If you thought hacking and security are a relatively new phenomenon, think again. In 1903, magician and inventor John Nevil Maskelyne disrupted Ambrose Fleming’s public demonstration of a purportedly secure wireless telegraphy technology by sending insulting Morse code messages in what is now known as the first hack. Since then, the severity and number of hacking scandals, data breaches, and cyber warfare campaigns has risen dramatically.
In this article, we examine the top hacks and data breaches of all time including: eBay, Heartland Payment Systems, Target, Sony, NARA, Home Depot, and JP Morgan Chase. We look at the vulnerabilities, how they occurred, and how they can be prevented through technology solutions and information security best practices.
Largest Data Breaches in History
eBay – 150 Million Records (2014) As of writing this article, the largest data breach in history belongs to eBay. In 2014, the company suffered a massive breach that exposed information on more than 150 million users. eBay asked all of its customers to reset their passwords but insisted that no financial data such as credit card numbers had been compromised.
Hartland Payment Systems – 130 Million Records (2009) Heartland Payment System. In 2009, Princeton, NJ payment processor acknowledged that credit and debit card information from 130 million records had been exposed to cybercriminals. How was the hack orchestrated? Malware was planted on Heartland’s network and it recorded card data as it arrived from retailers. In 2010, Albert Gonzalezwas convicted and sentenced to 20 years in prison for the crime. It is the longest prison term on record for computer crimes in the United States.
Target Stores – 110 Million Records (2013) Target was the “target” of a vicious hacking scandal in 2013 that resulted in hackers stealing credit card and personal information from 110 million customers. Are data breaches costly? Ask Target. The company paid more than $150 million in a single quarter and is projected to pay more than a billion dollars over time as a result of the hack. In addition, Gregg Steinhafel, the former chief executive, resigned in May 2014.
Sony Online Entertainment Services – 102 Million Records (2011) Sony has had more than its fair share of hacking related trouble. In 2011, hackers targeted the PlayStation Network and 102 million records were exposed. Sony had initially reported that personal information such as login information, names, addresses, phone numbers, and email addresses of some 78 million users was exposed. It was later discovered that hackers had penetrated credit card data of approximately 23,400 users.
National Archive and Records Administration – 76 Million Records (2008) It is not just large corporation that get hacked. In 2008, more than 76 million Social Security Numbers of U.S. military veterans were stolen as a result of security protocol missteps taken by the National Archive and Records Administration (NARA).How could such a thing happen? It just so happened that a hard drive at the NARA stopped working and was sent to a government contractor for repair. The contractor determined that it could not be repaired and the drive was scrapped. However, it is unclear whether or not the drive was ever destroyed. I think it is safe to assume it was not.
Epsilon – 60 Million to 250 Million Records (2011) In 2011, Epsilon was entangled in a hacking scandal which has been labeled by many as the “hack of the century.” Epsilon, a leading marketing company, managed email campaigns for more than 2,200 global brands and sent out more than 40 billion emails annually.It could have been worse or could it? According to Epsilon, the information obtained by hackers was limited to email addresses or customers names. However, outside sources speculated that information including reward points had been exposed.
Home Depot – 56 Million Records (2014) In 2014, hackers stole 56 million payment card details and collected more than 53 million email addresses of people that shopped at Home Depot between April and September 2014 in the U.S. and Canada. Home Depot found that its network which handles payment card data was compliant with data security standards in the fall of 2013 but was undergoing certification for 2014 when the data breach occurred. It was later found that it was not in compliance with those standards.
Cost of Not Spending on Data Security
What makes a corporation, organization, or government agency vulnerable to hacking and data breaches? Is it an unwillingness to spend on information security or are hackers that good? I would venture to say both.
Company officials are often quick to point out that they missed certain warning signs – that they could have done more to prevent such attacks. Unfortunately, doing nothing can lead to severe consequences such as fines, lawsuits, and customer distrust. Not to mention lowered sales revenues and profitability.
The most expensive data breaches in history include Heartland Payment Systems who shelled out $140 million in fines and settlements. TJ Maxx estimated that their breach would cost $25 million. However, the total costs are thought to be more than ten times as high with a price tag of $256 million or more. The Target breach far exceeds anything seen before with costs estimated to be in the $1 billion range.
Don’t forget the consequences for employees, management, and executive leadership. There are major shakeups in management after a breach such as the CEO of Target stepping down. Third party vendors are also impacted as their reputation is often dragged through the mud.
How Hackers Hack: Common Hacking Tools
Each year, thousands of companies both large and small are hacked. The most common hacking techniques include: malware, spyware, Trojan horse programs, SQL injections, denial of service (DoS), and packet sniffers.
According to Norton, malware is a category of malicious code that includes viruses, worms, and Trojan horses. Malware can be loaded on to a computer or sent through email and instant messages. Trojan horses can also be acquired from websites and virus infected files downloaded from peer-to-peer connections. One of the goals of malware is to go unnoticed by the user or the system.
Spyware is a type of malicious software that is spread around the Internet with the intent of serving advertisements, collecting personal information, or changing the configuration of your computer.
A type of malware, Trojan horse viruses masquerade as a benign application. Trojan horses are broken down into different subcategories based on how they breach systems and the damage they cause. There are seven major types of Trojans: remote access, data sending, destructive, proxy, FTP, security software disabler, denial of services attacks (DoS).
A SQL injection is a code injection technique used to attack data-driven applications. SQL stands for Structured Query Language and is used to communicate with a database. It is the standard language for relational database management.
The goal of a SQL injection is to embed malicious SQL statements into an entry field for execution such as to dump the database contents to the hacker. In this case, think Excel Spreadsheet and the formulas you can insert to perform a task.
Distributed Denial of Service (DoS) Attack
The goal of a denial-of-service (DoS) attack is to shut down a machine or network resources and render it unavailable for its intended users. Typically, data breaches are preceded by a denial of service attack. The largest recorded DDoS attack was 400 Gbps against an unnamed company and their servers in Europe.
Network administrators have been using packet sniffers for many years to monitor their networks and perform diagnostic tests. Regardless of where the hackers are located on the network, they can use packet capturing or packet sniffer software for breaching data during transmission.
Password Cracks & Social Engineering
A list of the most commonly used passwords can be easily found online. There are password cracking tools and software. This is how Guccifer, a world famous hacker, was able to hack numerous high-ranking government officials including former President George W. Bush.
Social Engineering on the other hand is the practice of using spoofed emails and websites to get users to disclose username, account, and password information.
Cyber Warfare Unleashed
You cannot write an article about hacking without at least mentioning cyber warfare. Wars are no longer fought on the battlefield. They are fought with armies of state sponsored hackers known as cyber forces. The largest cyber armies in the world include: North Korea, China, United States, United Kingdom, Russia, and Iran.
For years, cyber warfare has been used to conduct sabotage and espionage against governments, officials, and public and private corporations. Cyber warfare has targeted missile guidance systems, power grids, nuclear reactors and more.
Want to see cyber attacks in real-time? The website NORSE allows visitors to watch live attacks as
they happen across the globe. The map displays attack origins, targets, and types.
Netari Global Communications Group