The Worst Hacks of 2025

It was a strange year in cyberspace, as US president Donald Trump and his administration launched foreign policy initiatives and massive changes to the federal government that have had significant geopolitical ramifications. Through it all, the steady drumbeat of data breaches, leaks, ransomware attacks, digital extortion cases, and state-sponsored attacks that have unfortunately become a backdrop of daily life kept pounding.

Here’s WIRED’s look back on this year’s most significant breaches, hacking sprees, and digital attacks. Stay alert, and stay safe out there.

Salesforce Integrations

Attackers grabbed data from the sales management giant Salesforce in at least two breaches this year—but they didn’t compromise Salesforce directly. Instead, the group breached third-party Salesforce contractor integrations, including those of Gainsight and Salesloft.

Google’s Threat Intelligence Group reported on the spree in August, saying that some Google Workspace data had been compromised as part of the breach of the sales and marketing platform Salesloft Drift. Though the incident was not a direct hack of Google Workspace, it represented a rare instance in recent years of Alphabet customer data being exposed.

Other impacted companies include Cloudflare, Docusign, Verizon, Workday, Cisco, LinkedIn, Bugcrowd, Proofpoint, GitLab, SonicWall, Adidas, Louis Vuitton, and Chanel. The credit bureau TransUnion also had a breach apparently tied to the situation that exposed the information of 4.4 million people, including names and Social Security numbers.

The spree was perpetrated by a group known as Scattered Lapsus$ Hunters—a potential amalgam of actors and tooling from the hacking and data theft groups Scattered Spider, Lapsus$, and ShinyHunters. Researchers note, though, that the group isn’t actually a one-to-one evolution of the three namesakes. Regardless, Scattered Lapsus$ Hunters have a data leak site where they’ve been previewing troves of stolen data from the campaign and conducting digital extortion attacks on victims.

Clop’s Oracle E-Business Hacking Spree

The ransomware group Clop is known for carrying out mass exploitation of vulnerabilities for data breaches and extortion attacks. Past rampages in recent years had huge numbers of victims at both private companies and government agencies. This year, the group did it again, exploiting a vulnerability in Oracle’s E-Business internal management platform to steal data from numerous companies and organizations.

As part of the spree, Clop was able to steal employee data from multiple companies, including the personal information of executives, and used it to send emails and other threatening communications to senior employees as part of demands for millions of dollars in ransom to delete the data instead of publishing it.

Oracle scrambled to patch the vulnerability at the beginning of October, but Clop had already been exploiting it to steal data from hospitals and health care groups, media companies like The Washington Post, and universities like the University of Pennsylvania (see below).

University Breaches

The University of Pennsylvania publicly disclosed a data breach at the beginning of November that took place at the end of October, impacting personal data—some of it years or decades old—of students, alumni, and donors. The data also included internal university documents and some financial information. The incident was the result of a phishing attack; the hacker sent email blasts to students and alumni describing Penn as “woke” and saying that the school prioritizes “legacies, donors and unqualified affirmative action admits.” The Verge reported, though, that ultimately the hacker may have been financially motivated.

Harvard said in a November statement that the systems of its Alumni Affairs and Development office had been breached via a “phone-based phishing attack.” The incident involved personal information of alumni, their partners, Harvard donors, parents of current and former students, some current students, and some faculty and staff. The data included email addresses, phone numbers, physical addresses, event attendance records, information about donations to the university and other fundraising details. Princeton University was hit with a similar attack that same month, although the scope of affected data seems more limited.


