By Bill Hardekopf
A year ago, the country was rocked by the Target data breach. Previously, consumers rarely thought about the security on their credit or debit cards. But all that changed when Target reported that 40 million debit and credit card numbers had been stolen during the holiday shopping time last year.
Little did we know that data breaches would be the top story that haunted the card industry throughout 2014.
Here is a look back at 20 of the major data breaches of the past year:
In January, news broke of a card hack at Neiman Marcus where hackers accessed the debit and credit card information of customers who shopped at this chain between July 16, 2013 to October 30, 2013. Only in-store customers were affected, not online transactions. Originally, the company estimated that as many as 1.1 million cardholders could have been affected. But further investigation found that it affected a maximum of 350,000 customers. The breach occurred when malicious software was installed onto the Neiman Marcus system that collected payment card data from customers who made purchases during those dates.
In early February, a hotel franchise management company that manages 168 hotels in 21 states suffered a data breach that exposed hundreds of guests’ debit and credit cards information in 2013. White Lodging Services Corporation maintains hotel franchises for some of the top names in lodging such as Hilton, Marriott, Westin and Sheraton. Sources reported that the data breach centered mainly around the gift shops and restaurants within these hotels managed by White Lodging, not necessarily the front desk computers where guests pay for their rooms.
In March, it was reported that over 280,000 debit and credit cards were stolen and sold on an underground crime store. Three different banks bought back their customers’ debit and credit card accounts from this store in the hopes of finding a “common point of purchase” among them. That common point turned out to be Sally Beauty stores. Sally Beauty operates 2,600 retail stores in the United States, selling beauty products to consumers and professionals.
Michaels, the nation’s largest arts and crafts chain, reported a data breach at the end of January. The company said close to 2.6 million cards used in payments at their stores were potentially exposed between May 8, 2013 and January 27, 2014. Another 400,000 cards may have been affected at Aaron Brothers stores between June 26, 2013 and February 27, 2014. Michaels said debit and credit card numbers and expiration dates may have been exposed, but personal information such as addresses, names and PINs were not compromised.
In May, Affinity Gaming, which operates 11 casinos in Nevada, Colorado, Iowa and Missouri, announced they found evidence of a hack on the casino’s debit and credit card system for non-gaming purchases. While the breach did not impact money spent directly on gambling, it did affect customers who paid for other items and services at casino resort facilities. Hotel rooms, food and drinks are all processed through this system. In December 2013, Affinity Gaming announced that its card processing system had been infected with malware which may have compromised card data from customers. This data breach apparently took place between December 2013 and April 2014.
According to a report from New York’s Attorney General, 22.8 million private records of New Yorkers were exposed due to data breaches over the last eight years. The data breaches were reported by over 3,000 businesses, nonprofit organizations and government agencies. Intentional hacking exposed most of the accounts, accounting for 40% of the 5,000 incidents. Lost or stolen equipment, insider wrongdoing and inadvertent errors were also major
In June, P.F. Chang’s China Bistro reported a security breach that affected customers at 33 restaurants located in 16 states. The intruder may have stolen some data from certain credit and debit cards that were used during an eight-month period from October 19, 2013 to June 11, 2014. The potentially stolen credit and debit card data included the card number and, in some cases, the cardholder’s name and/or the card’s expiration date.
Albertsons & SuperValu
In August, some of the country’s most popular supermarkets, including Albertson’s and SuperValu, reported they experienced data breaches over the summer. Hackers broke into the debit and credit card payment networks of the stores under the AB Acquisitions LLC umbrella. This includes Acme, Shaw’s Supermarket, Star Market, Cub Foods, Farm Fresh, Hornbacher’s, Shop ‘N Save and Shoppers Food & Pharmacy. SuperValu said the hack affected 228 of its stores. Albertson’s estimated that more than 700 of its locations were impacted in Idaho, Montana, Southern California, Nevada, North Dakota, Oregon, Wyoming, Southern Utah and Washington. SuperValu and Albertson’s use the same technology to process their payments.
Community Health Systems
In August, Community Health Systems said information on 4.5 million patients was stolen in a cyber attack that may have originated in China. The data breach may have impacted anyone who was a patient in a CHS hospital during the last five years. Hackers may have obtained the patient names, birth dates, addresses, telephone and social security numbers. However, in a filing with the Securities and Exchange Commission, the company said no credit card numbers or medical or clinical information were taken.
