lolloj - Fotolia
Top 10 cyber crime stories of 2015
Computer Weekly takes a look back at the top cyber crime stories of 2015
Cyber crime stepped up another gear in 2015, with an unprecedented number of data breaches, underlining the costs of cyber attacks and the importance of protecting personal data.
The year saw a growing recognition that personal data is high-value data, that no business or organisation is immune from attack, and that cyber crime is professional and organised.
The most high-profile companies to be hit by data breaches in 2015 included the US Office of Personnel Management; US health insurance firms Anthem and Premera; cheating website Ashley Madison; hotel chains Mandarin Oriental, Hilton and Trump Hotels; mobile and broadband firm TalkTalk and Hong Kong-based toymaker VTech.
Sony Pictures admitted that it was unprepared for the cyber attack that hit the company in November 2014 and counted the cost of losing company executives, direct costs associated with the breach and the cost of related privacy lawsuits.
On the positive side, 2015 saw continued and increased collaboration between law enforcement organisations around the world to combat cyber crime through disrupting cyber crime infrastructures.
There has also been a significant number of arrests by police forces in the UK and around the world.
In the face of increased cyber criminal activities, security consultants are advising companies and organisations to take a risk-based approach to cyber defence.
Businesses have been advised to pay particular attention to defences against ransomware and distributed denial of service (DDoS) attacks, which proved popular with criminals in 2015.
2015 has also seen the emergence of several cyber criminal gangs, such as the DD4BC gang that is using DDoS, or the threat of DDoS as a way of extorting money from internet-dependent businesses.
Here are Computer Weekly's top 10 cyber crime stories:
1. No sensible business ignores cyber threats, says Kemp Little
Cyber attacks are real and do hurt, attendees heard at a seminar on preventing and recovering from cyber attacks at law firm Kemp Little in London.
“The potential business impacts [of cyber attacks] combined with increasing levels of awareness among consumers mean that no sensible business is still ignoring this threat,” said Nicola Fulford, head of data protection and member of the cross-departmental cyber security team at Kemp Little.
2. Cost of UK cyber breaches up to £3.14m
The average cost of the worst breaches at large UK organisations is between £1.4m and £3.14m, according to the government’s 2015 information security breaches survey conducted by PricewaterhouseCoopers (PwC).
This represents an increase of 233% to 273% from a year ago, while the cost of breaches for small businesses is between £75,000 and £311,000, up by between 115% and 270% from 2014.
3. Data breach will cost TalkTalk £35m
The costs of the TalkTalk data breach could reach between £30m and £35m, the firm's chief executive, Dido Harding, has revealed.
Speaking to the BBC, she said the one-off costs, which have not yet hit the books, will cover the initial response, the cost of calls into its call centres, additional IT costs, and lost revenues.
Police have arrested five people in connection with the incident who have all been released on bail until 2016.
4. Hackers publish another 13GB of Ashley Madison data
The Impact Team hacking group targeting cheating site Ashley Madison released two sets of sensitive data, including emails of the CEO of the parent company Avid Life Media (ALM).
On 19 August 2015, the group carried out its threat to publish user records if ALM did not take down Ashley Madison and dating site Established Men, first publishing 9.7GB and then 13GB of data.
In the VTech breach, the personal details of five million parents and more than six million children were exposed, Athem breach exposed up to 80 million records, while 11 million records were exposed at Premera.
5. Mandarin Oriental hack highlights security risk of legacy point of sale systems
The theft of credit card data from the Mandarin Oriental hotel group highlighted the security risk of legacy point of sale (POS) systems, say security experts.
The hotel group confirmed credit card data was stolen from an “isolated number” of payment card systems at hotels in Europe and the US, after the company’s network was hacked.
The Hilton hotel group was hit by a similar attack, as was Starwood Hotels – which owns Sheraton and Westin, the Trump Hotel Collection, Hard Rock’s Las Vegas Hotel & Casino, the Las Vegas Sands casino, and FireKeepers Casino and Hotel.
6. Most DDoS attacks hiding something more sinister, Neustar warns
Most distributed denial of service (DDoS) attacks now appear to be aimed at distracting IT and security teams, a survey by communications and analysis firm Neustar revealed in September 2015.
In March the company revealed that DDoS losses can cost as much as £100k an hour, while Imperva warned in June that DDoS attacks were starting to resemble APTs.
7. DD4B cyber extortion gang ramps up operations
A gang using distributed denial of service (DDoS) attacks to extort bitcoins since July 2014 ramped up operations despite a bounty of $26,000, according to Arbor Networks.
The gang, calling itself DD4BC (DDoS for Bitcoin), has been rapidly increasing the frequency and scope of its DDoS extortion attempts, shifting from targeting Bitcoin exchanges to online casinos and betting shops and, most recently, prominent financial institutions in the US, Europe, Asia, Australia and New Zealand.
In February 2015, Kaspersky Lab said a cyber espionage group was targeting thousands of high-profile organisations and individuals in the Middle East and around the globe. In April, FireEye accused the Chinese government of running a decade-long cyber espionage campaign aimed at stealing sensitive information belonging to organisations in south-east Asia and India, and in July, Symantec uncovered a corporate espionage group, dubbed Morpho, that has compromised a string of major corporations in recent years.
In August 2015, US authorities arrested nine suspected insider traders who relied on hackers to steal commercially sensitive corporate information from newswire services, and according to the Systemic Risk Barometer Study, most financial institutions cite cyber threats as a top five risk.
8. National Crime Agency leads partnership to guard UK against cyber crime
UK law enforcement officers are working with public and private sector partners to help businesses and UK consumers guard against cyber crime.
After a number of high-profile malware threats to the UK, the National Crime Agency (NCA) is leading the initiative to help network administrators who manage key parts of the UK internet infrastructure.
UK law enforcement has taken part in several international operations to tackle cyber crime.
In December 2015, an international operation involving law enforcement organisations, government cyber security teams and private organisations targeted the Dorkbot botnet. In February, the National Crime Agency (NCA) and other European crime agencies shut down servers used by a botnet targeting personal banking information, while in June, police arrested 130 suspects in connection with cyber fraud at 140 airports around the world in an international law enforcement operation, and in December, EU police agency Europol announced it is to get new powers to step up efforts to fight terrorism, cyber crime and other crime.
9. Ransomware costs business at least $18m, says FBI
In June 2015, the FBI issued an alert to businesses about cryptographic ransomware – a type of malware that encrypts company data and demands payment for the decryption key.
In the first quarter of 2015, McAfee Labs saw a 165% increase from the previous quarter in new ransomware, driven largely by the hard-to-detect CTB-Locker ransomware family, a new ransomware family called Teslacrypt and the emergence of new versions of CryptoWall, TorrentLocker and BandarChor.
10. Risk reduction key to tackling cyber crime, says Stroz Friedberg
Businesses should tackle cyber crime by seeking to reduce risk, according to global digital risk and investigations firm Stroz Friedberg.
“While companies will never be able to make cyber crime go away, there is a lot they can do to reduce the risk to the business,” said Seth Berman, executive managing director at Stroz Friedberg.