Cyber Attacks

The document discusses several cybersecurity incidents from 2016-2017, including leaks of hacking tools from the Shadow Brokers and Wikileaks CIA Vault 7, a data exposure on Cloudflare, publicly accessible voter records, hacking of the Macron campaign, the WannaCry ransomware attack, and theft of data from HBO and phishing attacks against Facebook and Google. Overall the document examines how vulnerabilities, misconfigurations, and targeted attacks impacted governments, companies, and internet infrastructure.

Shadow Brokers

The mysterious hacking group known as the Shadow Brokers first surfaced in August 2016,
claiming to have breached the spy tools of the elite NSA-linked operation known as the Equation
Group. The Shadow Brokers offered a sample of alleged stolen NSA data and attempted to auction
off a bigger trove, following up with leaks for Halloween and Black Friday in 2016.
This April, though, marked the group's most impactful release yet. It included a trove of
particularly significant alleged NSA tools, including a Windows exploit known as EternalBlue,
which hackers have since used to infect targets in two high-profile ransomware attacks (see below).

The identity of the Shadow Brokers is still unknown, but the group's leaks have revived debates
about the danger of using bugs in commercial products for intelligence-gathering. Agencies keep
these flaws to themselves, instead of notifying the company that makes the software so the vendor
can patch the vulnerabilities and protect its customers. If these tools get out, they potentially
endanger billions of software users.

Wikileaks CIA Vault 7


On March 7, WikiLeaks published a data trove containing 8,761 documents allegedly stolen from
the CIA that contained extensive documentation of alleged spying operations and hacking tools.
Revelations included iOS and Android vulnerabilities, bugs in Windows, and the ability to turn
some smart TVs into listening devices.

Wikileaks called the dump "Vault 7," and the organization has followed the initial release with
frequent, smaller disclosures. These revelations have detailed individual tools for things like
using Wi-Fi signals to track a device's location, and persistently surveilling Macs by controlling
the fundamental layer of code that coordinates hardware and software.
WikiLeaks claims that Vault 7 reveals "the majority of [the CIA] hacking arsenal including
malware, viruses, trojans, weaponized 'zero day' exploits, malware remote control systems and
associated documentation." It is unclear, though, what proportion of the CIA toolbox the
disclosures actually represent. Assuming the tools are legitimate, experts agree that the leaks could
cause major problems for the CIA, both in terms of how the agency is viewed by the public and in
its operational abilities. And as with the Shadow Brokers releases, Vault 7 has led to heated debate
about the problems and risks inherent in government development of digital spy tools.

Cloudbleed
In February, the internet infrastructure company Cloudflare announced that a bug in its platform
caused random leakage of potentially sensitive customer data. Cloudflare offers performance and
security services to about six million customer websites (including heavy hitters like Fitbit and
OKCupid), so though the leaks were infrequent and only involved small snippets of data, they
drew from an enormous pool of information.

Google vulnerability researcher Tavis Ormandy discovered the problem on February 17, and
Cloudflare patched the bug within hours, but the data leakage could have started as early as
September 22, 2016. Leaked data was only deposited on a small subset of Cloudflare customer
sites, and usually it wasn't visible on the pages themselves. Search engines like Google and Bing
that crawl the web, though, automatically cached the errant data—everything from gibberish to
users' Uber account passwords and even some of Cloudflare's own internal cryptography keys—
making it all easily accessible through search.

Cloudflare worked with search engines ahead of and after the announcement to remove the leaked
data from caches, and experts noted that it was unlikely that hackers used the data malevolently;
the random leaks would have been difficult to weaponize or monetize efficiently. But any exposed
sensitive data creates risks. The incident was also significant as a reminder of how much rides on
large internet infrastructure and optimization services like Cloudflare. Using one of these services
makes sites much more robust and secure than they probably would be on average if owners
attempted to build defenses themselves. The tradeoff, though, is a single point of failure. A bug or
a damaging attack affecting a company like Cloudflare can impact, and potentially endanger, a
significant portion of the web.

198 Million Voter Records Exposed


Unfortunately, it's not uncommon to hear that a trove of voter data was breached or exposed
somewhere in the world. But on June 19, researcher Chris Vickery announced a discovery that
would give even the most jaded security expert pause. He had discovered a publicly accessible
database that contained personal information for 198 million US voters—possibly every American
voter going back more than 10 years.

