As 2017 comes to a close, we are making our lists and checking them twice. Time to find out who we thought was more naughty than nice this year. This cybersecurity naughty list discussion includes everything from big news data breaches such as Equifax and Uber down to stolen hard drives and password issues. Feel free to add your naughty list nominations in the comments.
Cybersecurity Naughty List 2017
- Equifax breach of 145 million consumer records. The Equifax breach will have long-running repercussions that we cannot begin to see or imagine. It was too much data on way too many people. The way it has been handled is an example of how NOT to respond to a data breach. The fact that the breach was the result of unpatched software just throws more salt in the wounds. We won't hear the end of this one for years to come.
- Uber pays a hacker to keep quiet about a data breach. First, what the heck were they thinking! These things always come out one way or another. They just assumed they had an honest hacker and everything could be kept on the down low? This one comes from a company that has struggled to have positive news stories come out for a while. But risking it all on keeping a hacker quiet may be more than some consumers can handle. I do enjoy their service and it has made a huge difference in transportation options, but this data breach is just another in a long list of problems. This is just the first time we see big news about a company paying off a hacker to try to keep things quiet. It will likely not be the last.
- TDO – The Dark Overlord hacker gang continues to successfully attack a wide variety of entities. However, this year they went way over the line when they threatened school children after hacking the school system networks. Threatening children takes things to a level beyond naughty in our book.
- WannaCry and NotPetya attackers show the world just how connected we really are in 2017. Within hours, the ransomware attack in May we call the WannaCry attack had spread throughout the world. If not for a single researcher in Britain finding a shutdown option in the code, it may have been much worse. NotPetya followed soon after and shut down large businesses in a manner not considered possible. Just ask FedEx and Nuance how things happened in their world that day and beyond. These are probably just the first round of worldwide, fast-spreading attacks.
- Shadow Brokers and WikiLeaks. These guys are the root of some of the problems we see, like WannaCry and NotPetya. The secrets and tools used by the NSA and the CIA to spy on everyone via their computers turn out to be a lucrative option for criminals, too. It may take years to understand just how much these leaks provided tools for the criminals as well as the spies in the end.
- Deep Root Analytics exposed a database of 198 million American voters. There is so much wrong with this one it is almost impossible to discuss. We have a major issue trusting that any data is safe, yes. However, to be this careless with data this important shows either a great degree of hubris or incompetence. Either way, this case deserves to be on the naughty list for sure.
- Hackers make hundreds of emergency sirens blast at the same time in Dallas. The idea may have been just to see if it could be done for fun. However, the glaring flaw in our emergency response systems cannot be overlooked. This one is tough because you hope it did open some eyes, but the fact that they did it rather than just reporting it lands them on the naughty list.
- 8,000 hackable bugs found in pacemakers. There really doesn't need to be much more said than that one statement. Security must matter more than it has to some of these device developers.
- Yahoo revised its numbers to 3 billion hacked user accounts. Yahoo just stays on the naughty list with their breach. The gift that keeps on giving. The only thing that keeps this from being much worse than the Equifax case is that the type of data is nowhere near as rich or as validated. It may never be known whether or not Yahoo really did know it was happening and tried to cover it up or minimize the extent in their data breach reports. Even if they never really knew about it, you still need to wonder who was watching the hen house.
- eCW $155 million settlement with FTC and $999 million civil lawsuits filed. We discussed this one extensively in episode 109. This is yet another one that will keep playing out for some time. The class action suit that was recently filed will take years to work through the courts. Who knows just how far down a rabbit hole into software development processes we may end up.
- Denton Health Group, a member of the HealthTexas Provider Network, lost an unencrypted hard drive with backup files loaded with patient data from 2009 until 2016. Really, all those years of data on a portable hard drive, and it is not encrypted. How can this still be happening?
- Anyone still using a password on that list we discussed last week as their password for ANYTHING! We talked about this a good bit in the last episode. If you are using old passwords that you are certain do not really meet proper standards, then shame on you. You get coal for sure this year!
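The practical defence behind that last item is to screen every new or changed password against a denylist of known-weak passwords before it is accepted. The following is an added example for this post, not code from the podcast or from any product it mentions; the denylist entries are a constructed sample standing in for the full list discussed in the last episode, and the minimum length and the trailing-decoration rule are assumptions about policy.

```python
"""Screen candidate passwords against a denylist of known-weak passwords."""
import re
from typing import Optional, Set

# Constructed sample denylist. A real deployment would load a large list of
# breached or commonly used passwords from a file instead of these entries.
COMMON_PASSWORDS: Set[str] = {
    "123456", "password", "qwerty", "letmein", "football", "iloveyou",
    "admin", "welcome", "monkey", "login", "abc123", "starwars",
}

# Assumed policy minimum; adjust to the organisation's own standard.
MIN_LENGTH = 8

# A trailing run of digits/symbols that users typically tack onto a weak base
# word to satisfy complexity rules ("Password1!").
_TRAILING_DECORATION = re.compile(r"[\d!@#$%^&*._-]+$")


def normalize(candidate: str) -> str:
    """Lowercase the candidate and strip a trailing run of digits/symbols,
    so that 'Password1!' is compared against the denylist as 'password'.
    If stripping would remove everything (e.g. '12345678'), keep the
    lowercased original."""
    lowered = candidate.strip().lower()
    stripped = _TRAILING_DECORATION.sub("", lowered)
    return stripped or lowered


def screen_password(candidate: str, denylist: Set[str] = COMMON_PASSWORDS) -> Optional[str]:
    """Return None if the candidate is acceptable, otherwise a short reason
    explaining why it was rejected."""
    if len(candidate) < MIN_LENGTH:
        return f"too short (minimum {MIN_LENGTH} characters)"
    lowered = candidate.lower()
    if lowered in denylist:
        return "matches a known-weak password"
    base = normalize(candidate)
    if base in denylist:
        return f"is a trivial variant of the known-weak password {base!r}"
    return None


if __name__ == "__main__":
    # Constructed candidates illustrating each outcome.
    for pw in ["letmein", "Football", "Password1!", "correct horse battery staple"]:
        verdict = screen_password(pw)
        print(f"{pw!r}: {'accepted' if verdict is None else 'rejected: ' + verdict}")
```

Run against the constructed candidates, the function rejects "letmein" for length, "Football" as an exact (case-insensitive) denylist hit, "Password1!" as a decorated variant of "password", and accepts the long passphrase. In production the denylist lookup should be backed by a large breached-password corpus rather than a handful of literals.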
Our cybersecurity naughty list for 2017 hits a lot of the year's low notes. Sadly, it is far from exhaustive. When we closed out 2016 there was a certain expectation that things were going to get worse before they got better. That has certainly proven true over the last 12 months. Unfortunately, 2018 isn't shaping up to be the end of "worse before better" territory yet. If you are going to make a naughty list, please don't let it be this one next year!