Since the beginning of the year, there have been a considerable number of high-profile attacks on companies and organizations of all kinds. Be it in the retail sector, the health care industry or hospitality, it seems no group is safe from cybercriminals these days. As a result of this threat landscape, a number of experts are calling 2014 “the year of the breach.”
So what has made this year so prolific as far as targeted attacks and breaches are concerned? It all kicked off with Target, the big box retailer that saw the aftermath of one of the most significant breaches to date at the beginning of the year. However, the attacks didn’t end there.
The rising cost of a breach
According to a recent Ponemon Institute study, it isn’t just the number of attacks that has increased this year, but the price of these instances as well. According to The Heritage Foundation research assistant and contributor Riley Walters, the cost associated with breaches in the retail sector alone more than doubled since last year. The Ponemon Institute found that each breach cost the average retailer $8.6 million in related expenses.
And retail merchants weren’t alone. The price tag connected with a data breach increased across the board, reaching $20.8 million for financial service firms, $14.5 million for technology companies and $12.7 for communications providers.
This represents a new threat environment for enterprises, as nearly every organization these days is at risk.
“There are two kinds of big companies in the United States,” said FBI director James Comey. “There are those who’ve been hacked…and those who don’t know they’ve been hacked.”
This year, a range of different retailers and service providers fell victim to data breaches in which the sensitive information of their clients or employees was snooped and stolen. However, some of these attacks were more impactful and far-reaching than others. Let's take a look at a few of the year's highlights, including:
Toward mid-summer, eBay announced that it had been the victim of a data breach that compromised the information of approximately 150 million users, according to The New York Times. Although the online auctioneer noted that no financial information was affected – users' payment card information appeared to be untouched – individuals were urged to change their passwords as soon as possible.
SC Magazine contributor Stephen Coty noted that the breach likely took place through phishing attacks on eBay employees. In this way, hackers tricked and encouraged staff members via email to give up authentication credentials that could be used to further infiltrate the platform.
The popular restaurant chain P.F. Chang's announced in June the initial discovery of a data breach. Upon investigation by the Secret Service, P.F. Chang's found that 33 locations were potentially affected by the attack, which put customers' debit and credit card information, as well as card expiration dates and names, at risk.
According to USA Today, the intrusion took place over an 8-month period, first beginning in October 2013 and continuing to June 11, 2014. However, the company noted that all payment information had been safely processed after the latter date.
Not all of this year's breaches involved restaurant chains or retail locations. Another noteworthy, yet no less malicious, hack involved a security consultant staying at a luxury hotel near Hong Kong. According to VentureBeat, the event took place in August and included the use of an iPad to control the in-room features and abilities in more than 200 separate guest suites.
The would-be hacker, Jesus Molina, who is also a security consultant from Spain, was staying at the St. Regis Shenzhen when he realized that the iPad 2 he was given to control his own room could be harnessed to manage other rooms' features as well. Just to demonstrate what potential this capability could provide in the hands of a real cybercriminal, Molina limited his actions to turning off and on the hotel's "Do Not Disturb" hallway lights. However, Molina said the automated room system used by the hotel could lend itself to an even larger attack where hackers take control of every appliance from a remote location.
Another company falling victim to a breach this year was popular sub shop Jimmy John's. Security expert Brian Krebs reported that fraudulent customer card activity was spotted by several banks at the end of July. Further investigation found that 216 Jimmy John's locations were affected. In a statement, the restaurant noted that compromised information included debit and credit card numbers swiped in-store, and possibly the cardholders' names, PINs and expiration dates. This was just one of a number of point-of-sale attacks to take place in 2014.
Finally comes the story of Home Depot, a breach that took place at the beginning of September. According to The Wall Street Journal, the attack lasted five months and compromised 56 million individual payment cards, making it even bigger than that of Target.
The attack strategy used in the Home Depot breach was similar to point-of-sale attacks taking place at other retailers, where hackers deployed malware to seek out and skim the payment card information of customers. In the case of the do-it-yourself store, the program hackers utilized was "unique, custom-built malware." The company has since wiped the malware from its systems and has installed a new encryption system to better protect customer payment card data.