The 12 biggest hacks, breaches, and security threats of 2017


Security issues took a turn for the serious in 2017. This time around we still suffered the password breaches, malware annoyances, and stolen credit card numbers that have become commonplace in recent years. But the headlines were dominated by more sobering issues.

We saw foreign adversaries trying to infiltrate critical infrastructure; major U.S. government hacking tools exposed; a major breach that called into question the use of social security numbers as identification; the U.S. government turning negative towards online user privacy; and popular consumer software dragged into the world of corporate and state espionage. 

Whew. It was a big year for computer security, and some of 2017’s events will no doubt reach well into 2018 and beyond. Let’s take a look.

Shadow Brokers and Vault7 leaks


A CIA logo released by Wikileaks as part of Vault7.

Two of the defining computer security events of 2017 were leaks that exposed closely held hacking secrets of the U.S. government. Wikileaks got the ball rolling in March with the release of its so-called “Vault7” leaks revealing what appeared to be a cache of computer vulnerabilities and operating methods used by the Central Intelligence Agency to infiltrate target devices.

Then in April the Shadow Brokers—an anonymous group of hackers that first came to notoriety in 2016—released a trove of attack tools linked to the National Security Agency.

Both releases would have significant impacts on computer device security.

Equifax Breach

“Jaw-dropping” does not begin to describe the Equifax breach, which came to light in September. Equifax is one of the three major consumer credit reporting agencies in the United States. The hackers struck in the spring, seizing 143 million Social Security numbers—that’s more than half of the U.S. population. A failure to install current security patches on its network opened the door to the attack, the company said. Despite the devastating hack Equifax still won an anti-fraud contract from the Internal Revenue Service, though it was later suspended.

ISP tracking rules

In late March, Congress decided to remove the privacy rules passed by the Federal Communications Commission in 2016. The rules had not yet come into effect when they were dumped, but they would have required opt-in permission from broadband customers before ISPs could use their personal information and browsing habits for marketing or analytics purposes.

Republicans said the rules unfairly hamstrung Internet Service Providers, while major Internet companies could collect and use all the personal data they wanted. What that argument ignores, however, is that ISP data collection is much harder to mitigate, since ISPs control the very wires and cables you need to get online. Plus, few people are particularly pleased that Facebook and Google have free rein, either.

CCleaner gets a backdoor

In September, security researchers at Cisco Talos discovered malicious code buried inside CCleaner, a popular Windows PC utility. The malware was designed to steal personal data from infected machines. Avast added to the intrigue when it discovered that there was a second stage to the malware for infected machines in specific companies such as Cisco, Sony, and HTC. Presumably, the malware was looking to steal company secrets in those organizations. All in all, around two million people were believed to be affected by the corrupted versions of CCleaner. The malware has since been removed from the latest versions of the software.

Kaspersky controversy

If there’s a headline-grabbing computer security controversy of 2017, it has to be the allegation that Kaspersky Anti-Virus products are a spying tool for Russian intelligence. In October, The Wall Street Journal said hackers working for the Russian government used Kaspersky Anti-Virus to identify and target a National Security Agency contractor in order to steal American hacking secrets.

Kaspersky vigorously denied the claims and said the contractor caused the leak by running Kaspersky on a home machine that contained weaponized malware. To help allay fears, Kaspersky announced it would allow third parties to audit its code—a measure that some experts argue doesn’t go far enough. As a result of the reports, and bans of Kaspersky products by the government, Kaspersky’s Washington DC office shut down in December, the contractor who brought U.S. hacking secrets home in the first place pleaded guilty to taking classified documents, and Kaspersky sued the Department of Homeland Security over blacklisting its products.

Game of Leaks

It’s not easy being a fount of popular TV shows—especially when everyone wants to know what you have planned. HBO found that out the hard way in July when hackers claimed to have purloined 1.5 terabytes of data from the pay TV channel. Among the stolen cache were management emails, upcoming episodes for popular HBO shows, and draft scripts of one Game of Thrones episode that had not yet been aired. In November, U.S. law enforcement charged an Iranian hacker with the data theft. As for HBO, now it understands that when it comes to computer security you win or you leak.

Yahoo’s 2016 hacks get worse

Yahoo’s headquarters in Sunnyvale, California.

Author: administrator