That’s right folks, it’s time. Time for a roundup of the year’s worst IT security breaches and how they’ve impacted the tech market at large. And away we go, with:
1) University of Maryland
Let’s start “small”. In February, the University of Maryland suffered a data breach that put personally identifiable information (PII) of nearly 310,000 people at risk. This information included names, dates of birth, Social Security numbers and University ID numbers. According to Brian Voss, U of M’s CIO, the hackers had a “very significant understanding” of the school’s network security and “picked through several locks to get the data.”
2) Oregon State Department
Looking for work at state offices in Oregon this year? Then your PII may have been stolen. In October, state officials discovered that hackers had breached the WorkSource Oregon Management Information System and rifled through more than 850,000 records. More worrisome? The state department only learned about the breach thanks to an anonymous tip.
3) US Postal Service
Through rain and snow and dark of night — and apparently personal data. As noted by Information Week, the US Postal Service was hacked “sometime” during 2014. USPS itself did not detect the breach, and it was only the intervention of US law enforcement officials that brought the problem to light in September. Even then, it took until mid-November to neutralize the threat.
All told, some 800,000 pieces of USPS employee information and details on 2.9 million customers were compromised. There’s some speculation this was an overseas attack, and the postal service is now undergoing a security overhaul.
Photo-sharing app Snapchat has been breached several times this year, but the first and most damaging attack came in January, when 4.6 million users had their usernames and phone numbers posted on a public website. The hack came after repeated warnings that Snapchat’s system wasn’t secure, and shortly after the hack a group of white hat security experts found the code that allowed this kind of breach. The problem? Too little, too late.
In March, online auction site eBay was the victim of a network security breach. The company initially believed user data was safe following the breach, according to BGR, but soon discovered that the emails addresses and passwords for all 145 million eBay members was breached. Unfortunately, the company was slow to notify users or require password resets, prompting backlash for their response. The lesson here? If you think there’s a problem, there’s absolutely a problem.
6) Dairy Queen
The first of three Backoff POS-related breaches on our list, Dairy Queen was the “smallest” with an disclosed number of customers at risk after 400 stores were compromised. According to eSecurity Planet, the breach was first uncovered back in August, but following the common trend DQ maintained that no information had been stolen. As it turned out, however, everything from customer names to payment card numbers and expiration dates were grabbed during the breach.
7) Home Depot
Backoff malware case #2: The Home Depot’s network was compromised in September 2014 by this point-of-sale problem. Fifty-six million customers had their credit and debit card numbers stolen during this attack. What’s notable here isn’t so much the breach itself but the fact that Backoff was old news — after Target, companies supposedly learned their lesson and found a better way to secure POS systems.
8) JP Morgan Chase
A big bank slips in here before Target with 76 million individuals and 7 million small businesses affected. How hackers got in and who they were isn’t known, and JP Morgan Chase says that financial information wasn’t taken, just addresses, names and phone numbers. That’s disturbing enough, but what’s more worrisome is the fact that JP Morgan Chase was well-known as having excellent security controls in place.
It happened in January 2014, but still comes in at number two on the list because 110 million people had their PII and payment card information (PCI) compromised in this attack. This was the first known appearance of Backoff and as such went undetected for an extended period of time, quietly collecting data from POS machines, many of which weren’t tied to the company’s network security backbone. The takeaway? Any device on a network is vulnerable.
Last but certainly not least, Sony. While the hack didn’t grab millions of Social Security numbers, it resulted in the premature release of five big-ticket movies and a deep dive into the company’s corporate information including employee salaries, dates of birth, and details about the company’s layoff process. What’s more, the hack used a technique able to override existing hard drive information and compromise network function unless drives are physically repaired. Scary stuff.
So there you have it: the 10 biggest, baddest breaches of 2014 — let’s hope 2015 is a year of lessons learned.