
TOP 10 MOST EXPENSIVE CYBER SECURITY BREACHES OF ALL TIME

Target: ‘Hackers hit a bullseye’

One of the biggest questions regarding the Target Thanksgiving mega breach in 2013 is whether it was sophisticated, or stoppable. Hackers broke into the retailer’s network using login credentials stolen from an air conditioning contractor employed by Target, then leveraged this access to remain undetected in the network and upload malware onto the company’s Point of Sale (POS) systems.

The hacker group stole personal information for 110 million people, including 40 million credit/debit card numbers in the U.S., Brazil and Russia. Though Target execs defended the company’s cyber security before Congress, testifying that ‘the cyber security breach was hard to avoid, because of its sophisticated nature’, many others dispute Target’s claims of innocence. Jody Brazil, founder and CTO at security vendor FireMon, insists: "There's nothing fancy about the breach”, suggesting that Target simply failed to segment its network correctly to ensure third parties had no access to its payment system.

Regardless of where you want to ‘aim the blame’, the global superstore certainly felt it, as this cyber attack cost the mega-chain a whopping $162 million, together with another couple of parting shots - the resignation of its CIO and CEO within 2 years.

COST: $162 million

RECORDS COMPROMISED: 110 million / 40 million credit cards

Sony PlayStation: ‘Fine-craft’

Sony has suffered several notorious mega breaches in the 21st century, but this was the biggest of the bunch. It has gone down in history as the ‘worst gaming community data breach of all time’. [2] In 2011 hackers gained access to Sony’s digital data sharing platform and 100 million customer records across 77 million PSN accounts, including names, passwords, emails and addresses, and up to 12 million unencrypted credit card numbers.

First call of duty? Gamers worldwide were inconvenienced for a month, as the site was shut down for damage investigations and a rebuild. This caused the company to lose upwards of $171 million in revenue, plus an additional financial fall-out of $15 million, as Sony agreed to a preliminary settlement in a class action lawsuit over the cyber security breach.

You could say this total cost is…Bioshocking! (Are any of these gamer puns landing?)

COST: $186 million

RECORDS COMPROMISED: 100 million

British Airways: ‘Fine triggers financial acrophobia’

In recent weeks, British Airways has made the news after landing a dizzying fine of £183 million from the UK’s Information Commissioner’s Office (1.5% of its annual turnover). Hackers stole the personal information of an estimated 500,000 customers, including ‘login, payment card, name, address and travel booking information…harvested after being diverted to a fraudulent website’. [3]

This was one of multiple fines to come from Information Commissioner Elizabeth Denham, as companies with European customers and associates must now comply with the General Data Protection Regulation (GDPR). The necessary clamp down helps ensure the conscientious handling of confidential and personal information by organisations across the EU. The scale of these fines, previously capped at $500K, serves to make an example of companies with insecure systems or apathetic approaches to the handling of customer data. Across the memberships of Europe’s Executive Airport Lounges, $229 million is definitely an incentive to ensure your own organisation’s security arrangements are ‘First Class’.

COST: $229 million

RECORDS COMPROMISED: 500,000

Hannaford Bros: ‘Bro, where’s my card data?’

‘Speedy’ Gonzalez, back at it. Albert Gonzalez was connected with this mega breach of 2007, where a Trojan spread across the servers of all 271 Hannaford Bros stores, resulting in 4.2 million debit and credit card numbers being swiped. This parallels the story at Heartland. Once hackers gained access to the corporate network, ‘a malicious Trojan was programmed to pilfer data from the magnetic stripe of credit and debit cards’. [4] Jim Dempsey, Vice President for Public Policy at the Center for Democracy and Technology, considers that Hannaford Bros is not necessarily at fault, claiming: “There’s no such thing as perfect security…Everybody who handles this information has to have a program of layered security”.

Hannaford Bros, like TJ Maxx, Heartland and many other breached companies, is required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS), a stack of rules regarding how to receive and process card payments. However, this was clearly not enough to stop the attack, which has since cost Hannaford Bros $252 million, following fines, class action lawsuits and over 2,000 cases of fraud that have been traced back to the breach.