In August, United Parcel Service reported a data breach may have occurred in 51 of their UPS Stores, possibly leading to the theft of customer debit and credit card information. Malicious software that was not identified by current anti-virus software led to the breach. Customers who used a debit or credit card at the 51 stores between between January 20, 2014 and August 11, 2014 were warned that their names, postal addresses, email addresses and payment card information may have been exposed. These 51 UPS Stores represented just over 1% of the 4,470 franchised center locations across the United States.
In August, International Dairy Queen began an investigation into a data breach in its stores. In November, it confirmed the breach took place in 395 locations and may have affected nearly 600,000 debit and credit cards. The company found that Backoff malware, used in so many recent cyber attacks, affected the payment systems in these locations. Customer names, debit card and credit card numbers and their expiration dates were compromised.
In early September, Goodwill Industries confirmed that a data breach in 330 of its stores may have compromised an estimated 868,000 debit and credit cards. Payment card information, such as names, payment card numbers and expiration dates, may have been compromised. However, personal information such as addresses and PIN numbers were not affected. According to their investigation, a third-party vendor’s systems were attacked by malicious software, enabling criminals to access some payment card data of a number of the vendor’s customers. The impacted Goodwill stores used the same affected third-party vendor to process credit card payments.
In September, Home Depot, the world’s largest home improvement chain, confirmed that a whopping 56 million credit and debit cards were affected by a data breach. Then in November, the company disclosed that hackers had also stolen 53 million email addresses. The company said criminals used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network. The hackers then acquired elevated rights which allowed them to navigate portions of the company’s network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada.
In late September, sandwich shop chain Jimmy John’s confirmed that criminals hacked into their point of sale systems at 216 stores and accessed customer debit and credit card information. The breach took place between June 16 and September 5. Hackers obtained the account numbers on these cards, and may have access to the cardholder name, verification number and/or expiration date. The company, based in Champaign, Illinois, said the hackers were able to obtain the login credentials from the chain’s payment technology vendor and access its point of sale system. The breach did not affect any cards used in any online order or a transaction where the card number was entered manually.
JP Morgan Chase
JP Morgan Chase, the nation’s largest bank in terms of assets, acknowledged a massive data breach that affected 76 million households and 7 million small businesses. The bank disclosed the extent of the breach in a filing in early October with the Securities and Exchange Commission. The bank reported no unusual customer fraud had resulted from this breach. Hackers obtained personal information such as customer names, addresses, phone numbers and email addresses. However, JP Morgan Chase said that sensitive bank information–account numbers, passwords, social security numbers and birthdates–were not part of the breach. The breach occurred in June and July, and affected customers that used Chase web and mobile services.
Most of the major data breaches that occurred in 2014 took place with transactions at store level, not with online purchases. Not so with Sourcebooks, the popular online bookstore. The shopping cart of Sourcebooks was compromised between April and June of 2014. Hackers were able to steal names, addresses, credit card numbers, expiration dates, card security codes and email addresses. Sourcebooks reported that 5,204 customers were affected by the hack.
In a filing in early October with the Securities and Exchange Commission, Kmart said a month-long data breach took place in early September. Debit and credit card numbers appear to have been compromised. Kmart, which is owned by Sears Holding Corporation, did not disclose the scale of the breach. They did not believe hackers were able to obtain social security numbers, email addresses, PIN numbers or personal information from the system.
Office supply chain Staples acknowledged in December that a credit card breach took place in 119 stores between April and September. The malware intrusion may have resulted in the theft of as many as 1.16 million customer credit and debit cards.
In December, Bebe Stores, a women’s clothing retailer, officially confirmed a data breach at its stores during the month of November. The breach impacted shoppers from the United States, Puerto Rico and the U.S. Virgin Islands who visited Bebe between November 8 and November 26. The company operates 175 retail stores as well as 35 outlet locations.
Data continues to come out about this November 24 Sony breach. In early December, hackers leaked five unreleased movies online and some employees’ Social Security numbers. The security firm Identity Finder found the hack exposed over 47,000 Social Security numbers, including over 15,000 current or former employees. In addition, these numbers appeared more than 1.1 million times on 601 publicly-posted files stolen by hackers. A significant number of files containing the Social Security numbers were accompanied by other personal information, such as full names, dates of birth and home addresses, increasing the chances of identity fraud.