Data breaches were very much alive in 2015. With more than 178 million American records exposed, 2015 surpassed the preceding years in illustrating the even greater potential damage of data breaches. Increasing knowledge of the potential damage from hacks also called for greater urgency in best security practices, leading many industries to discover their security shortcomings. Creating better security in 2016 will require two approaches: first, learning from mistakes in the past and then, anticipating potential mistakes in the future. Take a look at the biggest data breaches of 2015 and what we learned from each one.
Anthem: The year began with one of the biggest breaches that the healthcare industry has ever seen. In February 2015, the health insurance company, Anthem, was hacked, compromising 80 million customer records and exposing customer social security numbers, email addresses, addresses, phone numbers, and birthdates. The effects of a breach of this size are lasting for the customers involved and will take years to resolve.
Scott Rea, DigiCert’s Senior PKI Architect, identified two major areas for improvement for Anthem (and companies like Anthem). First, he identified that Anthem lacked sufficient authentication. If two-factor authentication had been deployed by Anthem, the hackers would have needed an administrator’s trusted device or physical token to access the data. Second, Anthem’s data was not encrypted when it was stored in the database. Without basic encryption, the data was left vulnerable to hackers. Authentication and encryption are essential components of any security structure.
Office of Personnel Management: In what was believed to be the worst attack against a U.S. government agency, The Office of Personnel Management was hacked in 2015. OPM first announced the breach of their data in June, but continued to uncover and reveal more details of the breach as late as September. The breach leaked 5.6 million fingerprints of current and former employees, and other personal information of 21.5 million individuals is reported to have been leaked as well. While experts have said that stolen fingerprints cannot currently be used fraudulently, others estimate that technological advancements will make them useful in the future.
According to this article by Ars Technica, OPM had struggled with their security infrastructure for quite some time, and although they were making efforts to close their security gaps, they had still not succeeded in creating a centralized security organization. Additionally, OPM was not well organized with the data that they did have; there was no comprehensive inventory of servers, databases, or network devices. Organization is a key component to any successful security plan.
Ashley Madison: If there was one hack that had everyone talking this year, it was the Ashley Madison hack in August. The controversial extramarital dating site was targeted specifically by cybercriminals on account of their moral disagreement with the site and its cancellation policies. The hackers did not just access the data for themselves, however, but they made the information public revealing user names, first and last names, and hashed passwords for 33 million accounts; partial credit card data, street names, and phone numbers for huge numbers of users; records documenting 9.6 million transactions, and 36 million email addresses.
The Ashley Madison hack only increased in its severity when the supposedly encrypted passwords of 15 million users were revealed to be weak, crackable passwords. The alleged encryption was faulty, and left Ashley Madison users even more vulnerable than they had been with their personal information revealed. Password encryption is a necessity in today’s Internet.
Understanding security errors of the past helps us improve the security for the future, but looking backwards is only the first step. Experts must also look forward in anticipation of what will happen next. See NBC News’s predictions for 2016 to read up on what experts are anticipating for the upcoming year.