Technology has never been as advanced as it is today. With the technology revolution and the advances that have been made, it is more difficult than ever to keep personal information private. That being stated, it is also easier than ever for hackers to steal information. Moreover, this is not the simple information that systems used to store; it is private, personal information that could cause serious harm if stolen and leaked. Major corporations and institutions have been impacted by data breaches and cybersecurity threats. This research will explore a timeline of companies that have been affected by data breaches from 2006 to today.
It is truly incredible to see how far technology has come since the early 2000s. Apple and other companies have changed what technology was once understood to be, so much so that consumers now use their faces to unlock their phones. This advancement, as great as it is, gives hackers more ability to gather information than ever before. "Companies believe traditional methods of protecting their infrastructure will keep the 'bad guys' away. But, with employees using devices like tablets, smartphones, and laptops to conduct business, hackers have more opportunities than ever to gain access to critical information" (Levine, 2015). There is a common misconception that keeping hackers out of a company's technology is all that is needed to avoid being hacked. According to the president and CEO of Digital Guardian, hackers know that this mindset is ineffective and exploit it (Levine, 2015). In order to prevent these types of attacks on a company, an organized structure needs to be in place.
In order to stay compliant and safe, the National Institute of Standards and Technology (NIST) created a basic framework that organizations can follow to protect themselves from data breaches and hacks. The framework examines the company in depth, with surveys and guidelines that should be followed in order to have the best protection. NIST 800-171 is a set of guidelines that applies to all "nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations" (Ross, Viscuso, Guissanie, Dempsey, & Riddle, 2015). This framework will be referenced throughout this paper, as it pertains to the companies that will be explored.
TJX Companies, Inc.
In 2006, TJX Companies, Inc. was hacked in what became one of the first major breaches of the 21st century. TJX Companies include Bob's Stores, HomeGoods, Marshalls, and T.J. Maxx (Roberts, 2007). According to a company statement, "Hackers may have made off with credit and debit information from transactions in the United States, Canada, and Puerto Rico in 2003 as well as transactions between May and December 2006" (Roberts, 2007). Over a year after the breach, the company finally revealed that 45.6 million credit and debit card numbers had been stolen (Vijayan, 2007). At the time, the TJX compromise was the worst ever in terms of loss of personal data (Vijayan, 2007). The interesting part of this breach is that data was still being accessed after the breach had been discovered. In its filing, TJX stated that "its systems were first accessed illegally in July 2005 and then on several occasions later in 2005, 2006 and even once in mid-January 2007 — after the breach had already been discovered" (Vijayan, 2007). It took months for investigators to discover how the attackers were able to gain access to so much information. In September of 2007, officials discovered what had happened:
"The intruders who broke into TJX's networks and stole data involving more than 45 million credit card and debit card numbers first gained access to the company's systems via poorly protected wireless local-area networks — as some have previously theorized. The break-ins happened at two Marshalls stores in Miami.
The stolen information was accessed from the Retail Transaction Switch (RTS) servers that were responsible for processing and storing information related to customer transactions at TJX stores. The data compromised by the breach included driver's license numbers and other personally identifiable information related to payment-card and merchandise return transactions for which a receipt was not present" (Vijayan, 2007).
Because this period was just the beginning of the technological revolution, it is hard to imagine how badly this affected the company. Surprisingly, customers and retail sales were barely affected. The stock price barely decreased either, only by a few cents (Vijayan, 2008). Since the hackers in this breach were gathering information for months, it seems clear that TJX was not actively monitoring the security of its stores. NIST 800-171 section 3.11.2 states that companies should scan for vulnerabilities in the information system (Ross et al., 2015). If TJX had periodically checked for vulnerabilities, the hackers may not have been able to access the massive amounts of data that they did, and the breach could potentially have been stopped in its early months. Another section of NIST 800-171 that could have assisted TJX is 3.12.2, which states "Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems" (Ross et al., 2015). Such a plan could have spared the company from being caught off guard and paying about $1 billion over the course of a few years (Vijayan, 2008). The company seems to have come a long way since the 2006 hack, but other companies did not learn from TJX's mistakes, which is why this research continues with the top 10 data breaches of the 21st century.
Sony's PlayStation
In 2011, Sony suffered a breach of the company's gaming network. "This led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts in what is one of the largest-ever Internet security break-ins" (Baker & Finkle, 2011). Sony's gaming systems were hacked, and the online subscribers' information was exploited. "The hackers entered the network by taking over the PC of a system administrator, who had rights to access sensitive information about Sony's customers. They likely did that by sending the administrator an email message that contained a piece of malicious software that got downloaded onto his or her PC" (Baker & Finkle, 2011). The company notified the public a few days after the breach, for which it received serious backlash (Baker & Finkle, 2011). Many people were not pleased that the company waited so long to notify them of potential credit card theft; earlier notification could have helped them avoid some problems. Sony discovered the hack was performed by LulzSec, a splinter group of the hacker collective Anonymous (Gaudiosi, 2014). This hacking group was responsible for exploiting famous organizations' lack of cybersecurity protection.
"The motive of the LulzSec hacking gang wasn't to make money. In that sense, they were very different from many of the online criminals encountered today.
However, they were set on amusing themselves at the expense of embarrassed organizations, disrupting websites and – in the worst cases – exposing the personal information of innocent people.
Of course, those actions could have costly financial consequences for the companies and individuals who were unfortunate enough to be caught up in the attacks and data breaches" (Cluely, 2013).
After this attack on Sony, which cost the company more than $250 million (Gaudiosi, 2014), it still did not learn its lesson, suffering more breaches in the months and years to come. Gaudiosi states that Sony may have been so vulnerable to an attack because its operations are siloed and do not have much protection (2014). "Sony didn't address its organizational issues fast enough after the 2011 hack, Miliesky says. 'From that moment on, their CIO should have implemented corporate-wide protection measures and beefed up info-sec training for employees that would be standardized across the organization,' he says" (Gaudiosi, 2014).
This would have been the perfect opportunity for Sony to use NIST 800-171 to review and restructure its cybersecurity framework. Obviously, the company needed guidelines in order to protect itself moving forward, especially because it was already perceived as vulnerable.
US Office of Personnel Management
Between 2012 and 2014, the personal information of over 20 million federal employees was stolen by a group said to be from China (Armerding, 2017). Since the employees are federal workers, background checks must be conducted at the time of hire, involving incredibly in-depth, personal information. "OPM and the interagency incident response team have concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation database" ("Cybersecurity Resource Center," n.d.). Unfortunately, people felt the wrath of this data breach. One victim had to freeze his bank account after someone spent thousands of dollars at Best Buy in his name; he described the experience as "exhausting and frustrating" (Naylor, 2016). With this kind of information at stake, it is surprising how unprepared OPM was. According to Armerding, there were "plenty of early warnings about how vulnerable the department was," especially because there were no employees who handled cybersecurity until 2013 (2016). Section 3.2 of NIST 800-171 covers awareness and training of employees. Obviously, it is imperative that businesses have trained personnel in case of a breach like this, which is why it is interesting that OPM did not have employees in this profession for so many years. If the agency had followed 3.2.1 of NIST 800-171, which states "Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems" (Ross et al., 2015), it could have avoided this attack. The department also lacked encryption, had no inventory of servers and databases, and lacked awareness of the systems connected to its networks (Armerding, 2016).
A year after the breach, OPM director Beth Cobert explained that there had been a lot of changes since the attack. The department stepped up its cybersecurity, including two-factor authentication and tools to detect malware, and the government is now able to see all the devices connected to the network (Naylor, 2016). In an effort to heal the damage caused, OPM has discussed offering lifetime identity theft protection as part of federal benefits (Naylor, 2016). Offering this option to federal workers should give them peace of mind if something like this were to happen again. Although the department was completely unprepared, it was a lesson learned, and the agency is licking its wounds. OPM is taking huge steps to fix the past and protect itself moving forward.
Target
During the holiday season of 2013, Target stores had a not-so-cheery experience. Hackers broke into the retailer's systems, stealing millions of customers' credit card details. Unfortunately for Target, once the hackers were in the network, there was nothing anyone could do to stop them from accessing the cash registers in every single Target store ("Inside Target Corp., Days After 2013 Breach," 2015). The breach was first believed to have lasted from after Thanksgiving 2013 to December 6, but Krebs later reported it lasted until December 15 (Riberio, 2013). "In the Target incident, 40 million credit and debit card numbers and 70 million records of personal information were stolen. The ordeal cost credit card unions over two hundred million dollars for just reissuing cards" (Shu, Tian, Ciambrone, & Yao, 2017). There are different theories that explain how this breach happened, since Target has still not released this information (Shu et al., 2017). The theory with the most evidence and support is that the initial breach did not actually occur inside Target but at a third-party vendor called Fazio Mechanical Services (Shu et al., 2017). According to this theory:
"Attackers first penetrated into the Target network with compromised credentials from Fazio Mechanical. Then they probed the Target network and pinpointed weak points to exploit. Some vulnerabilities were used to gain access to the sensitive data, and others were used to build the bridge transferring data out of Target. Due to the weak segmentation between non-sensitive and sensitive networks inside Target, the attackers accessed the point of sale networks" (Shu et al., 2017).
Fazio Mechanical is a small heating company in Pennsylvania that had worked with Target in the past and suffered a breach of its own, according to Krebs (2015). The Fazio Mechanical breach is what allowed the hackers to gain access to a private network and remotely connect to Target's network ("Inside Target Corp., Days After 2013 Breach," 2015). After the attackers were connected and had gained access to the systems they needed, they installed malware that gathered the credit card data (Radichal, 2014). The data was saved to a .dll file and stored in a temporary NetBIOS share over ports 139, 443 or 80 (Radichal, 2014). Target, being such a major corporation, stated that it had passed security tests earlier in the year and spent a great deal of money on security technology (Radichal, 2014). "Despite the fact that they purchased expensive monitoring software, staff was not sufficient, not well-trained or inadequate processes turned those systems into a liability rather than an asset when it was determined that Target was notified, but did nothing to stop the breach" (Radichal, 2014). Under NIST 800-171, having individuals trained to handle these types of situations is part of the framework, and risk assessment is a key aspect of it (Ross et al., 2015). Target could have evaluated itself against this section of NIST and been more prepared for the attack; doing so would have meant scanning its systems for vulnerabilities and identifying them (Ross et al., 2015). If Target had done this, the company could have identified the vulnerabilities in its POS system. Analyzing the systems could have revealed flaws, possibly the very ones the attackers exploited (Radichal, 2014). The Target breach could potentially have been stopped if the company had analyzed its systems' weak points.
Target paid almost $20 million in settlements for the breach, not including all the other fees associated with lawsuits (Masunaga, 2017).
Yahoo
Yahoo is the victim of the biggest data breach in history. In September 2016, Yahoo announced that the names, emails, birthdays, and telephone numbers of 500 million users had been stolen by a "state-sponsored actor" (Armerding, 2017). In December of 2016, the company stated that a different group of hackers had compromised 1 billion usernames, birthdays, emails, and telephone numbers, as well as addresses, passwords, and security questions (Armerding, 2017). Almost one year later, in October of 2017, Yahoo revised the earlier claim, stating that all 3 billion user accounts had this information compromised (Armerding, 2017). Three billion accounts, including email, Tumblr, Fantasy, and Flickr, were all compromised (Larson, 2017). In March 2017, the Department of Justice announced that four people had been indicted in connection with the hack, including two Russian spies (Brown, Glover, Mallonee, & Kopan, 2017). This was the first time the United States had ever indicted anyone from the FSB for cyber-crimes (Lawerence, 2017). The hackers broke into Yahoo's database, then used it to forge credentials (Lawerence, 2017). "They tricked Yahoo servers into recognizing them as an account holder who had essentially stayed logged in. The maneuver, appetizingly called 'cookie minting,' allowed them to read the contents of some 6,500 Yahoo accounts without even needing a password or username" (Lawerence, 2017). Surprisingly, Yahoo's security team and senior executives were aware of the 2014 attack and made minimal efforts to solve the problem (Kan, 2017). The company notified 26 users and did not investigate the incident any further (Kan, 2017). Yahoo could potentially have minimized this breach if executives had followed NIST more closely. Some key aspects they should have focused on are awareness and training, incident response, and risk assessment. NIST 800-171 section 3.2 is awareness and training (Ross et al., 2015).
This section stresses making users aware of the security risks associated with their activities. If Yahoo had required regular password changes, it could have saved many victims from being hacked. Yahoo should have made users aware of the risks and advised them on what to do to ensure their security. Given how large Yahoo is, it is assumed that a massive amount of money is put into its security systems. After the first attack, this money should have been spent on section 3.6. Instead of the business executives putting the bare minimum of effort into the 2014 breach, the company should have followed the incident response framework from NIST 800-171: "Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities" (Ross et al., 2015). If the executives had done more than notify just 26 users, the breach could have been less serious. Yahoo has suffered from bad PR due to this incident, as it was the largest data breach in history. The breach also impacted a deal Yahoo had with Verizon Communications (Kan, 2017). Yahoo was in the process of being sold to Verizon, and after the incident $350 million was taken off the original offer (Kan, 2017). Additionally, the company is facing about 43 lawsuits (Kan, 2017). After this incident, it will be shocking if Yahoo does not invest the money in setting up a stronger cybersecurity platform, possibly by using NIST 800-171.
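As an added example (not code from the original paper or from Yahoo), the following Python sketches a defender's answer to the "cookie minting" problem described above: "stay logged in" cookies that carry the id of the key that signed them, so that rotating a key suspected of being stolen rejects every cookie minted under it and records those rejections for incident review. The class name, cookie format and field names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionCookieAuthority:
    """Issues and checks HMAC-signed "stay logged in" cookies.

    Hypothetical design for illustration, not Yahoo's actual scheme. Each
    cookie names the key that signed it (kid). If that key is suspected
    stolen, rotate() retires it: every cookie minted under it, whoever
    minted it, is rejected on next use, and such rejections are recorded
    so a burst of them across many accounts stands out in review.
    """

    def __init__(self, key: bytes, max_age: int = 30 * 24 * 3600):
        self.keys = {1: key}        # kid -> signing secret
        self.current = 1            # kid used for newly minted cookies
        self.retired = set()        # kids that may never verify again
        self.max_age = max_age      # seconds a cookie stays valid
        self.retired_key_uses = []  # (user_id, kid) of rejected stale/forged cookies

    def mint(self, user_id: str, now: Optional[int] = None) -> str:
        issued = int(time.time() if now is None else now)
        payload = {"uid": user_id, "iat": issued, "kid": self.current}
        body = _b64(json.dumps(payload, separators=(",", ":")).encode())
        sig = hmac.new(self.keys[self.current], body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(sig)}"

    def verify(self, cookie: str, now: Optional[int] = None) -> Optional[str]:
        """Return the user id for a valid cookie, otherwise None."""
        now = int(time.time() if now is None else now)
        try:
            body, sig_text = cookie.split(".", 1)
            payload = json.loads(_unb64(body))
            uid, issued, kid = str(payload["uid"]), int(payload["iat"]), int(payload["kid"])
            sig = _unb64(sig_text)
        except (ValueError, KeyError, TypeError):
            return None  # malformed cookie
        key = self.keys.get(kid)
        if key is None:
            return None
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None  # signature does not match: tampered or wrong key
        if kid in self.retired:
            # Correctly signed under a key we no longer trust: either a stale
            # session or a cookie minted with the compromised key. Reject and log.
            self.retired_key_uses.append((uid, kid))
            return None
        if now - issued > self.max_age:
            return None  # expired
        return uid

    def rotate(self) -> int:
        """Retire the current key and start signing with a fresh random one."""
        self.retired.add(self.current)
        self.current += 1
        self.keys[self.current] = secrets.token_bytes(32)
        return self.current
```

Rotation also logs out every legitimate user whose cookie was signed under the retired key, which is the price of invalidating anything minted with a stolen secret.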
JP Morgan Chase
In July 2014, the nation's largest bank, JP Morgan Chase, suffered an attack that affected over 70 million households and 7 million small businesses (Armerding, 2017). The bank confirmed that personal information, including addresses, names, social security numbers, and emails, had been compromised (Lewis, 2014). The bank is the victim of the largest theft of customer data from a financial institution in US history (Crowe, 2015). "Gery Shalon, Joshua Samuel Aaron, and Ziv Ornstein were charged in a 23-count indictment" for the incident (Crowe, 2015), "including unauthorized access of computers, identity theft, securities and wire fraud and money laundering that netted them an estimated $100 million. A fourth hacker who helped them breach the networks was not identified" (Armerding, 2017). JP Morgan spent $250 million on computer security, but the hackers were still able to get in through a bank employee's login information (Goldstein, Perlroth, & Corkey, 2014).
"Most big banks use a double authentication scheme, known as two-factor authentication, which requires a second one-time password to gain access to a protected system. But JPMorgan's security team had apparently neglected to upgrade one of its network servers with the dual password scheme, the people briefed on the matter said. That left the bank vulnerable to intrusion" (Goldstein et al., 2014).
For a company that spends millions of dollars on cybersecurity, it is surprising that such a simple task was not completed. This is a basic part of cybersecurity, and it is part of NIST 800-171; the company should have been more prepared. In fact, the Federal Bureau of Investigation initially thought Russia was responsible for the attack, because a breach was not expected to have happened for such a simple reason (Goldstein et al., 2014). The frightening aspect of this breach is that it was such a simple thing that could have been prevented. Although the company spends a lot of money on cybersecurity, it seems it was not following the NIST framework, for if it had been, two-factor authentication would have been in place on that server. Although the company failed at protection and security, it excelled at incident response. Section 3.6.1 of NIST 800-171 states "Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities" (Ross et al., 2015). After the attack, JP Morgan implemented a business control group. The group included executives from technology and cybersecurity backgrounds who are able to "assess the fallout to prevent hackers from breaching its network in the future" (Goldstein et al., 2014). According to a study by the Ponemon Institute, the average data breach costs about $154 per record (Howden, 2015). If that study is correct, then for the 83 million records that were compromised, the breach should have cost JP Morgan about $12.782 billion (Howden, 2015). This must have been a major hit on the bank, but at least the company is implementing new security teams to prevent anything like this from happening again.
eBay
The eBay data breach in May 2014 is the third largest in history, compromising 145 million users (Armerding, 2017). According to eBay, the hackers gained access to the site by compromising the log-in credentials of three employees (Armerding, 2017). The information stolen consisted of users' names, addresses, passwords, and dates of birth, but did not include any credit card information, as that data is stored elsewhere (Armerding, 2017). The attackers gathered information on the employees by tricking them through social media (Coty, n.d.). According to SC Magazine, the attackers would look up employees who worked at eBay and, through other sites, gather more information on them, such as email addresses (Coty, n.d.). The attackers then sent the employees an email with a link that, when clicked, installed malware onto the computer and gave the attackers complete control of it (Coty, n.d.). The attack went on for months before eBay was aware of the situation. The website was attacked in February, and the breach was not discovered until May, which concerned many users (Kelly, 2014). In order to prevent further hacks, eBay told users to change passwords regularly and make them unique (Kelly, 2014). There are a few ways in which following the NIST structure could have helped eBay prevent this attack. The first is section 3.1, access control, which covers who should have access to the network (Ross et al., 2015). This requirement states that the company should "limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)" (Ross et al., 2015). This could have helped the company because the hackers would not have been able to identify who had access to the internal network, or at least it would have been harder for them to do so. In eBay's case, every employee was a potential target, which is a large attack surface to have.
If the company had followed this framework, it could have prevented the malware email that was sent to the employees. Another section of NIST that could have helped eBay is section 3.17, maintenance (Ross et al., 2015): "Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete" (Ross et al., 2015). This could have prevented the hackers from gaining control from an outside computer. Maintaining passcodes by updating them regularly, and telling users to do so as well, could also have affected the attack on the company. Another section of NIST that eBay could have used is section 3.8, media protection. This section advises companies to limit access to CUI to authorized users only (Ross et al., 2015). This could have prevented hackers from gaining so much information from any employee's email. Overall, the breach resulted in a decline in user activity but did not have much impact on the company's bottom line (Armerding, 2017).
Adult Friend Finder
In October 2016, the second largest breach in history compromised more than 400 million accounts on the adult content website Adult Friend Finder (Armerding, 2017). The hacker is said to be from Thailand and was very confident, being out of reach of law enforcement in the United States, and therefore continued to post Adult Friend Finder records (Ragan, 2015). The hacker stole addresses, emails, language, sex, race, and birth dates from users, just to name a few fields (Ragan, 2015). "Using the handle ROR[RG], the hacker claims to have breached the adult website out of revenge, because a friend of theirs is owed money – $247,938.28. They later posted a $100,000 USD ransom demand to the forum in order to prevent further leaks" (Ragan, 2015). This hack also affected users' social lives, since some users were married or in a relationship and wanted their use of this website kept secret (Ragan, 2015). The hackers were able to access the network's sites through a local file inclusion exploit that was sent to users (Dickey, 2016).
"FriendFinder messed up in a few ways. For one, the company either stored user passwords in plaintext, without any protection or hashed them using the notoriously weak SHA1 algorithm, according to LeakedSource. The company also kept logins for a site they don't even run anymore (FriendFinder sold Penthouse.com to Penthouse Global Media in February). FriendFinder also retained email and passwords for over 15 million people who had deleted their accounts" (Dickey, 2016).
If the website had followed the NIST structure, this hack could have been prevented and the customer base could have been saved. After the incident, the company hired FireEye to conduct a proper investigation and prevent this from happening in the future (Ragan, 2015).
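To show the difference the quoted report draws between unsalted SHA1 and proper password storage, here is an added Python example (not code from the paper or from FriendFinder) built on a constructed credential table and wordlist: it measures how much of an unsalted SHA1 table falls to a single dictionary pass, then shows a salted PBKDF2 scheme with constant-time verification and an upgrade-on-login path for legacy hashes. The user names, passwords and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a credential table kept the way the quote describes:
# unsalted SHA1 of the password. Hypothetical users and passwords, not data
# from any real breach.
WEAK_TABLE = {
    "alice": hashlib.sha1(b"summer2016").hexdigest(),
    "bob": hashlib.sha1(b"summer2016").hexdigest(),
    "carol": hashlib.sha1(b"hunter2").hexdigest(),
}

# Small constructed wordlist standing in for a public leaked-password list.
COMMON_PASSWORDS = [b"password", b"123456", b"summer2016", b"letmein"]

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 floor for PBKDF2-HMAC-SHA256


def unsalted_sha1_crack_rate(table: dict, wordlist: list) -> float:
    """Fraction of accounts recovered with one SHA1 computation per word.

    Because the hashes carry no salt, one precomputed digest per candidate
    password is compared against every account at once, and two users who
    chose the same password share the same stored value.
    """
    digests = {hashlib.sha1(word).hexdigest() for word in wordlist}
    hits = sum(1 for stored in table.values() if stored in digests)
    return hits / len(table)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow, self-describing hash: 'pbkdf2_sha256$iters$salt$key'."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, key_hex = stored.split("$")
        salt, rounds = bytes.fromhex(salt_hex), int(iterations)
    except ValueError:
        return False  # not in our format
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(key.hex(), key_hex)


def needs_rehash(stored: str) -> bool:
    """True for legacy values (bare SHA1 hex) that should be upgraded to the
    salted scheme on the user's next successful login."""
    return not stored.startswith("pbkdf2_sha256$")


def upgrade_legacy_login(table: dict, user: str, password: str) -> bool:
    """Check a login and, if the entry is still a legacy SHA1 value, replace
    it in place with the salted hash so the weak value is never stored again."""
    stored = table.get(user)
    if stored is None:
        return False
    if needs_rehash(stored):
        legacy = hashlib.sha1(password.encode()).hexdigest()
        if not hmac.compare_digest(legacy, stored):
            return False
        table[user] = hash_password(password)
        return True
    return verify_password(password, stored)
```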
Equifax
In 2017, Equifax suffered a breach exposing the personal information of 143 million consumers (Armerding, 2017). This information included Social Security Numbers, birth dates, addresses, drivers' license numbers, and credit card data (Armerding, 2017). The access occurred from May to June of 2017 and was not announced until September (Ragan, 2017). The CEO stated that the breach "occurred because of both human error and technology failures. These mistakes – made in the same chain of security systems designed with redundancies – allowed criminals to access over 140 million Americans' data" (Swanson, 2017). Hackers first gained access to the website in May of 2017 and continued to access private information through a vulnerability in the system (Swanson, 2017). According to the CEO, major security scans failed to identify the vulnerability in the system, Apache Struts (Swanson, 2017). Because of this, the vulnerability remained in the system for much longer than it should have (Swanson, 2017). The company received a lot of backlash for the way the breach was handled, especially for waiting months to notify users of the attack (Armerding, 2017). The scary part of the delay in notifying users is that this information could have been sold on the black market in the meantime. Unfortunately, the information is out there, and there are only a few things that can be done to prevent it from being wrongfully used. If Equifax had followed the NIST framework, the vulnerability could potentially have been spotted. Also, by following NIST, the appropriate way to disclose the breach to the public would have been followed, which would have lessened the backlash the company received for handling the breach the wrong way. The investigation is still ongoing, and users are urged to freeze their credit and be extra cautious.
Companies need to follow NIST 800-171 in order to decrease their vulnerability to breaches. The breaches in this paper affected both companies and individuals, and the only way to stop them is through proper preparation. It is evident that these breaches are only going to worsen as time goes on, so it is important to be prepared. The companies in this paper are just a handful of examples of what can happen in data breaches, especially with technology being where it is today. Hopefully, in the future, companies will follow the NIST 800-171 framework and be able to protect themselves and their customers moving forward.