The great but terrifying thing about the security world is that it’s never peaceful. Security breaches occur at rapid rates, companies are being intruded on having their networks taken offline, while hackers and security professionals are at the forefront of an battle against each other. In 2014 a peaceful moment was hard to come by. There was an endless parade of severe vulnerabilities scouring the web, high-profile data breaches, government sponsored hacking attacks and a swath of security breaches around the world. The year was filled with a lot of Heartbleed, Shellshock, POODLEs and a lot of late nights for network administrators. Through the endless pain, the end nears for 2014, and hey, the networks are still standing and we are still online!
As the year is coming to an end, we thought it best to wrap up the worst data breaches of 2014, some affecting individuals while others left companies in ruins and absolutely devastated. Here is FreedomHacker’s countdown starting from the top 10, enjoy!
10) Country of Germany: 18 Million Users Email Credentials Leaked Online
Early April a German pres outlet broke news of a massive data breach, the hacking and public leak of private German citizen data included within email credentials. Also included in the leak was data belonging to major Internet corporations for numerous other countries, what the data contained was not released.
The source of the email breach was never pinpointed, but many custom .com domain emails were also leaked online.
Not only did the hackers hijack millions of email accounts they sent amass of spam emails and hijacked financial data found throughout emails in users mailbox. Attackers hijacked mailing portals, stole financial information, and leaked the information online for others to wreak havoc on.
The second largest e-commerce retailer in the world (at the time), eBay, suffered a data breach of over 145 million active users credentials. Information stolen included emails, physical addresses, encrypted passwords and dates of birth. The company assured customers no financial information such as credit cards or PayPal information was stolen in the breach.
The company said they not see any unauthorized access on breached accounts but forced users to reset their passwords as an added security precaution.
8) P.F. Chang’s Hacked: Restaurant Suffers 9 Month Long Credit Card Breach
33 PF Chang’s restaurant locations were found infected with card stealing malware infecting their point of sale systems. Hackers stole an unknown number of payment cards and began selling them on an underground marketplace before the restaurant was aware their systems had been compromised.
Some 33 locations were infected starting from October 2013 to mid June 2014, spanning over 20 states nationwide. United States Secret Service notified P.F. Chang’s of the breach but gave no additional information on the number of cards affected in the breach.
In a bizarre turn of events, nearly five million Google mail/Gmail account credentials were leaked online. In a FreedomHacker exclusive story, the author details that nearly 5 million Gmail account credentials were leaked online. Throughout a number of tests users found their credentials to be leaked online with the correct matching password while others claimed their old passwords were leaked.
Google published a statement later that day claiming the Gmail security team found no evidence of their systems being compromised. Many speculated a number of other low quality sites may have been hacked and people who reuse passwords across those sites had their credentials leaked online. Due to the attack, WordPress.com had to reset over 100,000 user accounts due to the leaked credentials matching those of their WordPress.com login.
Mid November the United States Postal Service (USPS) suffered a costly data breach, affecting all 800,000 of their employees. Personal information stolen in the breach included names, e-mail addresses, phone numbers, and minimal information customers provided to the USPS corporate support center.
The FBI identified the attack originated from China, blaming the country for stealing the large number of employee documents and minimal customer data. The attack occurred the same day President Barack Obama arrived in Beijing for a high-level meeting with China’s president, ironically to try and discuss their cyber-attacks.
Prior to the breach, the United States Secret Service had issued a number of statements warning companies of highly-skilled government-backed Chinese hackers, and their plans to begin attacking U.S. businesses.
5) Home Depot: 6 Month Breach, Every Store Infected, and 56 Million Credit Cards Stolen
In the highlight retailer data breach of the year, Home Depot made their debut when nearly every store (99.4% of stores to be exact) became infected with point-of-sale malware.
The card stealing malware resided on the companies network taking over each store gradually sending the attackers stolen credit and debit card information for over a six month period. It was estimated to set the company back $62 million for investigation costs, credit monitoring for affected customers, increased call center staffing, legal and professional services, among various other fees. The company was also estimated to be offset by a $27 million insurance reimbursement.
