Once more unto the (data) breach, dear friends.
2017 was notable for some massive data breaches, unintended exposures of sensitive information on the internet and other unfortunate tech incidents. Some were intentional (looking at you, North Korea), and some were not (hello Equifax, nice of you to join us).
2018 probably won’t be any better.
Despite the promise of advancements in fields like AI and machine learning, and despite the hope that we would learn from our mistakes and adhere to better practices in the future, it isn’t clear yet those technologies ― or our own marginally improved habits ― will adequately defend us against increasingly more sophisticated attacks.
That conclusion comes from the cyber security company UpGuard, which detailed our current information security environment and the risks to it in its annual cyber risk report published Dec. 18.
“Unfortunately, with the increased pervasiveness of information technology, there has been no concomitant revolution in how professionals tasked with administering these increasingly multifaceted and complex systems do their jobs,” the authors said.
“Indeed, they are fighting this battle with weapons from the last war, and the results have been disastrous.”
With that in mind, here’s a look back at some of this year’s other notable data breaches, leaks and hacks:
Equifax In September, consumer credit ratings agency Equifax revealed hackers had stolen the personal details of 143 million Americans (roughly half of all Americans), including highly sensitive information like their Social Security numbers.
Even more infuriating: Equifax waited five months to tell anyone. (The hack itself happened in the spring.) Then it bungled its response, initially forcing those affected to sign a legal document prohibiting them from joining a class-action suit, then inadvertently directing potential victims to a fake phishing site which proceeded to steal yet more information.
Dallas Emergency SirensJust before midnight on a Friday in early April, all 156 of the city of Dallas’ emergency sirens started sounding, simultaneously, for no apparent reason.
The hubbub lasted a full 90 minutes before the sirens could be manually overridden and shut down, during which time panicked residents flooded 911 with calls. Dispatchers who typically pick up within 10 seconds were so overwhelmed the wait time hit six minutes.
Officials blamed hackers for the intrusion into their emergency alert system ― a possibility Rocky Vaz, Dallas’ director of emergency management, said nobody had ever considered until it happened.
Deep Root AnalyticsThis summer, a Republican data analysis company called Deep Root Analytics left exposed a 1.1-terabyte online database containing the personal information of almost all of America’s 200 million registered voters.
In addition to the now-familiar leak of basic information like names, birthdays, addresses and phone numbers, Deep Root exposed deeply personal information about individual voters, including their likely stance on abortion, gun control, stem cell research, environmental issues and 44 other categories.
WannaCryNot helping our situation: The National Security Agency has for years been diligently finding major weaknesses in commonly used pieces of software. Instead of alerting the affected companies about the vulnerabilities, however, it’s been hiding those aces up its sleeve for future use.
This year, a group of hackers calling themselves the Shadow Brokers stole a bunch of those exploits, then proceeded to turn them loose on the internet. North Korea used one such NSA-developed hacking technique to target Windows, resulting in a piece of ransomware called “WannaCry” that crippled an estimated 230,000 computers around the world.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Microsoft Chief Legal Officer Brad Smith remarked afterward, clearly not happy the NSA failed to alert the company to the vulnerability before North Korea stole the hacking idea. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
Power Quality EngineeringThis Texas-based electrical engineering firm left a port open for an indeterminate amount of time this summer. UpGuard Cyber Risk Research Director Chris Vickery, who discovered the breach, was able to access and download highly sensitive data and schematics for PQE’s customers, including the city of Austin, Dell, Oracle, SBC Telecom (a subsidiary of AT&T), Texas Instruments and others.
And we aren’t using the term “highly sensitive” lightly here. One document, labeled, “Director of Central Intelligence Directive No. 6/9,” described in detail how to configure a “Sensitive Compartmented Information Facility.” If you aren’t familiar, the government uses SCIFs for its most sensitive intelligence briefings. The White House Situation Room? Yep, that’s a SCIF.
State Election SystemsWe also learned this year that Russian hackers targeted election systems in 21 states during the 2016 presidential election (to say nothing of their activity on Facebook, Twitter, Reddit, etc.), as part of what the Department of Homeland Security called “a decade-long campaign of cyber-enabled operations directed at the U.S. Government and its citizens.”
Jeanette Manfra, acting deputy under secretary for cybersecurity and communications, told the Senate Select Committee on Intelligence in June that there’s no evidence the Russians successfully changed votes or altered the outcome of the election. Instead, it’s more likely the cyber attacks were “intended or used to undermine public confidence in electoral processes.”
UberIn November, yet another skeleton fell out of Uber’s closet when it acknowledged it paid hackers $100,000 to keep quiet about an October 2016 breach that led to the disclosure of 57 million customers’ personal data. 600,000 Uber drivers also had their names and driver’s license numbers stolen.
Uber maintains there’s no evidence the data was used for nefarious purposes. While that may be true, it’s nevertheless deeply concerning the company tried to bury the news instead of disclosing the breach immediately to the affected customers and proper government authorities.
Pentagon and Defense Contractor Blunders
2017 saw several breaches of sensitive information from both the Pentagon and the contractors it works with. In one of the more egregious instances, a defense contractor failed to secure a web server containing top-secret intelligence documents. Satellite surveillance of North Korea’s missile arsenal, battlefield imagery from Afghanistan, and what appears to be authentication keys that granted access to Pentagon servers were all left exposed.
In another, separate breach, the Pentagon itself was at fault when United States Army Intelligence and Security Command (INSCOM) accidentally left critical data exposed, including intelligence so sensitive it was marked as restricted from even being shared with US allies.
Alteryx This marketing and analytics firm left a database containing detailed information on 123 million American households (that’s basically all of them) unsecured and open to the public. The database in question likely came from Experian, another consumer credit rating agency, and contained 248 data points on each household in question, including basic information like addresses and phone numbers, and more descriptive data like whether you’re more of a dog person or a cat person, what magazines you subscribe to, and the number and ages of your kids.
“If you’re an American, your information probably was exposed,” Vickery told HuffPost.
Where do we go from here?Are hacks and breaches like these just the new normal? Absolutely not, UpGuard co-founder Mike Baukes told HuffPost in an email.
“We should never accept this systemic insecurity as the new normal,” he said. “That is a cop-out that excuses the status quo as somehow acceptable, instead of a frighteningly insecure state of affairs in which the personal and financial information of the most vulnerable citizens is endangered by cyber risk.”
Rather than acceptance, Baukes said he hopes these increasingly more brazen and damaging attacks will spur people to action. Fortune 500 companies and civil servants alike need to commit more resources to mitigating the risk, and politicians at the federal level need to step up as well to protect constituents who are hacking victims.
“As of right now, there is no federal, unified breach disclosure law; state laws vary greatly on just when breaches must be disclosed to affected individuals,” he noted.
“While regulations already exist governing the disclosure of particularly sensitive information, like medical records, there should be a federal breach disclosure law mandating timely notification and the preservation of relevant data by any government agencies or private corporations falling prey to data theft.”