The OPM data breach the U.S. government announced on June 4th qualifies as a 15 on a scale from one to 10, by the loss of credit card numbers and names. The initial estimate was approximately 4.2 million affected people, a number later changed to 18 million. Recently the number of affected people increased to 21.5 million (June 9th). But what would the 5 biggest data breaches of the last decade be, or in fact the 5 biggest ones of the 21st century so far?
Sources list various breaches when trying to establish a top ten. Such attacks rank by the amount of data stolen, by the financial losses caused, or by the importance of the precedent created. Whether we mean “biggest” in numbers, size of affected target or security field impact, here’s a suggested top 5:
5. JP Morgan Chase data breach
The breach occurred in 2014 and was the biggest event of this kind to have affected an American bank. It triggered an estimate of 83 million accounts compromised out of 76 million households. The same Russian hacker group targeted nine other major financial institutions. Amongst them were Citigroup and HSBC Holdings, but the only other company with stolen data was Fidelity Investments.
It was later considered that the bank's computer security systems were of a basic type. A simple security fix installed on a minor server in its network might also have prevented the attack. The hackers used the login credentials of an employee and entered the system, which lacked a double authentication scheme. Thus the breach comprised an attack of a simple nature, based on a minor flaw.
The attackers accessed more than 90 bank servers and it took a while to halt the attack in progress. Following the breach, JP Morgan replaced the network protection executive in charge with a former cyber-security executive at Lockheed Martin Corp.
4. Anthem security breach
Anthem, a health insurance company, the second largest in the U.S., suffered a data breach that exposed 78.8 million records. The breach was announced on February 4, 2015, and at the time it was estimated that the attackers potentially stole over 37.5 million records.
China was presumed responsible by Bloomberg News. The New York Times was the one that estimated around 80 million compromised records. The attackers supposedly used infrastructure linked to a suspected China-based state-sponsored group – Deep Panda.
Recent data tie together the OPM breach and the Anthem breach, as the same group might have carried out both attacks.
The attack was a very sophisticated external cyber-attack and it compromised the credentials of five different tech employees. Two-factor authentication might have prevented the attack, which was also characterized by persistence. Forensic analysts later assessed that it might have been a phishing attack that started the hack.
Over 100 class actions were filed in 22 states over Anthem, Inc.’s data breach. The persons whose data were stolen could have future problems linked to identity theft.
3. EBay phishing
In 2014 a huge cyber-attack compromised eBay’s main database holding user passwords. The passwords obtained were in encrypted form, but nevertheless 145 million accounts were compromised.
The attackers used phishing in an attempt to trick eBay employees into giving up important security credentials. They took over through malware that installed itself on the employee’s computer once the employee clicked an email link. This allowed the hackers to reach the targeted usernames, email addresses, physical addresses, phone numbers and dates of birth.
EBay advised users to reset their passwords and it later faced investigations over the breach that led to the identity thefts. Comments ensued that the eBay customer details that appeared for sale on Pastebin could potentially be from another company’s leak.
2. Massive American Business Hack
In 2012, 11 entities were targeted in an attack that led to the leakage of 160 million records. A hacking ring active for more than 8 years compromised over 800 thousand full bank account details.
The attack had 11 financial targets: 7-Eleven, JC Penney, Hannaford, Heartland, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard. Other victims were Nasdaq, Carrefour S.A. and Dexia Bank Belgium. The method used was a sophisticated hacking technique that installed malicious software allowing the deletion, changing and stealing of the data.
In 2013, when indicting the five hackers, U.S. Attorney Paul J. Fishman called the case the largest hacking and data breach scheme ever prosecuted in the U.S. Details of the case included the selling prices of the stolen credit card numbers: U.S. numbers sold for about $10 each, Canadian numbers for $15 and European ones for $50.
1. Court Ventures data loss
Court Ventures, a public records aggregator, was an Experian subsidiary, acquired in March 2012. It came along with the proprietor of an identity theft service, since Experian failed to conduct proper due diligence beforehand.
The acquisition provided access to records for Court Ventures customers. This eventually led to the theft of 200 million records. The criminal’s access to the US Info Search data was shut down in December 2012.
In March 2014, Hieu Minh Ngo pleaded guilty to running an identity theft business called Superget. His conduct comprised filing fraudulent tax returns on his victims and opening new lines of credit. Potentially 30 million records were affected.
All five breaches seem to have in common the human error/neglect factor. Whether it was the lack of due diligence or the improper control of big data or technology, a vital system modification or an extra amount of attention seems to be the key. Proper training of all employees, whatever their position in an organization, could minimize the human error risks.
The more sophisticated attacks are active for a longer period due to better cloaking techniques. But even in this case an up-to-date security system combined with vigilance could reduce the probability of such attacks being in progress.