2017 has been an interesting year for hacking.
The US is still reeling from the accusations that Russian hackers infiltrated its presidential election in 2016. Whilst the country’s intelligence community has confirmed that Russia did hack at least 21 states last year, the actual effects are still undetermined.
This year also saw two of the biggest global hacks: WannaCry, the malware that infiltrated the UK’s National Health Service, and NotPetya, the malware which took down most of Ukraine’s national government.
Ex-FBI fraud guru Frank Abagnale told Verdict that this is just the state of play now.
“My life’s work is now about helping businesses protect against fraudsters. Anyone who lives in the US or UK can count on the fact that they’ve already been hacked. Any business connected to the internet is likely being probed this very minute by hackers.”
Here are some of the biggest hacks in 2017.
The Aviva hack is different from the typical data breach. According to security intelligence group RedLock, hackers were infiltrating the cloud servers of companies such as Aviva to use the resources to mine bitcoins.
Bitcoin mining is an electricity-intensive process. A report by energy tariff comparison service PowerCompare revealed that mining the cryptocurrency consumes more electricity than at least 159 countries, including Ireland.
Other websites, including The Pirate Bay, have been found to be using their users’ computer resources to mine other cryptocurrencies this year.
The data breach of Equifax, one of the largest credit agencies in the world, was one of the biggest hacks in 2017. At least 143m people were affected by the hack, including nearly 700,000 people in the UK.
The hackers were able to access information including birth dates, addresses, Social Security numbers and credit card numbers. Equifax says this was the result of a “website application vulnerability.”
A class-action lawsuit was filed against Equifax, seeking billions in damages.
Many hacks aren’t discovered at the time they happen, and the fallout can take years to work out. This is the situation for image-sharing site Imgur, which has revealed that 1.7m email addresses and passwords were intercepted in a data breach back in 2014.
The company didn’t find out about the 2014 hack until late in November, after security researcher Troy Hunt notified Imgur.
Imgur says the hack is still under investigation; however, it believes it was a result of the password hashing system that was in use at the time. This form of hashing algorithm was probably cracked with brute force, which is when applications try to recover the protected data by trying as many possible combinations as they can in sequence.
“We take the protection of your information very seriously and will be conducting an internal security review of our systems and processes. We apologise that this breach occurred and the inconvenience it has caused to you.”
The official website of the so-called Islamic State (ISIS) was hacked earlier this year, revealing details about its nearly 2,000 subscribers.
A Muslim hacktivist collective named Di5s3nSi0n hacked the Amaq website, which the terrorist organisation uses to publicise its activities.
In addition, the hacking group Anonymous regularly targets ISIS. It often chooses to fill the organisation’s Twitter accounts with pro-gay messages and gay porn.
5. Russian hacking
The Russian hacking of the US election, the French election, and even Brexit hasn’t left the headlines in 2017. However, what is new this week is that the FBI failed to notify US officials who were being subjected to Russian hacking attempts about the threats.
The Associated Press reported this weekend that of the 80 Americans targeted by the Russian hacking group Fancy Bear, which was behind the Democratic National Convention hacks, the FBI only notified two of the policymakers.
The FBI declined to discuss the investigation but said:
“The FBI routinely notifies individuals and organisations of potential threat information.”
The subject of Russian hacking is so complex that it is going to continue into 2018 and beyond.
Taxi startup Uber disclosed that it was subject to a massive data hack in 2016. Two individuals hacked the user data stored on a third-party cloud service. They managed to access the information of 50m Uber riders as well as 7m drivers across the world. The company attempted to cover it up by offering the hackers $100,000 not to release the information.
The startup is currently being sued for negligence in a complaint representing the Uber drivers and customers in the US whose data was affected.
The company is also currently doing damage control across the world as regulators launch investigations into what went wrong.
In one of the first attacks of the year, the Israel-based mobile phone hacking firm Cellebrite was itself hacked. Around 900GB of data was released to Motherboard by a hacker who had taken on the firm.
The information included usernames and passwords to log into Cellebrite’s databases.
The company creates a device which can rip personal data from mobile phones. It is popular with government officials and law enforcement across the world. The hacker told Motherboard:
“When you create these tools, they will make it out. History should make that clear.”
Global consulting firm Deloitte, which also runs a cyber intelligence centre, was breached in a password hack this year. The hacker gained access to the administration account of Deloitte’s email server, giving them access to internal inboxes and some client data.
A spokesperson from Deloitte said the company has now implemented a comprehensive security protocol including a review of its current cyber security, as well as employing new external and internal security experts.
9. US voting data
The sensitive personal data of nearly 200m US citizens was accessible to anyone on the internet for 12 days this year. The public Amazon cloud server used by Deep Root Analytics, a marketing firm contracted by the Republican National Committee (RNC), was made vulnerable earlier this year.
Chris Vickery, a cyber risk analyst from security firm UpGuard, discovered the available data. He told the Washington Post:
“With this data you can target neighborhoods, individuals, people of all sorts of persuasions. I could give you the home address of every person the RNC believes voted for Trump.”
What are governments doing about widespread hacks?
In Europe, the General Data Protection Regulations (GDPR), which will see companies targeted for not protecting customer data, will come into force in 2018. In the UK, the government has introduced the Data Protection Bill, which enshrines these regulations into law. Under the new regulations, companies will be liable for fines of up to £17m or four percent of their global turnover if they fail to comply.
The UK’s information commissioner, Elizabeth Denham, said:
“We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy, and the benefits the enhanced protections will bring to the public.”
The Australian government is also introducing a similar law in 2018. Firms could be fined up to AUS$17bn if they act negligently and don’t notify customers when they’re hacked.