Dear Cyber Criminals,
Congratulations on a banner year! As cybercrime goes, you’ve had incredible success in 2014. In the past 12 months you’ve demonstrated that no one is too big or small to be a target: the US Government, Home Depot, JPMorgan, Apple, eBay, and Community Health Systems, just for starters. And you keep picking on poor Sony.
This past year, you exploited financial institutions like JPMorgan, where you helped yourselves to contact information for 76 million households and 7 million small businesses. You sat on its network for more than two months before a (rare) sloppy mistake gave you up. You even deleted your tracks, hampering investigators. JP Morgan spent $250 million this year on cyber security measures, which, thankfully, did prevent you from accessing its really critical data.
Retail wasn’t safe either. You tapped Home Depot for 56 million payment cards, costing it $62 million to recover from your handiwork. We are getting pretty used to news like this, and consumer confidence isn’t as easily shaken anymore. Not like in 2007 and 2008 when you cracked TJX and Hannaford.
At the tail end of 2013, you snagged a whopping 110 million payment cards from Target, one of the largest hauls in history. Quite simply, you have dominated the retail space.
You very cunningly attacked the $3 trillion US healthcare industry, including swiping 4 million electronic health records from Community Health Systems, each EHR worth 50 times more on the black market than a credit card number. The FBI Cybercrime Division even issued a warning to the healthcare community that its security measures were inadequate and couldn’t defend against a basic attack, let alone an advanced threat.
EHRs sell for about $50 a pop and can generate profit in many ways. The medical identity may be sold, so someone can get an operation they otherwise couldn’t afford. Details, like a mother’s maiden name, are most likely included as well -- extremely useful for identity theft. And then there’s that other sensitive information. EHRs contain personal info ranging from drug rehab to STDs and details you wouldn’t want anyone knowing. This information can be posted on the Internet, adversely affecting a person’s life, ruining career potential, and even opening one up to blackmail. The FBI acknowledged the value of this opportunity, calling healthcare “a rich new environment for cyber criminals to exploit.” Kudos for your accomplishments in this area.
Then there was Apple. That breach created one of the bigger media storms in 2014 and drew the most attention. This one was clearly just for fun and to remind us that you enjoy some celebrity gossip just like the rest of us. A classic phishing scam duped celebrities out of their logins, and some clever third-party forensics software allowed you to gain data right from iCloud. Then, you were kind enough to share your bounty of photos with everyone, ensuring that gossip sites and forums had a field day.
In 2014 you also demonstrated increasingly impressive organizational skills. You began selling your hacking services and running your organization in a very notably corporate fashion. The Blackshades malware reflects this growing sophistication. After infecting more than a half-million machines across more than 100 countries, you were shown to be running your hacking operation like a very organized and professional business, replete with paid staff, customer service personnel -- even a marketing director to promote Blackshades. Now that is some well organized crime!
The list goes on, pointing to an outstanding year. The cyber security market is estimated to be worth about $76 billion annually, and demand for security solutions is at an all-time high. Yet you remain effective. As we have improved at stopping you, you have improved your methods, making them more sophisticated and advanced.
In 2015, you’ll keep showing us why the cyber security market is as immense as it is and why it will never stop growing. Despite what we’ll spend to protect and educate ourselves, you’ll keep on doing what you do best: exploiting vulnerabilities in operating systems and people. You’ll continue to show that we can never let our guard down and must remain vigilant at all times. To that end, we’ll keep exercising best-practices by making sure our systems are patched on Tuesdays, our antivirus is up-to-date, and to teach people -- our softest spot in the armor -- to stop being duped into clicking the links you send them.
We'll see you on the battlefield next year. Be prepared. We will be.