Top 10 Data Breaches of 2014; Lessons Learned for a Safer 2015

2014 was a memorable year for large-scale cybersecurity breaches. Target started the year on the wrong foot, exposing 110 million people`s personal information. Then, Sony Pictures proved to be one of the worst corporate breaches ever. It left us wondering “¦ Will we make the same mistakes in 2015 or will we learn to secure our data better?

Let`s start by reviewing the year`s largest security breaches.

Ebay

In May, Ebay announced a data leak that exposed email addresses and passwords of 145 million users after employee log-in credentials were compromised and attackers got access to the company network.

P. Morgan Chase

The J.P. Morgan Chase hack also made quite an impression when it left 76 million bank customers wondering if their data was compromised. It seems hackers infiltrated the bank`s networks through a zero-day vulnerability in the website and stole credit card data without disrupting banking services.

Home Depot

Home Depot made headlines after 56 million email addresses were stolen from its database. Hackers used a third-party vendor`s credentials to infiltrate Home Depot`s network. With high-level permissions, they navigated portions of the network, found a vulnerability and planted custom-built malware on self-checkout systems in the US and Canada.

Snapchat

The popular image-sharing app`s security issues were laid bare after more than 4.6 million Snapchat usernames and phone numbers were leaked at the beginning of the year when anonymous hackers abused the application`s Find Friends service.

Community Health Systems

Records of 4.5 million patients were stolen when hospital giant Community Health Systems was hacked in June 2014. Fortunately, no Social Security numbers were disclosed. The company operates 206 hospitals in the United States.

Michael`s

The US-based arts and crafts store acknowledged investigating a data breach affecting 1,250 stores after crooks tampered with point-of-sale devices at store registers to steal credit and debit card numbers and associated PINs from its customers.

AOL

Some 2% of all AOL Mail clients (roughly 120 million registered accounts) were used to send spam emails after an April breach leaked user information including encrypted passwords, encrypted answers to security questions, postal addresses and address book contacts.

Neiman Marcus

In January, another retailer was hit. Luxury department store Neiman Marcus said hackers breached the store`s network and planted backdoor software to steal customer e-mail addresses, user names and credit card data as well as their encrypted PINs. More than 1.1 million customers were affected.

US Postal Services

The data of 800,000 employees of the US Postal Services was compromised after an intrusion in mid-September. Allegedly, China was behind it, data mining on US citizens.

Sony Pictures

The recent Sony cyberattack and scandal showed, once again, that no organization is safe. The breach disclosed huge amounts of internal data – from employee passwords and medical information stored in plain text to movie scripts and salaries of famous Hollywood actors. But it also raised the issue of IT security practices in an organization and advanced persistent threats (APTs), which target a specific organization with different hacking techniques seeking a way in. But large corporations aren`t the only ones hackers are after – small and medium businesses should also bolster their defenses in 2015.

We`ve also seen that a business` biggest vulnerability is the human factor represented by its employees. A human error or a disgruntled employee can produce an equal amount of damage.

As for retailers, it`s no surprise most breaches occurred in the US, where the magnetic strip or “swipe-and-sign” system is still widely used. The current system requires only the buyer`s signature to authenticate a purchase, while chip-and-PIN cards come with an embedded microchip and require the buyer`s PIN, making it harder for cyber-criminals to cash in on credit card fraud. Plus, it`s very expensive and almost impossible to clone these cards. So, let’s hope the US will speed up the adoption of EMV technology in 2015.

To increase their chances of remaining immune to breaches in 2015, retailers need to examine their detection capabilities regularly plus a few other essential things:

• Regularly assess risks and vulnerabilities of the system.
• Keep the operating system and any endpoint security programs up to date.
• Secure PoS devices against software and hardware manipulation.
• Use intrusion detection software to detect abnormal behavior on the network.

Do you think the above retailers have learned their lesson? What have you learned from their mistakes?