With advances in technology, cyber attacks are becoming more sophisticated and more frequent than ever before. In fact, industry experts now agree that there are two types of organizations in today’s world: those that have been breached and those that just don’t know it yet.
Over the past few years there have been a series of successful cyber attacks, compromising the personal information of millions upon millions of people. It’s no wonder why companies pour so many resources into their IT management software. Here’s a look at seven of the most high-profile cyber security breaches that have affected the most people, along with some insights as to what went wrong.
Target Corp.
While the 2008-09 breach of Heartland Payment Systems resulted in the biggest breach to date—information from some 130 million credit and debit cards was made available to cybercriminals—the 2013 breach of Target, Inc. is more well-known to the general public.
The data theft affecting Target stores nationwide was unique in that it happened in the stores themselves, not online. As for how the breach occurred, it appears that the theft of credit card and personal data began with a malware-laced phishing attack directed at employees at an HVAC firm contracted with the retailing giant. From there, the malware eventually ended up on approximately 40,000 card devices at Target store registers. The malware was designed to steal information from the magnetic stripes found on the backs of credit and debit cards as the cards are “swiped” at the point of sale, and the breach is estimated to have affected 110 million Target shoppers. According to industry analysts, the breach could eventually cost Target Inc. as much as $1 billion. A recent Wall Street Journal article stated that Target’s security woes could have been avoided had the company employed a Chief Information Security Officer (CISO).
Sony Online Entertainment Services
The Nov. 24, 2014 hijacking of Sony Pictures Entertainment’s private network is not the first of Sony’s run-ins with cybercriminals. In April 2011, hackers who remain unknown to this day carried out a dual assault on the PlayStation Network, which links all of Sony’s home gaming consoles, and Sony Online Entertainment, which hosts online multiplayer PC games involving massive numbers of players along with Qriocity, Sony’s music and video streaming service. According to testimony given by a Purdue University professor before a Congressional committee investigating the incident, the breach was the result of Sony’s failure to use firewalls to protect its networks as well as failure to keep its Web applications fully updated.
As a result of the breach, personal data found in 102 million user accounts was compromised, including login credentials, names, addresses, phone numbers and email addresses. Despite Sony’s claims that credit card information remained safe thanks to encryption, approximately 24,000 users of SOE and Qriocity in Europe had their credit card data stolen. Thus far the clean-up costs for Sony are said to be $171 million.
JPMorgan Chase
The summer 2014 breach of JPMorgan Chase drove home the fact that financial institutions are just as vulnerable to cyberattacks as big box retailers and multi-media giants. Using a purloined list of applications and programs that run on JPMorgan’s computers, the hackers were able to verify known vulnerabilities in each program and application and then exploit those weaknesses to gain entry into the bank’s systems. All told, the JPMorgan breach compromised the accounts of 76 million households and 7 million small businesses. Although there were initial concerns that the breach of financial information could have meant that cybercriminals had gained access to ultra-sensitive information such as social security numbers, JPMorgan has since stated that there was no evidence that passwords and social security numbers had been compromised.
TJX Companies, Inc.
Dating back to its discovery in 2007, the TJX data breach constituted the biggest theft of customer data ever in the United States. The parent company of such popular retail brands as T.J. Maxx, Marshalls and HomeGoods, TJX estimated that at least 46 million credit and debit card numbers were stolen over an 18-month period. In addition, driver’s license numbers and other “personally identifiable information” were reportedly stolen from about 450,000 TJX customers as a result of the breach.
One of the TJX hackers was Albert Gonzalez, a notorious cyber criminal who, just two years later, took part in the aforementioned Heartland Payment Systems attack. The breach is attributed to weaknesses of the Wired Equivalent Privacy (WEP) security model, allowing hackers on laptops to access customer credit card numbers kept on unprotected networks. Updated estimates put the total of credit and debit card numbers stolen at 94 million, with a cost to TJX approaching $1 billion.
The Home Depot
In Sept. 2014, Home Depot, the hardware and building-supplies retailer, revealed that more than 56 million customer credit and debit card numbers were stolen as the result of a data breach during the summer. According to the retail giant, cyber-thieves infected point-of-sale systems in stores throughout the U.S. and Canada using malware disguised as antivirus software. In a recent Reuters report, Home Depot said that the “criminals used unique, custom-built software that had not been seen in previous attacks and was designed to evade detection.” The company further stated that the malware has since been removed from all U.S. and Canadian stores, and that U.S. stores have since implemented a new “enhanced payment protection” system for encrypting customer credit and debit card data.
Although it received less media attention than the Target breach, which happened during the holidays of 2013, the Home Depot attack affected more people and has since cost the company $62 million and counting. The breach is also said by security experts to be the largest theft ever of credit card information from a single company.
In a recent survey of IT professionals, more than 50 per cent of them admitted that they use improper or even personal cloud storage for work use. That’s a stunning amount of unsecured network parameters! Virtually every organization has some bit of unsecured cyber property. The above breaches serve as a cautionary tale for all organizations, suggesting the need to be constantly on the lookout for new and better ways to protect sensitive corporate and customer data.