By: Lauren Sporck, associate, OPSWAT
According to the ITRC (Identity Theft Resource Center), there were 5,754 data breaches between November 2005 and November 2015, exposing 856,548,312 records. According to its data, there were 783 breaches in 2014, the largest number of data breaches in a single year to date. ITRC data also indicated that 29% of breaches involved hacking incidents in 2014, compared to just 14.1% in 2007. This shows an upward trend in the number of data breaches resulting from an outside cyber-attack. Although this data covers breaches of every size, a few stand out from the rest as some of the worst data breaches in history in terms of resulting costs and the number of records compromised. Below is a list of 8 of the worst breaches in history, highlighting the cause of each breach and its effects on the public and business sectors.
1. TJX – 2003
A hacker managed to infiltrate TJX chains, including Marshalls and TJ Maxx, and stole 45.7 million customer credit card and debit card numbers. Although not thought to be responsible for the hack itself, a group of people in Florida were charged with buying customer credit card data from the hackers and then using that data to purchase $1 million worth of electronic goods and jewelry from Walmart. This breach is still considered one of the biggest retail data breaches of all time.
2. Hannaford Brothers – 2013
Hackers managed to steal 4.2 million credit and debit card numbers within 3 months from 300 stores of Hannaford, a large supermarket retailer. Hackers collected customer data via malware uploaded to Hannaford servers. The malware could intercept customer data during transactions, and the stolen data was then used in over 2,000 cases of international customer fraud.
3. Target – 2013
To gain access to customer credit and debit card numbers, hackers installed malicious software on POS systems in the self-checkout lanes of Target stores. The card-skimming malware compromised the identities of 70 million customers and 40 million credit and debit cards. The same malware was later found in the Home Depot breach referenced below.
4. Home Depot – 2014
An attack on Home Depot’s payment terminals affected 56 million credit and debit card numbers. The Ponemon Institute estimated a loss of $194 per customer record compromised due to re-issuance costs and any resulting credit card fraud. For example, protection from identity theft through Experian is $14.95 per month. For this specific breach, that would amount to $837.2 million in costs related to fraud monitoring, which is often offered in the wake of a breach in order to protect victims from identity theft. Hackers first gained access to Home Depot’s systems through stolen vendor login credentials. Once the credentials were compromised, they installed malware on Home Depot’s payment systems that allowed them to collect consumer credit and debit card data.
5. eBay – 2014
Between February and March of 2014, eBay requested that 145 million users change their account passwords due to a breach that compromised encrypted passwords along with other personal information. Like many of the other breaches included in this post, hackers gained access to eBay accounts through stolen login credentials. The credentials did not come from customers themselves but instead from eBay employees. In this particular breach, user payment information via PayPal was safe since it was encrypted; users were only asked to change their passwords as a precautionary measure.
6. JP Morgan Chase – 2014
In 2014, a cyber-attack aimed at JP Morgan Chase compromised 83 million household and business accounts that included personal information such as names, email addresses, and phone numbers. The attack was said to impact two-thirds of all American households, making this breach one of the largest in history. A little less than a year later, four men were indicted for the attack on JP Morgan Chase as well as several other financial institutions, with charges including securities and wire fraud, money laundering, and identity theft. The men made over $100 million through the scheme. In some instances, login credentials were obtained by tricking users and then used to access customer information. Hackers also exploited the Heartbleed bug in this breach, a vulnerability in OpenSSL that allowed hackers to steal information that is normally encrypted.
7. Sony Pictures – 2014
Analysts believe that the Sony breach began with a series of phishing attacks targeted at Sony employees. These phishing attacks worked by convincing employees to download malicious email attachments or visit websites that would introduce malware to their systems. This type of attack used social engineering: the phishing emails appeared to be from someone the employees knew, tricking them into trusting the source. Hackers then used Sony employee login credentials to breach Sony’s network. Over 100 terabytes of data was stolen, and monetary damages are estimated to be over $100 million.
8. Anthem – 2015
In February of 2015, hackers broke into Anthem’s servers and stole up to 80 million records. The healthcare giant is the parent company of several well-known healthcare providers including Blue Cross and Blue Shield. The attack began with phishing emails sent to five employees, who were tricked into downloading a Trojan with keylogger software that enabled the attackers to obtain passwords for accessing the unencrypted data. This breach was particularly devastating because it included the theft of millions of medical records, thought to be worth 10 times as much as credit card data. It is suspected that the stolen health records will be sold on the black market in the future.