The conservative data firm Deep Root Analytics hosted the database on an Amazon S3 server. The
group had misconfigured it, though, such that some data on the server was protected, but more
than a terabyte of voter information was publicly accessible to anyone on the web.
Misconfiguration isn't a malicious hack in itself, but it is a critical and all-too-common
cybersecurity risk for both institutions and individuals. In this case, Deep Root Analytics said that
the voter data, though publicly exposed, was not accessed by anyone besides Vickery—but it's
always possible that someone else discovered it, too. And though a lot of voter information is
readily available anyway (names, addresses, etc.), Deep Root Analytics specializes in compiling
revealing data, so being able to access so much pre-aggregated information would be a boon to a
cyber criminal.

Macron Campaign Hack


Two days before France's presidential runoff in May, hackers dumped a 9GB trove of leaked
emails from the party of left-leaning front-runner (now French president) Emmanuel Macron. The
leak seemed orchestrated to give Macron minimal time and ability to respond, since French
presidential candidates are barred from speaking publicly beginning two days before an election.
But the Macron campaign did release statements confirming that the En Marche! party had been
breached, while cautioning that not everything in the data dump was legitimate.

The attack was less strategic and explosive than the WikiLeaks releases of pilfered DNC emails
that dogged Hillary Clinton's presidential campaign in the US, but Macron also had the advantage
of observing what had happened in the US and preparing for potential assaults. Researchers did
find evidence that the Russian-government-linked hacker group Fancy Bear attempted to target
the Macron campaign in March.
After the email leak heading into the election, the Macron campaign said in a statement,
"Intervening in the last hour of an official campaign, this operation clearly seeks to destabilize
democracy, as already seen in the United States' last presidential campaign. We cannot tolerate that
the vital interests of democracy are thus endangered."

WannaCry Heard Around the World:


Ransomware’s 2017 coming out party came and went on the back of WannaCry. This malicious
software broke out on Friday, May 12th, 2017, infecting more than 230,000 computers in over 150
countries and disabling parts of the UK’s National Health Service; Spain’s Telefonica,
FedEx and more were also hit – that is, until a 22-year-old British web security researcher was able
to disable the attack by registering a domain that corresponded to one used to track attack activity.
While email played its part, most of the attack propagated through NSA-derived exploits of
Windows XP, including EternalBlue and DoublePulsar, and is supposed to have been led by a
North Korean cyber squad referred to as “The Lazarus Group” (who writes this stuff?). Because
many of the affected organizations were running Windows XP and Windows Server 2003,
Microsoft issued an unusual patch for these unsupported systems, while those that were already
supported had patches issued months before the attack took place.

HBO’s Game of Hacks:


Think of this as ransomware without the “ware”. In May, 1.5 terabytes of data were stolen from
HBO, including yet-unreleased episodes and scripts from their hit show “Game of Thrones”.
Recently, an indictment of an Iranian man by the name of Behzad Mesri was unveiled in a
Manhattan U.S. District Court; he faces charges of computer fraud, wire fraud, extortion and
identity theft. He effectively held the data ransom for $6 million worth of
Bitcoin from HBO – when HBO balked at the breach, Mr. Mesri released episodes, scripts and
more. The breach didn’t have too much of an effect on the GoT season finale, however, which
clocked in 16.5 million viewers when including streaming services.

No it’s NotPetya:
In June, companies throughout the U.S. and Europe were hit by NotPetya, a strain of ransomware
similar to Petya which had been at the head of several outbreaks in 2016. Shipping giant Maersk
was one of the most prominent victims, ultimately claiming more than $200 million in losses due
to the attack shutting down terminals in four different countries and disrupting operations for
weeks, but all without data lost. Merck, Fedex and even Mondelez International reported losses
due to NotPetya as well, with Mondelez claiming a 5% drop in quarterly sales due to shipping and
invoicing delays caused by the attack.

Facebook and Google Fall for Targeted Phishing:
What does anyone need $100 million for? Well, aside from jet-skis and lavish parties, one
Lithuanian man, Evaldas Rimasauskas, might need that much or more for his legal defense – if
he can get his accounts unfrozen, of course. The 48-year-old successfully forged email addresses,
invoices and contracts to swindle Facebook and Google out of approximately $100 million while
posing as a Taiwanese manufacturer charging for electronics supplies. The two tech giants, with
no shortage of egg on their faces, said they were able to recoup funds after detecting fraudulent
activities, limiting the damage to their accounts but not to their security reputations. Rimasauskas,
on the other hand, faces multiple counts of fraud, aggravated identity theft and money laundering,
but at least he’ll have a story to tell in prison.

