2015: The Year Data Breaches Became Intimate

Something new, even unprecedented, happened this year in our cyber world. The most noteworthy data breaches were not focused on financial data. Here’s a data breach recap from 2015 – along with my views on what these events tell us.

by / December 19, 2015
Word cloud by Dan Lohrmann

2015 was the year that data breaches became much more personal – even intimate.

For decades, data breaches have led to identity theft, with the loss of millions of records containing personal information that is financially sensitive, such as Social Security numbers and credit card numbers. More recently, online threats have been growing dramatically, with 2014 becoming the year that cyber danger doubled as measured by various metrics.

But in 2015, the top data breaches affected something more precious than personally identifiable information (PII). Data breaches included the most intimate details and actions in life – with the loss of millions of records containing biometrics (like fingerprints), career backgrounds, family relationships, voice recordings of children playing with toys, secret liaisons and affairs, hospital records, private habits and much more. Some of this data was openly chronicled online, and hackers even exposed issues with car safety and the quality of health care.

And make no mistake – these breach impacts were very dramatic, with the serious ramifications lasting well past New Year’s Eve. These breaches occurring in 2015 will continue to destabilize reputations, careers, partner relationships, automobile designs, international relations between countries, hospital use of medical devices and even maintenance on vehicles, well into the future. Tragic outcomes already include marriages being torn apart, pastors ending their ministries and one in 14 Americans losing their most sensitive background information. There were even reports of suicide after the Ashley Madison hackers revealed user names.

In another year packed with thousands of hacker exploits and cyberheadlines, five significant data breach stories stand out above the rest, in my view. They include the Office of Personnel Management (OPM) data breach, the Ashley Madison data breach, the VTech data breach of children’s activities, the explosion in the breadth and depth of data breaches at hospitals and health insurance companies – which include both financial and medical records – and the Jeep vehicle hack.

These five situations, when told together, tell a wider story about where cybersecurity challenges are heading. I cover these data breaches in detail in the next section.

Other significant data breach and cybersecurity stories included the GM OnStar data breach and the Hello Barbie doll data breach.

There were big vulnerabilities uncovered, such as a nasty Android vulnerability called “Stagefright,” as well as an onslaught of other cyberattacks facing consumers.

No doubt, as a result of these headline-grabbing data breaches and system vulnerabilities, society’s trust in online services took a negative hit in 2015. In addition, a great debate emerged regarding what personal data should be shared with the government (post-Snowden) to keep society safe from terrorists. Even as Europe put new privacy laws in place, U.S. politicians passed new cyberlegislation and political and industry experts argued over the future of encryption.

At the same time, it has also been a remarkable year for the growth of online commerce, social media and other public/private online services. Cyber Monday sales broke records again on the Monday after Thanksgiving, and Amazon.com continues to soar.

Nevertheless, in a world full of Facebook pictures, LinkedIn profiles and GoPro body cameras broadcasting live online, the definition of “secure online data” has now become an oxymoron for many in society.

Details Please: The Headlines that Defined Cybersecurity in 2015

1. The OPM Data Breach – Without a doubt, the data breach at the OPM was unlike any other in history. Here’s an excerpt on the reasons why:

“The scope of the recent hack of the Office of Personnel Management (OPM), in which the records of millions of current and former federal employees were breached, is exponentially greater than the many other recent headline-generating breaches in the private sector. This breach not only impacts government employees but countless of their partners, associates, and confidantes, and the stolen information includes some of the most intimate details about the individuals affected. It also raises real questions about the government’s ability to safeguard the data in its possession, and makes somewhat disingenuous the government’s call to strengthen and enforce private-sector security systems. ...”

2. Ashley Madison Data Breach – This data breach cast an entirely new and different light on maintaining the private information of customers, with embarrassing details being chronicled by hackers for all to see. This breach caused untold havoc in people’s lives, with one man reportedly losing his mind, his wife, his job and burning down his garage. But some experts say it is not the wake-up call many expected, and other legal and privacy ramifications are still unknown. There were many diverse perspectives on this Ashley Madison data breach, with some observers coming forward saying that the hackers were justified in unmasking the customers of this "evil service."

3. VTech Asia Data Breach – This story has shocked the world because of the impact to children and hackable toys. This breach even involved intimate conversations between parents and children and also between children.

“The hacker exposed the breach to the online publication Motherboard and claimed that the point of the hack was to expose VTech's bad security.

The hacker was able to steal names, mailing addresses, email addresses, IP addresses, download histories, the genders and birth dates of the children, pictures of the victims, chats conducted between parents and their children, and much more.

