
When Securing Your Company Data, Please Remember the Promiscuous

Written by Reflare Research Team | May 5, 2021 5:46:00 PM

Security is never stagnant. At best, it’s a game of cat and mouse where you try to outsmart the other party — with new security threats arising when you least expect them. However, there are some valuable lessons from the past that many have yet to learn.

First Published 6th January 2016  |  Latest Refresh 5th May 2021

"Life is short. Secure customer data."


A Year to Remember to Never Forget

Every new year brings new security trends that increase threats to specific targets. However, 2015 was a unique year, and one we can still learn much from today. Along with the usual DDoS and malware attacks, the mid-2010s gifted security experts such trends as increased extortions, government threats, and the rise of activist hacking.

These three specific trends continue to gain interest in the security industry and remain a significant driver for improving system protections.

The Extortion of Personally Sensitive Data

The first and most costly trend for businesses and customers is old-fashioned extortion. In 2015, we saw the fallout of the Ashley Madison hack. Hackers obtained 32 million user accounts from the company whose motto is “Life is short. Have an affair.” Privacy was paramount (yet obviously insufficient) for company operations, and the subsequent fallout left millions of users exposed.

Hackers first attempted to extort the company itself, but then turned instead toward its customers. Customers received emails and even phone calls demanding a fee to keep their information private. This hack made world headlines and at the time was the biggest extortion hack to date.

Interestingly, after the hack, Ashley Madison bolstered its security, did away with the bots, and carried on trading. They learned their lesson the hard way, but if you need evidence that improvements in IT security can help turn around a brand decimated by a massive hack, look no further. In 2020, it was reported that Ashley Madison was bringing on over 17,000 new members per day during the COVID-19 pandemic.

For many, an increase in security equates to an increase in trust, and Ashley Madison has found this to be true. However, the big lesson for others is not in a small-but-notable comeback, but in the security failure that led to the hack itself. Poor security practices led to this breach, and the extortion of their customers’ data was an utterly avoidable event. Have others learned from their mistakes? You be the judge, as there is no shortage of even larger extortion attacks happening again and again and again.

When Governments Know Everything, and Everything Gets Leaked

The second memorable trend of the year was government hacking. Government websites are not a new target, but even before the Trump era arrived, escalating tensions between China and the US continued to put government employees and systems at risk. Over 21 million government employee records were exposed in 2015 when hackers were able to gain access to social security numbers, military records, classified data and even fingerprints.

At the time, it was the biggest government breach ever, and it allegedly stemmed from China. It was reported by Ars Technica that at least one person in China had full root access to every row in the database.

Hack for a Cause

Finally, the year saw the very public emergence of the hacking activist (hacktivist). Hacktivists are attackers who hack and deface systems to prove a point and make their cause heard.

All glory to the hypnotoad.

There had been many examples of hacktivism before the mid-2010s, but the visible rise of the hacktivist group Anonymous garnered increased media attention under the banner of hacking systems "for a cause".

Furthermore, these types of threats continued to grow in popularity as these hackers, as well as others, wanted their message and purpose to be observable in the public domain.

This observability gave rise to more frequent and sophisticated hacktivist attacks in the following years, which involved political initiatives such as elections, environmental issues and even terrorism. With the increased rise of many different social causes, having a clear understanding of your organisation's position on these topics will help uncover, evaluate and address potential hacktivist risks in your security portfolio.

It is vital that security professionals not only know, but also truly understand, the vulnerabilities of the past. The unfortunate reality is that many have yet to. The events of 2015 are worth committing to memory to ensure we do not repeat them. However, others falling victim to newer vulnerabilities is an ever-growing fountain of knowledge from which we should all learn.

To stay up to date with the latest information on these events and learn how to mitigate specific IT security risks before they land in your lap, we suggest you read a few more of our research briefs on similarly related topics.