In late June, the Little Red Hen Restaurant suffered a commercial attack that diverted visitors away from its website. The Red Hen website was subjected neither to graffiti nor to political criticism. Instead, the breach altered the website so that it sent visitors to a reproductive health products site. It appears the Red Hen’s recent notoriety attracted a high internet visitor count and that fountain became a target for marketers to divert attention for their own benefit. Some observers will be convinced this was a political attack, but then some see everything through a partisan lens.
The website of the National Action Party (PAN), a mainstream political party in Mexico was attacked during the final debate of candidates in early June. The attack was a distributed denial of service (DDoS) involving 185,000 visits within 15 minutes coming from China and Russia. Expert cyber observers concluded the attack was intended to prevent the Mexican populace from logging onto PAN’s website to view documents that could influence the results of elections to be held on July 1st. That is plausible since Russia is a chronic user of cyberattack. Russia is behind attacks on US 2016 elections, the US energy sector, the UK’s National Health Service, the Ukraine, and now Mexico’s election.
In March 2018, Under Armour suffered a cyberattack that resulted in 150 million stolen customer usernames, email addresses and encrypted passwords. In late June, Adidas said its U.S. e-commerce website was breached, and emails, encrypted passwords and usernames were stolen. These attacks on websites of apparel vendors are very similar, but it is unclear how much mayhem hackers could perpetrate with just the stolen credentials.
Since the stolen passwords were encrypted, customer accounts at Under Armour and Adidas are not in jeopardy. However, the stolen emails and usernames might help hackers craft social engineering appeals directly with the customers. These attacks look flawed because they obtained so little of commercial value. To make the information truly useful, a second stage theft (e.g. a mapping of userid to name and phone number) is needed to improve the value of what was first stolen.
In contrast to attacks on apparel vendors, Ticketmaster UK suffered a deeply disturbing, long running breach that leaked “names, addresses, email addresses, telephone numbers, payment details and Ticketmaster login details of all those who purchased or attempted to purchase music concert tickets between February and June 23rd of this year.”
The Ticketmaster UK breach started with hackers placing “malicious software on its customer support product.” Some international customers trading in tickets as early as September 2017 may also have been affected. USA Ticketmaster was not attacked. This attack may be lethal to customers’ trust in Ticketmaster because so much personal and financial information was given up to hackers over such a long period of time. One must question who was tending to security over that nine-month period.
At this stage, the attack on apparel websites probably harvested too little for hackers to convert it into a big payoff. On the other hand, the Ticketmaster haul should be worth a small fortune. The Ponemon Institute estimates that $141 is the average cost per lost or stolen record. Over the six months of leaked Ticketmaster UK transactions, one could assume a million lost records. If this were in the US, we would expect the tort/class action bar to commit collateral mayhem.
The volume of cyberattacks grows each year. The state sponsored attacks are of highest concern because they appear to be practice runs that could be weaponized into high volume attacks against rival nations. Due to appropriate secrecy, we are unlikely to hear how well our nation can divert those cyberattacks. On the other hand, political hi-jinx with military funding suggests some politicians either don’t understand the danger from attacks on critical infrastructure, or they don’t care.