This article is written by Mittal Ayushi, pursuing Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho. The article has been edited by Zigishu Singh (Associate, LawSikho) and Dipshi Swara (Senior Associate, LawSikho).
Cyber-attack or data breaches in this era are no less than an epidemic in itself. Any cyber intrusion infiltrating our computer system kills the sanctity of network security, pouring our system with deadly and malicious viruses. Such data breaches come under the category of offences. A cyber threat can be disastrous for our work, finances, transactions, country’s economy and in fact our very identities, the most common amongst them being the offence of hacking.
In this article, you will get a glance over the ten landmark cases of hacking in human history.
Case : Yahoo!
- The FBI was apprised by Yahoo in 2014 about 26 of its accounts getting hacked. But it was late 2016 that dwarfed the 2014 revelations and it became the biggest hack in history. Hackers aligned with Russian agents accessed Yahoo’s user database and the Account Management Tool.
- Later in March 2017, Yahoo stated that all 3 billion user accounts were hacked.
- The FBI, after investigating the case for more than two years, indicated that out of four people involved, two of them were Russian spies, Dmitry Dokuchaev and Igor Sushchin. The other two were Aleksey Belan, a Latvian hacker and a commercial hacker Karim Baratov both hired by the Russian agents.
- The attack was so clinical that it took the U.S. Federal Bureau of Investigation two years to understand the full scale of the hack and till that time Yahoo users data was already on sale on the Dark web.
- Data of significantly important users such as the deputy chairman of Russia, an officer in Russia’s Ministry of Internal Affairs, officials of states bordering Russia, U.S. government workers, a U.S. airline worker and an employee of a Swiss Bitcoin wallet company were compromised.
- It was just one wrong click that turned Yahoo’s system upside down.
- Targeting the employees, a spear-phishing email was sent in 2014, it required just one person to click on that link, that’s it. It gave access to approximately 500 million people’s email messages and personal information.
- Hackers installed a backdoor on Yahoo’s server so that they don’t lose access and then in December 2014 they stole a backup copy of the user database.
- By using the recovery email address and email domain they were able to identify the targets required by the Russian spies.
- Using cryptographic values (also called ‘nonces’) they generated access cookies which allowed hackers to gain free entry to a user’s email account without even a password.
Names, phone numbers, birthdates, cryptographic values unique to each account, password recovery emails, password challenge questions and answers.
Impact: 3 billion user accounts
- Disclose the breach to Security agencies as soon as possible and take action.
- Cybersecurity training should be taken seriously to guard against such phishing attacks.
- Clean your mailbox regularly,
- Don’t provide real data/answers to security questions, if possible.
- Keep checking your email forwarding rules.
- Refrain yourself from reusing the passwords
- Beware of phishing emails, open only those coming from trusted sources.
Case : Adobe Systems Inc.
- Adobe with a history of security vulnerabilities announced in October 2013 that their IT infrastructure had been hacked and information of approximately 2.9 million accounts was compromised.
- Later on, they revealed that it was 38 million users account data.
- It was one of the worst data breaches in United States history since the source code of their most popular end-user software such as Adobe Reader and Publisher was hacked and leaked on a criminal server.
- Security Journalist Brian Krebs and Security expert Alex Holden were the ones who discovered the stolen source code on the dark web.
- Along with Adobe, Hackers also hacked some other entities using the same username and password, some of the worst affected entities were Facebook, Diapers.com, wherein users might have used the same credentials.
- Hackers took advantage of the password security breach, especially password hints of the publisher and by studying the pattern of the source code they could identify the loopholes in the software like Acrobat Reader, Flash, Fireworks and Photoshop etc.
- It has unfortunately given them access to 150 active usernames and passwords, which led them to steal banking data too but because of high-quality encryption by Adobe, banking data was unusable.
- Hackers exploited mistakes of software developers wherein they used an insecure encryption method such as ECB (Electronic Code Book) mode, under which equal passwords wind up looking the exact same when encrypted making it much easier for hackers to crack them.
- Secondly, they were encrypting every single one of their passwords with the same key, which was easily identified by the Hackers.
Names, active user logins, encrypted passwords, credit card numbers and their expiry date.
Impact: 38 million user accounts.
- Network infrastructure should be protected like a crown jewel.
- Ask your users to change their passwords regularly.
- Users should insist on using strong and complex passwords.
Case : Marriott International (Starwood)
- In late 2018, Marriott International announced that over 383 million people’s information about who stayed at Starwood hotel was hacked.
- Marriott was quite unfortunate in acquiring the Starwood hotel chain (it includes Westin, Sheraton, St. Regis, and W hotels) in 2016, two years after acquiring they found that hacking may have been going on since 2014.
