Turn on the evening news, and it’s likely you’ll hear a story about a security breach. Retailers, banks, social media, and health care facilities — it seems no organization is immune to attacks by cybercriminals who want to steal personal and corporate data for financial gain. Although security breaches are becoming more and more common, some breaches have been more devastating than others.
The following are some of the biggest data breaches in history — and how they could have been prevented.
TJX Companies Inc.
From 2005 to 2007, TJX Companies, which owns stores including TJ Maxx, Homegoods and Marshalls, was hacked multiple times, resulting in the loss of more than 100 million customer records. The thieves collected personal information and credit and debit card numbers from TJX customers and used that information to steal hundreds of thousands of dollars from unsuspecting victims. The breach occurred because TJX was using outdated firewall protection and encryption, as well as an old wireless network for transmitting data that did not have up-to-date security protection; criminals were able to hack into the network and skim data as it was scanned and transmitted.
In 2008, Hannaford, one of the largest supermarket chains in the Northeast, was the victim of a malware attack that compromised the financial information of more than 4 million customers. The malware was inadvertently loaded onto servers at more than 300 Hannaford stores throughout New England and collected information about customers from the magnetic strips on their cards as they were swiped at the checkout. In 2009, Hannaford was involved in a second breach, this one of payment processor Heartland Payment Systems, which processes payments for grocery stores and other retailers. The Heartland breach, also caused by malware, resulted in the information of more than 130 million credit and debit card numbers being compromised. Although it’s estimated that only 2,000 customers actually lost money on the first breach, the repeated breaches highlight the importance for robust malware protection.
U.S. Department of Veteran’s Affairs
A massive data breach involving veterans of the U.S. military in 2006 highlights the importance of a comprehensive mobile-device-management policy and the capability to remotely lock and wipe mobile devices used for business. The breach occurred when an employee of Veteran’s Affairs took a laptop home without authorization and the machine was stolen — potentially comprising the detailed personal records of more than 28 million veterans who had served since 1973; however, the VA was the victim of another, larger breach three years later, when a backup hard drive was sent for repair and recycling — without being wiped first. The drive contained the personal information of more than 76 million veterans. Again, this instance highlights the importance of diligence in removing and wiping data before disposing of used equipment.
Epsilon is an email marketing company that handles online communication for major retailers including Capital One and Walgreens. In 2011, the company’s system was hacked and more than 60 million email addresses were stolen. Criminals sent out millions of spam emails and tricked customers into supplying additional information — setting off a chain of thefts costing millions of dollars and thousands of hours spent on investigation. The Epsilon breach demonstrates the importance of maintaining adequate firewall protection and other measures to keep hackers out, as well as education of consumers on how to identify phishing and spoofing emails designed to trick them into supplying personal data.
These are just a few of the major data breaches that have affected average American consumers. Other companies, including AOL, Sony, Checkfree and TD Ameritrade have also been victims of cybercriminals who have used malware, viruses, hacking and simple theft to steal valuable information. In many cases, the criminals who steal the information sell it to other parties who use it for gain, but the effect is the same: lost money, time and consumer trust.
To avoid security breaches, organizations need to maintain comprehensive and up-to-date security policies and measures. Encryption, firewalls, virus and malware protection, and a robust mobile-device- management policy and program can protect your business from becoming the next victim and news headline.