Historic Hacks of the 2010s, Part 1

Earlier this year, we revisited hack attacks from the infancy of the internet era, and then from the 2000s. Now we're moving forward in time to the immediate past and the present, where no hack is too big to conceive of.

Note: This is Part 1 of 2. To read Part 2, click here.


(Image: OPM Theodore Roosevelt Federal Building)

The decade from 2010 to the present is when hacking has become both disturbingly commonplace and devastatingly effective. To use a disturbing analogy for a disturbing reality, the immediate past is when hackers became true big game hunters and started organizing some of the biggest trophy hunts you can imagine.


All too often, in recent years, it’s seemed like high-profile targets have been cracked as easily as a tour company picking a lion and passing the rifle to the rich first-world businessman in brand new khaki jodhpurs.


In this installment, we’ll cover the years 2010 to 2014. The fun will continue from there.


U.S. Office of Personnel Management (2012 through 2014)


Beginning in 2012, China-based hackers breached the computer systems of the U.S. Office of Personnel Management (OPM) and made off with the personnel records of 22 million current and former federal employees.


This hack hit the mother lode of information by accessing employee SF-86 forms. These forms are used to conduct background checks before granting security clearances to employees; they contain an astounding amount of personal information.


Completing an SF-86 is an onerous task that can take weeks. Agencies that request you fill one out also strongly suggest you keep a copy for your own files. The form literally contains a record of your entire life: financial information and history, investments, medical problems, legal and illegal drug and alcohol use, arrest records, any existing or past security clearances, actual fingerprint data, and other sensitive materials that could be used for nefarious purposes.


One prominent victim, former FBI Director James Comey, put it best when he bemoaned to the press, “My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, and their addresses. So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”


Hacking off with such sensitive information was actually pretty simple, since OPM didn’t even have an IT security staff in place until 2013. They were doing nothing to prevent outside intrusion. OPM did detect the breach in March of 2014 — and immediately began an investigation. Sadly, while the investigation was ongoing, two months later in May another breach occurred. The second breach itself was not discovered until the following year.


Aftermath: In June of 2015, Donna Seymour, OPM’s CIO, mailed a form letter to the 22 million victims stating that OPM “takes very seriously its responsibility to protect your information.” To show how much they cared, they also threw in free credit monitoring and identity fraud insurance to anyone who wanted it.


Had Seymour stopped there she would have been OK. Unfortunately, her missive continued, “Nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose.” Seymour retired in February 2016, two days before she was to appear before a congressional committee to testify about the breach.


The U.S. House Committee on Oversight and Government Reform put out a 241-page report detailing all the things OPM failed to do to safeguard data. Unfortunately, in true government fashion, it took 15 months to release the findings. During the interim, the media had thoroughly covered the breach, and before the report arrived, federal and state agencies were already implementing the recommended security protocols.


Lessons Learned: The OPM breach is chock-a-block full of irony because the stolen information came from the SF-86 form, the very form used by the feds to determine a person’s trustworthiness to handle classified information, something they themselves failed miserably to do.


Government agencies are only as secure as the people who run them. No matter who you are, you are ultimately responsible for the security of your private data. And, if you think you can trust the government to take good care of you, just ask former Director Comey — or better yet, a Native American.


Target (2013)


We’ve all had days that start out normally and then go completely off the rails. Such was the case one morning for Daniel Mitsch, vice president of Fazio Mechanical Services in Sharpsburg, Penn. That was when the U.S. Secret Service dropped in to ask about a data breach of Target stores nationwide.


Fazio Mechanical was a humble provider of refrigeration, heating, and air conditioning systems. Understandably, Mitsch had no idea why the Secret Service wanted to speak with him. It happened that one of Fazio’s customers was the retail giant Target, and hackers had used Fazio’s network credentials to plant malware on a small number of checkout registers across the country.


Sometime before Thanksgiving that year, hackers uploaded malware designed to steal credit card information to a select few registers in various Target stores. The initial hack was designed to test how well their malware performed.


The implanted malware worked like a charm, and within two weeks it had spread to the majority of point-of-sale (POS) devices companywide, resulting in the theft of credit and debit card numbers for 110 million customers. The purloined info included people’s full names, home addresses, e-mail addresses and phone numbers.


At first, investigators were unsure why Target had allowed external network access for an HVAC vendor. It turns out that large retail operations typically permit such vendors to access their networks as a way to reduce costs: the vendor can remotely keep temperatures in an acceptable range and troubleshoot any system problems that may arise.