2015: The Year the Data Breach Got Personal

1891

The year hackers got your fingerprints, your health records, and your love life.

2015 will go down as another landmark year for big-time data breaches. Once relegated to the pages of industry publications, and shared like traditional war stories amongst groups of information security professionals at community events, data breach stories are now almost a permanent fixture in the mainstream media.

Of course, major breaches are not a new thing. In prior years we’ve seen some sizable events that have all, in some way, gone down in the annals of information security history. What made 2015 different?

It was the year data breaches got personal.

Your Credit Cards, Your Medical Records, Your Life

By now, many of us have had to replace a credit card because it was at risk as the result of a breach. It’s frustrating, inconvenient, and seems to be happening with increasing frequency.

On the positive side, because of the increased frequency, responding to a compromised card record has become relatively run of the mill. Cards can be cancelled and reissued within a couple of days. The potential damage caused by a stolen card is a known quantity.

For other types of stolen records, it is not as easy to respond to or mitigate the risk associated with their loss. I’m talking about records containing deeply personal information, which have become the target of choice for malicious actors.

The Most Personal Data Breaches Of 2015: Health Insurers

In February, Anthem, the second largest health insurer in the US, announced it had suffered a breach involving just under 80 million records. These records included social security numbers, dates of birth, addresses, contact information, and employment information for Anthem’s direct and indirect customers. This data is everything a person with malicious intent would require to perform identity theft.

Another major U.S. health insurer, Premera Blue Cross, reported a similar breach affecting a potential 11 million people.

If you spend a short amount of time browsing the black markets of the Internet, it’s easy to see why healthcare records are being targeted. A stolen credit card number fetches at most a couple of dollars while a record including a social security number can be sold for $10 or more.

Your Fingerprints and Your Love Life

In June, the U.S. Office of Personnel Management, the agency that processes many security clearances for the U.S. government, reported that it had been the victim of a cyber attack. Highly sensitive personal information, regarding people with access to the most sensitive information the U.S. government has in storage, was now in the hands of an unauthorized party with malicious intent. The total number of records stolen was around 21 million, and this included 5.6 million sets of fingerprints (really bad news if you’re a secret agent).

In July, a very different kind of service, but one that stored just as much sensitive information, was compromised. Ashley Madison, an online dating site that specializes in catering to married folks who wish to engage in extramarital activities, found its entire user database leaked online. The parent company alluded to the fact that whoever leaked the information had some degree of internal access.

Whatever your opinion of the site’s clientele, it is worth noting that the release of the data had a very tangible impact on the lives of those who were exposed by the breach. Many were shamed publicly on social media, and there have even been reports of suicides linked to the breach.

So What Can We Learn About Data Breaches in 2015?

Data can be a lot of things, but one thing it isn’t anymore is a mere splattering of 0’s and 1’s that happened to be stored together. Data represents people’s lives, their identities, and their livelihoods. If you’re involved in handling or processing such data, you must begin to think of data in these terms.

As attackers and breaches get more personal, so too must the defenders and their security strategies. Security professionals must come out from the trenches, and work closer with other areas of the business than ever before.

Everyone has something at stake when it comes to security.

About Mike Sheward
Mike ShewardMike is the Principal Product Manager, Security at ExtraHop Networks. Mike Sheward CISSP, HCISPP, CCFP, CISA, CISM, CEH, CHFI, OSCP has worked in various information security roles for about a decade. During that time he’s built a reputation of being someone reliable, who quietly “gets it,” and can get the job done. Whether the job involves testing the security of a web application or network (penetration testing), performing a digital forensics investigation, creating engaging content regarding information security, building a security operations team, or simply having a discussion about the best way to do something securely.

In this article