Worst security breaches of the year 2014: Sony tops the list

18.12.2014
As 2014 winds down, the breach of Sony Pictures Entertainment is clearly the biggest data breach of the year and among the most devastating to any corporation ever.

Attackers broke in and took whatever they wanted, exfiltrating gigabytes and gigabytes of documents, emails and even entire movies, apparently at will for months and months on end.

+ Also on Network World: The weirdest, wackiest and coolest sci/tech stories of 2014 | Peeping into 73,000 unsecured security cameras thanks to default passwords +

Posting the stolen data and the celebrity nature of much of it has resulted in a public relations nightmare for the company. It revealed snarky personal comments never meant to go public as well as personal information such as Social Security numbers and salaries and competitive information about projects in progress.

The scenario is any corporate IT security pro's worst fear being pwned and hung out to dry publicly. Add to that lawsuits being filed against Sony by former employees seeking damages they say they suffered because the company failed to adequately protect the data.

Whereas most breaches are carried out for profit such as theft of credit card information this attack was intended to hurt its victim as much as possible on multiple fronts and has been very successful.

Many of the big for-profit breaches involved compromises of the credit/debit card swiping machines at retail stores, among them Target, Home Depot, Neiman Marcus, Michael's and PF Chang.

[ Read all of Network World's year in review stories ]

A common way the crooks got in was by infiltrating trusted business partners and stealing legitimate credentials for accessing the victims' networks. Once inside, they moved from machine to machine until they reached the subnets containing point-of-sale machines, which they infected with scrapers to steal card numbers and expiration dates.

Sony's woes dominate headlines about hacks, there were some other significant break-ins this year. Here are a few of them briefly described.

Sony

Data compromised Seemingly everything stored in the network.

How they got in Unknown. Speculation ranges from an attack launched in a Thailand hotel to an inside job.

How long they went undetected Unknown.

How they were discovered On Nov. 22 employee computers received messages threatening public distribution of stolen data and displays of skulls on their screens.

Target

The Target breach happened last year but the important details came out this year so it's included here.

Data compromised 40 million credit and debit cards, 70 million phone numbers, mailing addresses and email addresses.

How they got in Hacking the credentials of a legitimate business associate, an HVAC company, to get on Target's network, then installing malware on point-of-sale machines.

How long they went undetected About two weeks.

How they were discovered The Department of Justice told them about it, but anti-malware software flagged the problem as well.

Home Depot

Data compromised As many as 56 million credit cards put at risk, 53 million email addresses

How they got in Via a third-party vendor's credentials followed up by exploiting an unpatched Windows flaw.

How long they went undetected From April to September.

How they were discovered The stores' executives were told by bank and law-enforcement officials.

Goodwill Industries (C&K Systems)

Data compromised 868,000 credit/debit card numbers.

How they got in By infecting point of sales card-swipe machines after compromising the network of the operator of the machines. Two other unnamed clients of C&K Systems were also compromised.

How long they went undetected 18 months.

How they were discovered Federal officials and payment card investigators told them.

JP Morgan

Data compromised Phone numbers and email addresses for 76 million households plus 7 million small businesses.

How long they went undetected Three months

How they were discovered Internal investigation as well as outside data about a massive stolen credit card ring.

Data compromised An unconfirmed number of credit card numbers, but possibly as many as an estimated 7 million

How they got in Undisclosed but point-of-sales systems were compromised

How long they went undetected Nine months.

How they were discovered The Secret Service told them about the breach

Neiman Marcus

Data compromised 350,000 payment cards

How they got in Uncertain but point of sales systems were compromised

How long they went undetected Three months.

How they were discovered Credit card processors warned about a possible breach and a consultant confirmed it.

Michaels

Data compromised 2.6 million credit/debit cards

How they got in Undisclosed but point-of-sale machines were infected

How long they went undetected Eight months

How they were discovered Undisclosed

(www.networkworld.com)

Tim Greene

Zur Startseite