Are hackers getting smarter, or do we need to rethink security? I ask because it's only the first quarter of the year, and it has already brought numerous data thefts from industries that are being targeted in what seems like a planned fashion.
Data breaches are not just a loss-prevention problem; they are the biggest consumer-protection issue in the industry.
Who hasn't heard about the recent Heartbleed bug in OpenSSL? It led to a breach at Canada's tax-collecting agency and the parenting site Mumsnet. The flaw left a major part of the internet exposed to hackers for over two years, and that is not all. Hackers seem to have developed a taste for targeting different industries at different times.
Who is safe on the internet? The answer: if you're a consumer, a medical patient, a student, a banker, a traveler or in government, you're definitely not.
Here, we have compiled a list of the most sensitive security breaches in the various industries that have been trending as targets for cybercriminals in 2014.
Retailers are the hardest-hit target this year
It's said the Target breach could eclipse the biggest known data theft at a retailer. The scale of this attack sparked new scrutiny of the laws governing how companies protect customer information, as well as when they should notify consumers about these thefts.
The Target security breach came into the limelight only later, in January 2014, but the breach took place earlier, in November 2013. Target (a PCI-compliant company) did not know it was breached for 2 months.
Hackers got into Target’s system by stealing the credentials of a refrigeration contractor. They then inserted software that made its way to the giant discounter’s registers, where it silently siphoned off data for as many as 40 million credit and debit cards before being caught three weeks later.
Attackers began ‘skimming’ data from credit and debit card transactions at Target’s cash registers beginning Nov. 27 and continued to do so deep into the bustling holiday shopping season. The software also found its way to another system where it stole personal data like email addresses and phone numbers for 70 million people. The company shut down the breach on Dec. 15.
On January 10th, 2014, another consumer breach, this one at Neiman Marcus, was reported by security journalist Brian Krebs.
Neiman Marcus posted a notice on its website updating its customers about the breach. 350,000 cards were breached in the incident. According to the company, the breach took place between July and October 2013, but it only found out about the breach in December (around Thanksgiving) and reported it in January.
How did the cybercriminals get hold of Neiman Marcus customer credentials? POS (point-of-sale) malware, again.
MICHAELS STORES INC
Toward the end of January, while people were still reading into the Target and Neiman Marcus cases, another breach came into the news. This time it was Michaels Stores Inc. Once again, hackers planted POS malware in the system to steal customer information.
An unknown number of credit and debit card numbers was believed to have been stolen; the estimate was 3 million.
Cyber-criminals want your Health Records as well
Number of patient health records compromised in a HIPAA data breach since 2009: 29.3 billion
Rise in the number of health records breached: 138 Percent.
And these breaches happened while the healthcare industry was HIPAA compliant.
NHS (National Health Service, ENGLAND)
In March 2014, news flashed all over the media that England's entire healthcare dataset had been made available on Google servers.
This was, relatively, the biggest breach to take place in the healthcare sector. Almost the entire healthcare dataset of England was uploaded to Google servers.
The Health and Social Care Information Centre gave the encrypted hospital records of millions of patients to the insurance industry. Management consultants uploaded the data to Google and used the Google Maps tool to produce interactive maps. This alarmed campaigners and privacy experts.
The above incident clearly shows the importance of secure data sharing and use of advanced encryption technologies.
While the actual damage remains speculative, St. Joseph Health System disclosed a data breach of approximately 405,000 records of past and current patients.
The attack, a hack into the hospital system, is believed to have happened between the 16th and 18th of December, 2013. On identifying a possible hack, the hospital shut down the server on the 18th, but the damage was done: the hacker got away with most of the patient records.
These data breaches cost more than you think, but this is how the healthcare provider made up for this breach: “Offering a free year of identity protection services to those affected.”
Educational Institutions and University Data Breaches
Universities are often soft targets for hackers, probably because of their long information-retention periods or open structure. Also, hacking into a university gives a hacker more information than any other industry, since they get hold of not just credentials but also healthcare information, payment information and more.
UNIVERSITY OF MARYLAND
The University of Maryland was allegedly hacked in January this year, with the number of compromised records initially put at 288,000. The university faced yet another data breach in March.
