
Data breach horror stories: Worst hacks in history

  • Posted on: October 21, 2015
  • Posted in: Current News, Industry News
  • Posted by: Noah Gamer

Fall is the time of year when people revel in the spooky, the scary, the creepy. The horror film genre showcases all the different things that can scare a person – a stranger hiding in the house, a murderer on the loose, an infection turning normal individuals into bloodsucking zombies. However, business leaders have their own fears, particularly when it comes to their online resources and technological assets.

In recent years, cybercrime attacks and hacker abilities have gone from the stuff of movie lore to real life – 2014 was dubbed "the year of the breach," and this year has brought a number of notable infiltrations as well. Now seems like as good a time as any to look back on some of the worst hacks seen in recent history, the attacks that fuel administrators' and IT leaders' nightmares.

Trend Micro noted that the last decade has brought "some of U.S. history's most high-profile data breaches." Here, we'll examine some of these instances and what makes the attacks so notable:

AOL's data leakage

A decade ago in 2005, an insider at AOL was able to make off with a staggering 92 million screen names and email addresses of customers, according to CloudTweaks. This information was reportedly distributed or sold on underground marketplaces, enabling spammers to send out a total of 7 billion malicious emails. A later investigation uncovered that AOL employee Jason Smathers was responsible for the theft.

"I know I've done something very wrong," Smathers told U.S. District Judge Alvin Hellerstein at his sentencing hearing, according to NBC News.

He received 15 months in prison for his actions.

Unfortunately, AOL's troubles didn't end there – the next year, in 2006, the company posted the search data of 650,000 users in error. Included in these details were the users' Web searches, whether or not they clicked on a search result, and where the query was located. Overall, this led to an estimated 20 million Web searches becoming public.

T.J. Maxx users in the age of retail breaches

A year after AOL's mistaken leakage, discount retailer T.J. Maxx became the first victim of credit card theft in the commerce industry, CloudTweaks reported. During the attack, hackers made off with more than 45.7 million credit and debit card numbers. Investigators later identified the hacker responsible – Albert Gonzalez, who was sentenced to 20 years in prison and is scheduled for release in 2025.

Gonzalez's sentence also reflected his role in another notable attack – the 2009 hack of Heartland Payment Systems, still considered the largest breach in Internet security history. In this event, Gonzalez's actions impacted a staggering 130 million customers.

The T.J. Maxx hack is notable because, unlike in today's retail and e-commerce threat environment, a hacker breaching a store for payment card information was unheard of at that time. Now, however, it seems not a month goes by without a large-scale retail hack.

Illegal activities at Shanghai Roadway D&B Marketing Services

One of the most interesting hacks in the last decade is certainly the event involving Shanghai Roadway D&B Marketing Services. Business Insider reported that the compromise was first discovered during a 2012 investigation by Chinese police. Law enforcement officials raided the company's headquarters after concerns emerged that staff members might have been illegally buying and selling client information to outside marketing and phone sales firms.

Through the investigation, officials discovered that a total of 150 million records had been compromised. And while the details surrounding the compromised information and breach are still unclear to this day, the organization did shut down its Shanghai office.

Target: The face of retail data breaches

In late 2013, one of the most high-profile breaches to date in the retail industry took place. The attack involved the theft of 110 million records connected with Target customers' payment card numbers, expiration dates and PINs, according to Business Insider. Target suspects that the breach initially took place between Nov. 27 and Dec. 15, 2013 – the prime holiday shopping season. However, the breach wasn't reported until Dec. 18.

In the wake of the event and subsequent investigation, it was discovered that a third-party vendor was first hacked, paving the way for cybercriminals to break into Target's POS system. Following the attack, Target CIO Beth Jacob resigned and CEO Gregg Steinhafel also stepped down in 2014.

New York City Taxi and Limousine Commission: Anonymous data error

The year 2014 brought a number of large-scale hacks involving several big-name companies. One of these events involved the New York City Taxi and Limousine Commission, which suffered a breach in June 2014. At that time, the commission was looking to anonymize information being prepared in connection with a Freedom of Information Act request.

"Thanks to the failed attempt to anonymize the data the NYC commission inadvertently released 20 GB of data [that] detailed over 173 million taxi customers' comings and goings around the city," Business Insider reported.

Included in the leak were customers' pickup and dropoff locations, times of rides and other metadata associated with clients – both individuals and famous celebrities.

This hack illustrates the importance of exercising caution with the sensitive information a company stores on behalf of its clients. The commission's intentions were good – it hoped to keep its clients anonymous while still providing information for the FOIA request – but it ended up making an egregious error.

Apple iCloud: Celebrities' personal photos hacked

Last year also saw the large-scale hack of Apple iCloud, where the personal photos and videos of celebrities were specifically targeted, CloudTweaks reported. The hack took place in August, and a long line of celebrities – Jennifer Lawrence, Kate Upton, Mary Elizabeth Winstead and a number of other well-known names – had their personal images stolen. Many of these pictures and videos were splashed across underground forums.

Although regular users were not targeted here, this hack shows that nearly any platform is hackable in the current environment – even the personal files of celebrities weren't off the table for cybercriminals.

Sony: Two hacks in three years

In 2014, entertainment company Sony grabbed headlines with news of several hacks that resulted in the shutdown of the company's computer system and the theft of employees' personal information, according to Business Insider. These events were the work of hacking group Guardians of Peace, which threatened the company after its film "The Interview" was set to be released.

GOP was able to take over the company's internal computing system, displaying messages and skeleton images on company computers and Sony's Twitter account. The group is also credited with publishing several unreleased Sony films to file-sharing sites, including "Still Alice," "To Write Love On Her Arms," and "Fury."

The hack also saw the salary information of Sony executives, as well as the names, job titles, home addresses and other financial information of employees published.

This wasn't the first time the company was hacked – back in 2011, 77 million Sony records were compromised after hackers infiltrated the PlayStation Network.

Ashley Madison: 32 million users exposed

Several notable breaches took place this year as well, including the hack of so-called "cheating network" Ashley Madison, according to Trend Micro. The hack took place in the fall of 2015, when cybercriminals infiltrated the network and threatened to release the information they had stolen. Nearly a month later, the group behind the hack made good on their threat, publishing nearly 10 GB of data on the deep Web, making it accessible to anyone with a Tor browser.

The user information, names and addresses of about 32 million individuals were published, as well as payment card transactions from the past seven years. These details also made their way into more public forums.

"At least a couple of sites have popped up that allow the public to search for email addresses of people who may have had an Ashley Madison account, and there have already been a number of stories made public regarding high-profile users," Trend Micro reported.

This hack demonstrates the power today's cybercriminals wield over the corporate world. With a successful infiltration on their side, hackers are able to blackmail organizations, threatening, just as these attackers did, to release information unless a payment is made or a certain action is taken.

These instances show the malicious threats today's enterprises have to deal with on a daily basis. As these attacks become even more common, it's imperative that companies have the proper security in place, as well as responsive plans for when and if an attack occurs.
