Cyber Risk 2015: Part 1 – What went down

Originally Published By Andrew Sharpe, Jimmy Gill, and Mark Slaven on Thursday, April 7, 2016 8:47:57 AM


This is the first of a four part series on what happened in the cyber risk scene in 2015.

The past 12 months have been the year in which cyber risk has really taken the spotlight. Although precise statistics will not be available for months yet, anecdotal observations and monthly data both show a substantial increase in the number of cyber attacks and in the attention they receive. This article is just a taste of what has gone down in the past year.


Cyber attacks internationally


The most prominent hack of the year was almost without doubt the hack on Ashley Madison, an online dating company that specialises in facilitating extramarital affairs (our article can be found here). A combination of the sheer scale of the hack (which saw the records of around 32 million users dumped online) and the scandalous nature of the website led to media centres worldwide taking up the story and running with it for weeks. It acted as the perfect catalyst to remind people, and particularly those 32 million people involved, that our online lives are becoming progressively less private.

However, whilst it was the most publicised, the biggest hack was one that many Australians may not have heard of. In February 2015, Anthem Incorporated, the second biggest health insurer in the US, announced that records of approximately 78.8 million people had been stolen through a cyber attack. These included names, birthdays, social security numbers and other data of customers, former customers and some non-customers going back as far as 2004. Potentially more worrying was that it took 9 months to discover that the breach had occurred.

Similar (albeit less publicised) breaches were also reported by United Airlines in the US (see our article here); T-Mobile, whose breach occurred through a hack on data management company Experian, which stored its customer data; and LastPass, a password management system which stored all passwords used by each user. Even children have not been exempt, with the widely reported hack on children’s toy producer Vtech. The stolen data included thousands of photographs of children taken on Vtech’s devices, and brings into question how easily hackers are able to intrude on our most private moments. More information about this hack and its implications can be found here.

Cyber attacks in Australia


Australians have not been exempt either. In January, it was revealed that Aussie Travel Cover had the records of between 770,000 and 870,000 customers compromised (the number fluctuates between reports). This was controversial because, whilst the company told its agents and law enforcement upon discovering the hack, it decided not to tell its policyholders until after the story was leaked to and reported by the ABC. This was followed in June by a breach of 30,000 records owned by iiNet, an internet provider. Later in the year, hacks of retailers Kmart and David Jones were announced within two days of each other, although many details of these cyber attacks remain unknown to date (see our article here). In December, an employee working for debt collection agency ARC Mercantile published 31,150 records of individuals that owed money to Optus on Freelancer.com, purportedly with a view to obtaining some assistance in the recovery of that money. You can read more about this here.

Nature of Cyber Attacks


There has also been a rise over the past couple of years in smaller attacks. In particular, phishing and spear phishing (more information can be found here) have become far more common. The period between March and July 2015 saw a 74% increase in these types of attacks, and there are no signs of this slowing. They have also become far more sophisticated. Long gone are the days when a Nigerian prince had left you a sizeable inheritance. These days phishers masquerade as legitimate businesses such as one of the big banks, the ATO or social media websites, and offer you minor but believable rewards for simply providing them with a small amount of information or following a link. This is made substantially easier when the phisher already has access to some of your information from an organisation that has been hacked, and pretends to be a representative of that organisation.

This, in turn, has led to a huge increase in cryptolockers being accidentally downloaded when users click on what they believe to be legitimate links (more information can be found here). The result is that users are either paying ransoms or losing their data. Ransoms are also increasingly being paid by companies rather than individuals, as cyber criminals target businesses because they are more likely to pay. The issues presented by cryptolockers in the US have prompted the FBI to recommend that most businesses just pay the criminal.

Not all hackers are bad, however. The past year has shown a variety of ethical hackers beating malicious hackers to the punch. The most memorable of these was the Chrysler hack (more details can be found here). This involved two security researchers demonstrating their ability to gain control of a range of Chrysler vehicles, including the popular Jeep Cherokee, and ended in a recall of these vehicles to install a patch that plugged the gap. Some have alleged that the issues go beyond the software and represent a hardware problem, leading to a class action being initiated in the US.

Conclusions


As a concluding thought, whilst 2015 has seen a rise in the number and publicity of cyber attacks, it appears that the scale of the attacks is diminishing. The largest cyber attack was on Anthem, causing the release of just under 80 million records, and the second largest was Ashley Madison, which involved around 37 million records being released. This pales in comparison to 2014, which saw announcements of cyber attacks that stole 145 million records from Ebay, 76 million from JP Morgan Chase, 70 million from Target and 56 million from Home Depot. Those hacks also involved far more sensitive data, including credit card numbers and sufficient information to manipulate publicly traded stocks.

Whilst there is still the odd large hack, bigger firms appear to have been improving their cyber security, and hackers appear to have changed tack and are now targeting smaller organisations. For example, it was revealed in October that approximately 500 Australian tax file numbers are being stolen daily, mostly from smaller organisations and alongside payroll information, with a view to lodging fraudulent tax returns. By October, the ATO had identified approximately 5,000 cases of identity theft, which had led to around $27 million in fraudulent tax returns.

As the risk of a data breach grows, security measures must increase correspondingly. As bigger firms invest more in their cyber security, smaller firms become more lucrative targets. Keep an eye out for the second part of Cyber Security 2015, which will look at how governments have begun to respond to, and regulate, this increased risk of cyber attacks.

If you have any questions, please do not hesitate to contact Andrew Sharpe, Jimmy Gill, Ahrani Ranjitkumar or Mark Slaven on +61 2 9261 1211.