For a number of high-profile retailers and financial institutions, 2014 turned out to be expensive. And embarrassing.
According to a survey published by the Ponemon Institute, large American retailers lost an average of $8.6B to cybercrime last year while typical financial service providers lost an eye-popping $20.8B!
Huge numbers to be sure. Who were the biggest losers, though?
While much of the damage can be directly traced to compromised credit and debit card numbers, the numbers are magnified by the loss of confidence that can be attributed to stolen social security numbers, email and physical addresses and login credentials.
One of the most interesting aspects of many of these crimes is that data is frequently stolen and held for ransom. Many cyber criminals apparently believe that companies can be made to cave in to the threat of identity theft perpetrated with information that has been entrusted to them. Two of the best examples of this from the last year were the cases involving Domino’s Pizza and the news aggregator, Feedly.
In the Domino’s case, credit and debit card records of over 600,000 French and Belgian customers were stolen and held for ransom by the hacker group, Rex Mundi. According to reports, if the company didn’t fork over $40,000, the information would be released on the open market. Ultimately, Domino’s refused to cave in to the demands and, after a few days, was able to assure its customers that no data damage had actually been done.
The Feedly case reads only slightly differently. In mid-June of last year, the news aggregator suffered a series of Distributed Denial of Service (DDoS) attacks. The attackers threatened to continue the assault unless a ransom payment was agreed to. The company refused to be bullied and the attacks stopped shortly after.
This is all very Lindbergh’s Baby/Patty Hearst (look ‘em up!), but what of the “Invaders at the Gate and They’ve Come for Our Credit Scores”, or “Dude, Where’s My Social Security Number?” variety of cyber attack? Well, 2014 had you covered there, too.
How about 83 million email and physical addresses – 76 million home and 7 million small businesses – reported stolen from J.P. Morgan Chase in late August?
Or 233 million home and email addresses, phone numbers and login credentials appropriated from eBay last spring? Fortunately for eBay customers, the company keeps financial information encrypted and separate from other user data, but this isn’t always the case.
On June 9th of last year, an unspecified number of P. F. Chang’s China Bistro customer credit and debit card numbers were offered for sale on the open market. As many as 33 of the chain’s restaurants had been compromised between early March and May 19th – a potentially huge number of transactions. While waiting for new encryption-enabled terminals to be installed, restaurants were forced to resort to the old-school method of using manual imprinters for all card transactions. Not a good way to inspire consumer confidence. In addition to this indignity, the chain is currently offering free fraud alert protection to any customer who has used a card to complete a transaction at one of their restaurants in the last eight months. What a Public Relations nightmare.
While we’re on the subject of food, let’s take a quick look at what befell Dairy Queen and a franchise of its sister company Orange Julius as reported last October. No cross country road trip or visit to the local shopping center food court would be complete without a stop at the DQ or Orange Julius, right? So it’s a shame to find out that, because of an infection of Backoff malware in 395 stores, the Minnesota based company is now offering free identity repair services to customers who suffered from identity theft because of the attack.
But these are not the largest or most widely publicized attacks of the past year.
No list could be complete without at least mentioning Sony or the kingpin, Target.
In late November, hackers assumed to be working for the North Korean government broke into Sony’s internal network exposing employment and salary records. In addition, the contents of a number of private emails that had been passed back and forth between Hollywood executives, many of them potentially embarrassing, were released as well.
As embarrassing as the very high profile Sony story might be, it pales however when compared to the ugliness perpetrated on Target. Technically, Target’s security breach happened in late 2013, but it gets credit for ’14 because of the profound residual effects of the hack in which 110 million accounts, 70 million contacts and 40 million card account numbers, were stolen. The ripple effect of this crime is still being felt today in the over $200 million dollars spent by financial institutions in reissuing cards to victims whose accounts were compromised in the hack, or the over $100 million spent by Target in the upgrade of payment terminals to newer, more secure technology. There are plenty of other numbers to drop, but you get the picture.
The numbers related to cybercrime are staggering. And they are only going to get larger. In fact, to paraphrase James Comey, the Director of the FBI, there are currently two types of companies in the US: those who have been hacked, and those who don’t know that they’ve been hacked.
The need for qualified security providers has never been higher.