Back in the days before climate change stretched frigid winter months directly into the insta-sweat of summer, there was a saying about March: in like a lamb, out like a lion. The same might be said about the last decade in cybersecurity fails.
What kicked off with a handful of stories about niche hacks ballooned into daily splashy headlines about massive data breaches, dangerous outbreaks, and increasingly sophisticated attack campaigns. The game has truly changed, generating a multi-billion-dollar industrial complex, and inspiring millions to stock up on tinfoil hats while saving trendy rumpus room designs to their Pinterest boards.
To comment on the sweeping changes brought on by the last 10 years of hacks, breaches, privacy debates, and evolutions in malware, Malwarebytes researchers Wendy Zamora and Chris Boyd take a look at the most noteworthy, mind-blowing, and sometimes chuckle-inducing cybersecurity fails that defined the decade.
2011: Game over, PlayStation
WZ: It all started with the gamers. In my mind, gaming is nearly as genre-defining as porn when it comes to testing, adopting, and embracing early tech evolutions. The two go hand-in-hand, so to speak.
I’ll just give you a minute to wipe that last image out of your head before proceeding.
Great. So, in 2011 the world got its first glimpse at the power of a good hack to not only steal data, but also bring operations to a grinding halt. The 77 million members of the Sony PlayStation Network, including minors under the age of 18, had their personal data exposed to hackers. But worse for the gamers, they were locked out of their accounts for 23 days, unable to play online, purchase, or otherwise indulge in their favorite pastime.
For the sheer number of users alone, this hack is noteworthy, but more, it was a foreshadowing of the ways in which cybersecurity fails could do more than just steal information—they could disrupt lives.
2012: Mat Honan’s digital life torched
CB: PlayStation was significant for sheer cultural impact, if not actual affected numbers, given the size of recent breaches. I usually groan when looking at yearly lists of cybersecurity fails because I know 90 percent of it is going to be the same generic breach we’ve all seen a hundred times over. Yes, it’s bad that six million customer records were swiped from a web-facing database. No, it doesn’t make for interesting reading.
Instead, I’m much more interested in specific examples of personal ruination. One such example is from 2012, when technology writer Mat Honan found his entire digital world torn in half. I’d argue this is one of the most spectacular digital demolition jobs I’ve ever seen. The crooks had no interest in him, his data, or his devices. They just wanted that sweet, sweet three-character Twitter handle. If everything important to him was torched along the way? Too bad, so sad.
This guy pretty much lost everything of real, singular importance to him in the attack. All those photos of his kid as a baby? Bam, gone. Google account taken over and deleted. iPhone and iPad data erased. Anything still on his MacBook drive was locked away behind features designed to make his life more secure, like the four-digit PIN. The worst feeling in the world isn’t just the compromise; it’s knowing that those helpful systems are a gigantic pain in the backside once someone who isn’t you is in the driving seat.
Some basic actions—enabling 2FA on gmail and making backups—would have essentially made this a non-event. Did Honan miraculously manage to get his photographs back? Sure. It was a lucky escape, and we generally don’t get that lucky. This was one of those landmark, hot knife through buttery cybersecurity fails. I double dare you to top it.
2013: Snowed under
WZ: Sure, sure, Honan’s digital demise uncovered many holes in security processes we previously thought were failsafe, and maybe taught Apple customer service a valuable lesson in active listening. But as you yourself noted—I don’t think anyone learned anything from it. In contrast, Edward Snowden jolted the world out of its collective ostrich pose and demonstrated how very much 1984 got it right.
Depending on which side of democracy you stand on, Snowden, a former CIA contractor-turned-whistleblower, is either a hero or a war criminal for his 2013 revelations about the extent and reach of NSA-sponsored surveillance systems set up in the aftermath of 9/11. Global telecommunications systems, Internet watch lists, international cooperation, the works. In the list of cybersecurity fails, this may be the Holy Grail.
Regardless of political stance, Snowden’s reveal was a real eye-opener for the public, and it sparked a massive worldwide debate that rages on to this day. They call it “the Snowden effect.”
Just ask anyone what’s more important to them: national security or personal privacy? Do they have “nothing to hide” or is their right to stay off the grid of upmost importance? If you can easily answer this question and guarantee everyone in the room with you agrees, then you must be reading this from far in the future, when this list will look positively quaint in comparison to yours.
2013: Cryptolocker ransomware changes the game
CB: Okay, Snowden is a double-edged sword. On the one hand, he helped confirm that those conspiracy theorists were onto something. On the other hand, he helped confirm that those conspiracy theorists were onto something. I also wonder if the significance of his findings made that much of an impact outside the US, considering lots of folks just shrugged and carried on regardless.
If you want actual global impact on a scale you can feel, ransomware is where it’s at. Cryptolocker ransomware, specifically.
