Historic Hacks of the 2010s, Part 1
Note: This is Part 1 of 2. To read Part 2, click here.
The decade from 2010 to the present is when hacking has become both disturbingly commonplace and devastatingly effective. To use a disturbing analogy for a disturbing reality, the immediate past is when hackers became true big game hunters and started organizing some of the biggest trophy hunts you can imagine.
All too often, in recent years, it's seemed like high-profile targets have been cracked as easily as a tour company picking a lion and passing the rifle to the rich first-world businessman in brand new khaki jodhpurs.
In this installment, we'll cover the years 2010 to 2014. The fun will continue from there.
U.S. Office of Personnel Management (2012 thru 2014)
Beginning in 2012, China-based hackers breached the computer systems of the U.S. Office of Personnel Management (OPM) and made off with the personnel records of 22 million current and former federal employees.
This hack hit the mother lode of information by accessing employee SF-86 forms. These forms are used to conduct background checks before granting security clearances to employees; they contain an astounding amount of personal information.
Completing an SF-86 is an onerous task that can take weeks. Agencies that request you fill one out also strongly suggest you keep a copy for your own files. The form literally contains a record of your entire life: financial information and history, investments, medical problems, legal and illegal drug and alcohol use, arrest records, any existing or past security clearances, actual fingerprint data, and other sensitive materials that could be used for nefarious purposes.
One prominent victim, former FBI Director James Comey put it best when he bemoaned to the press, "My SF-86 lists every place I've ever lived since I was 18, every foreign travel I've ever taken, all of my family, and their addresses. So it's not just my identity that's affected. I've got siblings. I've got five kids. All of that is in there."
Hacking off with such sensitive information was actually pretty simple, since OPM didn't even have an IT security staff in place until 2013. They were doing nothing to prevent outside intrusion. OPM did detect the breach in March of 2014 — and immediately began an investigation. Sadly, while the investigation was ongoing, two months later in May another breach occurred. The second breach itself was not discovered until the following year.
Aftermath: In June of 2015, Donna Seymour, OPM's CIO, mailed a form letter to the 22 million victims stating that OPM "takes very seriously its responsibility to protect your information." To show how much they cared, they also threw in free credit monitoring and identity fraud insurance to anyone who wanted it.
Had Seymour stopped there she would have been OK. Unfortunately, her missive continued, "Nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose." Seymour retired in February 2016, two days before she was to appear before a congressional committee to testify about the breach.
The U.S. House Committee on Oversight and Government Reform put out a 241-page report detailing all the things OPM failed to do to safeguard data. Unfortunately, in true government fashion, it took 15 months to release the findings. During the interim, the media had thoroughly covered the breach and before the report arrived, federal and state agencies were already implementing recommended security protocols.
Lessons Learned: The OPM breach is chock-a-block full of irony because the stolen information came from the SF-86 form. The very form used by the feds to determine a person's trustworthiness to handle classified information — something which they themselves failed miserably to do.
Government agencies are only as secure as the people who run them. No matter who you are, you are ultimately responsible for the security of your private data. And, if you think you can trust the government to take good care of you, just ask former Director Comey — or better yet, a Native American.
We've all had days that start out normally and then go completely off the rails. Such was the case one morning for Daniel Mitsch, vice president of Fazio Mechanical Services in Sharpsburg, Penn. That was when the U.S. Secret Service dropped in to ask about a data breach of Target stores nationwide.
Fazio Mechanical was a humble provider of refrigeration, heating, and air conditioning systems. Understandably, Mitsch had no idea why the Secret Service wanted to speak with him. It happened that one of Fazio's customers was the retail giant Target, and hackers had used Fazio's network credentials to plant malware on a small number of checkout registers across the country.
Sometime before Thanksgiving that year, hackers uploaded malware designed to steal credit card information to a select few registers in various Target stores. The initial hack was designed to test how well their malware performed.
The implanted malware worked like a charm, and within two weeks had spread to the majority of point-of-sale (POS) devices companywide resulting in the theft of credit and debit card numbers for 110 million customers. The purloined info included people's full names, home addresses, e-mail addresses and phone numbers.
