2015’s big hacks, attacks and security blunders

The security breaches, blunders, and disasters of 2015 tanked our trust in health insurance providers, credit agencies, the IRS, car manufacturers, connected toys for kids, and even “adult” dating sites. These stories shaped 2015, and forever changed the way we see data privacy and security. Most importantly, these painful moments in computer security affected millions, shaped government policy and validated our paranoia.

Anthem: Shields down

Someone left the cake out in the rain In February at Anthem (the second largest health insurer in the US) when it acknowledged its database of sensitive customer information had been stolen and dumped online. The names, birth dates, medical IDs/Social Security numbers, email and mailing addresses, and employment information of around 80 million customers was snatched — even Anthem’s CEO was in the haul. It was a theft that personally impacted millions of Americans, making us all wonder if Anthem’s security team had called in sick one too many times.

IRS: Denial of problem

We were pretty sure we’d reached peak breach-ageddon when the IRS came clean in May about closing a website security hole that fraudsters had been exploiting since February. It first estimated 100,000 taxpayers were affected, but upped that number to 300,000 in August. Attackers used people’s stolen info from other sources (names, addresses, and Social Security numbers) to access tax return info, and have everything needed to pull off massive identity theft scams.The IRS is something we’re forced to trust, and its 2015 security screwup undermined that in spades.

Wassenaar Arrangement: Cyber arms are for hugging

Few knew what a Wassenaar was until arguments about the multi-country arms export agreement streaked through May’s headlines like a septuagenarian, reliving his cold-war-era college days. Jimmies were rustled when infosec professionals took a look at the US government’s proposed rules for putting weapon export control rules on code and went… ballistic. The drama escalated when ACLU’s infosec pundit Christopher Soghoian got confrontational about it with hackers on Twitter, having previously characterized the exploit trade as “merchants of death” selling “bullets for cyberwar.” Infosec got its way and the government backpedaled. The public learned why equating code with bombs is neither that simple nor correct, and infosec got its very own Donald Trump.

US Office of Personnel Management: Charging into the breach

In June, the US Office of Personnel Management made headlines when its classified employee database was hacked. Up to 18 million government employees were exposed; cleared spies and lab employees alike had their secrets spilled (and lives put at risk), as well as FBI director James Comey. The mess leveled up in September when OPM added 5.6 million fingerprints to the losses. It’s safe to say that an intelligence disaster of this scale is unprecedented and its effects are still unknown; current and former intelligence officials said the threat to national security is so massive that it “will last for decades and cost billions of dollars to monitor.”

Hacking Team: They just couldn’t hack it

If you want to be an evil dick when you grow up, you put posters of Hacking Team employees on your walls and dream. Possibly due in part to its flair for selling surveillance software to despotic regimes and its excess of arrogance, June’s very public hack, dump and takedown of Hacking Team got a standing ovation from pretty much everyone who isn’t a dictator. The Italian company reacted with cavalier denial to the public humiliation, making them win the unofficial title of “most deserving to be pwned.” Hacked by hackers: it was hackenfreude, indeed.

Car Hackers: Good enough for ‘CSI: Cyber’

Two security researchers teamed up with a journalist in July — just before their car hacking presentation at Black Hat — to pull off and publicize a dangerous, live traffic demo in which they seized control of a moving Jeep. Fortunately the only thing injured was Chrysler/Jeep’s security reputation. The stunt hack resulted in Chrysler recalling 1.4 million vehicles for security fixes; it elevated paranoia about tech and car safety; and netted the researchers high-paying jobs as well as a CSI: Cyber appearance.

Ashley Madison: Not the droids you’re looking for

Thanks to the Adult FriendFinder breach in May and the Ashley Madison hack-and-dump in August, anyone who read a headline in 2015 won’t be giving their real information to any “walk on the wild side” dating website, ever. In the Adult FriendFinder breach, up to 60 million users experienced public exposure of their private information, including race, relationship status, sexual orientation and more. With Ashley Madison, a hacker with a fetish for traditional values angrily released the data of tens of millions (many of which were later found to be fake accounts), as well as the company’s juicy internal communications and proprietary business info. Users who forked over $19 for Ashley Madison’s “Paid Delete” service to wipe them from the system were not pleased to see themselves in the dumped database — finding out the hard way that the company’s profile removal guarantee was a sham.

VTech: Their security team is still in its infancy

The most terrifying security blunder of the year award, if we must have one, goes to Hong Kong toy manufacturer, VTech. In late November a concerned hacker alerted media that VTech wasn’t using SSL or encrypting passwords properly for its line of children’s tablets. For them, stealing VTech’s data was … child’s play. This security nightmare ended up exposing the (unencrypted) data of 6.4 million children, which VTech said included names, email and mailing addresses, download histories, passwords, password recovery info, IP addresses, photos and audio recording, all matched to kids’ names, genders and birth dates.

[Image credits: Carl Court/Getty Images; AP Photo/Andrew Harnik; Joe Raedle/Getty Images; Gareth Cattermole/Getty Images]