Corporate data thefts have taken a real toll on American consumers, who have had their identities stolen, their credit cards abused by fraudsters, and their bank accounts tapped into.
After a dizzying array of huge data thefts -- including the recent breach at Home Depot (HD) -- signs are pointing toward the likelihood that at some point soon, everyone will have become a victim of this high-tech crime. Credit reporting agency Experian said after 267 million records were breached in 2012 that "experiencing a breach may be inevitable." It has only gotten worse since.
The Privacy Rights Clearinghouse, an identity theft consumer education group, has documented breaches involving more than 930 million records since 2005 in more than 4,400 data break-ins. Given how many reports about breaches didn't include how many records were accessed, the number is far higher, making it next to impossible to hide from the risk.
"Breaches have now evolved from being the third certainty in life to a dead certainty," said Adam Levin, founder and chairman of IDT911, a company that works with businesses and consumers after data thefts. "While companies initially will be judged on whether or not they suffer a breach, the true test in the future will be how an organization responds to a data compromise. An urgent, transparent and empathetic response will go a long way toward quelling fears and rebuilding trust and goodwill."
Here is Levin's list of the top five retail data breaches and his analysis:
The 5 Worst Retail Data Breaches
5 Massive Data Breaches: Will We Ever Be Safe?
Affected: 56 million cards.
Duration of compromise: Five months.
Tactic: Malware was installed to skim payment card data; unclear how hackers found an entry into the company's network.
Analysis: "Home Depot's situation is not only a PR nightmare for the home improvement colossus, but it is becoming the poster child for poor security practices across the board. Based upon the enormity of their footprint and alleged poor security, I'm mystified that it took as long as it did for them to be breached. Clearly, they did not heed Target's Paul Revere moment with sufficient urgency."
Affected: 40 million payment card numbers and 70 million other pieces of customer data; 98 million people.
Duration of compromise: Nov. 30 to Dec. 15, 2013.
Tactic: Used credentials of a heating, ventilating and air conditioning vendor to get into Target's network to install the malware to point of sale systems.
Analysis: "In a nation where everything is super-sized, Target (TGT) was one of the first true big-box retailers thrust into the spotlight after their mega breach. While a number of their executive team members have walked the plank and their board is the target of litigation, and their bottom line and share price have taken a hit, the breach highlights the importance of scrutinizing every vendor's security practices – or at least looking into cyber insurance to mitigate the damage of a vendor caused breach. This was a Paul Revere moment for the retail industry. Unfortunately, recently announced retail mega breaches indicate that not enough organizations have taken it as seriously as they should have."
Affected: As many as 200 of its grocery and liquor stores and millions of cards; credit/debit account information possibly stolen.
Duration of compromise: Almost one month.
Tactic: Network access to system that processes transactions.
Analysis: "Little information about this breach has surfaced, but one can only suspect the tactic was similar to that of other big breaches -- POS malware. And according to Avivah Litan, a fraud analyst at information technology firm Gartner, when someone uses a debit or credit card, there's a one in five chance malware is capturing that information. Although Supervalu (SVU) execs say it's not clear if account information has been stolen, scary stats like this suggest otherwise."
Affected: 3 million customer credit and debit cards (they also had a breach in 2011 where skimmers were installed on about 70 POS systems and financial information was stolen). Affected systems contained certain payment card information, such as credit/debit card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer information, such as name, address or debit card PIN, was at risk in connection with this issue, however, current automated bank systems make it all to easy to change debit card pin numbers.
Duration of compromise: Two separate eight-month-long security breaches.
Tactic: POS malware.
Analysis: "Unfortunately, in the breach lottery Michael's hit the exacta -- old-school skimmers installed in the dead of night on their POS systems did the trick in the first breach, and the now-popular POS malware scorched them for a second time -- for 3 million. Two high-profile breaches in a couple of years isn't a goodwill builder for the craft giant."
Affected: Usernames and passwords of employees and users.
Duration of compromise: Unknown.
Tactic: The origin of the breach comes from hackers compromising a small number of employee log-in credentials, which gave access to eBay's (EBAY) corporate network. EBay says it is working with law enforcement and leading security experts to "aggressively" investigate the matter. Appears to be from a phishing email.
Analysis: "Sophisticated spear phishing scams can turn even the most savvy and sophisticated employee into an unwitting co-conspirator. Comprehensive, continuous security training for all employees, implementation of tough security protocols, use of intricate passwords and rigorous outside testing and monitoring can help avoid a reputation damaging breach."