2014 was the year of the security breach. In fact, it was just at the tail end of 2013 when retail giant Target was hacked. Forty million payment card numbers were stolen during that holiday season, affecting an estimated one in three Americans. That was a harbinger of things to come, as data breaches dominated the IT security news throughout 2014. If there was any kind of silver lining to the Target affair, it was that it heightened a lot of folks’ awareness of data security. People whose eyes normally glaze over at the mention of advanced persistent threats (APTs) and remote access Trojans (RATs) were suddenly talking about disparate security appliances, software agents, and management systems.
So, aside from the Target hack, which security breaches had the most impact on businesses and consumers? Read on for the top five security breaches of 2014, and what we can learn from each.
This is just a small sampling of the largest data breaches that compromised an estimated 384 million U.S. records last year – more than the entire nation’s population. Have we learned anything from these and the numerous other IT security events of 2014? One unfortunate fact is that a pattern is developing. Previously, 2013 was a record year for IT breaches, and before that 2012 set a record, so if nothing changes 2015 is on track to do the same. A recent study sponsored by IBM, the 2014 Cost of Breach Study: Global Analysis, found the average cost of a security breach to the companies studied was $3.5 million – a 15 percent increase over last year.
Hopefully, these breaches can teach us some lessons about IT security in general, and specifically how consumers and small-to-midsized businesses (SMBs) can better secure their data. Let’s take a look at some big IT security breaches of 2014, breaches that collectively impacted hundreds of millions of Americans – i.e. the majority of consumers and many SMBs.
Shortly after the Target breach, news broke in January 2014 that high-end department store chain Neiman Marcus had been hacked. The hacking occurred between July and October 2013, and originally the company thought that as many as 1.1 million debit and credit cards were hacked, but further investigation reduced that figure to a maximum of 350,000. Malicious software installed onto the Neiman Marcus system was the route the hackers used.
In September 2014, nonprofit organization Goodwill Industries announced that a data breach in 330 of its stores may have compromised about 860,000 debit and credit cards. According to their investigation, a third-party vendor’s systems were attacked by malware. All the affected stores used the same vendor to process card payments.
This one was huge. In September, the giant home improvement chain confirmed that 56 million credit and debit cards had been breached. Once again, hackers used a third-party vendor to gain access to a larger network. In this case, after using the vendor’s user name and password to enter the perimeter of the network, hackers then acquired elevated rights to navigate privileged portions of the system. They then installed malware on the company’s self-checkout systems.
This is the nation’s largest bank in terms of assets. In a Securities and Exchange filing in October, JPMorgan Chase disclosed a data breach between June and July 2014 that affected 76 million households and 7 million SMBs. Hackers stole customer names, addresses, phone numbers, and email addresses, but no account numbers, passwords, social security numbers, or birthdates. The bank said that no unusual customer fraud had resulted from this breach.
Last year ended with Target’s breach, which so far has cost the company an estimated $148 million, and this year it was Sony who closed the calendar with a data breach story. In December, hackers pirated five unreleased movies and released them online. The crooks also exposed about 47,000 Social Security numbers, which appeared more than 1.1 million times on 601 publicly posted files. Many of those files also revealed other personal information, such as full names, birthdates, and home addresses.
2015 And Beyond
Hopefully, the costs associated with hacking will motivate enterprises to take more preventive measures this year, including having an incident response and crisis management plan in place. Large enterprises are increasing their IT budgets, hiring more IT experts, and adding new positions at the C-level such as the chief security officer (CSO). More SMBs are consulting with managed services providers and utilizing virtual chief information officers (VCIO).
This year, let’s strive for a new awareness of the importance of information security. An assessment of your current situation may help you figure out what preventive measures you can take in order to avoid a breach. If you do not have an IT department, contact a Managed Services Provider (MSP) that is trusted and understands your business' goals.