Breaches and hacks are becoming more and more frequent in the digital age, and the price of recovery keeps growing. Click through to read about five of the most infamous examples of large-scale cybercrime.
South Carolina Dept. of Revenue
Government departments collect an abundance of personally identifiable information, including social security and credit card numbers used by taxpayers, which makes the departments obvious targets for cybercrime. South Carolina’s Dept. of Revenue exposed 3.6 million SSNs to a hacker in during a series attacks beginning on October 10, 2012 and ending on September 13, 2012.
The vast majority of the credit numbers were encrypted, but about 16,000 were not. None of the SSNs were encrypted. The hacker used a foreign IP address to gain access to the data. No public funds were put at risk, and an investigation into the breach is still ongoing. The Hawkins Law Firm is targeting Governor Nikki Haley, the S.C. Dept. of Revenue and the data security firm Trustwave in a lawsuit for failing to protect citizen information.
Anyone who filed a South Carolina tax return since 1998 is urged to find out if they were among those affected. The state is providing one year of credit monitoring and identity theft protection to victims.
TJX Cos. Inc. and Heartland Payment Systems
In July 2005, 94 million credit cards and more than 450,000 personal records including driver’s license and SSNs were exposed in a hack of TJX, the parent company of T.J. Maxx, Marshalls, HomeGoods and other similar stores. One theory is that hackers gained access through the company’s in-store job application kiosks, which were not protected by a firewall. Another is that the data was stolen during a wire transfer between two Florida stores. TJX settled a related lawsuit with Visa for $41 million and other costs were incurred while dealing with regulatory
In 2008, Heartland Payment Systems, a payment processing company, discovered spyware installed on data systems allowed 134 million credit cards to be obtained. The company paid settlements of $60 million with Visa, $3.5 million with American Express, $4 million in consumer class action lawsuits and more than $26 million in legal fees. Albert Gonzalez, ringleader of both breaches, was sentenced to 60 years in prison in March 2010. Eleven others were arrested on related charges.
This online media organization posted 90,000 classified military documents for public viewing on its website. Julian Assange, an Australian publisher and activist, launched WikiLeaks in 2006 and designed the site to be untraceable and uncensorable. Anyone can submit information anonymously.
The documents were submitted by Bradley Manning, a U.S. Army soldier with access to classified information databases. He used his security clearance to copy the documents onto CDs and USB drives. The White House called the leak publication “irresponsible,” and there were fears that details such as names of frontline soldiers could be released and possibly endanger lives. Assange and supporters consider WikiLeaks a system for whistleblowing and uncovering corrupt actions of institutions and governments.
Manning was arrested in May 2012 on suspicion of having passed the classified materials to WikiLeaks. He was charged with communicating national defense information to an unauthorized source and aiding the enemy. The trial is expected to begin February 2013.
In the spring of 2011, Sony suffered back-to-back hacks that left more than 84 million accounts from Sony Online Entertainment and PlayStation Network users at risk. The cyber attack compromised information such as names, addresses, e-mail addresses, birth dates, gender, phone numbers, credit card numbers (including expiration dates), logins and passwords.
These attacks spanned multiple countries and also left 12,700 non-U.S. customers’ personally identifiable information vulnerable. The information was stored in what Sony called “an outdated database from 2007.” In an attempt at compensation, the network gave all of its customers 30 days of additional subscription time and 30 free days of premium PlayStation Plus service. A class action lawsuit, Thompson v. Sony Computer Entertainment, was filed May 2011 in the name of persons who purchased a console, suffered loss of service and had personally identifiable information stolen.
RSA Security provides SecurID authentication tokens to customer networks for security. However, a hack in March 2011 resulted in a speculated 40 million stolen employee records. Hackers posed as individuals and companies familiar to employees to try to gain their trust and gain network access to secured segments of the network. This hack ironically proved that even security companies are not immune to breaches.
The company initially claimed that no customer networks were breached, but subsequent attacks on Lockheed-Martin, L3 and others were believed to be partially related to the RSA crime. RSA offered to recall and reissue customer security tokens in the event that attackers stole technology allowing them to generate valid tokens.
Worried about the saftey of your business's data? Read "Wi-Fi and Mobile Devices Add to Cybercrime Cost and Confusion" by Shannon Frech, including an interview with Travelers' enterprise cyber lead.