2017 Was The Year Of Hacks. 2018 Probably Won't Be Better.
Once more unto the (data) breach, dear friends.
2017 was notable for some massive data breaches, unintended exposures of sensitive information on the internet and other unfortunate tech incidents. Some were intentional (looking at you, North Korea), and some were not (hello Equifax, nice of you to join us).
2018 probably won’t be any better.
Despite the promise of advancements in fields like AI and machine learning, and despite the hope that we would learn from our mistakes and adhere to better practices in the future, it isn’t clear yet those technologies ― or our own marginally improved habits ― will adequately defend us against increasingly more sophisticated attacks.
That conclusion comes from the cybersecurity company UpGuard, which detailed our current information security environment and the risks to it in its annual cyber risk report published Dec. 18.
“Unfortunately, with the increased pervasiveness of information technology, there has been no concomitant revolution in how professionals tasked with administering these increasingly multifaceted and complex systems do their jobs,” the authors said.
“Indeed, they are fighting this battle with weapons from the last war, and the results have been disastrous.”
With that in mind, here’s a look back at some of this year’s other notable data breaches, leaks and hacks:
Equifax
In September, consumer credit ratings agency Equifax revealed hackers had stolen the personal details of 143 million Americans (roughly half of all Americans), including highly sensitive information like their Social Security numbers.
Even more infuriating: Equifax waited five months to tell anyone. (The hack itself happened in the spring.) Then it bungled its response, initially forcing those affected to sign a legal document prohibiting them from joining a class-action suit, then inadvertently directing potential victims to a fake phishing site which proceeded to steal yet more information.
Dallas Emergency Sirens
Just before midnight on a Friday in early April, all 156 of the city of Dallas’ emergency sirens started sounding, simultaneously, for no apparent reason.
Tornado sirens going off downtown #Dallas. pic.twitter.com/4SpNmMQLTc
— Jay Hammond (@NYYankees4life) April 8, 2017
The hubbub lasted a full 90 minutes before the sirens could be manually overridden and shut down, during which time panicked residents flooded 911 with calls. Dispatchers who typically pick up within 10 seconds were so overwhelmed the wait time hit six minutes.
Officials blamed hackers for the intrusion into their emergency alert system ― a possibility Rocky Vaz, Dallas’ director of emergency management, said nobody had ever considered until it happened.
Deep Root Analytics
This summer, a Republican data analysis company called Deep Root Analytics left exposed a 1.1-terabyte online database containing the personal information of almost all of America’s 200 million registered voters.
In addition to the now-familiar leak of basic information like names, birthdays, addresses and phone numbers, Deep Root exposed deeply personal information about individual voters, including their likely stance on abortion, gun control, stem cell research, environmental issues and 44 other categories.
WannaCry
Not helping our situation: The National Security Agency has for years been diligently finding major weaknesses in commonly used pieces of software. Instead of alerting the affected companies about the vulnerabilities, however, it’s been hiding those aces up its sleeve for future use.
This year, a group of hackers calling themselves the Shadow Brokers stole a bunch of those exploits, then proceeded to turn them loose on the internet. North Korea used one such NSA-developed hacking technique to target Windows, resulting in a piece of ransomware called “WannaCry” that crippled an estimated 230,000 computers around the world.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Microsoft Chief Legal Officer Brad Smith remarked afterward, clearly not happy the NSA failed to alert the company to the vulnerability before North Korea stole the hacking idea. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
Power Quality Engineering
This Texas-based electrical engineering firm left a port open for an indeterminate amount of time this summer. UpGuard Cyber Risk Research Director Chris Vickery, who discovered the breach, was able to access and download highly sensitive data and schematics for PQE’s customers, including the city of Austin, Dell, Oracle, SBC Telecom (a subsidiary of AT&T), Texas Instruments and others.
And we aren’t using the term “highly sensitive” lightly here. One document, labeled, “Director of Central Intelligence Directive No. 6/9,” described in detail how to configure a “Sensitive Compartmented Information Facility.” If you aren’t familiar, the government uses SCIFs for its most sensitive intelligence briefings. The White House Situation Room? Yep, that’s a SCIF.
State Election Systems
We also learned this year that Russian hackers targeted election systems in 21 states during the 2016 presidential election (to say nothing of their activity on Facebook, Twitter, Reddit, etc.), as part of what the Department of Homeland Security called “a decade-long campaign of cyber-enabled operations directed at the U.S. Government and its citizens.”
