Data Breaches of 2014: From Retail to Healthcare No Industry Is Spared

Posted by Emma Ban on 2015-01-23 15:00:00

2014 will most likely go down in history as the year of major data breaches. Notable companies across various industries had their systems hacked, causing a wake of incalculable damage to their brand and customer loyalty.  Some had their customers’ and employees’ personal data compromised, while others had assets exposed to theft and misuse.

According to press reports, the most targeted sector was retail –  Home Depot, Target, Neiman Marcus and Michael’s are just a few examples of hacked high-profile retailers. Despite major investments in security, the banking/financial sector was also highly affected by data breaches – the JPMorgan Chase and Korea Credit Bureau  hacks are just two cases that made headlines. In contrast, the healthcare sector lags behind in terms of security investments, wide-spread good practices and dedicated IT staff. And the Community Health Services hack showed once again how vulnerable the healthcare industry is to medical data theft. 

Another noteworthy sector hit by data breaches was the online services. Given the nature of the online business, they seem to be more exposed to hackers, and should be more vigilant. Yet, there were several online entities affected by hacks, including eBay, AOL and even Apple’s iCloud, to name just a few. But the industry that literally reached stardom was the entertainment one, featuring the wide-scope Sony Pictures hack – it closed the year with a bang and made headlines all over the world.

2014_security_hacks

 

So what could these sectors learn from last year’s data breaches?

For the sake of this article, we’ll recap only 5 major data breaches, each representative of one sector. We’ll look at what facilitated them, what could’ve helped minimize the damages, and what lessons we can learn from them.

 

  1. Home Depot data breach

  • Sector: retail

  • Damage: 56 million credit and debit cards exposed and 53 million email addresses stolen

  • What facilitated the data breach: hackers used credentials from a compromised third-party vendor to infiltrate Home Depot’s network, and planted malware on their POS system. Also, the retailer’s in-store payment system was not set up to encrypt customer’s credit and debit card data.

  • What could’ve helped minimize the damage: point-to-point encryption and EMV chip-and-PIN technology.

Reportedly, the company has since taken steps to strengthen its security. After clearing its systems of the malware piece, the company rolled out “enhanced encryption of payment data to all U.S. stores.”

 

  1. JPMorgan Chase data breach

  • Sector: banking

  • Damage: Information about 83 million households and small businesses information was stolen, including: names, addresses, phone numbers and email addresses (not passwords).

  • What facilitated the data breach: lack of two-factor authentication of one of the bank's network servers, and login credentials stolen from a JPMorgan employee.

  • What could’ve helped minimize the damage: better security controls on the company network.

Since then, the bank has reinforced their security team and has announced an increase in cybersecurity spending to $250 million annually.

 

  1. Community Health Services (CHS) data breach

  • Sector: healthcare

  • Damage: 4.5 million patient records stolen; details included names, addresses, social security numbers.

  • What facilitated the data breach: negligent security practices. Hackers were able to bypass the company’s security measures, insert sophisticated malware in the computer network to copy and transfer the patient data to hackers.

  • What could’ve helped minimize the damage: data encryption, enhanced network security and controls.

According to governmental sources, CHS has worked with federal law enforcement and computer security experts to take protective measures and to prevent future intrusions of this type. It also offered free identity theft protection and credit monitoring services to affected individuals.

 

  1. eBay data breach

  • Sector: online services (auctions)

  • Damage: About 145 million eBay users’ sensitive data (customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth) was compromised. 

  • What facilitated the breach: the attackers managed to acquire some of eBay’s employees’ credentials that gave them access to the companies’ network.

  • What could’ve helped minimize the damage: better awareness of security threats among employees, several protection layers at various points – end-user machine, server and network level.

  1. Sony Pictures data breach

  • Sector: entertainment (film industry)

  • Damage:  sophisticated malware infiltrated the company network, and leaked online high-quality screening copies of AnnieFuryMr. Turner, Still Alice, and The Interview, sales projections for a number of TV shows, company budgets, IT security plans and access credentials, personal information of employees and artists working with Sony, as well as payroll and compensation data. The number of affected individuals is still unknown.

  • What facilitated the breach: poor security practices like keeping log-in credentials in a folder named “passwords,” decentralized files, financial files with no password protection and company servers without encryption. 

  • What could’ve helped minimize the damage: better (at least basic ones!) security practices and tighter network controls.

The damages listed above for each case are only the immediate, measurable ones. What can also account as company damage are the law suits that may follow – such as the ones that followed the Home DepotSony Pictures and eBay breaches – and lowered customer trust that, in the long run, can turn into real threats to a company’s endeavors.

 

Final thoughts…

No industry or company is spared. Where there’s sensitive information to profit from, there’s the possibility of hacks. And where human factor is involved, there’s the possibility of human error. That’s the reality.

In light of these 2014 hacks, what companies can and should do for better chances of preventing such breaches is to address the issue from both the human and the technology perspectives. In other words, provide proper security education to employees and implement strict security policies that include encryption of data at entry point and in transit, and multiple network security layers. Where there are third-party systems tied to the company network, better communication and collaboration between the company and the providers is a must.

Subscrine to OEM Hub

Find me on:

Emma Ban

Emma Ban is a Content Writer at Bitdefender. Having worked in the industry for more than three years, in both B2C and B2B areas, she has a deep understanding of the online threats that put at risk the security of both consumers and corporations. Thus, her main focus is to provide insights into security technology trends that enable safe environments for companies and their employees. She thoroughly enjoys traveling and has a special interest in fashion technology.

Topics: Threats, Network Security, Endpoint Security