Ransomware was all fun and games until Cryptolocker came onto the scene and dashed users’ hopes by being the first widespread malware to encrypt files and hold them hostage until ransom was paid. Ransomware prior to Cryptolocker mostly relied on cheap tricks instead of encryption, but its arrival in 2013 cemented this method’s popularity forever, spawning clones and higher encryption stakes by the bucketload.
2013 again: Target hack
WZ: Okay, I will totally give you Cryptolocker. Game changer, no question. But this next breach is the quintessential lesson in “it only takes one time,” the Occam’s razor of cybersecurity fails. It also happened to be the splashiest, loudest security news of the decade (so far). Why? Because everyone loves Target. Everyone.
In 2013, Target screwed up big time. Its HVAC vendor had been hit with malware via lowly phishing email, but the technician remained dubiously unaware of that infection, which went ahead and stole Target’s network credentials. Hey, kids! What happens when you give third parties access to your VPN without thoroughly vetting them or their equipment for threats? You get hacked.
Also, note to businesses of all sizes: Free scanners do not proactively block threats. (Yes, we know, the HVAC people were using the free version of Malwarebytes.) They detect and clean malware only when you run a scan. Had the vendor been using our real-time anti-malware technology (or any other antivirus platform with always-on protection), this attack would have been erased from history.
2014: sorry, celebs! The Sony Pictures hack
CB: Everyone may love Target in the US, but on the other side of the pond, we enjoy £1 stores where everything costs, uh, £1.50. No, I don’t understand it either. What I do understand is I’m about to up the stakes to DEFCON 1 (Is that the bad one?) with a hacking tale that truly went viral. Step forward for the second time today, Sony!
The long version of the Sony Pictures hack can be read here. The short version? A hacker group called Guardians of Peace pilfered massive amounts of data from Sony servers, and in the years that have followed, it’s now tricky to remember where conspiracy theories and documented facts cross paths. A shady North Korean conspiracy, FBI and NSA involvement, multiple unreleased movies dumped online, thinly-veiled references to terrorist acts unless The Interview was pulled from theatres, and more all happened in the space of a month.
This cybersecurity fail is the equivalent of a Fast and Furious movie where the smalltime family of car heisters somehow ends up stealing nuclear footballs and taking down Russian submarines in their spare time. Also, hurling insults at someone who starred in a film called Hackers seems like a great way to invoke the Gods of dramatic irony.
2015: not sorry, cheaters
WZ: Yikes, yeah, 2014 was not a great year to be a celebrity. Just ask the victims of The Fappening. But I’m going to pivot and mention one of the decade's cybersecurity fails that was actually a good thing: The Ashley Madison hack.
Bringing to public conscious the term “hacktivism,” these do-gooders breached the database of the website dedicated to helping married people find true love by cheating on their partners. Some 32 million adulterers’ credentials and credit card information were dumped online, after which they were likely dumped by their angry spouses. There’s not much else I can say here except you guys are assholes and deserved this one. The end.
CB: Yeah, I got nothing. Those cheaters were bad and should feel bad.
2016: But her emails?
WZ: Look, everyone and their mother is going to say the DNC hack was the biggest cyber event of 2016. The Russians most certainly pinned the tail on the Democratic donkey, interfered in our elections, and overall made a right mess of things. There’s no doubt Russia’s actions cast a shadow over American democracy. But as far as global, far-reaching impact is concerned, I’ve got my eye on a different blight.
In 2016, a shady hacking group known as the Shadow Brokers started leaking NSA secrets, vulnerabilities, and exploits onto the Internet, embarrassing the agency, but more importantly, putting sophisticated tools in the hands of cybercriminals that would be employed over the remainder of the decade.
Most notably, they disclosed a group of SMB vulnerabilities and their accompanying exploits, which were later used to propagate the WannaCry infection laterally through thousands of endpoints, and which are still in use today to spread deadly Emotet and TrickBot infections in worm-like fashion.
If it weren’t for the cybersecurity fails caused by the Shadow Brokers, who knows? Threat actors might still be messing around with small potato consumer scams and identity theft. But with grown-up utilities in hand, they realized they could do a lot more damage to a lot more devices, and soon turned their greedy gaze to loftier goals.
2017: the year of the outbreak
CB: Well, super sneaky government tool thefts are all well and good, but the impact of ransomware retooling and running wild can’t be denied. In 2017, ransomware authors decided that just going after home users was becoming a little old hat, so they started targeting large organisations in a wave of outbreaks (fueled by the very exploits stolen from the NSA in 2016). Sadly for us, those organisations included many of the services we make use of on a daily basis, whose files and operations were encrypted and held up for Bitcoin ransom.
WannaCry, NotPetya, and BadRabbit were the big three ransomware epidemics of the year, but the malware made headlines time and time again as ransomware authors inched themselves into every available corner. Threat actors may have become a little less inventive during this period, but they certainly weren’t resting on their laurels.
