BreachExchange mailing list archives

The Top Five Cyber Policy Developments of 2014: A Year of Corporate Cyberattacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 30 Dec 2014 19:24:09 -0700

http://blogs.cfr.org/cyber/2014/12/30/the-top-five-cyber-policy-developments-of-2014-a-year-of-corporate-cyberattacks/


While Sony may have dominated the news towards the end of 2014, three major
cyberattacks against U.S. companies shook the corporate world earlier this
year: Target opened the year by announcing in January that hackers had
stolen personal information from an estimated 110 million accounts; hackers
accessed approximately 83 million J.P. Morgan Chase accounts in August; and
Home Depot confirmed that its payment system was breached in September,
compromising an estimated 56 million accounts. Here’s a look back at the
details of each of those attacks, and how they affected the conversation
about cybersecurity in the United States and the corporate sector.

Target

Target announced in January that hackers had stolen data—including names,
mailing addresses, phone numbers, and email addresses—from over 70 million
shoppers, and the credit card information of 40 million shoppers. 1 to 3
million of those credit cards were then sold on the black market, raising
an estimated $53.7 million for the hackers. The attack caused enormous
damage to Target’s reputation and stock prices, resulting in the
resignation of Beth M. Jacob, the company’s most senior technology officer
in February, and Gregg Steinhafel, CEO and chairman of the board, in May.
Target executives were summoned to appear before congressional panels about
data privacy, and executives admitted that they had missed certain warning
signs about security gaps. Experts say that Target left itself particularly
vulnerable to attack, ignoring memos circulated by the federal government
and research firms suggesting that new malware was targeting Target’s
payment system, allowed too much access to vendors, and did not do enough
to wall its payment system off from the rest of its network.

The attack cost Target $148 million, and cost financial institutions $200
million, according to the Consumer Bankers Association and the Credit Union
National Association. The company announced a timetable to move its debit
and credit cards to a chip-and-pin system, widely used in Europe but still
rare in the United States. The chip-and-pin system is considered more
secure than credit cards that rely on magnetic strips, and the move will
cost Target $100 million. The company also spent $61 million in anti-breach
technology in the months following the cyberattack, and profits fell 46
percent in the fourth quarter of 2013.

J.P. Morgan Chase

In August, the networks of several banks, most prominently J.P. Morgan
Chase, were infiltrated by a network of hackers who accessed checking and
savings account information. The attack went unnoticed for two months over
the summer. J.P. Morgan estimated that 76 million households and 7 million
small business accounts were affected by the attack, although hackers
weren’t able to access the most private data like Social Security or
account numbers. Experts believe that Russian criminals were behind the
attack. However, the origin of the attack is still far from settled, though
the FBI officially ruled out the Russian government as a perpetrator.

Ultimately, though the infiltration was one of the largest known
cyberattacks against a financial institution, the J.P. Morgan attack did
not cost consumers much money. The data accessed was more related to J.P.
Morgan’s marketing functions than banking functions. Even so, that kind of
information allows hackers to write more effective spearphishing emails to
trick Chase customers into giving out information. However, a recent report
argues that despite J.P. Morgan’s $250 million budget on cybersecurity,
hackers were able to access the company’s servers because the security team
had neglected to add two-factor authentication, an extra layer of security
used by most big banks. This oversight might explain why other institutions
targeted by the same hackers did not suffer nearly as large of an intrusion.

Home Depot

Home Depot confirmed in September that they had been infiltrated by hackers
since April, admitting that 56 million accounts were put at risk, more than
Target’s 40 million accounts. The company expected to pay $62 million to
cover the costs of the attack, including legal fees and overtime for staff,
and causing an estimated $90 million in costs for banks to replace 7.4
million debit and credit cards. Unnamed staff within Home Depot said that
the company’s information security department struggled with high turnover
and old software. The team resisted using the Endpoint security feature of
Symantec’s cybersecurity program, a feature that tracks and alerts system
administrators of suspicious activity, despite the urging of security
consultants. The company also did not encrypt customer card data until
September 2014.

The Takeaway

Target, J.P. Morgan, and Home Depot were only three of many victims of
cyberattacks in 2014; Staples, Healthcare.gov, Neiman Marcus, and many
others also suffered cyberattacks that left customers vulnerable. Several
similarities stand out between these and the Sony attack. First, in these
attacks, the division of responsibility for the costs and defense is not
clear. Even in the case of Home Depot and Target, where lapses in security
were mainly the fault of retailers, financial institutions bore the brunt
of the cost. Second, the attacks show the necessity of protecting the
weakest links and access points, such as through vendor networks. Finally,
and perhaps most surprisingly, customers just don’t seem to care that much
about the security of their data—only a few months after these attacks,
stock prices and sales returned to normal at Home Depot and Target.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