A letter the university published earlier this March confirmed the result of its investigation, saying the intensity of the second breach was not as high as initially calculated.
The earlier breach was a more sophisticated attack that compromised staff and student information dating back to 1998. The breach had exposed Social Security numbers, medical information, payment information and other personal information about the staff, students and their parents.
In February 2014, personal information of about 146,000 Indiana University students was accessed by three web crawlers used to improve web search capabilities. The data accessed dated from 2011 to 2014 and had been stored in an insecure location for the past 11 months.
NORTH DAKOTA STATE
The server used to store personal information about the students, staff and faculty members of NDSU was hacked in early March. This exposed more than 290,780 records containing Social Security numbers. The university said there was no evidence that the intruder accessed any of this information, but nothing was assured. The server was locked down immediately after the possible breach was discovered.
Hotels are the new Get-aways for Hackers
Hoteliers, given the volume of credit and debit card information they process, attract more hackers intent on theft.
As reported in February, White Lodging, a hotel management company that manages 168 hotels under the Hilton, Marriott and Sheraton brand names, suspected that point-of-sale systems at restaurants and lounges on 14 of its properties were compromised between March 20, 2013 and Dec. 16, 2013.
Those who stayed at Holiday Inn, Marriott and Sheraton hotels might have had their payment card details compromised in the suspected breach. The list of affected hotels:
- Marriott Midway, Chicago, Ill.
- Holiday Inn Midway, Chicago, Ill.
- Holiday Inn Austin Northwest, Austin, Texas
- Sheraton Erie Bayfront, Erie, Pa.
- Westin Austin at the Domain, Austin, Texas
- Marriott Boulder, Boulder, Colo.
- Marriott Denver South, Denver, Colo.
- Marriott Austin South, Austin, Texas
- Marriott Indianapolis Downtown, Indianapolis, IND.
- Marriott Richmond Downtown, Richmond, VA.
- Marriott Louisville Downtown, Louisville, Ky.
- Renaissance Plantation, Plantation, Fla.
- Renaissance Broomfield Flatiron, Broomfield, Colo.
- Radisson Star Plaza, Merrillville, IND.
In such attacks, attackers plant a RAM scraper on POS (point-of-sale) devices to steal consumers' payment details. These breaches are more sophisticated and cause more harm because it's money at risk.
Attacks on Banking Sector
Banks are like magnets to cybercriminals. The damage that a security breach can cause a bank is massive and long-lasting. Security is of utmost importance when it comes to banks.
In Feb 2014, Barclays began investigating a case of client data sold to rogue City traders. The case was brought to notice by the Mail, which received a memory stick containing 2000 Barclays customers' personal details from a whistleblower who claimed the data had been sold to rogue City traders. It served as a target list for boiler-room-style investment sales operations.
This dataset of 2000 customer details was a subset of 27,000 customer records that were suspected to have been compromised.
FlexCoin: Bitcoin Bank
Flexcoin shut down in March 2014 after an alleged hack in which $600,000 was stolen. The thieves stole millions' worth of bitcoins (digital money) from Flexcoin.
This happened after the Japanese bitcoin bank Mt. Gox was shut down the previous month due to a similar theft from its bitcoin reserves. Mt. Gox filed for liquidation recently.
Data breaches in other sectors of the industry
This one's the latest in the industry: LaCie (a French company that makes hard drives, is owned by Seagate and, ironically, markets itself as secure data storage) confessed this week to a year-long credit card breach at its online store.
LaCie admitted to the breach after the FBI alerted it on noticing someone swiping data from LaCie's site using malware. LaCie hired an investigation firm, disabled its online store and started notifying its customers after 11th April.
The reason for the breach was found to be a flaw in Adobe's ColdFusion software. The number of compromised credit card details is unknown, but considering the breach started in March 2013, the numbers should be huge. The breach has exposed very personal details about the customers, including their credit card numbers, expiry dates, usernames, transaction addresses and emails.
The majority of the companies suffering a breach are compliant. This clearly shows that PCI compliance is not enough to prevent a security breach in the system.
Who should we hold accountable for all these security breaches? We can't blame anyone in particular, but we can do our best to take certain precautions to prevent a security mishap.