On the occasion of October’s Cyber Security Awareness Month, we revisit three of the largest data breaches ever to make the headlines.
Data breaches happen. The more the data under your management, the greater the price you’ll pay in lost business, litigation, and ill will. But all businesses — from mom-and-pop shops to Fortune 100s — can stand to learn from these epic disasters.
Heartland Payment Systems
The Haul: 130 million credit/debit card accounts compromised
The Attack: On January 20, 2009, Heartland Payment Systems announced that it had been “the victim of a security breach within its processing system in 2008.” Within days, Heartland’s stock price dropped 50 percent, sinking nearly 80 percent by early March.
The Exploit: Cybercriminals attacked Heartland using SQL injection. A web form on the company’s site unwittingly allowed access to Heartland’s corporate network, where more extensive damage was done. Cyber-intruders spent almost six months attempting to access the processing network, bypassing multiple anti-virus defenses to install sniffer software that was able to capture payment card data in transit.
The Response: Heartland adopted a set of aggressive data security policies and measures, including end-to-end card data encryption and more stringent PCI compliance. Heartland also helped establish the Payments Processing Information Sharing Council (PPISC), a forum for banks and payment processors to share information about breaches.
The Aftermath: Cybercriminals struck Heartland again in May of 2015, this time by breaking into a payroll office in California (part of a company Heartland recently acquired) and physically stealing 11 computers. This theft compromised the personally identifiable information of 2,200 people. While that’s only a tiny fraction of the records breached in 2008, the break-in showed the need to encrypt data ASAP after an acquisition.
The Haul: 110 million credit/debit card accounts stolen
The Attack: While the world learned about the massive data breach at retail giant Target in mid-December 2013, the attack actually started three weeks earlier, on November 27, 2013. Target employees discovered the breach, notified the U.S. Justice Department on December 13, and hired a third-party forensic team to successfully mitigate the attack, though not before cybercriminals stole more than a hundred million customers’ personally identifiable information. The timing of this exploit — starting on or around Black Friday — made for especially bad publicity.
The Exploit: Attackers apparently sent phishing emails to several Target vendors to hijack their access to Target’s corporate networks. These emails unleashed Trojans that intercepted vendor login credentials, which the cybercriminals used to access Target’s servers and ultimately its Point of Sale (POS) systems. Once there, perpetrators installed specialized malware to grab credit/debit card information with each swipe of a magnetic strip.
The Response: Target’s response was far-reaching. Changes implemented include beefed-up monitoring and logging of system activity, management tools and application whitelisting for its POS systems, tightened firewall rules and policies, and new restrictions on vendor access to its network.
The Aftermath: Still, for all their effectiveness, these measures came too late to prevent the damage inflicted on the company and its customers. Target announced last March a proposed $10 million settlement for a class-action lawsuit which, if approved, would allow each impacted customer to receive up to $10,000 in damages.
Sony Online Entertainment Services
The Haul: 102 million user records compromised
The Attack: Sony reported a cyberattack on its home gaming PlayStation Network in April of 2011, estimating that the personally identifiable information of 78 million PlayStation users was compromised, including login credentials, names, addresses, phone numbers, and email addresses. Remarkably, the same attackers — who later identified themselves as the hacker group LulzSec — went on to break into the media titan’s multiplayer PC game service Sony Online Entertainment and music streaming service Qriocity Video. This raised the number of compromised personally identifiable information beyond 102 million.
The Exploit: LulzSec used the same type of SQL injection exploit as used to break into Heartland’s network, and stole credit card data from 23,400 users in Europe, all together making this campaign the third-largest data breach in history.
The Response: As with Target, Sony’s response evolved rapidly as the situation unfolded. At the attack’s onset, the company took its PlayStation Network offline for more than three weeks and offered its subscribers free identity theft protection services and 30 days of premium-level Playstation Plus to try to staunch cancellations. Sony later outlined new measures the company had taken, including encryption, new internal threat detection systems, and other strengthened security measures, in a letter to the House Committee on Energy and Commerce.
The Aftermath: Sony made the news again in November 2014, when a new attacker brazenly commandeered its Sony Pictures Entertainment network. A different group, calling itself the Guardians of Peace (GOP), claimed responsibility for this attack. Not only did the heist cost Sony Pictures as much as 100 TB of sensitive data, but the GOP went on to release selected batches of this data — most notably unreleased movie content and embarrassing emails from executives — online. The true identity of this group remains unresolved, though speculation is rampant, with suspects ranging from North Korean agents and cyber-anarchists to disgruntled Sony employees.
Okay, we all know that big companies are cybercrime targets. How does this relate to small businesses? Well, according to a Data Breach Investigations Report released by Verizon in 2013, small businesses are the victims of 81 percent of data breaches. So while all three of the companies featured here have survived, smaller companies — with their constrained budgets and resources — might not be so lucky.
At the very least, businesses of all sizes need to fortify their digital assets in three ways:
- Formulate an official company security policy and make sure all employees — from executives to temps — agree to understand and uphold them. Had Heartland, Target, or Sony set standards for web site and email security, they may well have thwarted their attackers.
- Closely monitor accounts and account activities for unusual behavior, whether manually or with the help of software. Systematic internal threat monitoring was implemented at all three of these companies after they were breached. Other companies can head off pain and suffering by deploying such systems in anticipation of future attacks.
- Actively share information about intrusions and suspicious activities with others to stem the spread of rampant cybercriminal campaigns. PPISC provides SMBs that aren’t in the payment processing business a model for exchanging this kind of information.
Managed service providers can play a vital role in preventing malicious attacks by offering their SMB clients security audits, policymaking services, and employee workshops, either in combination with other services or as standalone services. There may also be value in creating a PPISC-type of service for sharing information about suspicious activities among small businesses.
Let’s face it: these kinds of attacks will only grow more rampant and more brazen over time. Helping small businesses ward off cybercrime today could make the difference between long-term success and a tragic early exit for your customers.