2014 in Data Breaches

2014 has been called “The Year of the Data Breach,” and for good reason. This year saw not only some of the most wide-reaching breaches yet, like the August attack on JPMorgan Chase affecting 76 million households and seven million small businesses, but also breaches that incited consumer and media interest like never before, particularly the year-end attack on Sony. Consumer credit card data were compromised at numerous restaurants and retailers. This year also witnessed a multitude of targeted attacks aimed at U.S. businesses, the attackers’ objectives ranging from stealing financial data to impeding companies’ day-to-day operations. U.S. organizations suffered more data breaches this year than last, and the frequency of breaches will likely continue to increase in 2015. Here is a month-by-month wrap-up of 2014’s biggest cybersecurity stories:

January: Neiman Marcus and Michaels
2014 has been known for its slew of credit card breaches at major retailers, and January set that tone right away. Neiman Marcus fell victim to a data breach that exposed 1.1 million payment card numbers after malware was installed on its point-of-sale (POS) systems. Similarly, Michaels was forced to replace POS devices after criminals physically altered or replaced the machines in order to steal about 2.6 million card numbers over the course of nearly nine months. Even as POS malware becomes increasingly sophisticated, the physical security threat of payment card skimmers remains a problem.

February: Variable Annuity Life Insurance Company
774,723 clients of the insurance company were affected after a former employee stole a thumb drive containing their personal information, including names and full or partial Social Security numbers.

March: Spec’s
Spec’s, a Texas liquor store chain, fell victim to a data breach that exposed the credit card data of 550,000 customers at 34 locations.

April: Aaron Brothers
A subsidiary of Michaels, Aaron Brothers also experienced a data breach this year. Its POS devices were infected with malware that went undetected for eight months, resulting in the theft of 400,000 customers’ credit card data.

May: Paytime
The personal and financial information of over 200,000 individuals was breached in the attack on payroll company Paytime, which is facing a class-action lawsuit as a result.

June: P.F. Chang’s and Montana Department of Public Health and Human Services (DPHHS)
Consumer credit card data was stolen from 33 P.F. Chang’s locations for about eight months leading up to June, the restaurant chain confirmed in August. The freshly stolen card numbers went up for sale on the Dark Web black market, putting customers at high risk of fraud. June also saw the disclosure of a database breach at the Montana DPHHS, which exposed 1,062,509 patient records. 

July: Goodwill
868,000 customer credit card numbers were exposed in this attack, caused by malware installed on the third-party payment system used by certain Goodwill franchises. This breach reveals the importance of vetting any third parties you hire, researching their security history and requesting to see documents detailing their security measures.

August: JPMorgan Chase and Community Health Systems
Attackers ferreted their way into JPMorgan’s network through an overlooked server that the company had intended to upgrade to two-factor authentication. Customer data including names, addresses, emails, and phone numbers were compromised. This puts impacted JPMorgan customers at heightened risk of phishing attacks for years to come. Phishing is favored by cybercriminals due to its low cost, low effort, and high effectiveness. Also in August, attackers from the Chinese professional hacking group APT 18 exploited the Heartbleed vulnerability to access Community Health Systems’ network, exposing the personal information of 4.5 million patients.

September: Home Depot
The Home Depot breach, caused by malware installed on the company’s payment system, compromised the account data and email addresses of around 56 million cardholders. The attack began in April 2014 but remained undiscovered until September, highlighting the silent and furtive nature of malware attacks.

October: Oregon Employment Department (OED)
Due to a vulnerability in their web applications, attackers were able to access personal information, including Social Security numbers and other data found on job applications, of 851,322 Oregon jobseekers.

November: Staples
In November, Staples conducted an investigation (on which they recently provided an update) into a data breach impacting around 1.2 million cardholders.

November/December: Sony Pictures Entertainment
The hacker group Guardians of Peace took credit for this attack that leaked 100 terabytes of Sony’s data including employee information, unencrypted internal communications, and unreleased films. The financial fallout of the attack is estimated at $100 million, not to mention the cost of the damage to Sony’s reputation.

2014 saw some of the most extensive (and expensive) data breaches to date. Credit card information, in particular, was siphoned off by criminals in unprecedented quantities. These retail breaches of 2014 constitute a cautionary tale in favor of improved payment card security. Several breaches, like those at Michaels and P.F. Chang’s, continued undetected for several months, reflecting the importance of regular security assessments. The longer a breach persists, the more expensive and damaging it becomes.