Cheaters, Kids And Feds: 2015 Data Breaches Didn’t Discriminate

Security experts analyze the biggest cyberattacks of the year

(Illustration: R. A. Di Ieso/Vocativ)
Dec 17, 2015 at 7:45 PM ET

It used to take a massive credit card hack to get the attention of the general public, but now large-scale criminals are bypassing wallets and going straight for the jugular—targeting government agencies, health care organizations and companies that hold information about children and adulterers.

Cyberattacks at Target, Home Depot and eBay in 2014 were a sobering alert to the general public that retail companies can’t be trusted with our bank information, but this year, hackers dug deeper into the private lives of their victims and scored more valuable data.

This was the year where the criminal you needed to watch out for was that digital criminal. They are now the most high-profile criminal out there, other than ISIS,” said Sam Pfeifle, publications director at the International Association of Privacy Professionals. 

Here are the five largest, most impactful data breaches of 2015, according to security experts.

Several health care organizations were targeted in cyber attacks in 2015. Millions of customers were affected by data breaches at UCLA Health, Premera Blue Cross and Excellus Health Plan, but none of these incidents were nearly as shocking as when Anthem, the second-largest health care company in the U.S., revealed in February that data of nearly 80 million of its customers had been breached.

In addition to the high number of those affected, the breach was also alarming because it took weeks for Anthem to discover it and because the information was far more sensitive than what had been leaked in previous headline-grabbing attacks, which mostly exposed credit and debit card information.

“Once someone learns that you have a particular disease and learns your blood type, or your DNA—you can’t start over like ordering another credit card,” said Ben Johnson, chief security strategist at Bit9+Carbon Black. 

Financial information only gets a hacker so far. The more personal the information, the more value. On the dark net, medical credentials are worth about 10 to 20 times as much as credit card information. That information can be used to file false claims with insurance companies or order drugs.

Of course, there are other ways to get troves of personal information. The breach of the U.S. Office of Personnel Management began in March, was discovered by the OPM in April and announced publicly by the OPM in June. The director of the OPM, Katherine Archuleta, resigned in July shortly after the announcement that records on 21.5 million individuals had been stolen, over three million more than the original estimate released to the public. The attack affected about a third as many people as the Anthem hack did, but far more personal information was leaked.

“It’s was basically all the laundry you’ve got,” said Pfeifle. “[The OPM] had access to background-check information on everybody who applies for some sort of clearance for the federal government. It’s not just [your] social security number and your own private information. It’s also information about who your family and friends are and what your interactions are like. These are full profiles of these people.”

Beyond the sheer number of individuals affected, the breach showed the vulnerability of a sector of the U.S. government that focuses specifically on handling sensitive personal information. “If we accept the narrative that this is a state-sponsored attack from the Chinese government, and most clues point towards that, then these hackers are generally interested in information that has a strategic use, not a monetary use,” security journalist Brian Krebs told Vocativ in July. “If they wanted to recruit spies, I can think of no better cache of information to go after. You have all the information about what they do, where they do it.”

The July hack of Ashley Madison, a dating site for cheaters, garnered widespread media coverage, not so much for the number of people affected (many of the accounts were fake) or the sophistication of the hack (the data was, relatively speaking, less secure than that breached in the Anthem and OPM hacks), but because it unfolded like a realtime nation-wide soap opera.

“Ashley Madison, due to the huge volume of significant and highly personal data, had a serious impact on many lives,” Troy Hunt told Vocativ. Hunt created the site Have I Been Pwned?, which allows people to see if they’ve been affected by a hack. The security researcher saw a 58,000 percent increase in traffic the day after the Ashley Madison hack, as hundreds of thousands rushed to the site to see if they or anyone they knew was outed as a potential adulterer. Journalists gleefully exposed public figures, like Josh Duggar and Christian YouTube celebrity Sam Rader, whose infidelity-seeking ways were exposed in the data breach.

“The Ashley Madison breach really raised some interesting question about if some people’s personal information is more valuable and more worthy of protection than others.” said Pfeifle. “As soon as they published the Ashley Madison data online everybody was as quick as they could be to go look at that information and go breach those people all over again … People didn’t have a whole lot of compunction in violating [the Ashley Madison users’] privacy over and over again because they thought those people had done something morally bankrupt.”

While Ashley Madison hackers targeted the “immoral,” another notable hack targeted the innocent. A cyberattack on electronic toy maker VTech exposed the data of 200,000 children. “It was the largest disclosure of personally identifiable kids’ data we’ve seen,” said Hunt.

The breach was revealed the week of Thanksgiving, and it served as a disquieting lesson to parents who let young children enter their personal information on electronic devices. “There’s nothing that gets parents more angry and agitated than finding out that a company lost information about their children,” said Pfeifle. “So now, potentially, hackers have access to home addresses and ages and names of kids as young as you can imagine—as young as can use electronic devices.”

The victims aren’t the only ones getting younger—one of the most significant hacks of the year was executed by teenagers.  The “TalkTalk [breach was notable] due to the sophistication of the attackers,” said Hunt. “They were kids—legally children—and yet they managed to easily breach an organization of that scale.”

In October, U.K. telecom company TalkTalk revealed that its customer database had been hacked for the third time in a year, and that customers’ addresses, numbers and bank information was being held for ransom. After the previous attacks, TalkTalk had assured their customers that their data was secure, so the news was especially aggravating for users. TalkTalk was initially evasive about how they were responding to the hack, then admitted some customer data had never been encrypted in the first place. “That exacerbated the situation, so people didn’t really feel like TalkTalk knew what they were doing,” said Johnson.

Stay Tuned

Each security expert Vocativ surveyed said these hacks stood out because they were unprecedented. And while they believe the personal nature of these major breaches are helping the public to realize that we all need to focus more on encryption and security, they’re not expecting the companies that collect and store our data to catch up with the growing threat anytime soon. “The overarching theme I keep coming back to each and every year is ‘unprecedented,'” Hunt said. “We’re seeing attacks at a scale never seen before, but we keep saying the same thing each and every year. In all likelihood, we’ll be doing a 2016 retrospective in a year from now and talking about how unprecedented those events will have been.”