In anticipation of the New Year, Tripwire recently published an article that surveyed some of the better-known data breaches that occurred in 2014. We now present Part 2 of our two-part series, “2014: The Year of the Breach.”
- Home Depot (September) – On September 18th, Home Depot acknowledged that it had suffered a data breach. The attackers gained entry to the perimeter of the retailer’s networks after using a third-party vendor’s login credentials. According to Brian Krebs, only then were the hackers able to exploit a vulnerability in Microsoft Windows, which allowed them access to Home Depot’s point-of-sale (PoS) machines. In all, the hackers stole 56 million credit card numbers as well as 53 email addresses. Those figures notwithstanding, Home Depot was optimistic about its third quarter sales back in November of 2014 after noticing transaction growth in each month of Q3.
- Gmail (September) – Around the same time as the Home Depot breach, a Reddit user posted a link to a database that featured nearly five million leaked Gmail emails and passwords. The login credentials were posted in plaintext on Russian hacker forums, prompting cybercriminals to exploit the stolen email addresses in a variety of phishing schemes. A few days after the hack was announced, Google issued a statement in which it revealed the following: “The leaked usernames and passwords were not the result of a breach of Google systems.” All of the compromised accounts were likely lifted off of websites other than Google. Even so, all Gmail users were asked to change their passwords as well as consider implementing two-factor authentication for an additional layer of security.
- JPMorgan Chase (October) – In October, JPMorgan Chase & Co. announced that a cyber attack, which it had first disclosed in July, had succeeded in compromising the accounts of 76 million individuals and 7 million small businesses. According to an ongoing investigation into the incident, the attackers succeeded in breaching the bank’s networks due to the absence of two-factor authentication on one of its servers. The hackers then were able to gain root access to more than 90 of the bank’s servers, meaning that they could transfer funds, close accounts, and essentially do whatever they wanted with tens of millions of customers’ money. JPMorgan has since announced that it will enhance its security measures for this year at a cost of $250 million.
- Staples (October) – A few weeks after JPMorgan’s announcement, Staples confirmed that it was investigating a possible data breach. Brian Krebs was one of the first journalists to report on the incident. In an article he published on his blog, Krebs reveals how a string of fraudulent credit card charges led the retailer to believe that a small number of Staples locations in the Northeast had been compromised. That fraudulent charges were also reported at other stores led Krebs to believe that at least some of the cards had been compromised by PoS malware. Staples has been investigating the breach since then. Last month, the company announced that the information of approximately 16 million payment cards had been exposed in the incident.
- Sony Pictures Entertainment (November) – In November, a hacker collective known as the Guardians of Peace (#GOP) targeted and shut down Sony Pictures Entertainment’s computer systems. The hackers then compromised Sony’s intellectual property by releasing a large quantity of materials online. This has included executives’ personal information as well as five movies that the entertainment company planned to release. The hackers then threatened 9/11-type attacks against U.S. movie theaters if Sony released the film “The Interview,” a move which drove Sony to cancel the movie’s release altogether. Contrary to the views of some security experts, the FBI has determined that the North Korean government is directly responsible for the initial hack against Sony.
2014 is now officially behind us, yet we will undoubtedly continue to discuss these and other security incidents for months if not years to come. Hopefully they will provide us with lessons that we can subsequently internalize to make 2015 a better, more secure year.