This Issue Brief is a continuation of a series of papers on cyber attacks against U.S. companies since 2014[1] and 2015.[2] While the means of cyber attacks vary, the pattern of targets has been relatively consistent. Large databases, as well as point-of-sale systems, continue to be targeted for financial gain. Hackers with possible ties to nation-states continue to target infrastructure as well as systems for political insight.
Because reporting companies may not realize their systems have been compromised until long after the attack began, the list below is organized by date of when attacks or breaches were publicly announced, rather than when they might have occurred.
December 2015
- Bowman Dam (infrastructure). Iranian hackers reportedly gained control of this New York dam’s sluice system in 2013, although the controls were manually disconnected at the time of the cyber breach.[3] In March 2016, the Department of Justice (DOJ) indicted one of the hackers employed at an Iran-based computer company with possible ties to the Islamic Revolutionary Guard Corps.[4]
- Hyatt Hotels Corporation (hotel). The hotel chain owner announced that it had identified malware on payment processing systems used at a number of locations.[5] Weeks of investigation revealed that malware had affected the systems at 250 locations between August and December 2015.[6] The malware collected payment information specific to credit card information.[7]
- MacKeeper (technology). Security researcher Chris Vickery discovered in Shodan (a specialized search engine and online database) the usernames, passwords, and other information for 13 million users of MacKeeper, a performance optimizing software for Apple computers.[8]
- A Whole Lot of Nothing LLC (spam e-mail company). The DOJ arrested three men linked to a hacking and scamming scheme that originated as early as 2011. The group targeted the personal information of almost 60 million people—often contained in targeted corporate databases—to be used in spam campaigns. Their operations ultimately generated $2 million in illegal profits.[9]
- Voter records. Vickery found the information of 191 million registered U.S. voters in a public-facing database.[10] While there were only 142 million register voters in 2014, information in the database goes as far back as 2000—meaning it could still contain the information of deceased registered voters. There also may be instances of duplication from combining multiple databases. As of yet, no one has come forward as the owner of the database.
- Alliance Health (online health portal). The online portal that facilitates support and information communities across health providers may have exposed personal health information of its 1.5 million users. The exposure likely came from a misconfiguration with its MongoDB database installation.[11] Forty thousand individuals were eventually informed their information had been exposed for 30 months.[12]
January 2016
- Voter records. Vickery discovered another public-facing database, storing upwards of 56 million voters’ information.[13]
- The Wendy’s Company (restaurant). Wendy’s first reported it would be investigating a possible breach that compromised customer payment information at its franchise stores. By June, investigators determined that at least 1,025 Wendy’s locations had been affected, beginning as early as fall 2015.[14]
February 2016
- U.S. Department of Homeland Security, Federal Bureau of Investigation (government). A hacker with the Twitter handle @DotGovs released online the names and contact information of 29,000 Department of Homeland Security and FBI employees.[15]
March 2016
- Verizon Enterprise Solutions (network management). One-and-a-half million Verizon Enterprise customers’ contact information was possibly compromised by a security vulnerability. A prominent hacker offered access to the online database for $100,000.[16]
May 2016
- LinkedIn (online social networking). Updating the impact of a 2012 breach that saw the exposure of 6.5 million users’ passwords, the company confirmed that the true number is now likely closer to 167 million users, 117 million of whom had both their e-mails and passwords exposed.[17]
- Myspace (online social media). The same hacker who advertised the compromised LinkedIn database online claim to have a database of Myspace users’ credentials—427 million passwords and 360 million e-mail addresses.[18]
- Noodle & Company (restaurant chain). The food chain first began investigating its networks after unusual activity was noticed by its credit card processor. Malware led to customers’ credit and debit card information being compromised at a number of its locations between January and June.[19]
June 2016
- Democratic National Committee (political organization). The political organization’s networks were illegally accessed by two separate cyber groups with possible affiliation to the Russian government’s Russia Main Intelligence Directorate (GRU) and Federal Security Service (FSB).[20]
- Voter information. Chris Vickery found another online database holding 154 million U.S. voters’ information and discovered that an IP address based out of Serbia had been interacting with the database as early as April 2016.[21]
- CiCi’s Pizza (restaurant chain). News of this point-of-sale breach affecting customers’ payment information first broke on KrebsOnSecurity. CiCi’s Pizza eventually acknowledged the breach and that the compromise to its systems began as early as March 2016.[22] CiCi’s Pizza has 135 locations.
