This could have been a ‘Biggest Hacks of 2015’ type post, which concentrated on the volume of data stolen from companies, but we felt that concentrating on volume alone didn’t paint the landscape well enough. For example, some companies did take adequate security precautions but then still fell victim to sophisticated attacks (giving support to the increasingly stated view that nobody is unhackable). Instead, we looked at instances where companies worked to gain consumer trust and gathered personal details but then didn’t follow basic security measures to repay that trust. We sincerely hope that, following the amount of high profile data breaches in 2015, businesses take note, tighten security, and remove the need for a sequel blog in 2016.
The following companies did not do enough to protect their customers:
When it was discovered: February, 5 August, 21 October.
Company: TalkTalk, a pay television, telecommunications, internet and mobile network provider. Originally founded in 2003 as a subsidiary of Carphone Warehouse, it became a standalone company in 2010.
How many people affected: 157,000 customers.
What specifically was stolen: 28,000 card details, 15,000 bank account numbers and sort codes, dates of birth, email addresses, names and phone numbers.
How trust was abused: Its systems were not able to withstand a distributed denial-of-service (DDoS) attack – a common tactic for creating a distraction while access is gained elsewhere – but the main reason it makes this list is its failure to encrypt the data that was eventually stolen. Rendering sensitive data useless to a thief once it has been taken is a basic control that any company holding card and bank details should have in place. And TalkTalk knew it was an attractive target: this was its third loss of data to cyber crime in the space of 12 months.
When it was discovered: 15 July
Company: Founded in 2002, Ashley Madison is an online dating and social networking service marketed to people who are married or in a committed relationship.
How many people affected: 32m customers
What specifically was stolen: Customer profiles and records, including names and addresses, secret sexual fantasies and credit card transactions, and employee emails and documents.
How trust was abused: Given the nature of the business, customers were assured that once they stopped using the service (and deleted their accounts) all of their data would be removed from its systems. However, despite users also paying a deletion fee, not all data was deleted, and that retained data was therefore stolen in the attack. As reported on krebsonsecurity.com, although the “full delete” feature promised “removal of site usage history and personally identifiable information from the site,” users’ purchase details – including real name and address – were not actually removed.
When it was discovered: 14 November
Company: VTech, a manufacturer of age-appropriate learning products. It offers a selection of learning toys, games, and apps as well as content and tools.
How many people affected: 6.4m child account details, 4.9m parent account details.
What specifically was taken: Headshots of children, names, dates of birth, gender, content from private chat messages between parents and children, passwords, IP addresses, postal addresses, secret question and answers.
How trust was abused: When you cater for the most vulnerable section of society in an environment that is a known security risk, you must be able to demonstrate that you are leading the pack when it comes to security technology and process. VTech did not do this. Passwords were not encrypted at all but stored as unsalted MD5 hashes, a method so weak that many of them could be recovered simply by searching for the hash value online. Other equally sensitive fields, such as the secret questions and answers, were held in plain text. Standard protection such as SSL/TLS – used to keep data passing between a web server and a browser private – was absent. It had also allowed its security to stagnate, relying on what are now considered outdated systems and processes. Security expert Troy Hunt gives a very detailed analysis of the attack.
If a business decides that it needs to store personal data, then board meetings, end-of-year catch-ups, monthly reviews, annual reports and the like must make room for data security as a standing topic. And they must do it now: cyber criminals are developing sophisticated attacks faster than companies can implement defensive measures, and this trend is unlikely to stop any time soon given the relatively low-risk, high-reward nature of cyber crime in general – but that is a whole different topic by itself. We’ll cover it another time.
Yoti’s system has been built in such a way that (in the event of a breach) the amount of information the criminal could take is limited and strongly encrypted.
By Alex Harvey
Ask me anything: @alextharv