December 17, 2014 By Jaikumar Vijayan 3 min read

Technology experts are sure to look back at 2014 as a watershed year for data breaches. Seldom has there been a 12-month period in which so many major companies experienced so many significant data compromises. The incidents have shredded assumptions about the preparedness of modern businesses to withstand cyberthreats and are sure to prompt major revisions in corporate security strategies over the next few years.

In a sense, the string of breaches began with the intrusion at Target late last year and then continued in relentless fashion through 2014, culminating with the devastating attack on Sony Pictures in late November. The following are five of the most significant breaches in terms of scope and the nature of the intrusion:

JPMorgan Chase

Few incidents caused as much consternation within the security industry and among lawmakers than the intrusion at JPMorgan Chase in September, which exposed the names, addresses, Social Security numbers and other data from a staggering 83 million account holders. Experts have warned that the personally identifiable information that was compromised in this incident could enable widespread identity theft and financial fraud for years to come. The fact that the nation’s largest bank — and a company that spends $250 million annually on cybersecurity — could still be compromised in such spectacular fashion sent shock waves through the industry and pushed some lawmakers to open investigations into cyberpractices at major banks.

Sony Pictures

November’s cyberattack on Sony is sure to go down in the annals of cybercrime as one of the worst ever in terms of scope and sheer destruction. Details of the intrusion, performed by a group called “Guardians of Peace,” are still unfolding. Still, the data that has been leaked online by the attackers suggests a complete compromise of its systems. In addition to stealing and leaking five unreleased Sony movies, the attackers have also destroyed data and leaked documents containing details on Sony’s payroll, per-employee severance costs from layoffs this year, performance reviews, executive salaries and even snarky internal email exchanges about major Hollywood actors. The breach could end up costing the company hundreds of millions in financial damages and incalculable reputational damage.

Home Depot

If the breach at JPMorgan Chase was massive, then the one disclosed by home improvement giant Home Depot in September was larger still in terms of compromised records. A total of 56 million credit and debit cards and personal information on an additional 53 million people were exposed in a weekslong intrusion at the company. Apart from its sheer size, the breach was also noteworthy for its eerie resemblance to the Target intrusion months earlier. Just like Target, the data compromise at Home Depot was set in motion when attackers stole login credentials belonging to a third-party vendor used by Home Depot. They then used those credentials to gain a foothold in the retailer’s network.

Community Health Systems

Between April and June this year, unknown intruders stole a total of 4.5 million records containing names, Social Security numbers, birth dates and other personal information belonging to patients of Community Health Systems, one of the nation’s largest health networks. The breach, executed by an advanced persistent threat group based overseas, put people in 28 states at heightened risk of identity theft. This attack highlighted the growing menace that health care organizations face from cybercriminals. Though only nonmedical patient identification data was stolen in this particular incident, security experts predict a surge in targeted attacks against health organizations in the next few years.

Michaels

A total of 3 million credit and debit cards were compromised in a data breach at arts and crafts store chain Michaels earlier this year. What made the breach noteworthy was the fact that the attackers who pulled it off managed to remain hidden on the company’s networks for eight months.

More from

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today