You must have heard by now that Sony’s PlayStation Network and Qriocity services were compromised severely, and sensitive data belonging pertaining to many as 77 million registered users might have been stolen. The full ramifications of the breach will become obvious only in the days to come. However, Sony might have lost the trust and goodwill of millions of customers forever. The severity of this intrusion is mind bogging, both in scope and scale. However, this is not the biggest incident of online data theft. It’s not even close. DataLossDB.org and PrivacyRights.org tracks all data theft incidents of note. Here are the top fifteen incidents of data theft through hacking* in the past five years (2007-11):
- 1. T.J. Maxx – In a carefully planned and long drawn out operation, Albert Gonzalez stole sensitive information belonging to more than 100 million customers of T.J. Maxx, an American departmental stores chain. The hack was carried out over a period of 18 months, ending in 2007. As many as 45.6 million credit and debit card numbers were stolen. Unlike other entries in this list, this wasn’t an entirely remote operation. Instead, poorly secured in-store computer kiosks were exploited to gain access to company’s networks.
- 2. TD Ameritrade Holding Corporation – In September 2007, Joe Moglia, the CEO of Ameritrade, an online brokerage company revealed to clients that one of its databases with 6.3 million customer records had been hacked. Ameritrade had fallen victim to a backdoor based network. Although the same database contained extremely sensitive information like Social Security Numbers, they were not taken. Other confidential data such as passwords were not violated either.
- 3. Hannaford Bros. Supermarket chain – In March 2007, another supermarket chain was compromised. Hannaford lost credit and debit card numbers, expiration dates and PIN numbers of 4.2 million customers. The leak has led to over 1,800 reported incidents of fraud. The culprit was once again Albert Gonzalez. This time around he broke in by using SQL-injection attack.
- 4. Chilean Ministry of Education – In May 2007, Chilean government servers were hacked, and identity card numbers, names, and addresses of 6 million people were posted on public forums. The hacker claimed that his intention was to highlight the lackluster security infrastructure.
- 5. RBS WorldPay – Four Russians – Viktor Pleshchuk, Sergei Tsurikov, Oleg Covelin and an unnamed guy known as “Hacker 3” carried out this attack. The hackers managed to gain personal information of 1.5 million users, including sensitive information like social security numbers of 1.1 million users. This was a highly sophisticated and coordinated attack that led to the theft of $9 million from ATMs through a network of “cashers”.
- 6. CheckFree Corporation – CheckFree, an online bill payment service, fell victim to a DNS hijacking scheme in December, 2008. However, the incident didn’t come to light until January 2009. The company’s website was redirected to a Ukrainian website that hosted Trojan horses that were designed to steal data from customers. Since, CheckFree lost control of its website, the exact extent of the damage couldn’t be calculated. However, an estimated 5 million consumers might have been affected.
- 7. Heartland Payment Systems – Heartland is chiefly a payment processor, but it also provides a range of services to other merchants. In the single biggest incident of data theft reported so far, Albert Gonzalez, whose name has already appeared twice in this list, reportedly broke in after managing to successfully install sniffing software on Heartland’s network. The software was installed in early 2008 and went undetected for months. During that period, Heartland was said to be processing about 100 million transactions per month. The estimated number of credit card information harvested is above 130 million.
- 8. pHpBB – The popular free forum (bulletin board) software was hit hard in February 2009, when an attacker managed to gain access to its entire database through a security bug in (an outdated version of) PHPlist, a third party email application. The intruder managed to scrape 400,000 names, email, address, and hashed passwords.
- 9. RockYou – A severe SQL-injection flaw in the popular developer of social games allowed at least one hacker to gain access to its complete user list, along with information like userid, and password, which was shockingly enough stored in plain text. The number of affected users was 4.2 million.
- 10. Network Solutions – The webhosting company Networking Solutions has a particularly poor security track record. Between March 12 and June 8 of 2009, hackers broke through its defenses, and managed to install malware that stole name, address, and credit card numbers of more than 570,000 customers. If that wasn’t bad enough, the very next year, Network Solutions was hacked twice in the space of one week.
- 11. Triple C Inc. – The Puerto Rico Department of Health was breached in a series of attacks spread out over several years. The breach was finally discovered in September 2010. The hackers are believed to have gained access to health information of 400,000 patients.
- 12. Gawker – In December 2010, Gawker Media blogs were hacked by a group called Gnosis. Not only did this group go on to give interviews to competitors of Gawker Media, but it also uploaded the entire database of 1.3 million registered users (with usernames and hashed passwords), and confidential staff conversations to a torrent website. The breach prompted many other web services (like Twitter and LinkedIn) to carry out forced password resets for affected members.
- 13. Epsilon – Epsilon is a leading email marketing service provider that has dozens of tier-1 companies as its client. On March 30, a hacker succeeded in gaining access to a subset of Epsilon clients’ customer data. Data stolen included names and email addresses. Epsilon maintains that only 2% of its customers were affected, and hasn’t disclosed exactly how many records were breached. However, given that the affected clients include big names like CitiGroup, Best Buy, and JPMorgan Chase, this breach might turn out to be the biggest ever.
- 14. WordPress.com – Earlier this month, the hosted blogging solution owned by Automattic suffered from a low-level break-in to several of its servers. All information on these servers could have been accessed. However, it’s unlikely that financial information was stolen. Passwords were hashed and salted, which should make cracking them almost impossible. Nevertheless, the hacker might have obtained information on as many as 18 million users.
- 15. Sony – Of course, this is the big breaking news of the week. There’s a lot of things that we still don’t know about this incident. However, Sony has confirmed that the hacker could have accessed all personal information, including password and address. Credit card details (excluding security code) could also have been obtained by the hacker. However, the credit card table was encrypted. According to Sony, the total number of accounts affected is in the range of 77 million. However, many of them are probably inactive or duplicates.
As we continue to increasingly rely on online services, it’s imperative that the vendors we entrust our personal information with take the appropriate precautions to protect that data. The frequency of data thefts is alarming. Every year confidential information on millions of web users are exposed through data breaches. I had earlier called upon the Congress to enforce certain minimum security practices upon all entities that store sensitive data like credit card information. Several members of the Congress are already preparing to introduce legislation that will “provide consumers with additional safeguards to protect against such data breaches”. A consensus needs to emerge in order to reduce the probability of such incidents happening in the future.
* Only data-theft cases that involved hacking have been considered. Data breaches resulting due to insider efforts, or lost assets have not been included.