Now that we’re firmly into 2015 and have had the month of January to reflect on “the year of the data breach,” it’s a good time to look back at the very worst data breaches of 2014. While there were 783 reported data breaches in 2014 (an increase of 27.5% from the number of reported breaches in 2013) and a recent study has found that more than 40% of companies experienced a breach of some kind in 2014, I want to highlight some of the biggest breach headliners of last year.
Disclaimer: This list highlights the most publicized data breaches, not only the biggest in terms of records breached, since not all records breached incur a financial loss, and there are hard-to-measure losses incurred by brand damage. See iDigitalTimes for a ranked list of breaches by records lost.
eBay tops the list of worst data breaches according to number of records lost at a whopping 145 million. eBay was hacked in late February-early March of 2014 by attackers using employee login credentials, which were then used to copy customer information – including passwords and addresses. While the massive number of records breached definitely cost the company in revenue and customer confidence, the fact that there was no financial information compromised (the PayPal system was not affected) kept this from being potentially the largest breach of all time.
Home Depot’s data breach, which occurred between April and September, saw 56 million payment card records compromised via malware installed on cash register systems. It’s reported that community banks spent upwards of $90 million to replace the compromised credit and debit cards, and credit unions calculated the total at about $60 million to replace cards they issued. Compare this to the $40 million spent by banks to reissue cards after the Target and Neiman Marcus breaches.
While the breach occurred at the end of 2013 (in the prime of holiday shopping), Target’s data breach became big news as the details of this massive, record-breaking breach emerged. It’s reported that a shocking 70 million payment cards were compromised. The New York Times reports that the cost of the breach was calculated at $148 million and profits were expected to drop significantly over time.
Details of this breach, which started in June and was disclosed in August, are still being investigated, but JPMorgan announced that as many as 76 million households and 7 small businesses were affected. While there is currently no evidence that hackers stole financial information (this is still being debated), they might have stolen personal identifying information like addresses and phone numbers. Because JPMorgan is one of the largest and most trustworthy financial institutions in the country, a data breach of this massive scale – the largest attack on an American bank to date, in fact – certainly had a negative effect on public trust. And some say that it could have been avoided by a simple security fix.
While the cyberattack on Sony Pictures in November 2014 is one of the smaller data breaches of 2014 in terms of records compromised (with only 47,000 records breached), the scorched earth tactics of the hackers have led to it being called potentially the worst cyberattack on a company on American soil. One of the first major breaches blamed on a foreign government, the Sony Pictures data breach laid bare emails, HR records, salary information, Social Security numbers, and much more sensitive data. The hack is estimated to cost Sony upwards of $100 million, which is surprisingly less than the $171 million cost of the data breach on its PlayStation Network, since that involved customer information. However, there are already lawsuits hitting the courts that could bring that price tag way up – not to mention the less measurable costs of lost business.
What have we learned?
Security experts consistently blame data breaches on poor systems in place at retailers – systems that were not even remotely prepared to identify, let alone prevent, a data breach. Hackers are getting smarter, identifying weak points in security systems and flaws in policy in order to get access to data they can exploit. 2014 also saw the discovery of multiple devastating bugs and vulnerabilities in websites and payment systems, including Heartbleed and Shellshock, which allowed hackers to obtain access to sensitive information. In short, 2014 was the year of acknowledging that we are all much more vulnerable to cyberattacks than we thought, and that we are largely unprepared to address those vulnerabilities.
While the new cybersecurity and data breach notification regulations being pushed for by Obama and Congress are certainly going to help – after all, any standard is better than the patchwork of regulations currently in place across the country – businesses are still on their own when it comes to protecting their data. This year will certainly see some interesting battles take place both in and out of the courtrooms, as retailers and credit unions vie over who should bear the financial responsibility for breaches, but the best and only way to prevent a massively expensive breach is to cover your bases. Implement a secure file-sharing and collaboration system to protect network data, educate your employees on security policies (like BYOD, good passwords, etc.), stay vigilant, and act immediately when you suspect malicious activity.