2015 end-of-year round-up

December 22nd, 2015 by Mark Daly in Industry News


2015 got off to a flying start when it was reported that personalised card company Moonpig’s Android app talked to an API with an insecure direct object reference: the API never checked that the caller was entitled to the record identified by the customer ID number in the request, so attackers could access any user’s account simply by changing that number. Attackers could then place orders on other customers’ accounts, add or retrieve card information, view saved addresses and orders, and much more.
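The bug class above, as an added example rather than Moonpig’s own code: a JSON-style API whose "list orders" handler picks the customer from a client-supplied parameter, beside handlers that derive the customer from the authenticated session and check ownership of each object. The tokens, order records, route names and the HTTP-like (status, body) return values are all constructed for illustration.

```python
"""Insecure direct object reference (IDOR) in an API handler, and the ownership check that fixes it."""

# Constructed fixture: bearer tokens and the customer each one authenticates as.
SESSIONS = {"tok-alice": "42", "tok-bob": "43"}

# Constructed orders; every order belongs to exactly one customer.
ORDERS = {
    "1001": {"customer_id": "42", "card_last4": "4242", "address": "1 High St"},
    "1002": {"customer_id": "43", "card_last4": "1111", "address": "9 Low Rd"},
}


def current_customer(request):
    """Resolve the caller's identity from the credential, never from a request parameter."""
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token)


def vulnerable_list_orders(request):
    """Moonpig-style bug: the caller is authenticated, but the account whose orders are
    returned is chosen by the client-supplied customer_id, so any valid token reads any account."""
    if current_customer(request) is None:
        return 401, {"error": "unauthenticated"}
    target = request["params"].get("customer_id")
    return 200, [o for o in ORDERS.values() if o["customer_id"] == target]


def hardened_list_orders(request):
    """Authorization derives from the session; a customer_id in the request is ignored."""
    me = current_customer(request)
    if me is None:
        return 401, {"error": "unauthenticated"}
    return 200, [o for o in ORDERS.values() if o["customer_id"] == me]


def hardened_get_order(request, order_id):
    """Per-object check: the order must exist AND belong to the caller. Both failures return
    the same 404 so the endpoint cannot be used as an oracle for which order numbers exist."""
    me = current_customer(request)
    if me is None:
        return 401, {"error": "unauthenticated"}
    order = ORDERS.get(order_id)
    if order is None or order["customer_id"] != me:
        return 404, {"error": "not found"}
    return 200, order


def attacker_request(victim_customer_id):
    """Constructed attack request: Bob's own valid token, but Alice's customer ID in the body."""
    return {"headers": {"Authorization": "Bearer tok-bob"},
            "params": {"customer_id": victim_customer_id}}


if __name__ == "__main__":
    req = attacker_request("42")
    print("vulnerable:", vulnerable_list_orders(req))     # leaks Alice's order and card digits
    print("hardened:  ", hardened_list_orders(req))       # only Bob's own order
    print("by id:     ", hardened_get_order(req, "1001"))  # 404: Alice's order is invisible to Bob
```

The point is that authentication and authorization are separate checks: knowing who the caller is does nothing unless every object lookup also confirms the caller may see that object. Making IDs non-sequential slows enumeration but is not a substitute for the ownership test.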

Shoe retailer Office was warned by the Information Commissioner’s Office following a hacking incident that exposed more than a million customers’ details. Office signed an undertaking to resolve the problems that led to the breach, and confirmed that no payment card or bank details were compromised.

And Adobe issued security updates to address 12 vulnerabilities in Flash Player.


In February, popular WordPress plugin FancyBox issued a patch to fix a vulnerability that allowed the delivery of a malicious iframe through persistent cross-site scripting. Many sites were apparently compromised. The plugin, which had over half a million downloads, was temporarily withdrawn from the WordPress plugin directory.

Celebrity chef Jamie Oliver’s website was compromised through a Flash vulnerability, redirecting visitors to a compromised WordPress site that pushed malware onto their computers.

In the US, health insurer Anthem suffered the first large-scale data breach of the year, which affected the personal information of some 80 million people – including 18.8 million who weren’t even Anthem customers. Worse, the information was apparently unencrypted.

And Adobe issued security updates to address 19 vulnerabilities in Flash Player.


March marks the first mention of the year for TalkTalk, which confirmed that leaked customer data was being used by criminals to defraud its customers of thousands of pounds. The personal information – including customers’ phone numbers, addresses and account details – was lost when a third party suffered a data breach in 2014.

A global phishing campaign targeting iPhone and iPad users was discovered. Thieves used iOS’s Find My iPhone feature to contact the owners of lost devices, then tricked them into handing over their credentials and accessed their iCloud accounts.

iPhone passcodes were shown to be crackable by a hardware box that exploited a known iOS vulnerability. The IP-Box tool – yours online for about £170 – was shown to brute-force the four-digit passcode on any iPhone up to iOS 8 in under 17 hours.

Tech companies scrambled to address an encryption vulnerability affecting many Apple and Android devices, as well as Windows Secure Channel. Factoring RSA Export Keys – or FREAK, as it became known – was a legacy of a decades-old US policy restricting the export of strong cryptography: “export-grade” 512-bit RSA keys were weak by design, and many products that came into existence long after the restrictions were lifted still supported them. A man-in-the-middle could trick a vulnerable client into accepting an export-grade key for a connection that was supposed to use strong RSA, factor that key in a matter of hours on rented cloud computing, and then read or tamper with the session. Over five million websites were also found to be vulnerable, including well-known brands and government sites.
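The downgrade described above, as an added example that is not part of the original post and not a real TLS implementation: a deliberately simplified model in which only the cipher suite names and RSA key sizes of the handshake are represented. The attacker is assumed to sit in the middle and rewrite handshake messages (the position FREAK requires). The model shows the client-side bug (accepting a temporary RSA key for a suite that should not have one), the client-side fix, and the server-side fix (dropping export suites entirely).

```python
"""Simplified model of the TLS RSA key-exchange downgrade behind FREAK (constructed example)."""

STRONG_RSA = "TLS_RSA_WITH_AES_128_CBC_SHA"    # premaster secret encrypted to the 2048-bit certificate key
EXPORT_RSA = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"  # server supplies a temporary 512-bit RSA key instead

LEGACY_SERVER = [STRONG_RSA, EXPORT_RSA]   # export suites still enabled (the pre-2015 default on many hosts)
HARDENED_SERVER = [STRONG_RSA]             # server-side fix: export suites removed


def is_export(suite):
    return "_EXPORT_" in suite


def server(client_hello, supported):
    """Pick the first supported suite the client offered. Returns (ServerHello, ServerKeyExchange);
    ServerKeyExchange carries a 512-bit temporary key only for export suites."""
    common = [s for s in supported if s in client_hello["suites"]]
    if not common:
        return None, None                      # handshake_failure alert
    chosen = common[0]
    server_hello = {"suite": chosen, "cert_bits": 2048}
    ske = {"rsa_bits": 512} if is_export(chosen) else None
    return server_hello, ske


def mitm(client_hello, server_suites):
    """Attacker in the middle: ask the server for an export suite, then tell the client it got
    the strong suite it asked for, and pass the 512-bit ServerKeyExchange through unchanged."""
    server_hello, ske = server({"suites": [EXPORT_RSA]}, server_suites)
    if server_hello is None:
        return None, None
    return dict(server_hello, suite=client_hello["suites"][0]), ske


def vulnerable_client(server_hello, ske, offered):
    """Pre-fix behaviour. Returns the size of the RSA key the premaster secret is encrypted with."""
    if server_hello["suite"] not in offered:
        raise ValueError("server chose a suite we did not offer")
    if ske is not None:
        return ske["rsa_bits"]                 # the bug: uses the temporary key without checking the suite
    return server_hello["cert_bits"]


def fixed_client(server_hello, ske, offered):
    """Client-side fix: an RSA ServerKeyExchange is only legal for an export suite."""
    if server_hello["suite"] not in offered:
        raise ValueError("server chose a suite we did not offer")
    if ske is not None and not is_export(server_hello["suite"]):
        raise ValueError("unexpected RSA ServerKeyExchange for a non-export suite")
    return server_hello["cert_bits"]


def handshake(client, server_suites, attacker):
    """Run one handshake. Returns the RSA key size protecting the session, or None if it aborted."""
    client_hello = {"suites": [STRONG_RSA]}    # the client never asks for export crypto
    if attacker:
        server_hello, ske = mitm(client_hello, server_suites)
    else:
        server_hello, ske = server(client_hello, server_suites)
    if server_hello is None:
        return None
    try:
        return client(server_hello, ske, client_hello["suites"])
    except ValueError:
        return None


if __name__ == "__main__":
    print("no attacker, legacy server:", handshake(vulnerable_client, LEGACY_SERVER, attacker=False))  # 2048
    print("FREAK, vulnerable client:   ", handshake(vulnerable_client, LEGACY_SERVER, attacker=True))   # 512
    print("FREAK, fixed client:        ", handshake(fixed_client, LEGACY_SERVER, attacker=True))        # None
    print("FREAK, hardened server:     ", handshake(vulnerable_client, HARDENED_SERVER, attacker=True)) # None
```

A 512-bit key is the attacker’s prize: factoring it yields the premaster secret and therefore every session key derived from it. Either fix alone breaks the attack, but only the server-side one protects clients that will never be patched, which is why the practical advice at the time was to disable export suites on every server.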

11 million customer records were exposed when US health insurer Premera Blue Cross was hacked. Customers’ names, dates of birth, email and postal addresses, telephone numbers, Social Security numbers, bank account information and more were affected.

Jamie Oliver’s website was once again found to be serving up malware.

And Adobe issued security updates to address 11 vulnerabilities in Flash Player.


In April, more information emerged about the Russian attack on the White House’s unclassified network in October 2014, including the revelation that some of President Obama’s emails were hacked. Sensitive information including the president’s schedule was accessed, but deputy national security advisor Ben Rhodes was quick to reassure the public that nothing classified had been exposed. It also transpired that the hackers gained access to the White House network via a phishing attack on the State Department.

IBM researchers identified a criminal campaign that delivered the Dyre (or Dyreza) banking Trojan via phishing emails. When an infected victim tried to log in to their bank, the malware displayed a fake message directing them to a phone number, where the criminals talked them out of their credentials and one-time codes, defeating two-factor authentication before transferring money out of their accounts. The campaign had a formidable success rate, netting the criminals behind it about $1 million.

A critical security flaw in eBay’s Magento e-commerce platform was made public. A patch to address the remote code execution vulnerability was issued in February, but some 200,000 e-commerce sites were still vulnerable in April because their owners had not applied it.

And Adobe issued security patches to address 22 vulnerabilities in Flash Player.


In May, criminals gained access to the tax returns of 320,000 US citizens via the Get Transcript application on the Internal Revenue Service’s website, answering its knowledge-based identity questions with personal information they had obtained elsewhere. They then managed to file numerous false tax returns, defrauding the IRS of nearly $50 million in refunds before it detected the criminal activity, shut down the Get Transcript app, and started investigating.

In Germany, the Bundestag (the lower house of Germany’s parliament) suffered a cyber attack on its Parlakom network, affecting an estimated 20,000 accounts. The Trojan used in the attack was said to resemble malware that was deployed in 2014 in a cyber attack on an unnamed German network, which was thought to be state-sponsored by Russia.

The Hard Rock Hotel & Casino in Las Vegas revealed that it had suffered a seven-month long data breach in which customers’ credit card numbers and CVV security codes, names, and addresses were stolen by criminals.

Jamie Oliver’s website was found to be dishing up malware for the third time in four months.

And Adobe issued security patches to address 18 vulnerabilities in Flash Player.


June’s biggest story was the OPM hack. The United States Office of Personnel Management confirmed this month that it had suffered two major data breaches that compromised the personal data of 22.1 million past and present federal employees – and their families. White House officials revealed that the attackers accessed a document called ‘Standard Form 86’, which is completed by people applying for national security positions. These forms hold a wealth of sensitive information, including drug and alcohol use, mental illness, bankruptcy and arrests, as well as a list of contacts and relatives. OPM Director Katherine Archuleta resigned when it emerged that the inspector general had warned about OPM security failings since 2007, and recommended that the OPM’s systems be shut down – not least because the data they held was unencrypted. She’d ignored these recommendations.

eBay’s Magento e-commerce platform was in the news again when it emerged that criminal hackers were stealing payment card data using a variety of code injection attacks.

And Adobe issued security patches to address 15 vulnerabilities in Flash Player.


In July, Hacking Team – the controversial Italian cyber security company that provides surveillance software to law enforcement agencies and governments around the world – was hacked. 400 GB of documents were posted online via the company’s Twitter account, which was renamed “Hacked Team” by the perpetrators. The documents include source code, employee passwords, and internal documents and email archives that apparently revealed the identity of some of the company’s clients – some of which are oppressive regimes.

Hookup site Ashley Madison (slogan: “Life is short. Have an affair”) was attacked by a group calling itself the Impact Team. A 9.7GB data dump was later posted on the dark web, featuring the personal information of 32 million account holders – including their login details, transaction details, names, home addresses and email addresses, and the amount they paid.

95% of Android phones – some 950 million devices – were found to be vulnerable to attack thanks to flaws in Android’s Stagefright code, which handles media playback. It was reported that all an attacker needed to do to gain control of a device was send it a specially crafted multimedia message, and on many handsets the message was processed automatically before the user had even opened it.

Security researchers Charlie Miller and Chris Valasek – both of whom are now employed by Uber – revealed that they could remotely hack a Jeep Cherokee via a vulnerability in its Uconnect on-board computer, forcing Fiat Chrysler to recall 1.4 million potentially affected vehicles.

And Adobe issued security patches to address 39 vulnerabilities in Flash Player. Mozilla began blocking all versions of Flash Player in Firefox and Facebook’s chief security officer Alex Stamos said on Twitter that it was time for Adobe to announce an end-of-life date for Flash.


In August, the personal data of 2.4 million Dixons Carphone customers was affected by a data breach. The data included customers’ names, addresses, dates of birth, email addresses and bank details, as well as the encrypted credit card details of 90,000 people.

The personal details of 458 customers of holiday company Thomson were compromised in a data breach when an email containing the information was mistakenly sent on 15 August. Holidaymakers’ details included names, addresses, email addresses, telephone numbers and flight details.

Popular parenting forum Mumsnet was hit by a spate of attacks. Servers were crashed by distributed denial-of-service attacks, some accounts were compromised – apparently by phishing attacks – and Mumsnet founder Justine Roberts was the victim of a so-called swatting attack, when armed police were called to her home by a hoaxer claiming criminal activity was taking place. All Mumsnet users were advised to change their passwords.

US officials admitted that a Russian cyber attack against the Pentagon’s Joint Staff unclassified email system caused the system to be shut down for more than a fortnight, affecting “some 4,000 military and civilian personnel who work for the Joint Chiefs of Staff.” The intrusion occurred around July 25, and “relied on some kind of automated system” to gather “massive amounts of data”. Officials commented that the attack “was clearly the work of a state actor”. No classified information was compromised.

And Adobe issued security patches to address 35 vulnerabilities in Flash Player.


In September, London’s 56 Dean Street clinic – one of Europe’s busiest sexual health clinics – apologised after mistakenly revealing the names and email addresses of 780 patients with HIV in an email. Recipients of a newsletter were supposed to be blind-copied, but whoever sent it put the addresses into the “To:” field rather than “BCC:”, with the result that every recipient could see everyone else’s names and email addresses. The Guardian reported that the employee responsible was “distraught” at their error.

The WhatsApp Web app – the web-based extension of the popular instant messaging phone app – was found to contain several vulnerabilities that could trick victims into executing malware on their machines. More than 200 million people were potentially affected.

In the US, Comcast agreed to pay a fine of $33 million after a data breach in which 75,000 customers had their personal details published online despite having paid to keep them private.

More than 4,000 iOS apps in Apple’s App Store were found to be affected by the XcodeGhost malware after developers, frustrated at slow download speeds behind the so-called Great Firewall of China, downloaded an unofficial and, alas, trojanised copy of Apple’s Xcode app development tool. XcodeGhost was estimated to potentially affect more than 500 million iOS users, mostly in the Asia-Pacific region.

The personal information of thousands of Lloyds Bank Premier account holders was lost when a Royal Sun Alliance (RSA) data storage device went missing. RSA provides the emergency cover that comes as standard with Lloyds Premier accounts.

And Adobe issued security patches to address 23 vulnerabilities in Flash Player.


In October, the UK’s biggest NHS-approved online pharmacy, Pharmacy2U, was fined £130,000 by the Information Commissioner’s Office for breaching the Data Protection Act by selling the details of more than 20,000 customers via an online marketing company. Information offered for sale by Pharmacy2U included records of “people suffering from ailments such as asthma, Parkinson’s disease and erectile dysfunction. Breakdowns of customers, such as men over 70 years old, were available, and records were advertised for sale for £130 per 1000”.

TalkTalk’s website was subjected to a sustained cyber attack in which criminals potentially accessed up to four million customers’ names, addresses, dates of birth, email addresses, telephone numbers, TalkTalk account information, and credit card and bank details. TalkTalk chief exec Dido Harding received a ransom demand from someone claiming to be the hacker responsible. The incident was later estimated to have cost the company £35 million.

Safe Harbor, the 15-year-old data transfer pact between the US and the EU allowing the personal information of EU citizens to be transferred to the US without abiding by the strictures of European data protection legislation, was declared invalid by the European Court of Justice in a landmark ruling. The court’s decision was the result of a legal challenge brought against Facebook by Max Schrems, an Austrian privacy campaigner who, in the wake of the Snowden disclosures, was concerned about the social network’s potential sharing of Europeans’ personal data with the NSA.

And Adobe issued security patches to address 23 vulnerabilities in Flash Player.


Swiss encrypted email provider ProtonMail was hit by a powerful series of distributed denial-of-service attacks in November, which knocked it and a number of other services offline. ProtonMail said that the attacks were continuing, but that it had strengthened its defences against them.

Hotel chain Hilton Worldwide confirmed that its point-of-sale systems were hit by malware that collected customer payment card data over a 17-week period in November and December last year, and from April to July this year.

Personalised postcard-making app Touchnote was also hacked. The app, which allows users to send their digital photos to friends as physical cards, told registered users that their names, email addresses and order histories – including recipients’ details – had been accessed. Credit card details were not.

In the largest incident of the year – at least in terms of the number of potential victims – children’s toy manufacturer VTech suffered a data breach when criminal hackers attacked its servers. The personal data of 4,833,678 parents – including their “names, email addresses, passwords, and home addresses” – was exposed, as were “the first names, genders and birthdays of 6,368,509 children”.

And Adobe issued security patches to address 17 vulnerabilities in Flash Player.


In early December it emerged that the personal details of 656,723 customers of high-street pub chain JD Wetherspoon – including their names, dates of birth, email addresses and telephone numbers – were stolen by criminals in June when a customer database related to an old website was hacked. For 100 customers who purchased vouchers online before August 2014, limited credit and/or debit card information was also stolen.

MacKeeper – the controversial utility software supposedly designed to improve Macs’ performance, but widely condemned for doing exactly the opposite – was found to have exposed the personal data of 13 million customers by storing it unencrypted on easily accessible servers. Kromtech, MacKeeper’s parent company, advised that the vulnerability had been addressed.

And Adobe issued security patches to address 79 vulnerabilities in Flash Player. By my estimation, that number brings the total of unique Flash vulnerabilities addressed by Adobe in 2015 to… 311. Father Christmas will send you the CVE numbers if you’ve been naughty.

