smaller” hacks, it probably matters a lot to you, even if it didn’t make headline news. The good news is that with every breach, companies from toy makers to restaurants see more and more how important it is to secure their infrastructures as much as possible, regardless of the industry.
Here’s to a hack-free 2016!