THE Equifax Breach:


September 7th was perhaps a day that will live in cyber security infamy. Equifax, one of the U.S.’s
“big three” credit agencies, announced a breach that may have affected 143 million consumers,
losing data as sensitive as Social Security and driver’s license numbers. A vulnerability present in
one of their web interface tools, Apache Struts (which had been patched months prior) allowed
hackers to work their way towards sensitive information from within Equifax’s software systems.
Taking place between May and July, and with the attack announced in September, it certainly
raised a few eyebrows that some Equifax executives had sold stock options between the
announcement and the time at which the attack actually took place.

Tied for Most Ironic – Deloitte:


On September 25, Deloitte announced that it had been hacked in March, despite the global
professional services firm being named one of “the best cyber security consultancies in the world”
by Gartner. Missing the gimme of cyber security, two-factor authentication, the firm gave up
access to all areas of its email system when attackers were able to acquire a single password from
one administrator. With 244,000 staff members, apparently only 6 clients had highly sensitive
information violated, but the breach certainly serves as a thumb in the eye of some of the highest-
flying cyber security “experts” out there.

3,000,000,000 Yahoo!s:
On October 9th, Yahoo followed up on a 2016 announcement that more than 1 billion user
accounts may have been compromised in a 2013 breach. As it turns out, every single Yahoo
customer was impacted by that breach: 3 billion accounts across email, Tumblr, Fantasy Sports
and Flickr were stolen, still without resolution as to the perpetrators. This is the same breach that
ultimately cost Yahoo shareholders $350 million from Verizon’s purchase of the company this
year, though the effect of the updated breach figures is undisclosed (if there was any).

The NSA:
Earlier in November, reports began to spread that the National Security Agency, the chief “Cyber
Warfare” arm of the United States and the same agency whose leaked methods allowed the
WannaCry attack to reach the breadth that it did, experienced a breach in which “The Shadow
Brokers”, a group presumed to be of Russian, Chinese or North Korean origin, uncovered a trove
of methods and exploits used by the NSA’s “Tailored Access Operations” Group. Thus far, the
source of the breach is publicly thought to be an insider leak, but the breadth and completeness of
the leak continues to provide major concerns across the cybersecurity community.

Honorable Mention: The Email Prankster


While most cyber attacks are about the money, some are simply about causing distress among the
rich and powerful. That was at least the stated goal of the Briton James Linton, who gained fame
on Twitter and away from the keyboard as “@Sinon_Reborn”, an email prankster who fooled
many among the British political and banking elite, Harvey Weinstein, Eric Trump, Anthony
Scaramucci and more. Using nothing more than an iPhone out of his bedroom in a semi-detached
Manchester home he shares with his girlfriend, he spoofed email addresses and display names,
posing as associates of and starting email conversations with those mentioned above, as well as
Goldman Sachs CEO Lloyd Blankfein, Morgan Stanley CEO James Gorman and Citigroup CEO
Stephen Bird (who even mentioned in their conversation that they had a “filtering system” to
protect against these very attacks). The list of James’s exploits goes on, but hopefully he can find
a job and pay down his debts now that his identity is revealed.

What have we learned from this year of cyber security disasters?

Well, nothing… at least for most of us, but this always seems to be the discourse in the security
industry. Too few are affected by the data breaches, not enough people with stolen identities
actually experience and understand the consequences of their data being compromised, and the
data apocalypse still hasn’t come (though some say it’s coming soon; we’ve got more
on how you can address GDPR and Email Compliance).
Ultimately, to extend the metaphor of “crossing the rubicon”, it was years before that famous event
led to disaster for the masses, but by the time those disasters started happening, nothing could be
done. Fortunately, most businesses can take this protection into their own hands without having to
rely on their existing partners to protect their data or that of their customers by deploying spam
filtering, phishing protection, URL and Attachment Defense, Secure Email Encryption, Data Loss
Prevention, Email Archiving and more to ensure you won’t be left holding the bag when the data
thieves (or actual thieves) come.
If you’re not going to take these efficient steps to protect your data and that of your customers, at
the very least make sure you update your software – for the most part, the patches you need are already
there.

