Network Computing is part of the Informa Tech Division of Informa PLC


The 8 Worst Data Breaches Of All Time

  • Data breaches in large companies are the new normal, and customers have grown accustomed to hearing about data leaks, information thefts, and loss of their personal information. But for enterprises, data breaches can be disastrous. IBM estimates the cost of an average breach at $3.8 billion. And damage to a company's reputation and level of customer trust can be immeasurable.

    According to the ITRC (Identity Theft Resource Center), there were 5,754 data breaches between November 2005 and November 2015, exposing 856,548,312 records. According to its findings, 783 of those breaches occurred in 2014, the most in a single year to date. ITRC data also indicated that 29% of breaches involved hacking incidents in 2014, compared to just 14.1% in 2007. This shows an upward trend in the number of data breaches resulting from an outside cyber-attack.

    Although the data includes a comprehensive list of data breaches, whether large-scale or small, there are a few that stand out from the rest as the worst in history -- in terms of the resulting costs and number of records compromised. Here we list the eight most disastrous breaches, highlighting the cause of each breach and the effects on the public and business sectors.


  • 1. TJX - 2003

    A hacker managed to infiltrate TJX chains, including Marshalls and TJ Maxx, and stole 45.7 million customer credit card and debit card numbers. Although not responsible for the hack itself, a group of people in Florida was charged with buying customer credit card data from the hackers and using that data to purchase $1 million worth of electronic goods and jewelry from Walmart. This breach is still considered one of the biggest retail data breaches of all time.


  • 2. Hannaford Brothers - 2013

    Hackers managed to steal 4.2 million credit and debit card numbers within 3 months from 300 stores in Hannaford's supermarket chain. Hackers collected customer data via malware uploaded to Hannaford servers. The malware could intercept customer data during transactions, and the stolen data was then used in over 2,000 cases of international customer fraud.


  • 3. Target - 2013

    In order to gain access to customer credit and debit card numbers, hackers installed malicious software on POS systems in Target stores in self-checkout lanes. The card-skimming malware compromised the identities of 70 million customers and 40 million credit and debit cards. The attack was carefully planned and timed to take advantage of Black Friday and a heavy volume of holiday shoppers. The same malware was later found in a breach at Home Depot.


  • 4. Home Depot - 2014

    A security breach of Home Depot's payment terminals affected 56 million credit and debit card numbers. The Ponemon Institute estimated a loss of $194 per customer record compromised due to re-issuance costs and any resulting credit card fraud. For example, protection from identity theft through Experian is $14.95 per month. For this specific breach, that would amount to $837.2 million in costs related to fraud monitoring, which is often offered in the wake of a breach to protect victims from identity theft. Hackers first gained access to Home Depot's systems through stolen vendor login credentials. Once the credentials were compromised, they installed malware on Home Depot's payment systems that allowed them to collect consumer credit and debit card data.


  • 5. eBay - 2014

    Between February and March of 2014, eBay requested that 145 million users change their account passwords due to a breach that compromised encrypted passwords along with other personal information. Like many of the other breaches included here, hackers gained access to eBay accounts through stolen login credentials. The credentials did not come from customers themselves but instead from eBay employees. In this particular breach, user payment information via PayPal was safe since it was encrypted; users were only asked to change their passwords as a precautionary measure.


  • 6. JP Morgan Chase - 2014

    In 2014, a cyber-attack aimed at JP Morgan Chase compromised 83 million household and business accounts that included personal information such as names, email addresses, and phone numbers. The attack reportedly affected two-thirds of all American households, making this breach one of the largest in history. A little less than a year later, four men were indicted for the attack on JP Morgan Chase as well as several other financial institutions on charges including securities and wire fraud, money laundering, and identity theft. The men made over $100 million through the scheme. In some instances, login credentials were obtained by tricking users and then used to access customer information. Hackers also exploited the Heartbleed bug in this breach, a vulnerability in OpenSSL that allowed hackers to steal information that is normally encrypted.


  • 7. Sony Pictures - 2014

    Security analysts believe that the Sony Pictures breach in 2014 began with a series of phishing attacks targeted at Sony employees. These phishing attacks worked by convincing employees to download malicious email attachments or visit websites that would introduce malware to their systems. This type of attack used social engineering, where phishing emails appeared to be from someone the employees knew, thus tricking them into trusting their source. Hackers then used Sony employee login credentials to breach Sony's network. Over 100 terabytes of data was stolen and monetary damages were estimated to be more than $100 million.


  • 8. Anthem - 2015

    In February of 2015, Anthem reported that hackers had accessed its servers and stolen up to 80 million records. The healthcare giant is the parent company of several well-known healthcare providers including Blue Cross and Blue Shield. The attack began with phishing emails sent to five employees who were tricked into downloading a Trojan with keylogger software that enabled the attackers to obtain passwords for accessing the unencrypted data. This breach was particularly devastating because it included the theft of millions of medical records thought to be worth 10 times the amount of credit card data. It is suspected that the stolen health records will be sold on the black market.
