Three high-profile hacks from last year, and what we learned from them

Information Security | By Team Acumin / 11th April 2016

There is a worldwide conflict going on between organisations of all sizes and hackers. Despite the efforts of cyber security personnel, each year brings a number of notable hacks. Last year saw plenty of high-profile incidents make the mainstream news, but what lessons can we learn from them?

1. Ashley Madison

Ashley Madison, the dating site for people who want to have an affair, depends on secrecy. Users naturally do not want their spouses to know that they are looking for potential sexual partners.

The 2015 Ashley Madison hack resulted in the details of over 30 million users being accessed. Though the personal data has not been made public, the breach caused anxiety amongst users, who feared that they could be exposed to their families.

Not everyone is sympathetic to the plight of Ashley Madison customers. Some have ethical objections to people actively seeking an affair, and some believe that members “deserved it”. The counter-argument is that not everyone who joined the site actually had an affair, and that what people do in their private lives is their own business.

No matter what moral stance you take on Ashley Madison members, the data breach has implications for all membership websites. In response to incidents like this, the website Have I Been Pwned? offers a free resource where people can find out if their personal data has been leaked from the Ashley Madison site, as well as from other high-profile security leaks.

A similar breach took place at AdultFriendFinder in 2015, when nearly four million membership records were stolen. The hackers demanded money to keep the data private. AdultFriendFinder refused, and the records were made public. As the site targets people looking for sexual relationships or flings, exposing members can lead to embarrassment and severe stress.

Making membership sites secure is vital. It does not matter whether the site deals with adult themes or not; members of any website expect their privacy to be respected and their data not to be leaked.

2. Bitdefender

Bitdefender sells anti-virus and security software. In July 2015, it admitted that hackers had exposed a number of customer accounts and password details, but it played down the incident by claiming that very few of its customers’ details had been accessed. The anonymous hacker, who went under the name DetoxRansome, demanded $15,000, which Bitdefender did not pay. The company said that it had plugged the hole in its systems to prevent a similar hack from happening again.

Bitdefender uses Amazon cloud services to hold some of its data. Amazon, however, says that while it provides the cloud infrastructure, each user of its service is responsible for the security of any applications that run on Amazon servers.

This incident shows that even companies in the business of cyber security are not impervious to attack.

3. Telecom Regulatory Authority of India (Trai)

Not all cyber privacy breaches are caused by malicious actors. Last year, the Telecom Regulatory Authority of India issued a consultation document on net neutrality and invited comments from service providers, associations and other interested parties. The response was overwhelming, with over one million comments posted, which caused the website to crash for a while.

In the spirit of transparency, Trai published all the comments on its website, but it did not keep the commenters’ email addresses private.

An Indian hacking group, AnonOps, objected to this, arguing that spammers could easily have harvested the addresses to send out spam. In April 2015 it mounted a denial-of-service (DoS) attack that crashed the website, justifying the attack by saying that its aim was to protect the privacy of the commenters.

The lessons to be learned

What these three high-profile hacks reveal is that no company, no matter how large it is, is 100% immune to determined hackers.

The first thing a breached company has to deal with is media attention. After TalkTalk was hacked in October 2015, its Chief Executive Officer, Dido Harding, appeared on television to explain what had happened. She could not say exactly what data had been stolen and admitted that not all customer data was encrypted. She defended this by saying that encrypting customers’ data was not a legal requirement.

Her words did not inspire confidence amongst TalkTalk customers. It is estimated that around 25,000 TalkTalk customers left after they heard the news about the hack.

TalkTalk is not a good example of using the media to reassure customers after a cyber attack becomes public. Once news of an attack is out, it is very difficult to restore confidence in the security of a business’s IT systems.

Even when companies do pay hackers’ ransom demands, they can still suffer financial loss through customers leaving and the consequent fall in their share price.

The average user cannot prevent security breaches. One way to limit the potential damage on membership sites is to create a new free email address, using a Hotmail or Outlook account, each time you sign up to a website. If that address is leaked, it will not be one you regularly use. This works, but many people would not see the tactic as worth the effort.

If a company holds your credit card details, then as soon as you hear of a suspected breach, a call to the credit card company can get the card cancelled.

Some security experts view cyber attacks as a war, with hackers determined to create chaos through their hacking, and cyber security personnel developing better systems and security protocols to combat them.

Many companies are researching more sophisticated technologies to protect their IT systems. No matter how effective these technologies are, it may be that no security system will ever be 100% secure. In many areas of life, including travel, sporting events and social life, we accept a certain amount of risk. As long as cyber security risks are minimised, they too may become acceptable.

The public expects companies to be vigilant in their cyber security efforts by employing expert cyber security personnel and utilising the best encryption and security software.