At first, investigators were unsure why Target had allowed external network access for an HVAC vendor. It turns out that large retail operations typically permit such vendors to access their networks as a way to reduce costs by maintaining temperatures in an acceptable range and troubleshooting any system problems that may arise.
Aftermath: Fazio Mechanical immediately went "shields up" in an effort to protect their reputation. Issuing a PR statement, they declared their IT system and security measures to be in full compliance with industry standards. They also made clear that they did not perform remote monitoring of HVAC and refrigeration systems for Target stores, stating their "data connection with Target was exclusively for electronic billing, contract submission, and project management."
Target was widely faulted for not incorporating a two-factor authentication process for remotely accessing the network by third parties. That's what was required at the time by Payment Card Industry Data Security Standards (PCI DSS).
Within days, 47 different state governments were knocking on Target's door demanding customers be "made whole." The company ended up shelling out more than $300 million to satisfy various class-action suits, offered free credit report monitoring to affected customers, and upgraded its POS systems to handle chip and PIN technology.
The corporation also suffered a temporary dip in stock price, but got past that problem by demanding that a number of longtime executives, including CEO and Chairman of the Board Gregg Steinhafel and CIO Beth Jacobs, fall on their swords.
Lessons Learned: Besides reminding everyone to not underestimate the ingenuity of cybercriminals, and the value of application control software on POS systems, the breach made the importance of network segmentation to prevent hackers from using one access point to enter an entire network glaringly clear.
As one of the pioneers of wide-open internet era in the 1990s, Yahoo! seemingly offered something for everyone. Founded in 1994 by Jerry Yang and David Filo, a couple of engineering students at Stanford University, the company rocketed to the internet stratosphere as a web portal and search engine.
Yahoo! was the sixth-most-visited website in the world in 2016 with more than 7 billion monthly page views. Each day, hundreds of millions of users would communicate back-and-forth via Yahoo! Mail, check financial markets with Yahoo! Finance, and read up on world happenings on Yahoo! News.
Yahoo! always thought big, so it is no wonder that they were on the bad end of the mother-of-all data breaches. In September 2016, the Company announced that 500 million user accounts had been hacked in 2014 by a "state-sponsored actor." Users were understandably miffed that the Yahoo! could overlook a massive hack for so long. The company did make an effort to remediate the hack. Unfortunately, it was egregiously anemic — they sent notices to just 26 users.
Things would go from bad to worse three months later when Yahoo! revealed that an even earlier hack back in 2013 had accessed the personal information and passwords for 1 billion user accounts. Up to this point, 2013's hack was the largest in history. What really made the company look bad was that it waited a whole year after discovering that breach to hire a dedicated CIO.
In 2017, justifiably angry users redlined into absolute outrage when Yahoo! revised their earlier estimate of a measly 1 billion user accounts hacked. In a humiliating mea culpa, the company disclosed that every account ever opened on the platform had been hacked — an astounding 3 billion!
Aftermath: Although Yahoo! was slapped with a number of class-action suits, they did continue to rank first in a number of areas — unfortunately all bad. They were the first public company to be punished for nondisclosure of a known data breach; the U.S. Securities and Exchange Commission slapped them with a $35 million fine. They became the first company to settle a federal securities class-action suit for a cyberattack by coughing up an additional $80 million. As of 2017, Yahoo! was continuing their attempt to settle a major class action suit with users for $118 million.
At the time of the disclosure (and cover-up), Yahoo! was negotiating with Verizon to sell off its operations. The deal went forward but, taking advantage of the bad press, Verizon got a sweet $350 million off the purchase price. Verizon has since changed Yahoo!'s name to Altaba and, in spite of owning the two largest data breaches in history , Yahoo! domain websites are still used by a ton of people. As of January 2019, they are ranked eighth worldwide.
Lessons Learned: The first lesson is to not wait to investigate data breaches. Begin immediately; you never know what else you might uncover. The second lesson is to name your company carefully because it may come back to haunt you. Yang and Filo claimed the name was slang for a "rude and unsophisticated" person. In actuality, it comes from Gulliver's Travels and refers to a race of deformed human creatures that live in trees and throw their excrement at anyone who approaches.