Technology and science are making progress, and so is the other side of this double-edged sword. Looking at the flip side of the coin once in a while shows us that while we are developing, we are also facilitating the growth of the darker side of the new world.

Security breaches are one of the biggest examples of the negative effects of progress in technology, and that is what I am going to talk about today. No security breach is less important than another. Be it the online theft of one person’s credit card number or the Sep’13 hack of the Adobe customer ID and password database, each hack causes a loss of important data and capital to the individuals and authorities concerned. Picking out just a few particular cases is difficult, so I have chosen to talk about the five biggest online security breaches, based on the number of records stolen.

#5 April 17-19, 2011:

In a year that was not so good for Sony, LulzSec landed a major blow on the company once again. This was the third security breach on Sony, and it cost them a total of 77 million Sony PSN and Qriocity accounts. Usernames, addresses, and possibly credit card data were stolen in what was probably the largest theft of identity data on record, according to Alan Paller, research director of the SANS Institute.

Sony discovered the security breach 7 days after the actual attack and was forced to shut down the network immediately, causing a lot of inconvenience for online customers and gamers. The “illegal and unauthorized person” obtained people’s names, birth dates, usernames, passwords, security questions and more, Sony said on its U.S. PlayStation blog. Sony was also quoted as saying, “Out of an abundance of caution, we are advising you that your credit card number (excluding security code) and expiration date may have been obtained”.

Paller pointed out that the new software Sony used to run its network was flawed, and might have been the root cause of the breach. He suspected that the hackers entered the network through an administrator’s PC by sending an email carrying malicious software that was eventually downloaded onto the PC.

Sony used to generate annual revenue of $500 million from the service. Michael Pachter, an analyst at Wedbush Securities, pointed out that Sony had a bigger problem at hand: figuring out “how the hacker will use the info that has been illegally obtained?”

The company refused to comment on its investigations.

#4 2004:

Affecting a total of 92 million users, the breach made 2004 one of the most embarrassing years for America Online (AOL). It was the single largest online security breach to date, and users were affected worldwide.

This was a genuine data theft carried out by an insider: Jason Smathers, a former AOL software engineer. He stole the screen names and email addresses of 92 million users and sold them to spammers, which resulted in email accounts being flooded with a total of 7 billion unsolicited emails.

Smathers received a prison sentence of fifteen months, and this high-level data breach made AOL a lot more careful regarding future threats, even though the 2006 story speaks differently. As for Smathers, he later became a pastor in a church.

#3 December 21, 2006:

Hackers broke into the Wi-Fi network of a store in Minnesota and stole the credit card and debit card data of millions of shoppers at TJX, operator of discount chains including TJ Maxx and Marshalls. Over 94 million shoppers feared imminent identity fraud.

The system that stored customer transaction data had become the target of the intruders. The full extent of the data theft and the exact number of people affected could not be determined. It was feared that transaction data from stores in the TJX network located as far away as the UK and Ireland had been exposed by the same breach.

Avivah Litan, a Gartner analyst, was quoted as saying, “It is pretty obvious that it was a very well-orchestrated, targeted attack.” Litan also suspected that these hackers were the same ones who had stolen data from other retailers. “These people are piecing together information on millions of Americans. It is quite scary,” Litan said.

This breach was one of the biggest incidents to have exposed sensitive customer information, bringing several retailers, credit card companies and payment processing authorities under the damage radar. General Dynamics and IBM were hired by TJX to carry out the intrusion assessment, identify the compromised data and secure its systems. Since then, TJX had been working diligently to ensure the security and protection of its customers’ transaction data, and to ensure safe shopping.

#2 January 20, 2009:

The year 2009 witnessed the biggest credit card scam in history. Heartland Payment Systems, a New Jersey-based company that processes credit card transactions for more than 250,000 businesses, uncovered a massive security breach. The company used to process a hundred million online transactions every month, and this hack was believed to have affected a total of 130 million users worldwide.

The stolen data included credit card and debit card numbers, cardholder names, and expiration dates, as well as the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. The authorities gave an assurance, however, that the breach did not affect merchant data, social security numbers, unencrypted personal identification numbers, addresses or telephone numbers.

Officials said that the breach was caused by malicious software present in the company’s processing system. The software copied all the data held on the magnetic stripe of each credit or debit card and sent it to the attackers. This breach created a lot of disturbance and fear among the public, as thieves could fashion counterfeit credit cards by imprinting the stolen information onto fabricated cards.

However, customers could identify any suspicious activity in their accounts by checking their credit card statements. Reissuing new cards to customers was the only plausible solution found by the payment processing company. Heartland eventually had to pay $110 million to Visa, MasterCard, American Express and other card associations to settle claims related to this breach.

Robert H.B. Baldwin Junior, president and CFO of Heartland, was quoted as saying that “this incident may be the result of a widespread global cyber fraud operation”, and this was the reason why the investigation was handed over to the United States Secret Service and the Department of Justice.

#1 2012, The American Business Hack:

This hack is still the biggest one in the history of mankind. 160 million credit and debit card numbers were stolen and 800,000 bank accounts were targeted over a period of 8 years. The hacking ring responsible for this massive scheme had targeted banks, payment processors, chain stores and companies including NASDAQ, 7-Eleven, JC Penney, Hannaford, Heartland, JetBlue, Dow Jones, Euronet, Visa Jordan, Global Payment, Diners Singapore and Ingenicard.

The hackers stole customers’ log-in credentials, stole credit and debit card numbers, and even penetrated servers used by the NASDAQ stock exchange. The hackers used the data to draw money from accounts, or sold the information to middlemen who resold it through various online forums and other venues. U.S. credit card numbers sold for $10 each, Canadian ones for $15, while European ones fetched $50 each. Paul Fishman, U.S. attorney for the District of New Jersey, said, “This type of crime is the cutting edge”.

Though uncovered in 2012, the scheme was believed to have been carried out from 2005 to 2012, with most of the attacks being executed in 2008-2009. Persistent SQL injection attacks were the primary means used by the attackers to exploit vulnerabilities in SQL databases and gain access to the corporate computer networks. Malware was then planted to create backdoors and maintain access to the networks. According to the DOJ, the attackers were very patient and careful.

Five men from Russia and Ukraine were indicted in New Jersey District Court. They were Vladimir Drinkman, 32, of Syktyvkar and Moscow, Russia; Alexandr Kalinin, 26, of St. Petersburg, Russia; Roman Kotov, 32, of Moscow; Mikhail Rytikov, 26, of Odessa, Ukraine; and Dmitriy Smilianets, 29, of Moscow.

Spandan Chowdhury is studying Computer Science and Engineering at NIT Durgapur. A tech enthusiast, gadget freak, and very interested in programming, networking and cyber security.

Currently a member of World Intelligence Network, various high IQ societies and NGOs. Loves psychology, quizzing, playing violin, painting, and athletics.