The number of cyber attacks has grown steadily over the last few years. In 2016, 758 million malicious attacks occurred according to Kaspersky Lab (an attack launched every 40 seconds), and there is no doubt that 2019 will break the record. In 2017, ransomware was under the spotlight with the WannaCry and NotPetya attacks, which temporarily paralysed many large companies and organizations. The types of cyber attacks are almost as numerous as the hackers themselves. From individuals' personal information to confidential industrial product data, the field is vast and the consequences can be multiple: impersonation, fraudulent use of banking data, blackmail, ransom demands, power cuts, etc. Often, it is the exploitation of system and network vulnerabilities that makes cyber attacks possible, but these can often be avoided. Indeed, many vulnerabilities are known and referenced.
2019 update: If your website or your supplier gets hacked and credentials or other sensitive information is exposed, chances are this opens new entry points for adversaries to enter your organization. This applies to any 'as-a-service' product, and it means the (shared) responsibility has shifted: checking that your suppliers apply the same level of due diligence is now just as important as looking at your own vulnerabilities. Many organizations are moving to the cloud, with employees using it for both personal and business purposes, so there is potential for more staff to fall victim to increasingly advanced phishing emails (or text messages) such as CxO fraud, while DevOps teams continue to make the same mistakes during both development and deployment.
Below are a few examples of companies that have fallen victim and paid a high price for it. The ranking is presented in increasing order of impact based on number of victims.
Here is our Top 10 of the world's largest cyberattacks
10. Adobe was going through hell
Adobe announced in October 2013 the massive hacking of its IT infrastructure. Personal information of 2.9 million accounts was stolen (logins, passwords, names, credit card numbers and expiration dates). Another file discovered on the internet later brought the number of accounts affected by the attack to 150 million (only 38 million of them active accounts). To access this information, the hackers took advantage of a security weakness at the publisher, specifically in its practices around password storage. The stolen passwords had been encrypted instead of being hashed, as recommended. Fortunately, although banking data was also stolen, it was at least unusable thanks to high-quality encryption by Adobe. The company was attacked not only for its customer information, but also for its product data. Indeed, the most worrying problem for Adobe was the theft of over 40GB of source code. For instance, the entire source code for the ColdFusion product was stolen, as well as parts of the source code for Acrobat Reader and Photoshop. Although further attacks were feared, they ultimately did not take place.
9. Panic at Sony
In April 2011, Sony's PlayStation Network was attacked. The Japanese brand's multiplayer gaming service, online game store and live content distribution platform held the personal data of 77 million users, which was leaked. Banking information of tens of thousands of players was also compromised. After the intrusion was discovered, PSN, as well as Sony Online Entertainment and Qriocity, were closed for one month. To appease their users, Sony paid 15 million dollars in compensation plus a few million dollars in legal fees, in addition to having to refund the people whose bank accounts had been illegally used. This cyber attack could largely have been avoided. Indeed, hackers used a well-known network vulnerability that Sony chose to ignore. Data was unencrypted and could easily be hijacked thanks to a very simple SQL injection.
Unfortunately, in November 2014...
... a subsidiary, Sony Pictures Entertainment, was attacked by malware, more precisely by a computer worm. The "Guardians of Peace" stole 100 terabytes of data, including large quantities of confidential information such as film scripts, compromising emails and the personal data of 47,000 employees (names, addresses, emails, social insurance numbers, salaries, etc.). Business executive and producer Amy Pascal was removed from her position because of the shocking content of her emails (judged insulting to then-President Barack Obama). In addition, the company cancelled the release of several movies and paid the equivalent of 8 million dollars in compensation to its employees and former employees. The cyber attack could once again have been avoided. Sony Pictures had carried out an audit of its security system a few months prior to the incident, and this audit had revealed serious failures in infrastructure management, including a firewall and several hundred devices (routers and servers) that were not managed by competent teams.
8. The South Korean nightmare
The South Koreans learned in January 2014 that data from 100 million credit cards had been stolen over the course of several years. In addition, 20 million bank accounts had also been hacked. For fear of having their bank accounts emptied, more than 2 million South Koreans had their credit cards blocked or replaced. Behind the theft was an employee of the Korea Credit Bureau (KCB), a credit-scoring company. He stole personal information from the customers of credit card companies while working for them as a consultant, simply by copying the data to an external hard drive. He then resold the data to credit traders and telemarketing companies.
7. Target targeted
Target, the second-largest US discount retail chain, was the victim of a large-scale cyber attack in December 2013. Data from 110 million customers was stolen between November 27 and December 15, including banking data of 40 million customers and personal data (names, postal addresses, telephone numbers and email addresses) of another 70 million customers. And it was not Target who discovered the attack: the US Secret Service had detected abnormal bank movements and warned the brand. According to several US security agencies, the hacker group was located in Eastern Europe. It had installed malware on the point-of-sale systems to read card data from the payment terminals' memory, a technique known as RAM scraping. Once the data had been stolen, the attackers resold it on the black market. Target was ultimately required to pay over 18 million dollars as a settlement for state investigations into the attack.
6. Alteryx data leak exposes 123 million households
A marketing analytics firm left an unsecured database online that publicly exposed sensitive information for about 123 million U.S. households. The data included 248 fields of information for each household, ranging from addresses and income to ethnicity and personal interests. Details included contact information, mortgage ownership, financial histories and whether a household contained a dog or cat enthusiast. Names were not included.
All of this was exposed in a publicly accessible AWS S3 bucket. Protect your data in the cloud with continuous assessment of misconfigurations.
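An S3 bucket becomes world-readable in one of two ways: a bucket policy whose principal is `*`, or an ACL grant to the AllUsers or AuthenticatedUsers groups. The check below is an added example (not from the original post and not Alteryx's or AWS's code) that audits both documents offline; in a real assessment you would feed it the output of the `get_bucket_policy` and `get_bucket_acl` API calls for every bucket, and you would also turn on S3 Block Public Access at the account level so such settings cannot take effect. The bucket name and account id in the sample documents are constructed.

```python
import json
from typing import Any, Dict, List

# Canned group URIs that S3 uses for public ACL grants.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_access(bucket_policy: Dict[str, Any], acl_grants: List[Dict[str, Any]]) -> List[str]:
    """Return human-readable findings for public exposure in a policy and ACL."""
    findings = []
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = ", ".join(_as_list(stmt.get("Action")))
        if stmt.get("Condition"):
            # A condition (source VPC, IP range...) may narrow the grant: flag for review.
            findings.append(f"policy statement {sid} grants {actions} to '*' under a condition; review it")
        else:
            findings.append(f"policy statement {sid} grants {actions} to everyone")
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_ACL_GROUPS[uri]}")
    return findings


# Constructed sample: the kind of configuration that exposes a data export.
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-analytics-export/*"}]
}""")
LEAKY_ACL = [{"Grantee": {"Type": "Group",
                          "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]

# Constructed hardened version: one named role, no public ACL grants.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "ReaderRoleOnly", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/AnalyticsReader"},
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-analytics-export",
                              "arn:aws:s3:::example-analytics-export/*"]}]
}""")
HARDENED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                 "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    for name, policy, acl in (("leaky", LEAKY_POLICY, LEAKY_ACL),
                              ("hardened", HARDENED_POLICY, HARDENED_ACL)):
        print(name, "->", find_public_access(policy, acl) or ["no public access found"])
```

Run this over every bucket on a schedule rather than once: the Alteryx exposure came from a single bucket that nobody re-checked after it was created.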
5. Equifax: a tricky crisis management
Equifax, an American credit company, revealed (only six weeks after the fact) that it had suffered a cyber attack over the course of a number of months. Detected in July 2017, the breach exposed the personal data (names, birthdates, social insurance numbers, driver's license numbers) of 143 million American, Canadian and British customers, as well as 200,000 credit card numbers. Complaints against the company, as well as suspicions of insider trading, were levied, since the Apache Struts vulnerability used by the hackers was well known and several executives of the company sold stock just days before the security breach was made public.
4. Adult Friend Finder exposed
In 2015, the dating site was attacked for the first time. The information (pseudonyms, dates of birth, postal codes, IP addresses, and sexual preferences) of 4 million accounts was made public on a forum only accessible on Tor. Had it been recovered by malicious actors, the data could have been used for spam campaigns, identity theft or blackmail. However, no banking data had been hijacked.
But the following year...
...Adult Friend Finder faced a new attack, far more severe than the first one. This time it was not 4 million accounts compromised but more than 400 million. The stolen information was less sensitive, but in total 20 years of personal data was stolen. Attackers used an LFI (Local File Inclusion) vulnerability, a technique in which the attacker makes a web application include a local or remote file in a page it serves. In addition, some former users had the unpleasant surprise of learning that their personal information had not been deleted despite their account cancellations. This hacking record largely dethroned the Ashley Madison cyber attack (in August 2015, the Ashley Madison extramarital dating site was hacked and the personal data (names, email addresses, phone numbers, sexual preferences) of more than 30 million users across more than 40 countries was harvested).
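File inclusion bugs come from handing a user-controlled name straight to the file system or to an include call. The defensive pattern is to resolve the requested name to a real path, check that it still sits inside the directory you intended, and restrict it to the file types you actually serve. The code below is an added example for this post, not code from Adult Friend Finder or from any framework; the directory layout it builds in a temporary folder is constructed for the demonstration.

```python
import os
import tempfile

ALLOWED_SUFFIXES = (".html",)


def resolve_template(base_dir: str, requested: str) -> str:
    """Map a user-supplied template name to a file that must live under base_dir."""
    if "\x00" in requested:
        raise ValueError("embedded null byte")
    if "://" in requested or requested.startswith("//"):
        raise ValueError("remote locations are not allowed")
    if os.path.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath collapses ".." and follows symlinks, so compare the final location,
    # not the string the caller typed.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the template directory")
    if not candidate.endswith(ALLOWED_SUFFIXES):
        raise ValueError("not a template file")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate


def is_safe_request(base_dir: str, requested: str) -> bool:
    """True when the request resolves to a permitted file, False when rejected."""
    try:
        resolve_template(base_dir, requested)
        return True
    except (ValueError, FileNotFoundError):
        return False


def render(base_dir: str, requested: str) -> str:
    with open(resolve_template(base_dir, requested), encoding="utf-8") as fh:
        return fh.read()


def build_demo_site() -> str:
    """Constructed layout: a templates/ folder plus a sensitive file next to it."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    templates = os.path.join(root, "templates")
    os.makedirs(templates)
    with open(os.path.join(templates, "about.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>About us</h1>")
    with open(os.path.join(root, "config.ini"), "w", encoding="utf-8") as fh:
        fh.write("db_password=constructed-secret")
    return templates


if __name__ == "__main__":
    base = build_demo_site()
    print("about.html ->", render(base, "about.html"))
    for name in ("../config.ini", "/etc/hostname", "http://example.invalid/x.html", "about.html\x00.txt"):
        print(repr(name), "allowed:", is_safe_request(base, name))
```

The important line is the `commonpath` comparison after `realpath`: checking for `..` in the raw string is not enough, because encodings, symlinks and mixed separators all produce strings that look harmless and resolve elsewhere.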
3. Marriott hotels: privacy of 500 million customers compromised
Information from up to 500 million guests of the Marriott-owned Starwood hotel group has been compromised, including banking data. The breach had been open since 2014 and was first spotted in September 2018. Even if, as Marriott says, the number of customers whose personal information was breached is closer to 327 million, the implications are massive. Information accessed includes payment information, names, mailing addresses, phone numbers, email addresses, passport numbers, and even details about the Starwood Preferred Guest (SPG) account, a high-end card recently launched by the American Express credit card issuer for regular travellers.
"Marriott was first alerted to a potential breach in September, it said, when an internal security tool found someone was trying to access its database. It then found that people seemed to have been in the database since 2014, and they had copied information apparently with a view to taking it."
Marriott now faces a $123 million fine from UK authorities over this breach.
2. Theft of more than one billion passwords
In August 2014, the IT security company Hold Security revealed that Russian hackers had stolen 1.2 billion logins and passwords from 420,000 websites around the world. This could potentially have allowed the hacker group "CyberVor" to access 500 million email accounts. The hackers used botnets to visit sites and run vulnerability tests in order to exploit SQL injection flaws and access databases. While the attack is significant on account of its scale, it has ultimately had no major consequences. According to the FBI, the information has only been used in a large spam campaign on social networks, while the real intent behind this hacking record remains a mystery to the agency.
1. Yahoo!: hackers' favourite target?
In 2014, Yahoo! announced it had suffered a cyber attack that same year affecting 500 million user accounts, the largest mass theft of individual data directed against a single company. Names, dates of birth, telephone numbers and passwords were stolen. While the company assured users that banking data had not been affected, it nonetheless recommended caution. Prior to this event, in 2012, the hacker "Peace" had sold 200 million usernames and passwords for $1,900.
Because bad things always come in threes...
... in March, Yahoo! confessed to being hacked once again. This time, "only" 32 million accounts were affected. But the cyber attack relaunched the investigation of the 2014 hack, as the attackers had used a tool stolen that year which allowed them to forge session cookies and log in without passwords. A direct result of this is that the firm was bought by Verizon in 2017 for $4.5 million instead of the $4.8 million announced in 2016. Update (Dec 2018): Yahoo has now admitted that all 3 billion user accounts had been hacked in 2013. This cyber attack is the most significant in Internet history.
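A session cookie is only as trustworthy as the server's ability to tell a genuine one from a forged one. The usual design is to sign the cookie's contents with a keyed MAC, compare the signature in constant time, give every cookie an expiry, and tag it with a key identifier so the signing key can be rotated. The example below is written for this post and is not Yahoo's cookie scheme; the secrets, user ids and timestamps are constructed. It also shows the one case the design cannot survive: if the signing secret itself is exposed, every cookie it signed must be treated as forgeable, and the only remedy is to retire that key so those cookies stop verifying.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(secrets: Dict[str, bytes], key_id: str, user_id: str,
                 ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Return payload.tag where tag = HMAC-SHA256(secrets[key_id], payload)."""
    now = int(time.time()) if now is None else now
    claims = {"uid": user_id, "exp": now + ttl_seconds, "kid": key_id}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(secrets[key_id], payload, hashlib.sha256).digest()
    return _b64encode(payload) + "." + _b64encode(tag)


def verify_cookie(secrets: Dict[str, bytes], cookie: str,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = _b64decode(payload_b64)
        tag = _b64decode(tag_b64)
        claims = json.loads(payload)
    except ValueError:  # bad base64, bad JSON, wrong number of parts
        return None
    if not isinstance(claims, dict):
        return None
    kid = claims.get("kid")
    secret = secrets.get(kid) if isinstance(kid, str) else None
    if secret is None:
        return None  # unknown or retired key: cookies signed with it are void
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # constant-time comparison, so timing does not leak the tag
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    uid = claims.get("uid")
    return uid if isinstance(uid, str) else None


def unsigned_cookie_for(user_id: str, key_id: str, now: int) -> str:
    """Test fixture: a well-formed payload with a garbage tag, as produced without the key."""
    claims = {"uid": user_id, "exp": now + 3600, "kid": key_id}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return _b64encode(payload) + "." + _b64encode(b"\x00" * 32)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock for a reproducible run
    secrets = {"k1": b"constructed-signing-secret-1"}
    cookie = issue_cookie(secrets, "k1", "alice", now=now)
    print("genuine cookie ->", verify_cookie(secrets, cookie, now=now))
    print("after expiry   ->", verify_cookie(secrets, cookie, now=now + 3601))
    print("no key         ->", verify_cookie(secrets, unsigned_cookie_for("admin", "k1", now), now=now))
    print("key retired    ->", verify_cookie({"k2": b"constructed-signing-secret-2"}, cookie, now=now))
```

Keep the secret out of the application tree and out of source control: the Yahoo incident is the reminder that a leaked signing capability is equivalent to every user's password.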
Will you be the next?
While the cyber attacks above are impressive, many more take place every day in different business sectors and through different means. This summer, the ransomware WannaCry and NotPetya made headlines. More recently, HBO lost 1.5 terabytes of data, including TV show episodes, scripts, manager emails and some Game of Thrones actors' phone numbers. Dozens of US energy suppliers have also been attacked, and hackers can cut electricity anywhere in the United States at any time. How can you protect against cyber attacks? Updating IT systems is the first step, but the best approach is to continuously detect vulnerabilities and fix them quickly, before they can be exploited. This is why our full stack security solutions were developed: to allow our customers to better manage their vulnerabilities and give them the means to improve the security of their systems.
2019 update: The answers to many of the risks identified in this blog are mostly unchanged, and most of them are in theory simple. However, implementing the right solutions for your business, and especially maintaining their effectiveness, depends heavily on the organization and on training its employees to recognize illicit activity.
Our security experts suggest you establish a solid security baseline (or 'cyber hygiene'), in which you ensure the most obvious risks are addressed early. This should include a continuous vulnerability management program, with periodic manual pen tests on key risk areas. After setting this baseline, you should start addressing the focus areas that are most crucial to your organization, which are in turn the areas a hacker is most likely to be interested in. For example, if you see an increase in targeted phishing campaigns against C-level executives, you want to run specific phishing and awareness campaigns around that topic.
For organizations with in-house development teams, embracing the 'shift-left' mentality is a logical next step, since you want your deliverables to be as secure as possible before they reach your customers. In doing so, you might want to roll out an effective developer security awareness program and help the DevOps teams become DevSecOps champions, integrating a flexible security scanning solution into the development lifecycle that helps the developers instead of only giving them more work.
Take a critical look at what your organization's security needs are and employ the security solution that best fits your business goals and your staff.