Jeanette Manfra, acting deputy under secretary for cybersecurity and communications, told the Senate Select Committee on Intelligence in June that there’s no evidence the Russians successfully changed votes or altered the outcome of the election. Instead, it’s more likely the cyberattacks were “intended or used to undermine public confidence in electoral processes.”
Uber
In November, yet another skeleton fell out of Uber’s closet when it acknowledged it paid hackers $100,000 to keep quiet about an October 2016 breach that led to the disclosure of 57 million customers’ personal data. 600,000 Uber drivers also had their names and driver’s license numbers stolen.
Uber maintains there’s no evidence the data was used for nefarious purposes. While that may be true, it’s nevertheless deeply concerning the company tried to bury the news instead of disclosing the breach immediately to the affected customers and proper government authorities.
Pentagon and Defense Contractor Blunders
2017 saw several breaches of sensitive information from both the Pentagon and the contractors it works with. In one of the more egregious instances, a defense contractor failed to secure a web server containing top-secret intelligence documents. Satellite surveillance of North Korea’s missile arsenal, battlefield imagery from Afghanistan, and what appears to be authentication keys that granted access to Pentagon servers were all left exposed.
In another, separate breach, the Pentagon itself was at fault when United States Army Intelligence and Security Command (INSCOM) accidentally left critical data exposed, including intelligence so sensitive it was marked as restricted from even being shared with US allies.
Alteryx
This marketing and analytics firm left a database containing detailed information on 123 million American households (that’s basically all of them) unsecured and open to the public. The database in question likely came from Experian, another consumer credit rating agency, and contained 248 data points on each household in question, including basic information like addresses and phone numbers, and more descriptive data like whether you’re more of a dog person or a cat person, what magazines you subscribe to, and the number and ages of your kids.
“If you’re an American, your information probably was exposed,” Vickery told HuffPost.
Where do we go from here?
Are hacks and breaches like these just the new normal? Absolutely not, UpGuard co-founder Mike Baukes told HuffPost in an email.
“We should never accept this systemic insecurity as the new normal,” he said. “That is a cop-out that excuses the status quo as somehow acceptable, instead of a frighteningly insecure state of affairs in which the personal and financial information of the most vulnerable citizens is endangered by cyber risk.”
Rather than acceptance, Baukes said he hopes these increasingly more brazen and damaging attacks will spur people to action. Fortune 500 companies and civil servants alike need to commit more resources to mitigating the risk, and politicians at the federal level need to step up as well to protect constituents who are hacking victims.
“As of right now, there is no federal, unified breach disclosure law; state laws vary greatly on just when breaches must be disclosed to affected individuals,” he noted.
“While regulations already exist governing the disclosure of particularly sensitive information, like medical records, there should be a federal breach disclosure law mandating timely notification and the preservation of relevant data by any government agencies or private corporations falling prey to data theft.”
Also on HuffPost
Love HuffPost? Become a founding member of HuffPost Plus today.
Las Vegas Shooting
According to Las Vegas police, Paddock began shooting at about 10 p.m., as an estimated 22,000 people attended the festival, which was headlined by country music star Jason Aldean. Mandalay Bay Resort is adjacent to the concert venue.
Paddock was found dead from a self-inflicted gunshot wound when police breached his room on the 32nd floor. His motives remain unclear.
The 58 deaths and nearly 600 injuries make the attack the worst mass shooting in modern U.S. history.
New York City Truck Attack
According to police, on Oct. 31, Saipov drove a rented pickup truck onto the Hudson River Park's bike path in lower Manhattan and intentionally steered the vehicle into cyclists and runners.
After traveling about a mile, the truck crashed into a school bus. Police say Saipov was shot in the abdomen when he exited the vehicle wielding what were later determined to be a paintball gun and a pellet gun. Authorities allegedly found evidence in the truck indicating his allegiance to terrorist groups.
Saipov, who immigrated to the United States from Uzbekistan in 2010, pleaded not guilty in November to numerous criminal charges, including eight counts of murder. He is awaiting trial.
Charlottesville Vehicle Attack
At the time of her death, Heyer was among a large group of anti-racist demonstrators who were gathered to protest a white supremacist rally in the city.
"If you're not outraged, you're not paying attention," reads Heyer's last public post on Facebook.