According to reports, the breach affected 6,368,509 children and 4,854,209 parents. Nearly 3 million of those children are in the U.S., and millions more are in Europe. ...”

A bit of encouragement came in this toy story when a man who reportedly was responsible for the data breach was arrested in the UK.

Although completely separate, the Hello Barbie data breach was lumped together with the VTech data breach in the minds of many parents to prompt more fears regarding toys that connect into cyberspace. Experts asked: Do we really trust toys to “phone home?” If yes, what are the privacy implications to the data collected?

4. Hospital and Health Insurance Data Breaches – These include the Anthem data breach, the UCLA Health System data breach, and many other medical data breach examples that include sensitive medical records. The number of security breaches soared for electronic medical records in 2015. “Health record security breaches have soared this year, with more than 94 million electronic medical records compromised so far. That's more than double the total number of records compromised over the six years before 2015. ...”

What makes this category of data breaches unprecedented is the volume of patient records potentially involved. “Investigators determined that the hackers had gained access to parts of UCLA Health's computer network where some patient information was stored.

Those parts of the network contained names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as some medical information such as patient diagnoses and procedures. ...”

Another medical data example came from this Wired magazine article: “Excellus spokesperson Cane confirmed in a phone call with WIRED that between 10 [million] and 10.5 million customers had their data potentially accessed in the breach. Beyond just Excellus itself, the company says that even some of its insurance partners within the Blue Cross Blue Shield network may be affected, accounting for about 3.5 million of those victims. Everyone affected will receive a letter from Excellus, along with two years of free credit monitoring from the company.

Excellus’ data includes some of its customers’ most personal information imaginable, revealing not only details like Social Security numbers but even violating the privacy of their medical history. ...”

One of the scariest of all medical concerns involves the FDA ordering health-care facilities to stop using the Hospira pump, due to hacking concerns.

5. Jeep Hack – Hacking cars became big news in 2015. Many Jeep owners were asked to patch their vehicles manually.

This vehicle data breach story also bled over into the ability to hack other domestic and foreign manufacturers' motor vehicles.

Three Cyber Trends that Are Developing

So what insights can we gain from these cybersecurity developments? Here are three key takeaways from 2015:

- Physical and cyber threats are merging as never before. The list of data breaches from hospitals to cars to dating websites shows that more is at risk than just your credit report. As the Internet of Things (IoT) grows, so will the forms of data breaches and the ways that lives are impacted.

- The impact of insider threats and blended cyber threats is rising significantly. As end users continue to click on links leading to malware and ransomware, and as key insider staff are blamed for data breaches, the importance of internal teams and end-user training has never been higher.

- The shortage of skilled cyber professionals continues to grow as threats increase. Even as more cyber threats and online attacks come from more sources and countries than ever before, there continues to be a lack of comprehensive solutions to solve our problems. Indeed, new products are being released with vulnerabilities. History is repeating itself with cybersecurity.

Final Thoughts on 2015: Why Not Just Proclaim Another "Year of the Breach?"

Similar to last year, several industry commentators have called 2015 “The Year of the Data Breach.” Others have proclaimed “The Year of the Breach 2.0.” While I agree that the number of breaches continues to climb rapidly, I think these summaries are too generic and need more specificity in our current cyberenvironment.

Why? With the Internet of Things (IoT), robots, drones, virtual reality and many other new technologies set to take off as we head toward 2020, the overall number of data breaches will continue to increase. Will every year be the year of the breach? (We could just raise the version number each year – almost like iPhone model minus 4.)

The broader questions revolve around how these trends impact society. Or, how are consumers, security pros, business leaders and others reacting to new data breach developments?

But why is the trend regarding data breaches involving more intimate information so important? Answer: At a personal level, fixing your credit report after identity theft is much easier than fixing your professional reputation, medical history or even broken personal relationships.

Furthermore, changing credit card numbers is relatively easy, when compared with the difficulties that may arise from stolen biometric or medical information. As the virtual world and the real world merge together in new ways, this trend portends even more severe impacts in the future. While we haven’t seen many examples (yet) regarding the changing of data to cause harm, that may become a next step.

I’ll leave predictions for 2016 and beyond to another column, but buckle your cybersafety belts for even more dramatic challenges ahead as a result of different types of data breaches. What is even clearer now as we head into 2016 is that data breaches have a major impact on customer loyalty.

Nevertheless, I think it is important to note that online life continues to thrive overall, and identity theft and other online threats such as cyberterrorism are only two of many fears facing society – and not even the top concerns for most people.

Despite our many cyberchallenges, there is plenty to be thankful for from 2015.

Happy New Year.