With apologies to Al Stewart, 2014 could be referred to as the “Year of the Hack.”
Data theft is the costliest trend in cyber crime, with corporations’ and medical facilities’ information always at risk of being compromised by those who would look to steal it and, in many cases, sell it to other criminals.
Among insurers, Cyber Liability coverage remains as hot a topic of conversation as ever, with more carriers every week releasing news of new products offering coverage to protect businesses from data thieves. Yet while many insurers are still attempting to one-up each other in terms of policy offerings, not many exhibit a large appetite for this risk. Even with more than enough capacity to go around in the P&C market, the limits for Cyber risk are not nearly as high as they could be.
One reason for this is that, for all the headlines made this year, lessons are still being learned from affected clients’ brief but sizable loss histories. Cyber losses may often be of low frequency, but high severity—and despite the best security controls money can buy, no client is truly safe. If a data thief wants your information, it’s likely they’ll get it. It’s only a question of how long it will take.
However, one thing is certain: More than one major company took it on the chin in 2014 – and more will surely follow this holiday season and in the year to come.
The United States Postal Service (USPS) (November)
After nearly two months of suspicious activity on U.S. Postal Service networks that neither postal workers nor customers were apprised of, it was finally revealed on Nov. 10 that the personal information of more than 800,000 USPS employees had been compromised.
The employee data included names, dates of birth, Social Security numbers, addresses, dates of employment and other personal information. Approximately 100 servers and their workstations were compromised.
Officials believe some basic customer information was likewise put at risk, including 2.9 million customer complaints stored on a server that held those customers’ names, addresses, phone numbers and email addresses. U.S. Postal Service cyber-security official Randy Meskanic, however, said customer payment data was not affected.
“At this time, we do not believe that Postal Service transactional revenue systems in Post Offices, as well as on USPS.com where customers pay for services with credit and debit cards, were affected by this incident,” Meskanic said during his testimony before Congress at a House oversight hearing. “There is no evidence that any customer credit card information from retail or online purchases, change of address or other services was compromised.”
The breach was first detected by the U.S. Computer Emergency Readiness Team on Sept. 11. Investigators maintain they worked in secret under advice from the FBI in order to not tip off the thieves, Meskanic said.
“It is an unfortunate fact of life these days that every organization connected to the Internet is a constant target for cyber intrusion activity,” Postmaster General Patrick Donahoe said in a statement. “The United States Postal Service is no different. Fortunately, we have seen no evidence of malicious use of the compromised data and we are taking steps to help our employees protect against any potential misuse of their data.”
Home Depot (September)
Home Depot revealed in September that hackers began accessing its network in April via a third-party vendor's user name and password, then deployed malware on the company’s self-checkout systems to access card information of customers at its U.S. and Canadian stores between April and September. The card information for some 56 million shoppers was compromised, along with 53 million e-mail addresses.
The company is facing 44 civil lawsuits related to the breach, and may face more litigation from customers, banks, shareholders and other parties. It is also facing investigations by several state and federal agencies.
The hardware giant said in a quarterly filing with the Securities and Exchange Commission that it anticipates a fourth-quarter breach-related expense of about $27 million, but only some $6 million after insurance.
Home Depot carries $100 million in coverage for breach-related expenses, with a $7.5-million deductible.
"Our investigation of the data breach is ongoing, and we are still in the process of assessing the financial and other impacts of the data breach," the company said in a statement this week. "It is possible that we will identify additional information that was accessed or stolen."
JPMorgan Chase (October)
On Oct. 2, JPMorgan Chase, the nation’s largest bank, publicly acknowledged in a U.S. Securities and Exchange Commission (SEC) filing that it had suffered a cyber breach. In the brief filing, it stated that the data of approximately 76 million households and 7 million small businesses, including user contact information (names, addresses, phone numbers and e-mail addresses) and internal JPMorgan Chase information relating to those users, had been compromised.
Bloomberg reported that Russian hackers were to blame for an attack on the U.S. financial system in mid-August, stealing data from JPMorgan Chase and at least one other bank—breaches the FBI is investigating as possible retaliation for government-sponsored sanctions, according to sources.
The New York Times reported on Oct. 3 that nine other financial institutions had also been infiltrated by the same group of Russian hackers, according to sources.
Chase says in a posted FAQ that it sees no evidence that customers’ account numbers, passwords, user IDs, dates of birth or Social Security numbers were compromised during the breach. The company also said that, unlike what has been seen in recent attacks on retailers, “we have seen no unusual fraud activity related to this incident.”
However, the thieves gained access to a list of every application and program the bank uses to protect its servers, which could enable them to perform similar attacks in the future by exploiting potential security flaws in those programs.
In any case, it’s worth noting that while breach notification laws differ by state, banks are not required to report data breaches unless the incident results in financial losses to customers.
Community Health Systems (August)
Community Health Systems (CHS), which operates 206 hospitals across the U.S., announced in August that information on 4.5 million patients had been compromised by hackers in China, including patients’ names, Social Security numbers, physical addresses, birthdays and telephone numbers.
CHS’ hospitals operate in 28 states, most notably in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas. Any patient who received treatment from a doctor’s office tied to a network-owned hospital in the last five years was affected.
Hackers did not manage to garner information related to patients' medical histories, clinical operations or credit cards.
However, the pilfered information is protected by the Health Insurance Portability and Accountability Act, the federal health records protection law, which means that state attorneys general could bring suit for damages. Additionally, under state laws, patients could sue the hospital network for negligence.
Target (January)
In January, Target announced that its December 2013 breach, during which credit and debit card information from 40 million customers was stolen, was actually even worse than executives had thought. The retailer revealed that 70 million customers’ names, mailing addresses, phone numbers and/or email addresses had also been compromised.
“I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this,” Gregg Steinhafel, Target’s chairman, president and chief executive officer, said in a statement upon releasing this news. Steinhafel, a 35-year company man, stepped down four months later.
All told, Target’s expenses caused by the breach were more than $200 million, although it did collect on the full $90 million for which it was insured through Ace Ltd., AIG, Axis Capital Holdings Ltd., and four other insurers.
Michaels (January)
Just weeks after news of the Target breach, arts & crafts/framing retailer Michaels announced that between May 2013 and January 2014, information from payment cards of 2.6 million customers of Michaels and 400,000 of its subsidiary, Aaron Brothers, had been compromised by criminals using highly sophisticated malware.
The affected systems contained certain payment card information, such as payment card numbers and expiration dates, about both Michaels and Aaron Brothers customers. “There is no evidence that other customer personal information, such as name, address or PIN, was at risk in connection with this issue,” the company said in a FAQ it released in April, in connection with its investigation.