It’s the Golden Age of the Internet – or at least, that’s what the generation of the digital age tends to believe. When compared to predictions for the future, we’re living in a Wild West of sorts, with largely unregulated bandwidth streaming, legislative gray areas and, to some degree still, protected anonymity.
For the most part, many Internet users are completely comfortable submitting sensitive information – such as payments, medical information and more – online. And the availability of such services online is expanding every day. However, the ease and convenience of putting your entire life online is starting to come with a price – there will always be those Internet users who practice black-hat hacking in order to exploit the massive amount of information stored online.
As a result, Internet users are starting to realize that just because a form includes that reassuring, tiny lock symbol next to “Submit”, it doesn’t mean their information is safe, and some have even abandoned online services in favor of keeping their finances and other information “off the grid.”
However, keeping your information offline is often not simply a matter of choice anymore – major banks and corporations have, for the most part, traded in their filing cabinets and records rooms for IT departments and online databases. That means even if you don’t use online banking or other services at home, swiping a piece of plastic in the store could end up putting all of your sensitive information online for the world to see.
It seems an unfortunate fact of life that when it comes to changing technologies, the bad guys will always be a few steps ahead of the good guys. And there’s no doubt that the loopholes hackers are taking advantage of now will likely be the subjects of stronger regulation and legislative movements in the future. The following five biggest data breaches in recent history will likely help shape the future of the Internet as we know it.
4. TJ Maxx: 94 Million Records Compromised
In 2007, “cyber threats” were so far off the world’s radar that TJX Companies, Inc. (parent company of TJ Maxx, Marshalls and other huge retail chains) essentially held their doors open for a small group of international hackers – and thus learned a tough, 4.5 billion dollar lesson in cyber security. At the time, it was the largest security breach in world history.
Cyber Security: What Not To Do
The initial breach occurred at a TJ Maxx store whose wireless network was protected by simple WEP – a type of wireless security protocol that’s been proven to be easily penetrable by hackers in less than 60 seconds. Once the hackers were inside the store’s network, they were also able to break into the corporate headquarters network – where millions of customers’ account information was stored.
TJX stores were also using out-of-date card reader software that was programmed to capture and store all of the data contents – including card-validation codes and PIN numbers – of each card swiped. (FTC standards explicitly prohibit major retailers from storing these two highly sensitive pieces of data.) Further, TJX had no data security systems in place to alert them to malware, so the intruders were able to access this vast collection of customer data for 18 months – completely undetected.
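The storage problem described above, shown from the defender's side as an added example (not code from TJX or any card-reader vendor): it reduces a raw Track 2 swipe to a masked card number and expiry, discards the field that carries validation and PIN-verification data, and audits stored text for leftover swipes. The function names, the first-six/last-four masking choice and the sample swipe are assumptions of this example.

```python
import re

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMMsss<discretionary>?
# (sss = service code). The discretionary field carries the card-validation
# value and PIN verification data, so it must never reach storage.
TRACK2 = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")

# Constructed sample swipe built on the common 4111... test number; not real data.
SAMPLE_SWIPE = ";4111111111111111=30121010000012345678?"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to reject random digit runs before treating them as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def storable_record(raw_swipe: str) -> dict:
    """Keep only what may be retained after authorization; drop everything else."""
    m = TRACK2.match(raw_swipe)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("not a valid Track 2 swipe")
    pan = m["pan"]
    return {
        # Masking to first six / last four digits is this example's choice.
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "expiry_yymm": m["exp"],
        # m["svc"] and m["disc"] are deliberately not copied into the record.
    }


def contains_track_data(text: str) -> bool:
    """Audit helper: True if a log line or database dump still holds a full swipe."""
    return any(luhn_ok(m["pan"]) for m in TRACK2.finditer(text))


if __name__ == "__main__":
    print(storable_record(SAMPLE_SWIPE))
    print(contains_track_data("txn=ok raw=" + SAMPLE_SWIPE))
```
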
There was one silver lining: This hack served as a clear warning to other retail chains that cyber security is not a budget item to be overlooked. Well, most retail chains.
3. Target: 110 Million Records Compromised
It all began with a simple e-mail phishing scheme sent to employees at an HVAC firm who worked with Target. Once the hackers had network credentials for the national retail chain, they essentially carried out a nationwide electronic stick-up: stealing credit card data directly from thousands of cash registers in bricks-and-mortar stores all over North America.
It’s The Most, Vulnerable Time of the Year…
The Target attack began two days before Black Friday 2013 and lasted until a week and a half before Christmas – during which time millions of unsuspecting shoppers swiped their cards in the stores.
Target faced liabilities of up to $3.6 billion, plus a tarnished reputation that resulted in a 46% drop in profits for the holiday season. But the real victims of this attack were credit card companies – most contracts include protection against fraudulent charges, so if a card is fraudulently used to buy $3,000 worth of Barbie collectibles, it actually ends up on their tabs. In response, credit card companies will likely begin transitioning to more sophisticated microchips rather than the old-fashioned, extremely vulnerable magnetic strips we use today.
2. The Massive American Business Hack: 160 Million Records Compromised
In 2008, five hackers from Russia and Ukraine infiltrated Heartland Payment Systems – a large-scale payment processing company that processes 100 million transactions per month for more than 175,000 retailers worldwide – as part of the largest data-stealing scheme ever executed in the U.S.
Details of the hack included “SQL injection attacks”, “packet sniffing” and “backdoor malware” – and victims included NASDAQ, 7-Eleven, Dow Jones, Global Payment and other large payment processing firms.
The group infiltrated each company’s servers and leached customer data for several months, and in some cases for more than a year. They stored user names, passwords, credit card numbers, identification and other sensitive information on computers all over the world before selling them for profit. American credit card numbers sold for about $10 a pop – European numbers went for $50 or more.
Suffice to say, the intruders were not amateurs. In fact, one of the hackers involved has already made this list – and world history. Albert Gonzalez was indicted in 2009 for allegedly spearheading the TJ Maxx breach two years before.
1. Heartbleed: Unknown Numbers of Records Compromised
This one’s different, in that it’s not a case of malicious hackers – it’s a widespread bug that was discovered by developers and announced to the world in the hopes of preventing attacks. But just because no malicious activity has been uncovered yet, doesn’t mean Heartbleed isn’t one of the most serious security breaches in the history of the Internet.
Imagine if every deadbolt lock in the world were suddenly discovered to be faulty. That includes locks to banks, doctors’ offices and other major services where confidentiality is vital. Essentially, this is exactly what happened when Heartbleed – which makes it possible to swipe the security certificates that verify the authenticity of web sites – was discovered.
That means when you entered your online banking information, you may have actually been feeding your usernames, passwords, account numbers and other info to a third party disguised as your bank. When you signed in to Google and began browsing the web, a third party may have had access to your entire history. And that one time you e-mailed photos to your boyfriend or girlfriend – well, you get the point.
Since it’s a bug within an encryption technology used by roughly two-thirds of the Internet, the amount of potentially vulnerable data is unprecedented. On a scale of 1-10 many experts say this is an 11. The jury’s still out on whether or not the number of compromised records will surpass other breaches in the past, but one thing’s for sure: The number of potentially vulnerable accounts has never been higher.