A list of the biggest hacks and data breaches from 2015, from the Ashley Madison breach to the Juniper backdoor

Dec 27, 2015 13:30 GMT  ·  By

2015 is almost over, and it's time to take a retrospective look at the biggest security incidents that happened during the past year.

Since most companies try to hide the real figures of a security incident, and investigations often reveal much smaller or much bigger numbers than first reported, we're not going to waste our time trying to rank them. So, in no particular order, here are this year's biggest security incidents.

Hacking Team

In June, an unknown hacker breached the servers of Hacking Team, an Italy-based exploit vendor, and leaked its database, internal emails, and the source code of its spying toolkit on GitHub.

While the press was busy demonizing Hacking Team's leadership for selling its spying tools to abusive third-world governments, cyber-crime gangs quickly found zero-day bugs in the trove of leaked data and started embedding exploits for those vulnerabilities in their own attack arsenals.

What made the Hacking Team incident even worse is that Adobe took its sweet time to fix the numerous zero-day flaws found in Flash, and more and more users decided that it was time to disable Flash in their browser for good. Mozilla and Google did the same, disabling Flash in Firefox and Chrome for a few days and letting Adobe know that its product was no longer that crucial to their users.

If we were to rank all hacks, the Hacking Team incident would certainly be number one on our list, being the "hack that kept on giving" the whole year.

Ashley Madison

In July, a group of hackers calling themselves "The Impact Team" breached the servers of the Ashley Madison online dating portal and stole the site's database, internal emails, and the source code of some internal apps.

All the data was eventually leaked online, and like in no other data breach before, the consequences were extremely serious: people were extorted by online crooks over their extra-marital relationships, and some Ashley Madison users even committed suicide.

Later in the summer, a group of hackers also managed to crack the passwords of 11 million accounts.

VTech

At the end of November, VTech, a Chinese company that builds and sells electronic learning toys, suffered a data breach in which attackers stole the personal information of 4.8 million parents and 200,000 children. A later investigation showed the number was 6.7 million.

The data breach, huge in its own right, drew far more attention than its size alone would warrant because it involved the personal details of so many kids.

While it's somewhat easy to keep an eye on your credit score and bank accounts after a data breach as an adult, few parents take the same steps for their children.

Leaked children's information can be safely stored away by cyber-crime syndicates and used many years later for online fraud or forging fake identities, without the affected person being able to track down the source of the data breach.

OPM

OPM, the US Office of Personnel Management, is the federal institution that manages employees working for the US government, whether in the military or in office buildings around the country.

The data breach originated in March but only came to light in June. The figure grew from the initial 4 million records to 18 million and then to 21.5 million by the end of July. To make it even worse, in September investigators also announced that the fingerprints of 5.6 million government employees had been stolen.

Right from the get-go, US officials suspected China, and they were right. China did acknowledge the hack but blamed it on rogue hackers rather than its cyber-intelligence forces. Chinese officials arrested the hackers at the end of September, as a sign of good faith ahead of the upcoming US-China anti-spying pact.

Juniper

The most recent addition to this list is the hidden backdoor found in Juniper's NetScreen firewall equipment running the ScreenOS operating system.

During an internal code audit, Juniper's developers discovered what they labeled "unauthorized code" inside ScreenOS, which a later investigation proved to be a fully functioning backdoor that granted attackers access to the device and even allowed them to decrypt VPN traffic.

Currently, the source of the backdoor code is unknown, with one camp saying it was secretly added by the NSA, and another blaming China, where sections of the operating system were written.

Gemalto

This hack didn't take place in 2015, and it was not actually a successful hack but a failed attempt. The Intercept, the same publication that published the Edward Snowden revelations, released documents linking the NSA and Britain's GCHQ to attempted cyber-attacks in 2010 and 2011 on Gemalto, a Dutch maker of mobile phone SIM cards.

According to Gemalto, the attackers targeted its inventory of cryptographic keys. These keys are currently used to encrypt and secure mobile communications for 400 mobile and wireless carriers in 85 countries. Had the keys fallen into the NSA's and GCHQ's hands, the agencies would have been able to listen in on everyone's conversations and Internet traffic.

LastPass

In June, LastPass, one of the most used and beloved password managers, announced a breach in which unknown attackers stole some email addresses, hashed master passwords, and the hints for those passwords.

The good news was that the master passwords were stored hashed and salted, meaning cracking them would take time and would also require serious computing resources.
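To make the "hashed and salted" point concrete, here is an added example (not LastPass's code, and PBKDF2 with these iteration counts is an assumption, not LastPass's actual parameters) that contrasts the two storage schemes. Unsalted fast hashes can be recovered with a lookup table built once and reused against every user; salted, slow hashes force a full key-derivation run per user per guess, which is where the "time and server resources" come from. The sample users and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Work factor and salt size are assumptions for this example, not LastPass's parameters.
DEFAULT_ITERATIONS = 100_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt and a slow KDF.

    The result is a self-describing record "algo$iterations$salt$digest" so the
    verifier can recover the parameters later and the work factor can be raised
    over time without breaking old records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_fast_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-256 per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password once; reusable against every user and every leak."""
    return {unsalted_fast_hash(p): p for p in candidates}


def crack_unsalted(stolen: Iterable[str], table: Dict[str, str]) -> Dict[str, str]:
    """Recover unsalted hashes by dictionary lookup: no hashing at all at crack time."""
    return {h: table[h] for h in stolen if h in table}


def crack_salted(records: List[str], candidates: List[str]) -> Tuple[Dict[str, str], int]:
    """Guess against salted records. No precomputed table applies: each
    (record, candidate) pair costs a full KDF run, so the work scales with
    users x guesses x iterations. Returns recovered passwords and KDF calls spent."""
    found: Dict[str, str] = {}
    kdf_calls = 0
    for record in records:
        for guess in candidates:
            kdf_calls += 1
            if verify_password(guess, record):
                found[record] = guess
                break
    return found, kdf_calls


if __name__ == "__main__":
    # Constructed sample data: three users, two of whom chose a common password.
    common = ["123456", "password", "letmein"]
    users = {"alice": "password", "bob": "password", "carol": "tr0ub4dor&3"}

    weak_db = {u: unsalted_fast_hash(p) for u, p in users.items()}
    table = build_lookup_table(common)
    print("unsalted, recovered:", crack_unsalted(weak_db.values(), table))

    salted_db = {u: hash_password(p) for u, p in users.items()}
    # alice and bob share a password but get different records thanks to the salt
    print("records differ:", salted_db["alice"] != salted_db["bob"])
    found, calls = crack_salted(list(salted_db.values()), common)
    print(f"salted, recovered {len(found)} of {len(users)} after {calls} KDF runs")
```

Two defensive details worth noting: the per-user random salt means two users with the same password get different records, so a table built for one leak is useless for the next; and `hmac.compare_digest` keeps verification time independent of how many leading bytes match, closing a timing side channel on the login path.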

The hack is notable because it was one of the first times people realized how serious the implications of a breach at a password management service can be.

T-Mobile via Experian

T-Mobile itself didn't get hacked in this case; Experian did, a credit reporting company that handles the data of T-Mobile customers who applied for financing to buy devices from T-Mobile's shops.

With 15 million records leaked, containing all the sensitive details a fraudster could ever wish for, this incident deserves a mention for the sheer numbers alone.

TalkTalk

And the award for "the most hated company of the year" goes to TalkTalk, after managing to lose 4 million user records in February, another 4 million records in October, and 2.4 million records in August, when one of its subsidiaries, Carphone Warehouse, also suffered a data breach.

In total, TalkTalk lost 10.4 million user records in three different incidents this year alone. If the company hasn't fired its CSO by now, then customers need to find another ISP, as it sure looks like they don't know what they're doing over there.

CIA Director John Brennan

Three teenagers who call themselves CWA (Crackas With Attitude) managed to hack the personal email of CIA Director John Brennan, in one of the year's most high-profile cases of social engineering, one that could serve as a textbook example in infosec training manuals.

Even worse, the hackers continued their attacks by breaking into the email accounts of FBI Deputy Director Mark Giuliano and his wife, and even gained access to JABS (Joint Automated Booking System), an application used to record and manage arrests of US citizens.

Soon after, CWA went dormant, and to this day, US investigations have not caught them.