July 2016
- Citibank (banking). Ninety percent of Citibank’s networks across North America were taken offline after an employee in charge of the bank’s IT systems, following a poor performance review, sent malicious code to 10 core Citibank Global Control Center routers, shutting down nine of them. He has since been sentenced to 21 months in federal prison and fined $77,200.[23]
August 2016
- Dropbox (online). The number of account credentials exposed in a 2012 breach was increased to 68 million users.[24] Hackers were reportedly able to access accounts utilizing a Dropbox employee’s password and credentials, possibly taken from the 2012 LinkedIn breach.[25] Yevgeniy Nikulin was indicted on October 20, 2016, for his involvement with both the Dropbox and LinkedIn breaches.[26]
- Banner Health (health care). Almost four million patients, physicians, and customers were affected. The breach was first noticed on July 7, 2016, affecting payment card information. A subsequent breach led to the unauthorized access of patients’ personal identifiable information, such as birthdates, claims information, and possibly social security numbers.[27]
- Oracle MICROS (payment). Operator of 330,000 cash registers globally, this point-of-sale service was reportedly infected by malware.[28] The exploit has a possible connection to the Carbanak gang, an Eastern European hacker group linked to stealing $1 billion from up to 100 banks worldwide,[29] and may also have ties to a Russian security firm.[30]
September 2016
- Yahoo Inc. (online). The online company reported that more than 500 million of its users’ names, e-mail addresses, birthdates, phone numbers, and passwords were compromised in a 2014—possibly state-sponsored—breach. Yahoo began investigating the breach after 280 million users’ information was being offered for sale on the dark web.[31]
- SS&C Technology (technology). Tillage Commodities Fund, one of SS&C’s clients, was scammed for $5.9 million by reported Chinese hackers. The hackers sent SS&C staff scam e-mails ordering wire transfers of Tillage’s money.[32]
October 2016
- Dyn (online). The domain name service server was taken offline a number of times, attributed to widespread denial of service attacks. Internet-facing devices were used in this attack after being formed into a botnet through malware. The outage affected how users could access popular sites such as Twitter, Netflix, and The New York Times.[33]
- U.S. Department of the Treasury, Office of the Comptroller of the Currency (OCC) (government). In November 2015, a former employee at the OCC downloaded swaths of information onto two portable storage devices before his retirement, leading to the unauthorized removal of more than 10,000 unclassified records.[34]
November 2016
- Friend Finder Networks (online). The company behind adult online websites such as Adultfriendfinder.com reported that the accounts of 412 million users were exposed online.[35] The online servers were reportedly breached by hackers in October.[36] No credit card information was exposed, but usernames, e-mails, passwords, and date-of-last-visit became available.
Conclusion
This list of successful and notable cyber incidents hardly scratches the surface of the number of smaller attacks or breaches that occur on a daily basis. With this in mind, Congress and the Administration should continue to encourage the sharing of threat information. Either through formal methods with the government and information-sharing centers or through informal communication, threat information sharing can help mitigate the spread of malicious software. The U.S. should continue to improve and encourage the use of existing avenues of information sharing such as those created by the Cybersecurity Act of 2015.[37]
Serious discussions need to take place on how to empower the private sector to engage in more active defense of its networks. The U.S. should create a defined system of active cyber defense that enables private companies to do more to defend their networks. This system should not allow unrestricted “hack back,” but should permit firms to use more assertive cyber tools that improve investigatory and attribution capabilities. Despite the potential threats that malicious actors may pose to U.S. online databases and network systems, the Internet and electronic devices continue to drive the economies of the world. The U.S. needs to take cybersecurity seriously while at the same time allowing innovation to continue to thrive.
—Riley Walters is a Research Associate in the Douglas and Sarah Allison Center for Foreign Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.
Appendix: Additional Resources on Cybersecurity and Cyber Incidents
Steven Bucci, Paul Rosenzweig, and David Inserra, “A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace,” Heritage Foundation Backgrounder No. 2785, April 1, 2013, http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace.
David Inserra and Paul Rosenzweig, “Continuing Federal Cyber Breaches Warn Against Cybersecurity Regulation,” Heritage Foundation Issue Brief No. 4288, October 27, 2014, http://www.heritage.org/research/reports/2014/10/continuing-federal-cyber-breaches-warn-against-cybersecurity-regulation.
Riley Walters, “Continued Federal Cyber Breaches in 2015,” Heritage Foundation Issue Brief No. 4488, November 19, 2015, http://www.heritage.org/research/reports/2015/11/continued-federal-cyber-breaches-in-2015.
Riley Walters, “Cyber Attacks on U.S. Companies in 2014,” Heritage Foundation Issue Brief No. 4289, October 27, 2014, http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014.
Riley Walters, “Cyber Attacks on U.S. Companies Since November 2014,” Heritage Foundation Issue Brief No. 4487, November 18, 2015, http://www.heritage.org/research/reports/2015/11/cyber-attacks-on-us-companies-since-november-2014.