- Marriott did not migrate the reservation system which was used by the Starwood chain, making it their biggest mistake ever.
- The U.S. government claimed that it was Chinese government espionage to acquire data of government employees and intelligent officers as Marriott is the top Hotel service provider to them.
- In an extremely rare action by the U.S. Department of Justice, criminal charges were filed against foreign Chinese intelligent officers.
- Marriott faced a $123 million fine by the UK authorities.
- Marriott noticed that a security tool flagged an unusual database query by a user with administrator privileges, but they found that the person to whom that account was assigned and the one who made the query were different.
- Accenture who was running IT and Info security for Starwood discovered that a tool called Mimikatz is used for extracting username and passwords along with a malware Remote Access Trojan(RAT), which might have been placed via phishing email.
- Hackers used the flaws in the Starwood systems as the credit card numbers were stored in encrypted form, wherein the encryption keys were stored on the same server itself.
Names, contact details, address, passport number, Preferred Guest numbers, travel information, credit card numbers and expiration dates along with other personal information.
Impact: 500 million customers
- Secure your system assuming that your data is compromised.
- During transitions (e.g. Marriott-Starwood merger) security systems should be thoroughly checked and modified.
- Use two or multiple factor authentication wherever possible, especially when employees are trying to access sensitive information.
Case : Sony Pictures Entertainment
- On one fine Monday morning in November 2014, Sony Pictures employees discovered that they have been hacked by a computer worm popularly known as the ‘Guardians of Peace’.
- Hackers stole 100 terabytes of data which included confidential information of films, scripts, emails etc.
- The company had to cancel various broadcasts of movies and paid approximately 8 million dollars in compensation.
- The data hacked was available to download for journalists only and they have very well grabbed the opportunity.
- The evidence linked the North Koreans involvement as they were furious because the company was about to release a comedy movie ‘THE INTERVIEW’, relating to the assassination of North Korean Leader Kim Jong Un.
- There were serious flaws in the system including firewall, servers and routers, this has already been revealed by the security auditors.
- Hackers used these flaws to enter into the system and took all the private data and deleted the original copies from the servers and left a threatening message to release the information if the company did not comply with their demands.
Film scripts, 47000 employees names, addresses, social security numbers, salaries and personal email etc.
Impact: 100 terabytes of data
- Invest well in network security and never ignore your security auditors recommendations.
Case : Target Corporation(Target)
- In 2013, Target’s computer security firm FireEye alerted the Target Minneapolis team about the suspicious activity, which they ignored to some extent.
- Later in the same year, data of the U.S. second-largest discount retail chain was hacked, stolen and moved out of their servers to the Russian servers.
- This biggest hacking was discovered by the U.S. Department of Justice and the company were made to compensate over 18 million dollars for settlement.
- Using the RAM Scraping technique hackers installed malware in the cash register inorder to read the complete information from the credit cards.
- The network credential of an HVAC provider was compromised because of a phishing email, giving them clear access to the internal system of Target.
Banking data of 50 million customers and Personal data which included names, postal addresses etc.
Impact: 110 million customer data
- Even after having a well-protected security system, you are not responding to the security system alerts, it can all go in vain, this is what happened to Target.
Case : AdultFriendFinder.com
- 2015 was the first time when adultfrienfinder.com was hacked, over four million sensitive user account information such as birth dates, sexual preferences and pseudonyms, etc. was made public.
- Then next year again the site got strangled by the attack of hackers and this time it was way bigger than the last one. Twenty years of personal information of users was pirated.
- Along with adultfrienfinder.com, other adult websites like Stripshow.com, Cams.com, Penthouse.com and iCams.com were also hacked.
- Local File Inclusion (LFI) vulnerability was used by hackers to exploit, they introduced a local or remote file into the online resource of adultfrienfinder.com
- It happened because the site used quite a weak hashing algorithm SHA-1 to protect passwords, thus making it easier for hackers to seep gradually into the internal database.
Usernames, birth date, pseudonyms, account passwords, email addresses, deleted account data
Impact: 412.2 million user data
- Data security should be professionalised, security audit should be a mandate for all types of companies dealing with user data.
- Privacy rules need to be more stringent.
Case : Equifax
- Nearly one and a half months later American credit reporting agency Equifax revealed that they were hacked because of application vulnerability and inadequate system segmentation.
- The Chinese state-sponsored hackers infiltrated the system because of lapses in the system and laid back the approach of the company to the security alerts.
- The top management of Equifax was accused of insider trading, as stocks were sold just before the revelation of the hacking.
