Attackers broke in and took whatever they wanted, exfiltrating gigabytes and gigabytes of documents, emails and even entire movies, apparently at will for months and months on end.
Posting the stolen data and the celebrity nature of much of it has resulted in a public relations nightmare for the company. It revealed snarky personal comments never meant to go public as well as personal information such as Social Security numbers and salaries and competitive information about projects in progress.
The scenario is any corporate IT security pro’s worst fear – being pwned and hung out to dry publicly. Add to that lawsuits being filed against Sony by former employees seeking damages they say they suffered because the company failed to adequately protect the data.
Whereas most breaches are carried out for profit – such as theft of credit card information – this attack was intended to hurt its victim as much as possible on multiple fronts and has been very successful.
Many of the big for-profit breaches involved compromises of the credit/debit card swiping machines at retail stores, among them Target, Home Depot, Neiman Marcus, Michael’s and PF Chang.
A common way the crooks got in was by infiltrating trusted business partners and stealing legitimate credentials for accessing the victims’ networks. Once inside, they moved from machine to machine until they reached the subnets containing point-of-sale machines, which they infected with scrapers to steal card numbers and expiration dates.
Sony’s woes dominate headlines about hacks, there were some other significant break-ins this year. Here are a few of them briefly described.
Data compromised – Seemingly everything stored in the network.
How they got in – Unknown. Speculation ranges from an attack launched in a Thailand hotel to an inside job.
How long they went undetected – Unknown.
How they were discovered – On Nov. 22 employee computers received messages threatening public distribution of stolen data and displays of skulls on their screens.
The Target breach happened last year but the important details came out this year so it’s included here.
Data compromised – 40 million credit and debit cards, 70 million phone numbers, mailing addresses and email addresses.
How they got in – Hacking the credentials of a legitimate business associate, an HVAC company, to get on Target’s network, then installing malware on point-of-sale machines.
How long they went undetected – About two weeks.
How they were discovered – The Department of Justice told them about it, but anti-malware software flagged the problem as well.
Data compromised – As many as 56 million credit cards put at risk, 53 million email addresses
How they got in – Via a third-party vendor’s credentials followed up by exploiting an unpatched Windows flaw.
How long they went undetected – From April to September.
How they were discovered – The stores’ executives were told by bank and law-enforcement officials.
Goodwill Industries (C&K Systems)
Data compromised – 868,000 credit/debit card numbers.
How they got in – By infecting point of sales card-swipe machines after compromising the network of the operator of the machines. Two other unnamed clients of C&K Systems were also compromised.
How long they went undetected – 18 months.
How they were discovered – Federal officials and payment card investigators told them.
Data compromised – Phone numbers and email addresses for 76 million households plus 7 million small businesses.
How long they went undetected – Three months
How they were discovered – Internal investigation as well as outside data about a massive stolen credit card ring.
How they got in: Criminals compromised the computer an employee with special privileges that was used both at work and at home.
Data compromised – An unconfirmed number of credit card numbers, but possibly as many as an estimated 7 million
How they got in – Undisclosed but point-of-sales systems were compromised
How long they went undetected – Nine months.
How they were discovered – The Secret Service told them about the breach
Data compromised – 350,000 payment cards
How they got in – Uncertain but point of sales systems were compromised
How long they went undetected – Three months.
How they were discovered – Credit card processors warned about a possible breach and a consultant confirmed it.
Data compromised – 2.6 million credit/debit cards
How they got in – Undisclosed but point-of-sale machines were infected
How long they went undetected – Eight months
How they were discovered – Undisclosed