We’re declaring 2014 the year of the hacker. There have been more high-profile data breaches in the last 12 months than ever before -- and security experts say 2015 could be a stormy year. Before we get to the predictions, let’s take a look at some of the biggest hacks in an unprecedented year of data breaches.
Controversial Sony Hack
The hack that’s still on everyone’s mind remains somewhat of a mystery. The Federal Bureau of Investigation is pointing the finger of blame for the Sony Pictures Entertainment cyberattack directly at North Korea, but security experts don't agree.
The hackers compromised Sony Pictures' computer systems, stole data and intellectual property, and initially caused the movie giant to can its new comic film, "The Interview." The Sony-produced comedy, starring Seth Rogen and James Franco, was thought to be the likely cause of the cyberattack. The movie depicts a fictional plot to assassinate North Korean dictator Kim Jong-un. Ultimately, Sony released the film online on December 24 and in some U.S. theaters on Christmas Day.
JP Morgan and Financial Services
First JP Morgan was hacked in September. Then, in October, 13 financial institutions, including Fidelity Investments, were hit by cybercriminals believed to be associated with the same crew. JP Morgan revealed the accounts of 76 million households were compromised in the attack. On top of that, another 7 million small businesses were compromised. In a Securities & Exchange Commission filing, the firm said that user contact information, including names, addresses, phone numbers and e-mail addresses, was compromised.
The Home Depot Hit
In September, Home Depot warned customers about a potential data breach. By November, the home improvement retailing giant reported the breach was worse than it first thought. Beyond the payment-card data Home Depot initially said was leaked in the attack, separate files containing about 53 million e-mail addresses were also captured.
Target Breach Spillover
The now infamous Target data theft was the largest affecting a retailer since data on 45.7 million shoppers was taken in 2005 from retailing giant TJX, which operated several chains, including T.J. Maxx and Marshalls. Although it took place in December 2013, the fallout continued into 2014.
Both Target’s CEO and CIO resigned over the massive data breach, which led to the theft of information on what was believed to have been 40 million credit and debit card accounts in transactions that occurred from November 27 to December 15. The hack on Target was expected to cost more than $400 million.
Hackers, Hackers Everywhere
The list of breaches goes on and on and on. In December, fashion retailer Bebe said it detected suspicious activity on computers that operate the payment processing system for its stores. Staples revealed a hack in October. At least 100,000 photos, including nude images, were hacked from Snapchat in the same month.
Just days earlier, fast food chain Dairy Queen pushed out a security story and it's anything but sweet. The international firm said cybercriminals hit systems at some of its DQ locations and one Orange Julius location in the United States. AT&T suffered its second insider data breach in October.
In September, Jimmy John’s reported a possible security breach and a data breach plagued eBay in September. United Parcel Service (UPS) in August announced that about 105,000 customer transactions at 51 of its UPS Store locations in 24 states could have been compromised between January and August. And let’s not forget the Community Health Systems hack, also in August, that affected 4.5 million patients.
Back in May, Bitly, the URL shortening service, was breached and user accounts were compromised. But that hardly compared to the Michaels Stores breach in April that saw nearly 3 million credit and debit cards breached. The Neiman Marcus breach in January was the real wake-up call for retailers. The company reported 1.1 million debit and credit cards used at its retail stores were compromised in a 2013 security breach. That was the beginning of the long list of retail breaches in 2014.
In February, we learned that the hotel industry had also been targeted. White Lodging, a company that maintains hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin, suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013, according to KrebsOnSecurity.
In May, a CNN Money report revealed that nearly half of all American adults have been hacked. But the situation may grow worse in 2015.
We caught up with Steve Hultquist, chief evangelist, RedSeal, a security analytics company, to get his predictions for 2015. He told us there will be a number of significant breaches affecting broad swaths of consumers and businesses around the world next year.
“We have already seen significant breaches, but so far, the impact to individuals has largely been limited to getting new credit cards. The subtlety and length of the breaches that are publicly disclosed indicate the underlying goals to be moving away from ‘smash and grab’ of credit card number thefts towards more systemic damage, possible by simply waiting for information and continuing to probe for more content,” he said.
“Similar to the miscreants who traded in secretly purloined celebrity photos long before the massive release, criminals are sitting inside networks gathering information to create a more significant payday or outcome,” Hultquist added.
Posted: 2014-12-31 @ 5:03pm PT
I agree that "the impact to individuals has largely been limited to getting new credit cards," and "The subtlety and length of the breaches that are publicly disclosed indicate the underlying goals to be moving away from ‘smash and grab’ of credit card number thefts."
The hackers are advancing their game, attacking other types of data.
Our current monitoring systems are not effective and we know that less than 14% of breaches are detected by internal security tools according to the annual international breach investigations report by Verizon.
Detection by external third-party entities unfortunately increased from approximately 10% to 25% during the last three years.
Many of our current approaches with monitoring and intrusion detection products can't tell you what normal looks like in our own systems.
I think it is time to secure all sensitive data, not just credit cards, across the entire data flow.
I think it is time to re-think our security approaches and be more data-centric and secure the data itself with approaches like data tokenization.
Ulf Mattsson, CTO Protegrity