TOP 10 MOST EXPENSIVE CYBER SECURITY BREACHES OF ALL TIME
- Target: ‘Hackers hit a bullseye’
One of the biggest questions regarding the Target Thanksgiving mega breach in 2013 is whether it was sophisticated or stoppable. Hackers broke into the retailer’s network using login credentials stolen from an air conditioning contractor employed by Target, then leveraged this access to remain undetected in the network and upload malware onto the company’s Point of Sale (POS) systems.
The hacker group stole personal information for 110 million people, including 40 million credit/debit card numbers in the U.S., Brazil and Russia. Though Target execs defended the company’s cyber security before Congress, testifying that ‘the cyber security breaches were hard to avoid, because of its sophisticated nature’, many others dispute Target’s claims of innocence. Jody Brazil, founder and CTO of security vendor FireMon, insists: “There’s nothing fancy about the breach”, suggesting that Target simply failed to segment its network correctly to ensure third parties had no access to its payment systems.
Regardless of where you want to ‘aim the blame’, the global superstore certainly felt it, as this cyber attack cost the mega-chain a whopping $162 million, together with another couple of parting shots – the resignation of its CIO and CEO within 2 years.
RECORDS COMPROMISED: 110 million / 40 million credit cards
- Sony Playstation: ‘Fine-craft’
Sony has suffered several notorious mega breaches in the 21st century, but this was the biggest of the bunch. It has gone down in history as the ‘worst gaming community data breach of all time’. In 2011 hackers gained access to Sony’s digital data sharing platform and 100 million customer records across 77 million PSN accounts, including names, passwords, emails and addresses – and up to 12 million unencrypted credit card numbers.
First call of duty? Gamers worldwide were inconvenienced for a month, as the site was shut down for damage investigation and a rebuild. This caused the company to lose upwards of $171 million in revenue, plus an additional financial fallout of $15 million, as Sony agreed to a preliminary settlement in a class action lawsuit over the cyber security breaches.
You could say this total cost is…Bioshocking! (Are any of these gamer puns landing?)
COST: $186 million
RECORDS COMPROMISED: 100 million
- British Airways: ‘Fine triggers financial acrophobia’
In recent weeks, British Airways has made the news after landing a dizzying fine of £183 million from the UK’s Information Commissioner’s Office (1.5% of its annual turnover). Hackers stole the personal information of an estimated 500,000 customers, including ‘login, payment card, name, address and travel booking information…harvested after being diverted to a fraudulent website’.
This was one of multiple fines to come from Information Commissioner Elizabeth Denham, as companies with European customers and associates must now comply with the General Data Protection Regulation. The necessary clampdown helps ensure the conscientious handling of confidential and personal information by organisations across the EU. The scale of these fines, previously capped at $500K, serves to make an example of companies with insecure systems or apathetic approaches to the handling of customer data. Across the memberships of Europe’s Executive Airport Lounges, $229 million is definitely an incentive to ensure your own organisation’s security arrangements are ‘First Class’.
COST: $229 million
RECORDS COMPROMISED: 500,000
- Hannaford Bros: ‘Bro, where’s my card data?’
‘Speedy’ Gonzales, back at it. Albert Gonzalez was connected with this mega breach of 2007, where a Trojan spread across the servers of all 271 Hannaford Bros stores, resulting in 4.2 million debit and credit card numbers being swiped. This parallels the story at Heartland. Once hackers gained access to the corporate network, ‘a malicious Trojan was programmed to pilfer data from the magnetic stripe of credit and debit cards’. Jim Dempsey, Vice President for Public Policy at the Center for Democracy and Technology, considers that Hannaford Bros is not necessarily at fault, claiming: “There’s no such thing as perfect security…Everybody who handles this information has to have a program of layered security”.
Hannaford Bros, like TJ Maxx, Heartland and many other breached companies, is required to comply with the Payment Card Industry Data Security Standard (PCI DSS), a stack of rules governing how card payments are received and processed. However, this was clearly not enough to stop the attack, which has since cost Hannaford Bros $252 million following fines, class action lawsuits and over 2,000 cases of fraud that have been traced back to the breach.