In late fall, think tank Heritage Foundation released a list of cyber attacks on U.S. companies in 2014, and even our seasoned IT experts were floored. The media tends to focus on really big attacks, like the contact information for 70 million Target shoppers that was stolen in December 2013, or the 76 million individuals’ (and seven million small businesses’) contact information pilfered from Chase in June 2014.
Certainly, these mega-breaches deserve a lot of attention. However, it was not the size of the individual breaches that surprised us. It was the extent of the total picture, with attacks being lobbed across a very broad spectrum of business models, industries and sectors. Consider these examples, which exclude companies whose breaches were specific to retail:
January
Communications: Published reports indicate that the Yahoo! Mail email service for 273 million users had been hacked.
April
Communications: For a two-week period, AT&T is hacked from the inside by personnel who accessed user information, including social security information.
May
Energy and Utilities: The Department of Homeland Security reports that an unnamed public utility’s control systems had been accessed by hackers through an attack on employee log-in passwords.
June
Communications: Feedly and Evernote are hit by distributed denial-of-service attacks (malicious attempts to make a server or a network resource unavailable), with 15 million and 100 million users temporarily affected.
August
Health Care: Community Health Services (CHS) announces that hackers had accessed and presumably stolen the personal data for 4.5 million patients between April and June, compromising all of its 206 locations. The FBI warns that other health care firms are likely at risk.
Transportation Services: UPS reports that between January and August, the customer data (including financial details) from more than 60 UPS stores had been compromised.
September
Communications: The media reports that five million Gmail usernames and passwords had been compromised.
Non-Profit Sector: The media announces that between February 2013 and August 2014, data from 330 Goodwill stores—approximately 868,000 credit and debit cards—had been stolen. The culprit was malware that infected the chain through its similarly infected third-party vendors.
Transportation/Federal Contractors: A Senate report reveals that between June 2012 and May 2013, the networks of the U.S. Transportation Command contractors had been successfully breached 50 times.
October
Food and Beverage: Dairy Queen International announces that credit and debit card information from 395 Dairy Queen and Orange Julius stores was compromised.
Communications: The media reports that the photos of 200,000 users had been hacked from Snapsave, a photo-saving app for instant photo-sharing service Snapchat.
We have yet to learn the final tally for this year. Furthermore, the complete Heritage Foundation list, which is bigger than ours, does not include the innumerable attacks that went unnoticed. As the Heritage Foundation reported in its article, FBI Director James Comey summed up the current situation best. “There are those who’ve been hacked…and those who don’t know they’ve been hacked.”
As we head into 2015, we wanted to offer this list as a starting point for reflection. Our goal is not to scare you into spending your entire IT budget on security next year. Rather, it is to encourage you to give serious thought to performing mitigations—at the minimum, a vulnerability assessment with the minimal amount of recommended remediation.
As research firm Gartner stated in its Predictions for IT Security Directors, “Enterprises that implement a vulnerability management process will experience 90% fewer successful attacks.” That’s a pretty powerful statistic, and we hope you will take it to heart. To learn how we can help you get started with a vulnerability assessment, feel free to email us or give us a call at 770-643-4400 (toll-free: 877-841-8069).