Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Worst security breaches of the year 2014: Sony tops the list

Tim Greene | Dec. 19, 2014
As 2014 winds down, the breach of Sony Pictures Entertainment is clearly the biggest data breach of the year and among the most devastating to any corporation ever.

As 2014 winds down, the breach of Sony Pictures Entertainment is clearly the biggest data breach of the year and among the most devastating to any corporation ever.

Attackers broke in and took whatever they wanted, exfiltrating gigabytes and gigabytes of documents, emails and even entire movies, apparently at will for months and months on end.

Posting the stolen data and the celebrity nature of much of it has resulted in a public relations nightmare for the company. It revealed snarky personal comments never meant to go public as well as personal information such as Social Security numbers and salaries and competitive information about projects in progress.

The scenario is any corporate IT security pro's worst fear being pwned and hung out to dry publicly. Add to that lawsuits being filed against Sony by former employees seeking damages they say they suffered because the company failed to adequately protect the data.

Whereas most breaches are carried out for profit such as theft of credit card information this attack was intended to hurt its victim as much as possible on multiple fronts and has been very successful.

Many of the big for-profit breaches involved compromises of the credit/debit card swiping machines at retail stores, among them Target, Home Depot, Neiman Marcus, Michael's and PF Chang.

A common way the crooks got in was by infiltrating trusted business partners and stealing legitimate credentials for accessing the victims' networks. Once inside, they moved from machine to machine until they reached the subnets containing point-of-sale machines, which they infected with scrapers to steal card numbers and expiration dates.

Sony's woes dominate headlines about hacks, there were some other significant break-ins this year. Here are a few of them briefly described.

Sony

Data compromised Seemingly everything stored in the network.

How they got in Unknown. Speculation ranges from an attack launched in a Thailand hotel to an inside job.

How long they went undetected Unknown.

How they were discovered On Nov. 22 employee computers received messages threatening public distribution of stolen data and displays of skulls on their screens.

Target

The Target breach happened last year but the important details came out this year so it's included here.

Data compromised 40 million credit and debit cards, 70 million phone numbers, mailing addresses and email addresses.

How they got in Hacking the credentials of a legitimate business associate, an HVAC company, to get on Target's network, then installing malware on point-of-sale machines.

How long they went undetected About two weeks.

How they were discovered The Department of Justice told them about it, but anti-malware software flagged the problem as well.

Home Depot

Data compromised As many as 56 million credit cards put at risk, 53 million email addresses

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.