The Six Largest IT Security Breaches of 2014

IT Security Disasters Happen

Though no organization likes to think about it (and as you’ll see below, Home Depot apparently really didn’t like to think about it), hackers do exist and IT security breaches do happen and you do need to have both proper and up-to-date security measures in place as well as disaster recovery plans.

The latest news that brings this to mind today is that according to USA Today, the Chipotle twitter account was hacked on Sunday morning and offensive tweets were sent out.  Chipotle quickly regained control of the account and apologized to its 630,000 followers and so the damage would seem to be pretty limited.  Mostly just a reputational hiccup (though the Chipotle brand people might not be as sanguine).  But in the past year there were a number of major security breaches that did have serious ramifications. Here’s a quick list of the six most prominent–you probably heard each of the names over the past year.  But even though most of these stories fade from the news quickly, the impact can be long-lasting for the organizations and customers involved.

6.  Heartbleed

This wasn’t a hack, but a security vulnerability disclosed in April 2014 in the OpenSSL cryptography library. Cybersecurity writer Joseph Steinberg claimed that, “Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.”  The bug affected many of the most trafficked sites on the internet (including Wikipedia) and affected services from Cisco and Amazon Web Services.  The Canada Revenue Agency actually shut down its online services temporarily because of Heartbleed.

5. CurrentC

In October, the CurrentC payment platform (backed by major retailers as an alternative to Apple Pay) that hadn’t even launched yet was hacked and the email addresses of everyone who had signed up were stolen.  Though no financial information was taken and the platform has continued on, having users of an electronic financial system be told “that unauthorized third parties obtained the e-mail addresses of some of you” was not a promising beginning.

4. Home Depot

In September, Home Depot suffered from the theft of 56 million credit and debit cards–the biggest data breach in retailing history.  The data showed up in black markets and worries at the time were that up to $3 billion in illegal purchases might be made with the stole information.

The New York Times reported that Home Depot didn’t take its data security seriously, even in the wake of Target having lost 40 million credit card numbers the year before:

Interviews with former members of the company’s cybersecurity team — who spoke on the condition they not be named, because they still work in the industry — suggest the company was slow to respond to early threats and only belatedly took action.

3. Celebgate

If you were living on planet earth in August of this past year, you heard about this one. Hackers targeted iCloud accounts and stole almost 500 pictures of celebrities, including the nude pictures of several female actors–which were then widely distributed online.

Aside from the betrayal of personal privacy of those in the pictures, the hack also posed challenges for Apple and its promises of security in the cloud, especially with its then-imminent launch of Apple Pay.

2. South Korea

In August, a huge data breach targeting South Korea’s gaming industry affected 220 million private records–over 70 percent of the adult population of South Korea.

1. Sony

How could we not list the Sony attack as the number one security hack of 2014?  As a targeted attack, it led to huge real-world problems for Sony.  Employees in the days following the attack were forced to work on whiteboards in their offices as workstations were inaccessible; private and embarrassing internal emails were revealed publicly; the President of the United States assigned blame to North Korea and took diplomatic action following the attack and a major motion picture was not released in the face of threats made during the breach. The fallout is still occurring, as Amy Pascal, Chair of the Motion Pictures Group of Sony, recently stepped down.

There were several other major attacks in 2014, including one targeting JP Morgan Chase. The proper lesson is not that technology is dangerous or threatening; rather, it’s that technology has vulnerabilities that certain actors will look to exploit and its worthwhile for every organization to work to deter that and plan in case it does happen.