4) Israeli Defense Firms Hacked, Critical Missile Documents Stolen in Data Breach
Three Israeli defense contractors housing detailed schematics of information on anti-ballistics missiles, information about rockets, and a trove of critically sensitive documents were comprised by hackers in a data breach dating back to 2011 and 2012, reports showed in 2014.
A Maryland-based threat intelligence firm identified that Chinese-based attackers were able to hack into the firms’ networks and breach a large amount of sensitive documents pertaining to the iron dome, the anti-missile defense system. Companies affected were Elisra Group, Israel Aerospace Industries, and Rafael Advanced Defense Systems, all high-profile aerospace-based companies.
3) JPMorgan Chase Bank: Severe Attack Affects 76 Millions Customers and 7 Million Businesses
In possibly the largest financial institution hack of all time, and especially of 2014, JPMorgan Chase bank suffered a massive data breach affecting 83 million customers in total.
Hackers comprised over 90 internal servers housing the amass of financial data for businesses and households around the United States. Hackers gained access to the banks network by infecting an employee computer with higher privileged network access, shortly after, hackers compromised several more servers through the network.
Hackers could have caused a far more devastating breach federal officials said, but such ill intentions did not occur.
The massive attack promoted JPMorgan Chase bank to upgrade their cybersecurity budget by 50%, raising it to $500 million. The massive breach also prompted New York financial regulators to send a letter urging banking institutions to heavily audit their security protocols currently in place and in the future.
The Chase bank breach defiantly put financial institutions security in the spotlight in 2014.
In one, if not the largest celebrity leak of all time, hundreds of celebrities had their nude photos leaked online. In August, The Fappening made its debut, leaking the nude photos of Jennifer Lawrence, Kate Upton, Kaley Cuoco and countless others. Several waves of The Fappening came later, leaking revealing photos of Kim Kardashian, Cara Delevingne, Anna Kendrick, Nina Dobrev, Daisy Lowe, Nicola Peltz, Sarah Shahi, among countless others over the course of four months.
How did hackers gain access to all these A-list celebrities nude photos? Hackers hijacked celebrities iCloud and other cloud storage provider accounts in a specifically targeted attack. Apple concluded an investigation and noted celebrities iCloud accounts were hacked due to weak passwords, not a vulnerability in their service. Due to the outrage and massive leak of celebrity photos Apple swiftly implement 2 factor authentication, requiring a second level of authentication before being able to log into the account.
The Fappeneing died off late November and the hackers remained anonymous yet the FBI continues to investigate.
1) Sony Hack: Attackers Steal Just Under 100TB of Sensitive Data Including Emails, Passwords, Trade Secrets and More…
In what we all thought was going to be the hack of the year, The Fappening, celebrity nudes fell just short of the massive Sony Pictures Entertainment hack. In a hack occurring only four weeks ago, hackers hijacked Sony’s network broadcasting images on every entertainment employees computer, forcing Sony to turn their network offline, and hijacking just under 100 terabytes of data.
Hackers demanded Sony comply with their ransom or their files would be leaked accordingly. Sony has yet to make a public statement to the hackers and instead has been dealing with the embarrassment of leaked emails, corporate secrets being leaked and pulling their own film, The Interview, to comply with hackers demands.
The Sony hack takes the end of the year as the number one breach of 2014, trumping all others due to its severity, the size of breach and the backlash the company has suffered. The company is still dealing with the severe breach and appears to be dumbfounded on how to reply. Sony has begun sending legal complaints to journalists covering the topics exposed in the corporate insider breach.
The Sony Pictures Entertainment hack is still ongoing and hackers have promised more to come.
Cyber-Security defiantly took a beating this year, especially in the security breach region. Since the massive attack on the Target retailer which struck the company on black Friday in 2013 last year, point-of-sale hacking and card stealing malware has been at an all time high.
As hacks have been at an all time high, so have underground markets and fraudulent purchases. 2014 showed time-and-time again no matter how large the security budget is or how big the corporation is, any system is vulnerable.
This was FreedomHackers end of the year review for the top 10 worst data breaches of 2014, we hope to see a better security filled year this upcoming 2015!