Data breaches and cyber-attacks happen daily. These attacks are often fairly mundane, resulting in temporary loss of productivity and new measures being put in place to prevent future incidents.
However, the scale and sophistication of some cyber-attacks cannot fail to attract widespread attention – nor can the damaging, potentially irreparable, fallout.
We take a look at some of the most notorious cyber-attacks of recent years, how they have impacted the affected companies and what we can do to prevent them in the future…
In 2015, marital affairs site Ashley Madison suffered a major hack, exposing the account information of 36 million users who had assumed their illicit activities would be kept private. The information published online even included that of people who had paid an extra fee to have it deleted.
Known as ‘The Impact Team’, the group behind the attack claimed it was easy to get into the site thanks to the poor encryption strategy, which allowed them to crack over 11 million user passwords in just 10 days.
The breach cost the company nearly $30 million in fines, improved security measures and damages. Many users also continue to be extorted and threatened to this day, despite it being almost five years since the attack occurred.
While in negotiations to sell the company to Verizon in 2016, Yahoo announced it had been targeted by attackers in 2014, compromising the real names, email addresses, dates of birth and phone numbers of 500 million users. The passwords involved had been hashed using the robust bcrypt algorithm.
But a couple of months later, Yahoo buried that earlier record, disclosing that a breach by a different group of hackers had compromised one billion accounts in 2013. Then, in October 2017, Yahoo revised that estimate, revealing all three billion user accounts had been compromised.
The attack knocked an estimated $350 million off Yahoo’s sale price and to this day, it remains the biggest data breach in history.
In 2017, the WannaCry attack put ransomware on everyone’s radar. Using publicly available hacking tools for Windows systems, the attackers created a ransomware encryptor able to spread quickly over the Internet and local networks.
The four-day epidemic crippled more than 200,000 computers in 150 countries including critical infrastructure such as hospitals. In the UK, the NHS was the worst hit as the ransomware locked out users with error messages demanding the cryptocurrency Bitcoin.
More than 19,000 appointments were cancelled as a result, with the hack costing the NHS a reported £92 million. The NHS was criticised for leaving itself vulnerable to attack by using outdated IT systems, including Windows XP — a 17-year-old operating system.
The 2018 Cambridge Analytica scandal was a defining moment in the public understanding of personal data. The breach saw a personality quiz harvest the Facebook data of up to 87 million people without their consent. Some of this data was then shared with Cambridge Analytica and used to target political advertising in the US.
Within days of the breach being revealed, more than $100 billion was knocked off Facebook’s share price and the scandal eventually led to CEO Mark Zuckerberg agreeing to testify in front of the United States Congress. Facebook was also fined £500,000, the maximum allowed under the pre-GDPR data protection rules, by the UK watchdog.
Later in 2018, British Airways revealed hackers managed to breach its website and app, stealing data — including names, email addresses and credit card information — from about 500,000 customers in the process.
Cyber security experts suggested a piece of malicious code had been planted on the website or app, furtively extracting details and diverting them to a fraudulent site. This type of attack — known as a supply chain attack — is an increasing problem for websites that embed code from third-party suppliers.
British Airways was fined a record £183 million for the breach, with the Information Commissioner’s Office (ICO) claiming the information was compromised by poor security arrangements.
In the same year, Marriott International discovered hackers had stolen the data of an estimated 500 million customers. Compromised information included names, payment details and passport numbers.
The breach originally occurred in 2014 on systems supporting Starwood hotel group, with the attackers remaining in the system after Marriott acquired Starwood in 2016.
Marriott later pulled the hacked reservation system from its operations but the ICO said the hotel group failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems. As a result, Marriott was fined £99 million.
What have we learnt?
There is one thing all these cyber-attacks have in common: they could have been avoided. All of these attacks happened, at least in part, due to carelessness — a problem businesses of all sizes are guilty of now and again. The WannaCry ransomware epidemic also highlights that an attack doesn’t need to be against a specific organisation to create chaos.
Thanks to a sharp increase in the use of digital technologies in the workplace, there are now more ways for cyber criminals to gain access to networks than ever before. Prevention is, therefore, the best form of defence.
The evolving cyber-crime threat means businesses can’t afford to be reactive anymore. Instead, they must take a proactive approach by ensuring security is at the heart of all IT initiatives from the outset and embracing new technologies such as advanced threat detection provided by partners such as CyGlass.
To prevent a future cyber-attack, it is worth seeking the help of an uncompromising cyber security expert. At Burning Tree, we provide advanced Consulting Services and innovative Technology Solutions to help protect businesses of all sizes — contact us today to find out more.