2014 was a memorable year for large-scale cybersecurity breaches. Target started the year on the wrong foot, exposing 110 million peopleâ€™s personal information. Then, Sony Pictures proved to be one of the worst corporate breaches ever. It left us wondering â€¦ Will we make the same mistakes in 2015 or will we learn to secure our data better?
Letâ€™s start by reviewing the yearâ€™s largest security breaches.
In May, Ebay announced a data leak that exposed email addresses and passwords of 145 million users after employee log-in credentials were compromised and attackers got access to the company network.
P. Morgan Chase
The J.P. Morgan Chase hack also made quite an impression when it left 76 million bank customers wondering if their data was compromised. It seems hackers infiltrated the bankâ€™s networks through a zero-day vulnerability in the website and stole credit card data without disrupting banking services.
Home Depot made headlines after 56 million email addresses were stolen from its database. Hackers used a third-party vendorâ€™s credentials to infiltrate Home Depotâ€™s network. With high-level permissions, they navigated portions of the network, found a vulnerability and planted custom-built malware on self-checkout systems in the US and Canada.
The popular image-sharing appâ€™s security issues were laid bare after more than 4.6 million Snapchat usernames and phone numbers were leaked at the beginning of the year when anonymous hackers abused the applicationâ€™s Find Friends service.
Community Health Systems
Records of 4.5 million patients were stolen when hospital giant Community Health Systems was hacked in June 2014. Fortunately, no Social Security numbers were disclosed. The company operates 206 hospitals in the United States.
The US-based arts and crafts store acknowledged investigating a data breach affecting 1,250 stores after crooks tampered with point-of-sale devices at store registers to steal credit and debit card numbers and associated PINs from its customers.
Some 2% of all AOL Mail clients (roughly 120 million registered accounts) were used to send spam emails after an April breach leaked user information including encrypted passwords, encrypted answers to security questions, postal addresses and address book contacts.
In January, another retailer was hit. Luxury department store Neiman Marcus said hackers breached the storeâ€™s network and planted backdoor software to steal customer e-mail addresses, user names and credit card data as well as their encrypted PINs. More than 1.1 million customers were affected.
US Postal Services
The data of 800,000 employees of the US Postal Services was compromised after an intrusion in mid-September. Allegedly, China was behind it, data mining on US citizens.
The recent Sony cyberattack and scandal showed, once again, that no organization is safe. The breach disclosed huge amounts of internal data – from employee passwords and medical information stored in plain text to movie scripts and salaries of famous Hollywood actors. But it also raised the issue of IT security practices in an organization and advanced persistent threats (APTs), which target a specific organization with different hacking techniques seeking a way in. But large corporations arenâ€™t the only ones hackers are after -Â small and medium businesses should also bolster their defenses in 2015.
Weâ€™ve also seen that a businessâ€™ biggest vulnerability is the human factor represented by its employees. A human error or a disgruntled employee can produce an equal amount of damage.
As for retailers, itâ€™s no surprise most breaches occurred in the US, where the magnetic strip or â€œswipe-and-signâ€ system is still widely used. The current system requires only the buyerâ€™s signature to authenticate a purchase, while chip-and-PIN cards come with an embedded microchip and require the buyerâ€™s PIN, making it harder for cyber-criminals to cash in on credit card fraud. Plus, itâ€™s very expensive and almost impossible to clone these cards. So, let’s hope the US will speed up the adoption of EMV technology in 2015.
To increase their chances of remaining immune to breaches in 2015, retailers need to examine their detection capabilities regularly plus a few other essential things:
- Regularly assess risks and vulnerabilities of the system.
- Keep the operating system and any endpoint security programs up to date.
- Secure PoS devices against software and hardware manipulation.
- Use intrusion detection software to detect abnormal behavior on the network.
Â Do you think the above retailers have learned their lesson? What have you learned from their mistakes?