According to a report by the Identity Theft Resource Center (ITRC), the number of data breaches tracked in 2016 in the U.S. reached an all-time record of 1,093 incidents and exposed more than 36 million records. The most headline-making breaches affected the healthcare sector (e.g., Centene, 21st Century Oncology), federal and local governments (e.g., U.S. Department of Homeland Security, the National Security Agency, the U.S. Navy) and IT companies (e.g., Verizon Enterprise Services, Seagate, LinkedIn, Yahoo). Cyber attacks ranged from traditional web-app attacks to relatively new methods such as ransomware. In addition, 2016 is remarkable for several major state-sponsored attacks, which affected large companies like the Federal Deposit Insurance Corporation and Mossack Fonseca.
The situation in 2017 is not getting any better, as the wave of data breaches continues to roll on. In March 2017, a faulty backup exposed the entire working database (over 1 billion records) of notorious spam operator River City Media (RCM). Three weeks later, hackers breached America's Job Link Alliance, a job portal offered by the Department of Labor, and stole personal details from over 1 million job seekers.
As cyber threats evolve, it is high time that we look back at some of the worst breaches of 2016 and see what we can learn from them to avoid making the same mistakes in future:
Mossack Fonseca. Due to the political context, the Mossack Fonseca hack became one of the most controversial data breaches of all time. Named the “modern-day Watergate,” this hack exposed 11.5 million files, comprising 2.6 terabytes in total. What is peculiar about the case is that the attack was ridiculously simple: Hackers exploited older versions of popular open-source web server software to get access to confidential records.
==> This breach confirms that any organization, regardless of its size or type, can fall victim to cybercrime. Even if you entrust your sensitive data to a well-known company, there is no guarantee that it will not become publicly available due to simple negligence. It also highlights that poorly designed patches can introduce more problems than you might think, leaving the door open for various cyber threats. Timely patching of vulnerable systems and updating applications is critical to preventing most infections and mitigating the risk of data leaks.
Friend Finder Network. The attack on this famous adult dating service exposed more than 400 million user accounts, including over 15 million deleted accounts and thousands of .gov and .mil accounts. (It is their second breach since 2015.) The service was reportedly hacked through a local file inclusion exploit that enabled culprits to gain access to all of the network’s sites. Moreover, Friend Finder either stored user passwords in plain text or hashed them weakly, which, according to Leaked Source, cannot be secure “by any stretch of the imagination.”
==> The lesson to learn from this data breach is simple: Organizations should make password security one of their top priorities and take appropriate measures to mitigate the risk of identity theft. Companies that take responsibility for customers’ sensitive data need to focus on building processes and controls that reduce the probability of credentials being stolen and learn from the mistakes of their peers (just remember the Brazzers and Ashley Madison attacks) to ensure similar incidents won’t happen again.
Yahoo. The Yahoo case is a perfect example of how an undetected breach can spiral out of control. In September 2016, the company revealed that more than 500 million passwords were compromised by an unauthorized third party. Later, in December 2016, the company discovered another attack, which occurred in 2013 and compromised more than 1 billion sensitive records. Cybersecurity experts criticized Yahoo for its inability to detect security incidents associated with the data theft and its overall lax attitude towards security. Moreover, Yahoo did not force affected users to change their passwords immediately after each breach had been identified, because the company’s management believed this would drive users away from the service.
==> This breach should remind businesses that, more than ever, they need to be proactive and focus on securing sensitive customer data, as well as follow the law and ethical standards for timely breach disclosure. The potential costs of reputational damage and the impact on future activities far outweigh the cost of admitting your mistakes and undertaking remediation efforts.
Mitigating cyber risks
Research shows that most of the companies that became victims of data breaches in 2016 had one thing in common: They lacked visibility into their IT environments, namely the state of their IT systems, the volume and type of data moving across their networks, and the activities of privileged users. Slow response time following the initial intrusions and insufficient IT security policies also made organizations more vulnerable to security incidents and cyber crime.
There are several ways for your business to mitigate contemporary cyber risks:
- Keep up with the latest cybersecurity trends.
- Gain a better understanding of what is going on in your critical IT systems, file servers and databases.
- Learn from the mistakes of your peers and proactively adjust your security strategies to the evolving cyber-threat landscape.
By becoming more vigilant and security-savvy, your organization can ensure that attackers will not be able to re-use old tactics to invade your networks and gain access to sensitive data.
About Michael Fimin
Michael Fimin is the CEO and co-founder of Netwrix, provider of a visibility platform for data security and risk mitigation that enables control over changes, configurations and access in hybrid cloud IT environments. In this article, he identifies the three worst hacks of the year and the critical lessons businesses can learn from each of them.