Yahoo
Date: 2013-14
Impact: 3 billion user accounts

Details: In September 2016, the once dominant Internet giant, while in negotiations to sell itself to
Verizon, announced it had been the victim of the biggest data breach in history, likely by “a state-
sponsored actor,” in 2014. The attack compromised the real names, email addresses, dates of birth and
telephone numbers of 500 million users. The company said the "vast majority" of the passwords
involved had been hashed using the robust bcrypt algorithm.

A couple of months later, in December, it buried that earlier record with the disclosure that a breach in
2013 by a different group of hackers had compromised 1 billion accounts. Besides names, dates of
birth, email addresses and passwords that were not as well protected as those involved in 2014, security
questions and answers were also compromised. In October of 2017, Yahoo revised that estimate, saying
that, in fact, all 3 billion user accounts had been compromised.

The breaches knocked an estimated $350 million off Yahoo’s sale price. Verizon eventually paid $4.48
billion for Yahoo’s core Internet business. The agreement called for the two companies to share
regulatory and legal liabilities from the breaches. The sale did not include a reported investment in
Alibaba Group Holding of $41.3 billion and an ownership interest in Yahoo Japan of $9.3 billion.

Yahoo, founded in 1994, had once been valued at $100 billion. After the sale, the company changed its
name to Altaba, Inc.

eBay
Date: May 2014
Impact: 145 million users compromised
Details: The online auction giant reported a cyberattack in May 2014 that it said exposed names,
addresses, dates of birth and encrypted passwords of all of its 145 million users. The company said
hackers got into the company network using the credentials of three corporate employees, and had
complete inside access for 229 days, during which time they were able to make their way to the user
database.

It asked its customers to change their passwords, but said financial information, such as credit card
numbers, was stored separately and was not compromised. The company was criticized at the time for
a lack of communication informing its users and poor implementation of the password-renewal process.

CEO John Donahoe said the breach resulted in a decline in user activity, but had little impact on the
bottom line – its Q2 revenue was up 13 percent and earnings up 6 percent, in line with analyst
expectations.

Equifax
Date: July 29, 2017

Impact: Personal information (including Social Security Numbers, birth dates, addresses, and in some
cases drivers' license numbers) of 143 million consumers; 209,000 consumers also had their credit card
data exposed.

Details: Equifax, one of the largest credit bureaus in the U.S., said on Sept. 7, 2017 that an application
vulnerability on one of their websites led to a data breach that exposed about 143 million
consumers. The breach was discovered on July 29, but the company says that it likely started in mid-
May.

Heartland Payment Systems


Date: March 2008
Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland's
data systems.

Details: At the time of the breach, Heartland was processing 100 million payment card transactions per
month for 175,000 merchants – most small- to mid-sized retailers. It wasn’t discovered until January
2009, when Visa and MasterCard notified Heartland of suspicious transactions from accounts it had
processed.

Among the consequences were that Heartland was deemed out of compliance with the Payment Card
Industry Data Security Standard (PCI DSS) and was not allowed to process the payments of major credit
card providers until May 2009. The company also paid out an estimated $145 million in compensation
for fraudulent payments.

A federal grand jury indicted Albert Gonzalez and two unnamed Russian accomplices in 2009.
Gonzalez, a Cuban-American, was alleged to have masterminded the international operation that stole
the credit and debit cards. In March 2010 he was sentenced to 20 years in federal prison. The
vulnerability to SQL injection was well understood and security analysts had warned retailers about it
for several years. Yet, the continuing vulnerability of many Web-facing applications made SQL
injection the most common form of attack against Web sites at the time.

Target Stores
Date: December 2013
Impact: Credit/debit card information and/or contact information of up to 110 million people
compromised.

Details: The breach actually began before Thanksgiving, but was not discovered until several weeks
later. The retail giant initially announced that hackers had gained access through a third-party HVAC
vendor to its point-of-sale (POS) payment card readers, and had collected about 40 million credit and
debit card numbers.

By January 2014, however, the company upped that estimate, reporting that personally identifiable
information (PII) of 70 million of its customers had been compromised. That included full names,
addresses, email addresses and telephone numbers. The final estimate is that the breach affected as many
as 110 million customers.

