People are often quick to adapt: we no longer bat an eyelid when we read news about another hacked server and the loss of a few million records of personal data. Only the most spectacular cases attract our attention, such as an attack on a high-profile target like the German parliament, or incidents where vast amounts of data were stolen, for example the Yahoo breach. And the bar for what it takes to catch our attention is constantly being raised. News that used to grab headlines throughout the media is now limited to specialist magazines or blogs. Nevertheless, companies treat such threats as a high priority. A study by PricewaterhouseCoopers lists cybercrime as the second most reported economic crime. In the study, 32 percent of companies said they had already been victims of cybercrime and 34 percent expected an incident in their company over the next two years.
Analysing the development of cybercrime in the last few years reveals interesting trends. An infographic on Bestvpn.com lists the 10 most serious incidents according to their impact or the quantity of stolen data. Although the list is based on incidents in America, the findings are impressive. Even the last place on the list starts at 50 million data records, stolen from the retailer Home Depot in 2014.
Yahoo takes third place with an estimated 1.5 billion stolen records, but the top two positions are even more critical because of the sensitivity of the data and the significance of the organizations affected. Even though the 21.5 million records stolen from the US Office of Personnel Management (OPM) may seem trivial compared to Yahoo’s 1.5 billion, a breach of extensive records containing social security numbers, dates of birth, financial checks and fingerprints is clearly far more serious. This data can be used to create complete fraudulent identities based on individuals who are not considered a threat by the American authorities. An official investigation reported the cause of the breach as a combination of obsolete technology and the misuse of credentials stolen from a service provider, which were used to access the system. If credentials with elevated rights can be used without two-factor authentication, the security risks posed by legacy backend technology are no longer relevant: it is already too late.
BestVPN sees the most critical incident yet as the IoT attack on Twitter, Netflix, PayPal and Spotify in October 2016. The actual attack was directed at the DNS provider Dyn.com, which managed the domains for these companies. The unique aspect of this DDoS attack was the type of zombie devices used: instead of PCs with malicious software, the attack combined several hundred thousand networked devices such as cameras, baby monitors or digital video recorders. The devices were either connected to the Internet without any security measures or still used default passwords. Such insecure devices are easy prey for any creative hacker, who could easily find them with a few scripts from the Internet and install their DDoS software.
On reviewing the incidents in detail, it is noticeable that neither unknown nor incredibly sophisticated attack methods were used. Most attacks succeed through trivial means: no password, unchanged default passwords, lack of two-factor authentication or simply ignoring security warnings. This may at first seem extremely frustrating, but there is a silver lining: just by taking simple steps to improve security, companies can avoid attacks similar to the 10 biggest security incidents of all time.