In honor of their 10-year anniversary, Dark Reading wrote an article discussing the biggest failed security trends, technologies and tactics from the past 10 years. Secure360 is using their post as inspiration for our own quick post on some of the most talked about security breaches and hacks from the past few years and our key takeaways. While we hate to see major businesses in the news for failing at security or missing the mark, we can learn a lot from their errors on what our own businesses should be doing.
Without further ado, here is our list of the most talked about security fails of all time:
TJX Breach | 2006
In 2003, a hacker managed to infiltrate TJX chains, including Marshalls and TJ Maxx, and stole 94 million customer credit card and debit card numbers. The breach was not discovered until the next year, and Visa reported fraudulent transactions on those accounts in 13 different countries. A cybercriminal named Albert Gonzalez, called “Soupnazi,” is now serving 20 years for the crime. Although not believed to be responsible for the attack, a group of people in Florida were charged with buying customer credit card data from the hackers and then using that data to purchase $1 million worth of electronic goods and jewelry from Walmart. This breach is still considered one of the biggest retail data breaches of all time.
What was learned: The payment-card industry needed to update and release standard guidelines for securing wireless networks.
Heartland Payment Systems | 2008
134 million credit cards were exposed when attackers used SQL injection to install spyware on Heartland’s data systems. A federal grand jury indicted Albert Gonzalez (you guessed it, the same criminal mentioned in the TJX breach) and two unnamed Russian accomplices in 2009. Gonzalez, a Cuban-American, was believed to have masterminded the international operation that stole the credit and debit cards.
What was learned: The vulnerability to SQL injection was well understood and security analysts had warned retailers about it for several years. Yet, the continuing vulnerability of many Web-facing applications made SQL injection the most common form of attack against Web sites at the time.
Target | 2013
The retail giant initially announced that hackers had gained access through a third party to its point-of-sale (POS) payment card readers and had collected about 40 million credit and debit card numbers. But by January 2014, the company had changed its story and raised that estimate, announcing that 70 million customers had been compromised. That included full names, addresses, email addresses and telephone numbers. The final estimate is that the breach affected as many as 110 million customers. Target’s CIO resigned in March 2014, and its CEO resigned in May. The company recently estimated the cost of the breach at $162 million.
What was learned: This breach is still fresh in many of our minds, and it offers a lot of key takeaways for retailers. Ultimately, it was felt that Target ignored certain red flags, and then failed to get to the bottom of the hack in a timely manner and plan a successful recovery.
Anthem | 2015
In February of 2015, hackers broke into healthcare giant Anthem’s servers and stole up to 80 million records. Anthem is the parent company of several well-known healthcare providers, including Blue Cross and Blue Shield. The attack began with phishing emails sent to five employees, who were tricked into downloading a Trojan with keylogger software that enabled the attackers to obtain passwords for accessing the unencrypted data. This breach included the theft of millions of medical records, thought to be worth 10 times as much as credit card data. It is suspected that the stolen health records will be sold on the black market in the future.
What was learned: Anthem announced the breach much more quickly than the Target breach was announced, which is in the best interest of both the organization that suffered the data breach and the individuals whose data has been compromised. The Anthem attack targeted network administrators, which should encourage businesses to watch admin activity.
This is only a small list of some of the most talked-about breaches since 2000. Which other breaches would you include on the list and why?