Arguably the heaviest-hitting ransomware story of 2017 was the WannaCry attack on NHS, as £92m vanished down the plughole. This was a seismic attack, the aftershocks of which are still felt today, spinning off into unexpected places that have taken on a life of their own.
2017: crypto fever
WZ: I could go with Equifax here, but come on, son. Another day, another breach. In 2017, it was safe to say that basically anyone who had ever been online had their information compromised. Which is why I will instead turn to the birth of a brand-new form of cybercrime: cryptomining.
Bitcoin and other cryptocurrency had always been the favored tender of the black market, as it’s anonymous and nearly impossible to trace. However, in 2017, crypto became more mainstream as a sudden, acute increase in value had even the beariest of bears opening cryptowallets and investing in super-niche altcoins. So naturally, cybercriminals being the vultures of the Internet, they found a way to capitalize on all this carrion by jacking the CPU/GPU of other users’ systems to generate coin.
Starting in late 2017, we started noticing hundreds of millions of detections of coinhive.com, a CPU-mining platform that—while itself was a legitimate service—was being abused by cybercriminals to mine users without their permission. This kicked off a landslide of cryptomining activity that spawned the creation of multi-platform cryptomining malware, drive-by mining attacks, crypto-bundlers, crypto-themed scams, cryptowallet drainers, crypto crypto cryptors, and crypto.
While cryptomining has since died down from its 2017-2018 heyday, it remains forever part of the threat landscape, and I’m sure we’ll be seeing much more of it as cryptocurrency and blockchain technology take hold in the next decade.
2018: shine’s off social media
CB: 2018 was all about the covert use of data pulling the strings in every direction you can imagine. Data mining and digital assets plus social media makes for a cracking combination in the wrong hands, and it turns out Facebook was the place most of this war was fought and won (or lost, if you were on the receiving end).
Cambridge Analytica, a political consulting firm based in the UK, probably knew they’d walked into “oh, whoops” territory when their offices were raided in 2018. They’d been mucking around on multiple elections worldwide, but drew attention to themselves and Facebook after it was discovered that they’d been harvesting the personal information from 50 million Facebook user profiles without their permission. The repercussions from this story continue to be felt today, as lawmakers now scrutinize Big Tech for their data privacy policies.
2018: data privacy becomes a thing
WZ: Actually, I have to semi-agree on Cambridge Analytica. But I see your social media problems and I raise you an entire Internet of data privacy issues. In 2018, users got a rude awakening into the inner workings of the tech giants they’d come to love, rely on, and otherwise be addicted to. Wait, you’re selling my information to pharmaceutical companies? You can actually record my conversations through my digital home assistant? Suddenly, users had to be just as wary of legitimate tech companies as they were of cybercriminals.
The awareness of 2018 led to global action, as GDPR was put into effect, launching a million cookie notices and EULA rewrites. Digital data privacy had always been an issue, reaching far back to pre-Y2K years, and it will continue for many decades as we contend with biometrics and genetic data. But 2018 represented a period of public “wokeness” that forever changed the way we build, buy, regulate, and use technology.
2019: the year of the triple threat
CB: We’re too close to 2019 to be able to say conclusively what stuck and what stank, but the triple threat of Emotet, TrickBot, and Ryuk ransomware caused such massive problems across a range of critical infrastructure and business services that any 2019 listicle that doesn’t feature this attack is missing the mark. If your mailbox hasn’t detected the familiar twang of an Emotet malspam landing on the network yet, you’re doing very well indeed.
The triple threat officially saw light in 2018, but it was the attack of 2019. If there was news of a city declaring a state of emergency, a school shutting down for weeks, or a hospital shelling out thousands in ransom payment, you bet it was on account of these three devils. It’s an assault from every angle, and in an alien invasion, this would be the part where the hero escaped through a conveniently placed air vent.
Cybersecurity fail of the decade
All this arguing on which cybersecurity fails were most awe-inspiring, death-defying, or just plain stupid would be pointless if we didn't wrap it up in a nice year-end bow. So, without further ado, we'll now take our pick of the top cybersecurity fail of the decade. Drumroll please...
WZ: My vote is for Shadow Brokers because it set off a chain of events that allowed for cybercriminals to evolve into more sophisticated, industrialized players, essentially radically changing the threat landscape from a bunch of kids messing around in their basements to organized criminals aimed at taking down organizations, swiping millions of users' personal data and making significant profit in the process.
CB: My pick is the Mat Honan hack. It's not as big, or as flashy, or as sophisticated as most of the attacks on display. But what happened to him pretty much still happens to people now as their first introduction to the world of "All my data is gone forever." How they torched his digital existence and salted the earth is beyond brutal—and, most chillingly, it was nothing personal.
Which of these cybersecurity fails would you vote for? Sound off in the comments!