Heyer's mother, Susan Bro, told HuffPost that her daughter attended the rally because she "was about bringing an end to injustice." Heyer "was not about hate," she said. "Heather was about stopping hatred."
Fields, 20, was reportedly known to hold racist and anti-Semitic views.
The suspect has been charged with second-degree murder and is awaiting trial.
Texas Church Shooting
A pregnant woman and several children ― including the 14-year-old daughter of church pastor Frank Pomeroy ― were among the dead. The ages of the wounded and dead ranged from 18 months to 77 years.
An armed citizen halted the attack when he shot Kelley in the leg and torso, causing the 26-year-old gunman to flee in his car.
The suspect was later found dead in nearby Guadalupe County. Authorities said that in addition to the injuries Kelley sustained when he was shot at the church, he had a self-inflicted gunshot wound to the head.
"We have the freedom to choose, and rather than choose darkness like the young man did that day, we choose the light," Pomeroy said during a Sunday service held one week after the tragedy.
Daniel Shaver Police Shooting
On Jan. 18, 2016, Brailsford and several other officers had responded to the La Quinta Inn & Suites in Mesa to investigate a report that someone had pointed a gun out a fifth-floor window. They suspected Shaver was involved.
Shaver, a 26-year-old father of two, can be heard crying and appears confused in video recorded by Brailsford's body camera. In the footage, he says "Please do not shoot me" as he obeys a command to crawl toward the officers.
As he inched forward, Shaver reached toward his waistband, according to Brailsford, who then fired five rounds from his AR-15 rifle. Court documents obtained by HuffPost indicate the weapon was inscribed with the words "You're fucked." Shaver died at the scene.
No weapon was found on or near Shaver's body. A detective assigned to investigate the case said it appeared Shaver was attempting to pull his pants up when he was shot. Brailsford was fired from the police department and accused of second-degree murder and reckless manslaughter.
The Maricopa County jury that sat through the six-week trial found Brailsford not guilty on Dec. 7.
"I just don't understand how anybody could... say, 'not guilty,' that this is justified, that Daniel deserved this, and that Philip Brailsford doesn't deserve to be held accountable for his actions," Shaver's wife, Laney Sweet, told CBS News.
'Seminole Heights Slayer'
The accused serial killer, police said, killed four people -- Ronald Felton, 60; Anthony Naiboa, 20; Monica Hoffa, 32; and Benjamin Mitchell, 22 – between Oct. 9 and Nov. 14. The victims were all fatally shot within one mile of each other.
Donaldson, 24, was arrested on Nov. 28, after the manager of the Tampa McDonald's he worked at contacted police and said Donaldson had brought a handgun to work. The caliber of the weapon matched cartridge casings found at the crime scenes, and a hoodie found in Donaldson's car had blood on it, police said.
The suspect has pleaded not guilty to four counts of premeditated murder. He is scheduled to return to court in January so the state can determine whether to seek the death penalty.
Tampa Mayor Bob Buckhorn has made his views clear on the penalty Donaldson should face if he's convicted.
"If he is found guilty, he should die," Buckhorn told The Washington Post. "It's that simple."
Serial Killer Todd Kohlhepp
Kohlhepp, authorities said, confessed to murdering seven people between 2003 and 2016. He was arrested after police found a missing woman chained inside a storage container on his property.
Authorities suspect Kohlhepp, who is serving seven consecutive life sentences without the possibility of parole, is responsible for other unsolved crimes – something the serial killer alluded to in a recent letter sent to the Spartanburg Herald-Journal in South Carolina.
"Yes, there is more than seven," Kohlhepp wrote, according to the newspaper. "I tried to tell investigators and I did tell FBI, but it was blown off."
He added: "At this point, I really don't see any reason to give numbers or locations."
The investigation into the confessed killer is ongoing.
Teacher Kidnapping Case
Authorities issued an Amber Alert for the teen after her parents reported her missing on March 13. At that time, authorities said they suspected Cummins, a former Culleoka Unit School health science teacher, had abducted her. A witness allegedly saw him kiss the teen prior to her disappearance.
On April 20, the teenager and Cummins were found on the other side of the country, in a remote area of Siskiyou County, California, more than 2,000 miles from where the search began.
Cummins faces charges of taking a minor across state lines for sex, and obstruction of justice. He has pleaded not guilty to the charges. A trial date has not yet been set.
This article originally appeared on HuffPost.
