Your next big break: 2016 data breach predictions


1. Health care companies will continue to be the top target for hackers.

According to various reports, including Gemalto’s 1H 2015 Breach Level Index Report, the health care industry holds the dubious distinction of having the highest number of data breach incidents of any industry. Health care data still commands a 10x premium over financial and other personal information. At the same time, most health care companies lack the ability to find a network attacker who has circumvented preventative security and is in the process of exploring an unfamiliar network, gaining additional points of control, and getting closer to Protected Health Information (PHI) and Personal Identity Information (PII) records. Even data encryption, greater network segmentation and additional authentication controls are unlikely to impede a network attacker, who can steal valid credentials that grant access to critical data. These network attacks will continue to occur in 2016, and health care will likely remain the industry most victimized by data breaches.

2. Data breaches will increasingly be used to gain investment information.

Most data breaches have resulted in the loss of money and other financial instruments and personal identity details, such as account numbers, passwords and account balances. Few have involved the loss of material, confidential information that could give an investor an important edge in buying or selling stock or some other investment. While this was an element in the massive breach of J.P. Morgan Chase, where insiders allegedly made off with more than $100 million, it has been fairly uncommon.

Earlier in 2015, the two major newswire distribution services, plus a third, suffered a data breach. Typically, public companies upload press releases detailing their upcoming earnings or merger and acquisition announcements to such a newswire service in advance of the public announcement. An attacker who gains access to these files could make a substantial amount of money by acting on the information before it is made public. This actually happened, giving a financial windfall to 30 or more individuals, including a hedge fund manager. At least two of the newswire services suffered attacks dating back five years, giving criminals access to over 150,000 press releases during that period. Because the services lacked the ability to effectively detect active network attackers, the criminals could carry out their schemes without fear of being seen.

Eventually, the U.S. Department of Justice brought charges against five or more defendants who made a large amount of money by using the information they acquired from the wire services before it was made public. Network attackers could also access information systems in the financial departments of publicly traded companies and use the details for an insider investor advantage. They could potentially carry this out without the company’s knowledge, risking only a possible trading anomaly that might be caught by the SEC. We are likely to see more network attacks with the intent of misappropriating information to benefit insider trading in the coming year.

3. More data breaches will leverage account leapfrogging.

Perhaps most famously chronicled in the case of the White House and Office of Personnel Management (OPM) network attacks, cybercriminals can penetrate the network or a personal computing device of one organization to gain valid credentialed access to another organization. In the case of OPM, it appears that attackers were able to penetrate the government agency’s network by first compromising at least one computer at KeyPoint Government Solutions, a provider of investigative services for the U.S. government. From the attack on the government contractor in December 2014, attackers were able to use valid credentials to gain access to OPM and went undiscovered until April 2015. In the case of the White House, it is believed that attackers first penetrated the State Department and then used that access to reach the White House.

Most data breaches occur as a result of a network attack lasting weeks, months and even years. Attackers generally compromise a user’s computer or network account through malware, spear phishing or social networking. Once a cybercriminal has access to just a single computing device or account, they can get network access and begin to systematically explore the unfamiliar network and gain additional points of control.

In 2016, we will see more data breach leapfrogging, as cybercriminals compromise an initial target to gain access to a primary one.
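Leapfrogging works because the attacker arrives with valid credentials, so preventative controls see a normal logon; what stands out is an account fanning out to far more hosts than usual in a short window. The following is an added detection example, not code from the original article: the log format, hostnames, window and threshold are all constructed assumptions.

```python
"""Flag accounts whose valid credentials fan out to many hosts in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical CSV: ts,user,src,dst,result).
# 'jsmith' logs on from a contractor workstation to five internal hosts in five minutes.
SAMPLE_LOG = """\
2015-01-05T09:00:00,jsmith,ws-contractor-07,fileserver-01,success
2015-01-05T09:01:10,jsmith,ws-contractor-07,hr-db-02,success
2015-01-05T09:02:30,jsmith,ws-contractor-07,backup-03,success
2015-01-05T09:03:45,jsmith,ws-contractor-07,dc-01,success
2015-01-05T09:05:00,jsmith,ws-contractor-07,mail-01,success
2015-01-05T09:10:00,mlee,ws-0042,fileserver-01,success
2015-01-05T11:00:00,mlee,ws-0042,mail-01,success
2015-01-05T13:00:00,jsmith,ws-contractor-07,fileserver-01,failure
"""


def parse_log(text):
    """Parse the constructed CSV format into (timestamp, user, src, dst, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split(",")
        events.append((datetime.fromisoformat(ts), user, src, dst, result))
    return events


def find_fanout(events, window=timedelta(minutes=10), threshold=4):
    """Return {user: sorted list of distinct hosts} for each account whose successful
    logons reach at least `threshold` distinct destinations inside any `window`.
    Failed logons are ignored: the signal here is valid credentials used too widely."""
    by_user = defaultdict(list)
    for ts, user, _src, dst, result in events:
        if result == "success":
            by_user[user].append((ts, dst))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()  # sliding window needs chronological order
        for i, (start, _) in enumerate(logons):
            hosts = {dst for ts, dst in logons[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for user, hosts in find_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {len(hosts)} distinct hosts within window -> {hosts}")
```

In a real deployment the window and threshold would be tuned per role, since service accounts and administrators legitimately touch many hosts.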

4. Increased volume of targeted attacks with damage as the objective.

Perhaps the most famous account of a network attack that resulted in actual damage to computers and other resources was the one at Sony. Here, besides the headline-grabbing news of data and assets exfiltrated and released to the world, the company reeled from the carnage of attackers securely deleting everything on 3,262 of Sony’s 6,797 PCs and 837 of its 1,555 servers. This brought all business operations to a standstill, and the company had to resort to pen and paper, faxing and other “old school” means to try to get things done. For instance, payroll had to be accomplished completely manually. Each of the computers and servers that had data wiped also had key startup software removed or destroyed, rendering the machines useless until completely rebuilt. This further ensured that the business would be impaired for weeks or months. The custom malware used also displayed a threatening screen on each employee computer.

Whether sponsored by a foreign state or a group of malcontents, network attacks with the primary purpose of inflicting damage will likely become more common in the coming year.

5. Email shaming: increased targeted attacks with defamation as the objective.

A feature common to the network attacks on Sony and, later, the infamous Hacking Team in Italy was that company emails were released to the public, to the shame and embarrassment of each business. In the case of Sony, the attackers released emails on public sites, revealing confidential and sensitive information that is still creating waves and ill will. The cybercriminals focused on emails from the top five executives at Sony studios. The postings were brought to the attention of the press.

In the case of Hacking Team, over 400GB of company email, passwords, internal documents and source code were leaked through a torrent posted via the company’s own Twitter handle. In addition, the attackers retained access to Hacking Team’s Twitter account for over 12 hours, posting screenshots of internal emails and other items.

In the coming year, there will likely be more such activities that are intended to shame or damage the organization that has suffered a network attack.