So, was there a way to avoid the loss of a quarter billion benjies? Ilan Barzila, an attorney with Wolf, Greenfield & Sacks, warns businesses: “You need to stay on your toes and do whatever any reasonable business needs to do, to prevent a security breach… You can take certain measures that you think are reasonable and let the system run for a couple of years. You may not update it or audit it…and a breach happens.” So it is reasonable to say that ‘compliance’ alone, without consistent follow-through, cannot defend against the swarm of malicious moles tunnelling their way into seemingly secure systems.

It’s all very well to tick the boxes in January, but in the fast-evolving digital realm it is important to maintain the health of your cyber security measures continuously. “Audits occur at a point in time, but your IT infrastructure changes constantly,” explains Steve Dauber, Vice President of Marketing at security firm RedSeal. “So even if you do pass your audit, you may fall out of compliance next week”. We hear you, Bro.

COST: $252 million

RECORDS COMPROMISED: 4.2 million credit/debit card numbers

TJ Maxx: ‘TJ Maxxed out’

Albert Gonzalez strikes again. The infamous hacker has been linked to several major hacks, and several years prior to Heartland Payment Systems’ ill-reputed 2008 breach (which narrowly missed out on our Top 10 list), TJ Maxx experienced a taster of this busy attacker. In December 2006 Gonzalez took advantage of the company’s poor data sharing encryption system and stole credit card data during a wireless transfer between two Marshalls stores in Miami. Separately, he broke into in-store kiosks, which allow members of the public to apply for jobs electronically.

The cyber security breach resulted in 94 million cards being exposed, and 451,000 customers’ personal information (including social security numbers) being stolen. After months of investigations into the breach, the company recognised that the costs incurred were more than 10 times the original estimate. Big breaches cost more, much more. TJX reported second-quarter profits cut by more than half, as it took a $118 million charge on top of the $17 million charge taken in the previous 2 quarters. Plus, over $100 million was allowed ‘for a reserve to cover potential losses from items, including litigation and investigative expenses’. As costs stacked up, several analysts suggested they could run as high as $1 billion, including legal settlements and lost sales. Forrester Research analyst Khalid Kark publicly estimated the final bill to fall between $500 million and $1 billion.

The consequential losses suffered by the retail giant were thus significant, and not merely measured in immediate cash terms. $256 million was shouldered by insurers and by TJX itself, which was subsequently sued by several banks seeking to recoup losses related to the breach. Then there are the 11 men who were charged in connection with the theft. One of them, Jonathan James, professed his innocence and later committed suicide, apparently in the belief that he was going to be indicted. The jobs of the CIO and CEO of TJ Maxx were also lost in the aftermath. The full impact of data sharing breaches is not just felt in the finances of the organisation, but in the lives of so many of those involved and their families, whether guilty or innocent.

COST: $256 million

RECORDS COMPROMISED: 94 million cards exposed

Yahoo: ‘Ya-how many?!’

‘NO-NO-NOTORIOUS’ is how this breach was described by Tony Pepper, CEO of Egress Software Technologies, conveying just how B.I.G this case was. In 2016, during company sale negotiations with Verizon, Yahoo, the American web service provider, came clean about possibly the vastest mega breach in history at that time, one that had taken place a full 2 years earlier and gone unreported. Get ready for these figures: all 3 billion accounts were compromised, including names, emails, passwords, security questions and answers. In the same breath, Yahoo admitted to falling victim to a separate attack in 2014, which affected 500 million accounts. Apart from likely being the most awkward sales pitch in history, it was for sure one of the costliest, as the breach admissions knocked $350 million off Yahoo’s asking price.

After selling to Verizon for $4.48 billion in 2017, Yahoo received one final donkey-kick. Fast forward to 2018 and Yahoo received its fair share of the ICO’s righteous wrath, with a fine of $335 million. The ICO explained that Yahoo failed to comply “with the appropriate data protection standards, as well as failing to monitor ‘credentials of employees with access to customer data’”, finally commenting on the disappointing 2 year wait before the company revealed the severity of the breach. Tony Pepper notes that this is likely to be closure for the company, following its arguably underwhelming approach to cyber security procedures: "Although the fine has been a long time coming, I imagine there would be some sighs of relief that the investigation was carried out under the Data Protection Act, rather than GDPR, which has much tougher consequences for a breach," he concludes.

