Hackers exposed all your dirty secrets this year

After a year of painful data breaches, we know a lot more about how vulnerable our information is on the Internet.

Laura Hautala Former Senior Writer

The year was full of painful reminders that our data isn't safe.

Hackers really kicked our asses this year, and that's not just the eggnog talking.

The year started with shock waves spreading from a breach so egregious it could have been the plot of a "Die Hard" movie. Cyberattackers broke into Sony Pictures' computer system weeks before the new year, disrupting the company's ability to do business. They threatened to bomb theaters that showed a Sony-produced movie called "The Interview," a satire about a talk show host who gets sucked into a plot to kill North Korea's leader.

If that wasn't enough, the same hackers leaked Sony emails, airing dirty laundry about executives and exposing unequal salaries between male and female movie stars.

The Sony hack changed the way we think about data breaches. Sure, we've all stressed about stolen credit cards and have gone through the hassle of replacing them. But the Sony attack was a different animal. It prompted an executive order from President Barack Obama that imposed sanctions on North Korea for allegedly orchestrating the hack, and a diplomatic war of wills broke out between nations.

People watched as these hackers embarrassed one of the world's most influential movie companies, which itself is part of tech behemoth Sony. The attack "had a real impact on the Sony bottom line," said Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike.

And that was just the beginning.

Hack the halls of cyber folly, fa la la la la la la la la. After all the breaches this year, we can only toast to a better 2016.

From our private affairs to our employment records, everything about us is online, and with motives ranging from money to pure malice, hackers are attempting to get that information. Not every hack is created equal, though, and we learned something different from each one this past year.

Vigilante hacking

The Ashley Madison hack captured our attention like a slow-motion car crash. Starting in July, the "Impact Team," a group of hackers (or one hacker, we still don't know), stole information from the adultery-focused dating site. The hackers threatened to publish data on more than 30 million users unless the company shut down.

Initially, Ashley Madison sought to assure users that credit card information hadn't been stolen. The company was legally required to make that announcement, but it highlighted the absurdity of the situation. Nobody cared about their credit cards; their reputations, marriages, jobs and lives could be at stake. Some of them had even paid Ashley Madison prior to the hack to erase their account information, but the company hadn't done so.

Ultimately, Ashley Madison refused to give in to the Impact Team's demands. So the hackers posted the data online.

The effect on Ashley Madison's users was catastrophic. Two suicides were tentatively connected to the data breach, and people named in the hack report they're still being subjected to extortion attempts.

Indeed, the hack showed us there are far worse places to be hit than the wallet. What's more, money isn't the only thing motivating hackers. Some are just drawn to wreak havoc to serve an agenda.

"Those guys are getting bolder," said Keith Graham, an executive at cybersecurity company SecureAuth. "They truly are."

Government does no better

In June, reports of a hack on the US government hinted that a few million Social Security numbers had been compromised. If only that were all.

By the end of July, the Office of Personnel Management (OPM) said two breaches had compromised the Social Security numbers of more than 21 million people. Also exposed was highly personal information from federal background checks, along with millions of fingerprints. Anyone who'd applied for federal security clearances since the turn of the millennium was affected.

Politicians pointed fingers at China as the source of the hack, and OPM Director Katherine Archuleta resigned. Multiple unions filed lawsuits against the government on behalf of federal employees.

To protect those affected, the government contracted with services that monitor credit and detect identity theft. But reports soon surfaced of the CIA pulling several officers out of the US embassy in Beijing because the breach had blown their cover and exposed them as spies.

That's right: A hack in Washington may have outed members of the US spy network on the other side of the world.

The breach revealed the federal government to be just as disorganized with its sensitive information as Sony and Ashley Madison.

Not even a password-protection company is safe

Every geek friend of yours has probably told you to have a different password for every website you visit. Of course, that's a lot of work.

There's an app for that, promising to protect your cache of passwords with a super-secure service.

You know where this is going, right?

In June, one of those password manager services, called LastPass, said it had been hacked.

Mercifully, the damage caused by LastPass' hackers was minimal compared with the attacks on Sony, Ashley Madison and the federal government. Hackers got the usernames of LastPass account holders, the hint for the password to their account, and a scrambled version of that password.

"I think it is probably lost on most people that the risk [of exposure] was as close to zero as it could be with LastPass, whereas OPM was a national disaster," said LastPass CEO and co-founder Joe Siegrist.

Still, there's the psychological toll many LastPass users were suddenly confronted with. If a company dedicated to their security could be hacked, how could they ever be secure?

The unfriendly skies

This reported hack might have flown under your radar.

In July, Bloomberg News reported that unnamed sources at United Airlines had disclosed a data breach from earlier in the year. Among the data allegedly scooped up were flight manifests, which could provide a record of customer movements.

United has never confirmed the hack. It said at the time that the reports were "pure speculation," and it has declined to provide any update for this story. Articles said the reportedly hacked information didn't include credit card numbers or any other kind of data that would have triggered a legal requirement to report the breach.

The lesson here? Some companies may be telling us only what they absolutely have to. The rest you might never hear about.

Pour yourself another eggnog.