Target’s CIO resigned in March 2014, and its CEO resigned in May. The company recently estimated
the cost of the breach at $162 million.

The company was credited with making significant security improvements. However,
a settlement announced in May 2017 that gave Target 180 days to make specific security improvements
was described by Tom Kellermann, CEO of Strategic Cyber Ventures and former CSO of Trend Micro,
as a “slap on the wrist.” He also said it “represents yesterday’s security paradigm,” since the
requirements focus on keeping attackers out and not on improving incident response.

TJX Companies, Inc.


Date: December 2006
Impact: 94 million credit cards exposed.

Details: There are conflicting accounts about how this happened. One supposes that a group of hackers
took advantage of a weak data encryption system and stole credit card data during a wireless transfer
between two Marshall's stores in Miami, Fla. The other has them breaking into the TJX network through
in-store kiosks that allowed people to apply for jobs electronically.

Albert Gonzalez, hacking legend and ringleader of the Heartland breach, was convicted in 2010 of
leading the gang of thieves who stole the credit cards, and sentenced to 20 years in prison, while 11
others were arrested. He had been working as a paid informant for the US Secret Service, at a $75,000
salary at the time of the crimes. The government claimed in its sentencing memo that companies, banks
and insurers lost close to $200 million.

JP Morgan Chase
Date: July 2014
Impact: 76 million households and 7 million small businesses

Details: The largest bank in the nation was the victim of a hack during the summer of 2014 that
compromised the data of more than half of all US households – 76 million – plus 7 million small
businesses. The data included contact information – names, addresses, phone numbers and email
addresses – as well as internal information about the users, according to a filing with the Securities and
Exchange Commission.

The bank said no customer money had been stolen and that there was “no evidence that account
information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social
Security numbers – was compromised during this attack."

Still, the hackers were reportedly able to gain “root" privileges on more than 90 of the bank’s servers,
which meant they could take actions including transferring funds and closing accounts. According to
the SANS Institute, JP Morgan spends $250 million on security every year.

In November 2015, federal authorities indicted four men, charging them with the hack of JP Morgan and
other financial institutions. Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein faced 23 counts,
including unauthorized access of computers, identity theft, securities and wire fraud and money
laundering that netted them an estimated $100 million. A fourth hacker who helped them breach the
networks was not identified.

Shalon and Orenstein, both Israelis, pleaded not guilty in June 2016. Aaron was arrested at JFK Airport
in New York last December.

US Office of Personnel Management (OPM)


Date: 2012-14
Impact: Personal information of 22 million current and former federal employees
Details: Hackers, said to be from China, were inside the OPM system starting in 2012, but were not
detected until March 20, 2014. A second hacker, or group, gained access to OPM through a third-
party contractor in May 2014, but was not discovered until nearly a year later. The intruders exfiltrated
personal data – including in many cases detailed security clearance information and fingerprint data.

Last year, former FBI director James Comey spoke of the information contained in the so-called SF-
86 form, used for conducting background checks for employee security clearances. “My SF-86 lists
every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their
addresses,” he said. “So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All
of that is in there.”

A report, released last fall by the House Committee on Oversight and Government Reform summed
up the damage in its title: “The OPM Data Breach: How the Government Jeopardized Our National
Security for More than a Generation.”

Sony's PlayStation Network


Date: April 20, 2011
Impact: 77 million PlayStation Network accounts hacked; estimated losses of $171 million while the
site was down for a month.
Details: This is viewed as the worst gaming community data breach of all-time. Of more than 77
million accounts affected, 12 million had unencrypted credit card numbers. Hackers gained access to
full names, passwords, e-mails, home addresses, purchase history, credit card numbers and
PSN/Qriocity logins and passwords. "It's enough to make every good security person wonder, 'If this
is what it's like at Sony, what's it like at every other multi-national company that's sitting on millions
of user data records?'" said eIQnetworks' John Linkous. He says it should remind those in IT security
to identify and apply security controls consistently across their organizations. For customers, "Be
careful whom you give your data to. It may not be worth the price to get access to online games or
other virtual assets."

In 2014, Sony agreed to a preliminary $15 million settlement in a class action lawsuit over the breach.