COST: $685 million

RECORDS COMPROMISED: 3 billion accounts

Equifax: ‘Equifix up’

In 2017, consumer credit reporting agency Equifax fell victim to a cyber security breach that would subsequently cost it dearly. Yes, and it did affect its credit rating. After attackers exploited a vulnerability in one of its US website applications, the confidential personal information of 147 million of its 800 million consumers was exposed, including names, dates of birth, social security numbers and credit/debit card numbers. Equifax was fined $622,000 by the UK’s ICO for the 15 million UK users affected by the breach. The USA’s Federal Trade Commission argued that ‘the credit score agency failed to make appropriate moves, in order to protect its network from intruders’. And it is still paying the cost, in more ways than one.


Equifax has spent millions on new technology and security upgrades, legal fees, and identity theft services made free for those affected. By the end of 2017, the estimated breach costs totalled $439 million. Now the company has agreed to pay nearly $700 million to settle Federal and State investigations, contributing between $300 and $425 million towards consumer compensation. That’s right: if you were impacted by the Equifax breach you could be entitled to claim up to $20,000. In practice, it won’t work out to that much per claimant.

Larry Ponemon, chairman of the Ponemon Institute, previously estimated that ‘the expenses associated with ending government investigations into the data breach, as well as any civil lawsuits lodged against Equifax, would cost more than 600 million’. In fact, the actual figures are closer to $1 billion. In Larry’s own opinion: “It looks like this will be the most expensive data breach in history.”

But wait, Larry… there’s more…

COST: $1 billion

RECORDS COMPROMISED: 147 million

Epsilon: ‘Sir EpsiLOTS OF MONEY’

Our own (albeit temporary) number one spot goes to Epsilon, for the most expensive mega breach of all time to date, which rocked the world in 2011. The global marketing email provider fell victim to the hack attack of the century, affecting up to 75 prestige clients, including Disney, Capital One, Citigroup, JPMorgan Chase and Target, to name a few. Millions of customer details were stolen, and Epsilon warned users that its systems had been ‘exposed by an unauthorised entry’, although after further investigation Epsilon insisted that the only information obtained was customer names and emails. But why could this still be damaging?

Well, in the cyber world where villainous attackers and their nefarious toolkits seek to steal, exploit and destroy, a list of millions of email addresses and their source comes in quite handy. A list of emails is to a hacker with malicious intent what a pot of gold is to a pirate. It is incredibly lucrative for so-called ‘phishing’ scams, where credible-looking emails are sent to people soliciting other sensitive information, such as bank account details. Some banks and other companies affected by the breach warned their customers to exercise caution when opening links and attachments from third parties, as hackers were likely to attempt to ‘solicit further login details’ and other confidential information while posing as the familiar service. "That, in turn, can make their fraudulent correspondence seem more believable," explains Paul Ducklin from Sophos Internet Security.

So the long-awaited question… what was the cost of the most expensive breach of all time? Epsilon itself paid an estimated $225 million, and its 75 affected clients paid approximately $410 million. However, when you total ‘forensic audits, monitoring, litigation and lost business’, plus $45 million in lost business as clients ‘walked away in droves’, further exacerbated when the Secret Service got involved, the estimated total damage was $3-$4 billion.

That’s $3,000,000,000 to $4,000,000,000, just to put it into context. Or enough to buy everyone in the UK a Nando’s.

COST: $3-4 billion

RECORDS COMPROMISED: Millions (Number unknown)

So what are our own take-aways from this sorry menu?

It’s clear that even the biggest companies are hacked, despite investments in their security systems and practices, through a variety of avenues exploited by hackers globally. Robert Mueller, Director of the Federal Bureau of Investigation, summarised: “There are only two types of companies: those that have been hacked and those that will be”. Even that is merging into a single category: those that have been hacked and will be again. So it is now officially recognised that no company is ever truly ‘safe’ from cyber attacks. It’s a question of degree.

Two things thus remain important to grasp for those responsible for protecting the data of customers and employees alike. The first is that cyber security is a complex and fast-evolving realm, so data security strategies should match that dynamic and address emerging vulnerabilities as they appear.

The second is that any business CEO, security officer or data handler should recognise that they have a duty of care to the individuals who place trust in the company and become its stakeholders. We can get so lost in conversion rates and sales that we lose sight of the quality of care we should grant every individual who chooses to invest, use a product or investigate our offerings. In a world where recorded cyber attacks reached a record-breaking 758 million in 2016, according to Kaspersky Lab, [5] there is little doubt that 2019 will create its own tragic records. So, we at URiM will continue to do our part to help ensure that your own organisation is not among them.