By Indusface Research Team

The Top 10 Breach Stories

Torture the data, and it will confess to anything.

                                                                        – Ronald Coase, Economics, Nobel Prize Laureate

And if this data in question, falls into the wrong hands, then unfortunately the victims will suffer more than just financial loss. The year 2014 might just turn out to be the Year of Data Breaches…there’s more than a fortnight left for the year to bid us goodbye, so we want to stick to ‘might’. But it cannot be denied that 2014 has kept businesses on their toes, with news of data breaches surfacing almost every other day. 345 days of the year (remember, a fortnight is left!) witnessed 708 counts of breaches, resulting in more than 81.5 million records being exposed*. While initially everyone would think that the financial industry is the most targeted, this perception changed quickly this year. It did not matter what industry you were part of, how much money you made or how many customers you had, if you had a website, you were a target.

So in this edition, we bring to you the top 10 Data breaches of 2014, which wrecked the most havoc on businesses and people:

Top 11 breaches of 2014:

    1. January
      Snapchat: A security breach affecting Snapchat, exposed 4.6 million user’s phone numbers and usernames. The hacker went on to post the database on Reddit and on a website called SnapchatDB.info.It was disclosed that Snapchat had been warned in 2013, August, about their data being vulnerable by a computer security research firm. The presence of this exploitable vulnerability made stealing data from Snapchat possible, a breach that could have been easily avoided.

 

    1. January
      Neiman Marcus: The year started on a bad note for the American luxury specialty department store. Up until 6 weeks after the malware attack that left their card data exposes, Neiman Marcus was unaware of the compromised data. 1.1 mn payment cards were thought to be exposed, with atleast 2400 cards fraudulently used. Malware similar to the one used for Target attack by installing it on point-of-sales terminals, was cited to be behind this attack. The malware stole unencrypted card data while the data was still in the cash register’s memory.

 

    1. April
      Michael: Michael stores, an art and craft retail chain operating 1040 stores, admitted to its 3 million customers being hit by data breach, in April. As per Michael, hackers broke into their payment systems in 2014, using a highly advanced malware. They targeted their point-of-sales machines, similar to the attacks on Target and Neiman Marcus.As per the company in question, the malware affected customers who used their credit or debit cards in their stores in between May 8, 2013, and January 27, 2014, which was a total of 2.6 million cards. Its subsidiary, Aaron brothers, was further affected and an additional 400,000 cards were stolen from those who shopped between June 26, 2013, and February 27, 2014.

 

    1. April
      AOL: AOL announced the breach of AOL e-mail, in which a “significant number” of accounts, were compromised. The company announced in a blog post that the information compromised comprised of AOL users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that are asked for resetting user passwords, as well as certain employee information. As for the reason behind the breach, AOL said that they believed that a person gained unauthorized access to the AOL network where some user information where stored.It should be noted that they confirmed the breach only after a massive surge in spam emails was reported by AOL users.

 

    1. May
      eBay: The American multinational internet giant, reported massive security breach in May. This historic breach was said to affect 145 mn active users of eBay. It was found that the breach happened somewhere in between February and April, but was not discovered till May. It was disclosed that the hackers managed to access and copy a massive user database which was devoid of financial data but contained customer names, user account passwords ( encrypted ), email addresses, birth dates, mailing addresses, phone numbers and other personal information.The foundation of the breach was believed to have laid after hackers compromised a small number of employee log-in credentials, resulting in them gaining access to eBay’s corporate network. eBay breach is cited to be the second largest breach in the history of United States.

 

    1. June
      AmEx: AmEx or American Express Company, the famous financial services company known for its credit cards, was informed by the Secret Service that several files containing personal details of 76,000 American express account holders had been published online by the hacking group, Anonymous.AmEx card users were suggested to check their credit card transactions carefully for any fraudulent activity. It was also mentioned that this hack was part of Ukrainian March hack, in which Anonymous Ukraine had hacked and released more than 7 mn records as part of a protest against financial firms for “enslaving” people.

 

    1. September
      Gmail: Almost five million accounts were hacked and their data was leaked in an attack affecting all Gmail users. Google had denied the hack claim. They said that if in case such an event happens, they inform the affected users. Reason for Google denying the hack was attributed to the fact that in past, there have been more than few hacking incidents in which Google’s name was dragged in. This time, Google came out with a statement and insisted that since no internal systems were breached and illegally accessed, they concluded that the accounts whose login data was stolen, was due to an individual obtaining usernames and passwords from a malware infected computer.This claim was supported by the fact that the information leaked seems to be pulled from much older lists. A large number of leaked passwords were as old as three years. Due to this the leak was being accredited to a combination of breaches that had happened in the past.

 

    1. September
      iCloud hack– Early September, all hell broke loose when some private photos of a few Hollywood stars was exposed on internet. As per the statement issued by Apple, “certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions a practice that has become all too common on the Internet”. Apple rarely issues a statement, and this itself shows the severity of this attack.According to some security researchers, Apple might have left iCloud vulnerable to a brute force password hacking attempt, which was used by hackers to use a software to keep trying random passwords till the time targeted accounts with comparatively weaker passwords gave away.

 

    1. October
      JPMorgan Chase: In a cyberattack on JPMorgan Chase, accounts of 76 million homes and seven million small businesses was compromised. The initial estimate of accounts compromised, was put at one million by the bank, but the final number came out to be much higher.The attack had appeared to be a highly focussed one, with the hackers seem to be making use of a blueprint of sorts, comprising of a list of all apps and programs run on the bank’s computers.These could then be tallied against the known vulnerabilities in the applications, which if found unpatched, could be used as an entry point into the bank’s systems.

 

  1. December
    Sony data breach– Around 100 TB of data was thought to have been exposed in a data breach affecting Sony. The wide ranging hack is believed to have affected every data which was possessed by Sony. It consisted of unreleased film scripts, employee healthcare and salary data, employee social security numbers, important business data like executive salaries, salary restructure data, lay-offs and more.The breach has been quoted to be “the most embarrassing and all-encompassing hack of internal corporate data ever made public”. It is being speculated that the attack was sponsored by N.Korea, as a retaliation against Seth Godin’s upcoming Sony Pictures comedy film, “The Interview” based on an assassination attempt on North Korean leader, Kim Jong Un.The scary part is that the hackers have said that they will be releasing more ‘interesting’ data very soon.

When you are thinking about keeping your data secure, you not only have to fear hackers or technical glitches, but also human error and lack of proper organizational controls. With one after another major data breaches hitting us in 2014, tightening up our security for 2015 should be on our top priority list.

*Identity theft resource center

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.