2017 Cyber Review
2017 has been quite a year for Cyberattacks; we’ve had some of the worst attacks and data breaches in history. For this blog, we thought we’d do a roundup of the year and look at 2017’s cyberattacks.
We’ll start with one that didn’t happen during 2017 but was big news throughout the year: the Yahoo hack(s). The hack took place in late 2014 and affected over 500 million users. Yahoo announced the attack in September 2016. The exposed data included names, email addresses, encrypted passwords, birthdays, and phone numbers, as well as encrypted and unencrypted security questions and answers. Yahoo claimed that no financial information or card credentials were exposed.
The problem escalated when the company announced a second data breach in late December 2016 dating back to August 2013, which was initially estimated to have affected 1 billion accounts. Throughout the course of 2017, more and more details emerged of the attacks including that staff knew about the 2014 hack a few months after the breach but failed to inform the users until nearly two years later (!), and that all 3 billion Yahoo account holders had been impacted by the hacks making it the biggest data breach in history.
Deloitte, one of the largest accountancy firms in the world, fell victim to an attack in November 2016, but it was only discovered in March 2017. Hackers gained access to Deloitte’s email server through an administrative account that did not have two-factor authentication enabled. It was later confirmed that 143 million US customers and 400,000 UK customers had had their information accessed or stolen. The accessed data included names, birth dates, email addresses and telephone numbers. Deloitte reported that passwords, postal addresses and financial information were not accessed.
May saw the outbreak of the huge WannaCry attack which affected organisations worldwide. In Britain, the NHS was the worst affected with over a third of NHS trusts being impacted. This meant that around 7000 NHS appointments were cancelled, pen and paper was resorted to, and patients were turned away. The NHS was just one of the victims with many other organisations and companies being affected, including international shipper FedEx and Spanish telecommunications company Telefonica. It was later discovered that the NHS could have prevented the attack if they had followed basic cybersecurity measures.
This ransomware attack spread throughout Europe in June 2017, just weeks after the major WannaCry attack. The attack began in Ukraine, paralysing the government, metro network, and the central bank. It then spread throughout the rest of Europe, affecting Russian oil company Rosneft, Danish logistics company Maersk, and British advertising agency WPP. It continued to spread throughout Europe and scarily resulted in the radiation levels at Chernobyl being monitored manually.
In June, the major telecommunications provider Verizon, that coincidentally now owns Yahoo, suffered a major security breach after 14 million customers’ details were left unsecured online. The exposed data included names, phone numbers and account PINs; enough data to access customers' accounts. The data was left unsecured after a misconfiguration by a third party vendor.
Finally, we can’t round up 2017 without mentioning Uber. Uber’s hack took place in October 2016, but wasn’t exposed until a year later. Hackers obtained login credentials allowing them to access confidential data that was stored on a server in an unencrypted format. The hackers stole data about 57 million drivers and riders, including driving license numbers, names, email addresses and phone numbers. Uber did not disclose the hack, despite knowing about it, and paid the hackers $100,000 to delete the stolen data and keep the breach quiet.
Whilst the above attacks are notable for their scale, there were countless smaller breaches too. We need to work on protecting the data that we deal with and ensuring that our own businesses are secure.
On a more positive note, 2017 hasn’t been a completely terrible year. If nothing else, these cyberattacks have raised awareness of the issue; a government survey revealed that the proportion of UK businesses deeming cyber security as a high or very high priority has risen from 2016, and the number of businesses who think cyber security is a very low priority for them has shrunk from 13% in 2016 to 7% in 2017.
We certainly hope that 2018 isn’t littered with cyberattacks in the same way that 2017 was. The awareness that the high-profile attacks have raised will hopefully translate into businesses acting against cyber threats and being better protected.