Its malware, designed to target only Siemens SCADA systems, damaged Iran’s nuclear program by destroying an estimated 984 uranium enrichment centrifuges. The attack has been attributed to a joint effort by the US and Israel, although never officially acknowledged as such.
Date: Throughout 2010
Impact: Undisclosed information stolen
Details: Security experts are unanimous in saying that the most troubling thing about the VeriSign breach, or breaches, in which hackers gained access to privileged systems and information, is the way the company handled it – poorly. VeriSign never announced the attacks. The incidents did not become public until 2011, and then only through a new SEC-mandated filing.
As PCWorld put it, “VeriSign buried the information in a quarterly Securities and Exchange Commission (SEC) filing as if it was just another mundane tidbit.”
VeriSign said no critical systems such as the DNS servers or the certificate servers were compromised, but did say that, "access was gained to information on a small portion of our computers and servers." It has yet to report what the information stolen was and what impact it could have on the company or its customers.
14. Home Depot
Date: September 2014
Impact: Theft of credit/debit card information of 56 million customers.
Details: The hardware and building supply retailer announced in September what had been suspected for some weeks – that beginning in April or May, its POS systems had been infected with malware. The company later said an investigation concluded that a “unique, custom-built” malware had been used, which posed as anti-virus software.
In March 2016, the company agreed to pay at least $19.5 million to compensate US consumers through a $13 million fund to reimburse shoppers for out-of-pocket losses, and to spend at least $6.5 million to fund 1 1/2 years of cardholder identity protection services.
The settlement covers about 40 million people who had payment card data stolen, and more than 52 million people who had email addresses stolen. There was some overlap between the groups. The company estimated $161 million of pre-tax expenses for the breach, including the consumer settlement and expected insurance proceeds.
Date: October 2013
Impact: 38 million user records
Details: Originally reported in early October by security blogger Brian Krebs, it took weeks to figure out the scale of the breach and what it included. The company originally reported that hackers had stolen nearly 3 million encrypted customer credit card records, plus login data for an undetermined number of user accounts.
Later in the month, Adobe said the attackers had accessed IDs and encrypted passwords for 38 million “active users.” But Krebs reported that a file posted just days earlier, “appears to include more than 150 million username and hashed password pairs taken from Adobe.” After weeks of research, it eventually turned out, as well as the source code of several Adobe products, the hack had also exposed customer names, IDs, passwords and debit and credit card information.
Sign up for CIO Asia eNewsletters.