Follow me, if you will, on a journey back in time to just one year ago. As 2013 turned into 2014, the information security industry was buzzing about the latest spate of breaches. Target had ushered in a new era of retail security breaches, with 40 million card numbers lost to the hackers. Little did we know at the time that this was just the beginning, and small potatoes in comparison to what was to come. One year ago, Neiman Marcus and Michaels had joined Target, and I wrote in response to the growing number of breach disclosures that “in fact, I have to wonder which retailers have not suffered breaches. The word on the street is that at least a half-dozen other retailers were compromised in the past few months, without publicity.” Sadly, this turned out to be true. I hate being right all the time.
It turned out that 2014 saw at least 20 highly publicized security breaches (that’s more than one every three weeks on average). Just as we learned the details of one breach, another one would hit the news. I don’t know about you, but it kept my head spinning.
Let’s look back at some of the highlights, to put things in perspective.
- Target announced in January that the personal information of 70 million of its customers was added to the previous 40 million credit and debit card numbers (including the codes needed to use them for online shopping), for a grand total of 110 million customers affected by the breach — at that time, the largest breach ever. Unfortunately, this breach was not destined to hold the top position for very long.
- Neiman Marcus declared in January that 1.1 million card numbers were stolen from its retail locations.
- Sally Beauty Supply confirmed in March that it lost 282,000 card numbers to a breach.
- Michaels and Aaron Brothers stores revealed in April that 3 million card numbers were stolen from their retail locations.
- eBay in May took the top position with 145 million passwords and personal information stolen, toppling Target from the top slot and taking the leadership position as the all-time largest breach in history — so far.
- Lowe’s hardware stores informed 35,000 of its employees in May that a data breach exposed their personal identity information including names, addresses, birthdates, Social Security numbers and driver’s license numbers.
- P.F. Chang’s found out in June about a breach of its systems that exposed 7 million card numbers to hackers, according to litigation filed against the restaurant chain by its insurer, Travelers, which claimed that its insurance did not cover the liability of the breach.
- Goodwill in July discovered a breach, and later in September admitted that 868,000 card numbers were taken.
- Jimmy John’s restaurant chain found out in July that credit card numbers were stolen from 216 of its stores.
- UPS revealed in August that 51 of its UPS Stores across the U.S. experienced a data breach, affecting 105,000 customers.
- SuperValu and Albertsons grocery store chains were hit in August and then again in September, affecting over 1,000 stores and exposing an undisclosed number of card numbers, potentially in the millions, according to one source.
- Home Depot announced in September that it lost 56 million card numbers along with 53 million email addresses, surpassing Target to become the largest card breach of a retailer ever.
- JPMorgan Chase discovered in September that 76 million consumers and 7 million small businesses were the latest victims of personal information theft.
- Shepler’s boot stores in September announced that it experienced a breach, compromising credit and debit card numbers, account numbers, names and expiration dates.
- Dairy Queen confirmed in October that nearly 400 of its restaurants experienced a data breach, after months of speculation by news outlets.
- KMart (owned by Sears) filed a breach notification with the SEC in October.
- In November, we learned that Sony Pictures was breached in an apparently politically motivated attack in which the personal information of 6,500 employees was stolen, along with passwords and emails, and destructive malware was unleashed on the company’s network.
- Staples announced in December that it lost 1.16 million card numbers to a breach.
- Bebe revealed a breach in its retail clothing stores in December.
- Chick-Fil-A found out on New Year’s Eve about a breach affecting at least 9,000 cards. Happy New Year.
That comes to over 453 million — the grand total of all the card numbers and personal information records stolen during the year 2014 (that we know about to date — millions more may be disclosed in the coming months). There are 316 million people in the United States. Looking at these statistics, I’d say the chances are pretty good that nearly all of us have been affected by the breaches of 2014. You can safely bet that your own card numbers, passwords, email addresses, contact information and other personal information were compromised in at least one of these breaches.
It’s a new day for information security practitioners — a dark, cold, serious day. The world we live in has changed. Our job used to be to defend against reasonably foreseeable, potential, theoretical threats. It still is — but we no longer need to rely exclusively on risk models and threat prediction to determine where and how to place our defenses. We know where and what the threats are now. They’re out there, in plain sight, organized and deadly efficient, boldly smashing and grabbing. We have seen the enemy, and this is war.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.