Whether it be iPhones with bigger screens, major video game releases to make next-gen systems finally worth it, or wearables that are actually appealing to consumers, it’s safe to say any technological ‘advancement’ of this year was overshadowed by the seemingly endless wave of breaches that plagued companies and consumers alike.
With the New Year only a couple weeks and change away, let’s look back at 2014, aka the ‘Year of the Breach’, and revisit 10 companies who want nothing more than to forget their breach nightmares and start fresh in 2015:
Going back almost a full year to January, and you have what was one of the first post-Target breach breaches to come to light. According to numerous sources (and reported by the ever-informed Brian Krebs), all signs were pointing to a potential Michaels breach. That same day (January 14), the US Secret Service said it was investigating further.
Fast-forward to April and we get the confirmation, with Michaels Stores Inc. announcing that 3 million customer credit and debit cards were stolen in Michaels and Aaron Brothers stores as a result of two eight-month long security breaches.
On July 21st, news of another breach started coming in. This time, the victim was Goodwill Industries. Or more specifically, the systems of a third-party vendor that processes payments for some Goodwill members (20 to be exact, which represents ~10% of all stores).
This breach, which was determined to be caused by a piece of malware called ‘Rawpos’, resulted in exposed information of 868,000 customer credit cards. Goodwill released details of the breach in September on their site.
The Home Depot
Speaking of September, that was a rough month for The Home Depot, which began when the company said it was “investigating some unusual activity with regards to its customer data.”
That ‘unusual activity’ ended up being a massive breach that involved pretty much every Home Depot location in the country.
Sure enough, six days after the initial reports started filing in, the company admitted that its payment systems were in fact breached, and that the attack was going on for months. What was not yet known was the scope of the attacks.
That announcement came 10 days later, with The Home Depot saying that the malware was contained, 56 impacted debit and credit cards later. The disclosure made the incident the largest retail card breach…ever recorded.
On October 1st, with The Home Depot breach still fresh on peoples’ minds, Japan Airlines said that it was the latest breach victim and that 750,000 frequent flyer club members’ information may have been stolen after hackers breached JAL’s Customer Information Management System and installed malware on computers that had access to the system.
The potentially stolen data included everything from customer names to membership numbers and home addresses.
And then, just one day later, JP Morgan confirmed an absolutely giant breach that affected 76 million households and 7 millions small businesses. Affected were customers who used Chase.com and JPMorganOnline websites, and the Chase and JP Morgan online apps.
Stolen information included names, email addresses, phone numbers, and home addresses, but more potentially-devastating information such as account numbers, passwords, and Social Security numbers were not believed to be impacted.
Fox Business also came out with a report saying that the nation’s largest bank was also bracing for a mass-scale spear-phishing campaign right after the breach was exposed, and that the stolen info was the ‘first wave’ that would help the cybercriminals steal the aforementioned ‘good stuff’, which they could do with legitimate-looking emails targeting those customers who’s data they already nabbed.
While no such campaign has yet happened, it has not yet been determined for sure who was responsible for the breach and the investigation is still ongoing.
You can find more detailed descriptions of The Home Depot, Japan Airlines, and JP Morgan breaches in a previous blog I wrote.
Later in October, Sears Holdings Corporation announced that it discovered a breach at its Kmart stores that was due to malware on their POS (Point-of-Sale) machines. At that time, Sears also announced that the malware was removed and that there was an ongoing investigation.
The investigation went on to reveal that the attack started in early September, which means that the breach was going on for a full month. Despite that, Kmart said that no personal customer information was stolen as a result of the breach.
Just over a week after the Kmart breach, Brian Krebs reported that he got information from multiple banks who said they were seeing a patter of credit card fraud linking back to a series of Staples stores in the Northeastern part of the country. At that time, Staples said it was investigating the issue.
According to a Bloomberg update from last month, Staples said that it believed the malware that caused was identified and eliminated, but that the investigation was still in its early stages and that they could not yet estimate the scope of the breach or how much data was stolen.
Last month, it was also reported that a link was found connecting the Staples and Michaels breaches.
On November 10th, numerous reports came out saying that the United States Postal Service was breached back in September, and that Chinese hackers were responsible.
This breach impacted both employees and customers, compromising data of 800,000 workers and 2.9 million customers.
Earlier this month, security researcher Brian Krebs got word from banks about fraudulent charges on credit cards that were recently used at Bebe women’s clothing stores across the nation.
Sure enough, just a day later, Bebe Stores Inc. confirmed the breach, saying that the hackers got hold of customer information that may include customer names, account numbers, card expiration dates, and verification codes.
(Source: IB Times UK)
The latest, and perhaps most devastating (for the company affected, at least) of all 2014 breaches, the attack on Sony continues to make headlines daily as new details emerge and new information is leaked.
This breach has all the ingredients for a Hollywood flick (a mysterious enemy, global threats, massive exposure, a potential inside job, etc), which is ironic, considering that The Interview, a Hollywood comedy about two accidental ‘agents’ assigned to assassinate North Korea’s leader Kim Jong-un, may be what started the breach to begin with.
So far, the attack has crippled Sony’s corporate network, exposed personal employee information such as executives’ salaries, social security numbers and medical records, and leaked email conversations that have landed some top execs in hot water. And new details are continuing to emerge.
This list highlights only 10 of some of the most prominent companies that experienced a breach this year. As you can see, no industry is safe and no two breaches are exactly the same. The one constant? All 10 of these companies will have ‘Don’t get breached!’ as one of their New Year’s Resolutions.