Anthem
Date: February 2015
Impact: Theft of personal information on up to 78.8 million current and former customers.
Details: The second-largest health insurer in the U.S., formerly known as WellPoint, said a
cyberattack had exposed the names, addresses, Social Security numbers, dates of birth and
employment histories of current and former customers – everything necessary to steal identity.

Fortune reported in January that a nationwide investigation concluded that a foreign government
likely recruited the hackers who conducted what was said to be the largest data breach in healthcare
history. It reportedly began a year before it was announced, when a single user at an Anthem
subsidiary clicked on a link in a phishing email. The total cost of the breach is not yet known, but it is
expected to exceed $100 million.

Anthem said in 2016 that there was no evidence that members' data have been sold, shared or used
fraudulently. Credit card and medical information also allegedly has not been taken.

RSA Security
Date: March 2011
Impact: Possibly 40 million employee records stolen.

Details: The impact of the cyberattack that stole information on the security giant's SecurID
authentication tokens is still being debated. RSA, the security division of EMC, said two separate hacker
groups worked in collaboration with a foreign government to launch a series of phishing attacks against
RSA employees, posing as people the employees trusted, to penetrate the company's network.

EMC reported last July that it had spent at least $66 million on remediation. According to RSA
executives, no customers' networks were breached. John Linkous, vice president, chief security and
compliance officer of eIQnetworks, Inc. doesn't buy it. "RSA didn't help the matter by initially being
vague about both the attack vector, and (more importantly) the data that was stolen," he says. "It was
only a matter of time before subsequent attacks on Lockheed-Martin, L3 and others occurred, all of
which are believed to be partially enabled by the RSA breach." Beyond that was psychological damage.
Among the lessons, he said, are that even good security companies like RSA are not immune to being
hacked.

Jennifer Bayuk, an independent information security consultant and professor at Stevens Institute of
Technology, told SearchSecurity in 2012 that the breach was, “a huge blow to the security product
industry because RSA was such an icon. They’re the quintessential security vendor. For them to be a
point of vulnerability was a real shocker. I don’t think anyone’s gotten over that,” she said.

Stuxnet
Date: Sometime in 2010, but origins date to 2005
Impact: Meant to attack Iran's nuclear power program, but will also serve as a template for real-world
intrusion and service disruption of power grids, water supplies or public transportation systems.
Details: The immediate effects of the malicious Stuxnet worm were minimal – at least in the United
States – but numerous experts rank it among the top large-scale breaches because it was a cyberattack
that yielded physical results.

Its malware, designed to target only Siemens SCADA systems, damaged Iran’s nuclear program by
destroying an estimated 984 uranium enrichment centrifuges. The attack has been attributed to a joint
effort by the US and Israel, although never officially acknowledged as such.

VeriSign
Date: Throughout 2010
Impact: Undisclosed information stolen

Details: Security experts are unanimous in saying that the most troubling thing about the VeriSign
breach, or breaches, in which hackers gained access to privileged systems and information, is the way
the company handled it – poorly. VeriSign never announced the attacks. The incidents did not become
public until 2011, and then only through a new SEC-mandated filing.

As PCWorld put it, “VeriSign buried the information in a quarterly Securities and Exchange
Commission (SEC) filing as if it was just another mundane tidbit.”

VeriSign said no critical systems such as the DNS servers or the certificate servers were compromised,
but did say that, "access was gained to information on a small portion of our computers and servers." It
has yet to report what the information stolen was and what impact it could have on the company or its
customers.

Adobe
Date: October 2013
Impact: 38 million user records
Details: Originally reported in early October by security blogger Brian Krebs, it took weeks to figure
out the scale of the breach and what it included. The company originally reported that hackers had stolen
nearly 3 million encrypted customer credit card records, plus login data for an undetermined number of
user accounts.

Later in the month, Adobe said the attackers had accessed IDs and encrypted passwords for 38 million
“active users.” But Krebs reported that a file posted just days earlier, “appears to include more than 150
million username and hashed password pairs taken from Adobe.” After weeks of research, it eventually
turned out that, as well as the source code of several Adobe products, the hack had also exposed customer
names, IDs, passwords and debit and credit card information.

In August 2015, an agreement called for Adobe to pay $1.1 million in legal fees and an undisclosed
amount to users to settle claims of violating the Customer Records Act and unfair business practices. In
November 2016, the amount paid to customers was reported at $1 million.
