top 10 information security breaches of the history
DESCRIPTION
Top 10 security breachesTRANSCRIPT
Top 10 Information Security breaches of the history
Heartland Payment Systems, 2008-2009: 130 million records compromised
In early 2009, this Princeton, New Jersey-based payment processor announced the largest data
breach ever to affect an American company. Heartland's breach exposed information from
approximately 130 million credit and debit cards to cybercriminals.
Malware planted on Heartland's network recorded card data as it arrived from retailers. Because the
company processed payments for more than 250,000 businesses across the country, the impact
was huge.
In 2010, Albert Gonzalez, the convicted mastermind behind the Heartland breach (as well as another
huge breach), was sentenced to 20 years in prison — the longest sentence ever handed down for
computer crime in a U.S. court.
Target Stores, 2013: 110 million records compromised
In December 2013, retail giant Target confirmed that hackers had infected the company's payment-
card readers, making off with approximately 40 million credit and debit card numbers that had been
used at Target stores in the United States during the 2013 post-Thanksgiving shopping surge.
In January 2014, Target announced that the contact information — full names, addresses, email
addresses and telephone numbers — of 70 million customers had also been compromised. Some of
those customers probably also had credit-card data compromised in the earlier breach, but it's
possible that as many as 110 million people were affected by the Target breaches.
Sony online entertainment services, 2011: 102 million records compromised
In April 2011, attackers whose identities are still unknown targeted the PlayStation Network that links
Sony's home gaming consoles, as well as Sony Online Entertainment, which hosts massively
multiplayer online PC games, and the Qriocity video- and music-streaming service.
Initially, Sony said that only the personal information of 78 million PlayStation Network users — login
credentials, names, addresses, phone numbers and email addresses — had been exposed. But the
tally of compromised accounts rose by 24.6 million when investigators discovered the attackers had
also penetrated SOE and Qriocity. The credit-card data of approximately 23,400 SOE users in
Europe was also stolen.
Following the initial breach disclosure, the PlayStation Network went dark worldwide for more than
three weeks. In May 2011, Sony estimated its cleanup costs — which included fighting 65 class-
action lawsuits brought against the company — at $171 million.
National Archive and Records Administration, 2008: 76 million records compromised
Not all data breaches are the result of criminal activity. In late 2008, a hard drive at the National
Archive and Records Administration (NARA) stopped working. It held the names, contact information
and Social Security numbers of 76 million U.S. military veterans.
Instead of being destroyed on-site, the drive was sent for repair to a government contractor, which
determined the drive could not be fixed — so it was sent it out to be scrapped. It is not clear whether
the drive was actually destroyed.
Following complaints by an IT manager at NARA, an investigation was launched, and NARA
changed its policies to destroy all malfunctioning storage media containing sensitive personal
information.
"NARA does not believe that a breach of PII [personally identifiable information] occurred, and
therefore does not believe that notification [of the affected veterans] is necessary or appropriate at
this time," the agency told Wired News in 2009.
Anthem, 2015: 69 million to 80 million records compromised
In February 2015, Anthem, formerly known as WellPoint and the second-largest health insurer in the
U.S., revealed its customer database had been breached. Stolen data included names, addresses,
dates of birth, Social Security numbers and employment histories — everything an identity thief
might need. As many as 80 million current and former customers were thought to be affected.
Epsilon, 2011: 60 million to 250 million records compromised
In March 2011, the Texas-based marketing firm Epsilon, which handled email communications for
more than 2,500 clients worldwide — including seven Fortune 10 companies — announced
thatdatabases pertaining to about 50 Epsilon clients had been stolen.
Email addresses of at least 60 million customers ended up in the hands of cybercriminals, and more
than a dozen major retailers, banks, hotels and other companies were affected, including Best Buy,
JPMorgan Chase, Capital One Bank and Verizon.
Epsilon could not confirm exactly how many individuals were affected. Conservative estimates put
the number of email addresses stolen at 60 million, but according to the Privacy Rights
Clearinghouse, a San Diego-based nonprofit advocacy group, the number may have been as high
as 250 million.
Home Depot, 2014: 56 million payment cards compromised
In September 2014, hardware and building-supplies warehouse retailer Home Depot admitted what
had been suspected for weeks. Beginning in April or May of the same year, "carders" had infected
its point-of-sale systems at stores in the U.S. and Canada with malware that pretended to be
antivirus software, but instead stole customer credit and debit cards.
The theft may have been the largest haul of payment cards resulting from a direct attack on a
retailer, if the lower estimate from the TJX breach (see below) is accepted. But unlike the Target
theft less than a year earlier, the Home Depot theft didn't result in customers staying away, nor did it
generate quite the same media outcry.
Evernote, 2013: More than 50 million records compromised
In March 2013, users of the note-taking and archiving service Evernote learned that their email
addresses, usernames and encrypted passwords had been exposed by a security breach. No
financial data was stolen, and the company confirmed that none of the user-generated content on its
servers had been compromised.
However, as had been the case for those affected by Epsilon's 2011 breach, Evernote users who
had their usernames and email addresses stolen were vulnerable to spam emails and phishing
campaigns — some of which pretended to be password-reset emails coming from Evernote itself.
Living Social, 2013: More than 50 million records compromised
In April 2013, Living Social, a daily-deals site partly owned by Amazon, announced that the names,
email addresses, birth dates and encrypted passwords of more than 50 million customers worldwide
had been stolen by hackers. Twenty million Living Social customers whose information was stored
on servers in Asia were not affected.
TJX Companies Inc., 2006-2007: At least 46 million records compromised
When it was discovered in 2007, the TJX data breach was the biggest theft of consumer data ever in
the United States, affecting the parent company of several major retail brands, including Marshalls,
T.J. Maxx and HomeGoods. At least 45.6 million credit and debit card numbers were stolen over an
18-month period, but some estimates put the number at closer to 90 million.
About 450,000 TJX customers also had their personally identifiable information stolen, including
driver's license numbers. The breach ultimately cost the Framingham, Massachusetts-based
company $256 million.
The TJX hackers included Albert Gonzalez, who was cooperating with law-enforcement
investigations into earlier data thefts when he took part in both the TJX breach and the even larger
Heartland Payment Systems attack two years later.
Honorable mention: Sony Pictures Entertainment, 2014: Company's inner workings completely
exposed
On Nov. 24, 2014, staffers at Sony Pictures Entertainment, the movie and television production
division of Sony, had their computer screens hijacked by a grinning skull. A group calling itself
Guardians of Peace said it had taken over the corporate network and would release detailed
company information online if unspecified demands weren't met.
Within days, gigabytes of internal Sony Pictures data appeared on file-sharing sites, including Social
Security numbers and scanned passports belonging to actors and executives, internal passwords,
unpublished scripts, marketing plans, financial and legal information and even four entire unreleased
Sony movies.
The company's 6,800 employees, plus an estimated 40,000 other individuals the company had paid
over previous years, were placed at dire risk of identity theft, and rival Hollywood studios got a
detailed blueprint of Sony Pictures' accounts, future plans and internal workings.
Some rumors blamed North Korea, others disgruntled insiders. Whatever the cause, the incident
threatened the very survival of Sony Pictures Entertainment as a company and may be the most
damaging corporate data breach ever.