There is a familiar theme in all security breaches, regardless of scale: careless oversight and failure to act proactively. Let these cautionary tales help ensure your organization does not fall victim to cyber criminals who will always exploit those who fail to protect themselves.
In October, banking giant JP Morgan Chase announced hackers managed to steal personal information of nearly 80 million customers, including telephone numbers and email addresses. Credit card numbers were not reported as part of the attack, but an outside report of a massive stolen credit card ring estimated that 7 million cards could have been compromised as part of the breach. Criminals gained access through an employee computer with special privileges that was used at work and at home, and then exploited bank applications with known security vulnerabilities.
While technically the Target data breach started in 2013, the full effects were not realized until 2014. Spanning over 1,800 stores, the telephone number, email and mailing address of more than 70 million customers were stolen along with 40 million debit and credit cards. Target admitted it was aware of IT vulnerabilities and detected intrusion the previous year, but no significant effort to stop the hackers was made. Criminals exploited the credentials of an HVAC company to access Target’s network and then installed malware on point-of-sale machines. In the aftermath, Target CEO Gregg Steinhafel was fired and company spent more than $150 million to address breach-related costs.
As many as 56 million credit cards and 53 million emails addresses were stolen from April to September at Home Depot stores. Criminals gained access to the retailer’s network by using the login credentials of a Home Depot vendor and exploiting a flaw in the Windows Operating System. Home Depot faces dozens of lawsuits and spent $43 million dealing with the fallout from the data breach in the third quarter alone.
Michaels & Staples
The arts and crafts retailer Michaels announce it uncovered a security breach that exposed approximately 2.6 million customer credit and debit cards. The attackers used highly-sophisticated malware installed on its point of sale systems that security firms had not previously encountered. A few months later, office supply chain Staples announced a similar breach to their systems impacting 115 stores in its chain and may have affected 1.16 million customer payment cards. Sources familiar with the investigation indicated the card-stealing malicious software installed at both retailers was controlled by the same criminal infrastructure.
As early as February of 2014, emails at the entertainment giant indicated significant vulnerabilities were not being patched on their network servers. Sometime during the year, attackers gained access to the network and took essentially everything desired, resulting in the most devastating loss suffered by any corporation. Late November, Sony employees received threats that information stolen from their networks would be distributed to the public including unreleased movies, personal memos, proprietary business strategies, and confidential employee information. It has not been determined whether the attack was the work of an insider or initiated from a hotel in Thailand, but it is clear the losses will be in the hundreds of millions of dollars.