- Hackers entered their system through the consumer complaint portal using the software Apache Struts vulnerability, Equifax could have patched it when Apache Software Foundation released a patch for the vulnerabilities.
- But lapses in their IT department and internal process refrained them from doing it.
- The next biggest flaw was their inadequate system segmentation, because of which hackers were able to move internally from the web portal to other servers accessing the usernames and passwords and extracting the data for months in encrypted form.
- It was later revealed that one of their security tools (public key /encryption certificate) was not renewed by Equifax, which led to this hacking being hidden for months.
Credit card details of 209,000 consumers, driving license details of about 143 million consumers and personal information which included sensitive data of Social Security numbers, birth dates and addresses etc.
Impact: 147.9 million customers.
- Patches released by software companies should be taken seriously.
- Never neglect to renew the security certificates.
- Segment your system properly, else it will be like moving in the garden without restrictions for intelligent hackers.
- Monitor your data and security system 24/7 like a baby.
Case : Heartland Payment Systems
- In 2009 Heartland Payment System(HPS) created history with the largest data breach in the U.S.
- Its network was hacked by Albert Gonzalez, a Cuban American and two unnamed Russian accomplices.
- Hacked by introducing malware into their system for over four months.
- HPS noticed the hack when credit card agencies like Visa and MasterCard informed them about some unusual transactions.
- This malware was found out by HPS and they thought that they had removed it. 6 months later it was noticed that it’s all over in their system and extracting the data since then.
- HPS heavily paid for this infiltration amounting to 170 million dollars.
- Hackers used the very known SQL injection (Vijayan, 2009) attack on HPS website and executed malicious statements to the Acunetix server.
- They entered their system through user input on the website, which is always a vulnerable area and installed a sniffer program on the database which allowed them to steal all the database.
Credit details of the consumers.
Impacted: 134 million credit cards.
- Never rely only on firewalls, the network should be secured from every nook and corner with multiple layers of security software and authentications.
- Hire competent staff for such an important job to do.
Case : eBay
- eBay discovered the hacking not until early May, their data was compromised since late February.
- The company informed their users after two weeks leaving their personal information more vulnerable in the hands of hackers who belonged to the Syrian Electronic Army. They couldn’t do much to the financial database because it was encrypted.
- Hackers accessed three of their corporate employees’ log-in credentials via phishing methods.
- They have used the website vulnerability to cross-site scripting (XSS), which is a code injection attack on the user’s browser.
- Hackers used the ‘forget password page’ to enter, whenever user used ‘forget password’ link, eBay sends the reset link to the user’s email and if that link is clicked, hackers utilised the ‘re-input value’ in order to create an HTTP request to eBay’s server for setting a new password selected by the hacker.
Usernames, contact details, addresses, encrypted passwords and date of births.
Impact:145 million user accounts
- Using layers of security systems, will create hindrance at various levels for hackers and will definitely alert the users.
- Never leave any sensitive data without encryption.
- Hire a good system security agency and well-trained staff to monitor the activities.
- Make SOPs for managing such crises and a well-trained response team.
Case : WannaCry ransomware attack
- Hackers exploited the vulnerabilities in the operating system of Microsoft Windows.
- Ransom of 600 dollars’ worth of bitcoin was demanded.
- The threat to delete the file permanently or making sensitive data public was made if a ransom was not paid.
- Around 4 million dollar loss was estimated due to this cyber-attack globally.
- By misusing a hack known as EternalBlue developed by the National Security Agency of the U.S.A. and allegedly made public by another hacker group called Shadow Brokers, hackers took access to the system.
- Months before the attack, Microsoft has released a security patch for protecting the operating system from such a breach, but most of us are not in the habit of regularly updating the operating system, thus clearing the path for these hackers to use such malicious hacks like EternalBlue.
- EternalBlue helped hackers to spread all over and installed the backdoor called ‘DoublePulsor’ on compromised systems.
2,30,000 computer’s data globally.
Impact: 150 countries.
- Keep your software along with the operating system up-to-date.
- Avoid opening suspicious emails or websites and by no chance click on any links with unverified addresses or attachments.
Going through the above cases, one thing is quite clear that if you are hacked then definitely there are some loopholes in your system security or you have clicked some phishing emails. Although, with the invention of hundreds of security software one can put layers of security making it difficult for hackers to peep in. But along with this individuals should have a basic know-how about phishing emails, changing passwords, two-factor authentication, not using the same passwords and especially avoid using personal info such as date of birth as password etc. Taking these few minuscule steps also one can avoid huge data breaches and live securely in this cyber world.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: