A simple workaround that should narrow the scope of this attack down to requiring the mirror to be hacked is to use Tor Onion Service or HTTPS. Using a HTTPS CDN mirror makes attacking the mirror even harder.
The official onion address for security.debian.org is: deb http://dju2peblv7upfz3q.onion/debian-security jessie/updates main
