Human factor behind cyber attacks: Recent data breaches

In today’s world, cyber-attacks are one of the greatest concerns of the digital world. With the increasing number of organizations moving to the cloud, the risk of data theft is at an all-time high.

A large number of cyberattacks at some of the biggest organizations and governments in the world have proved that more attention or transformation is required in the field of data security to protect sensitive and confidential information. Furthermore, these attack events have proved that no matter how secure systems are in place, the information on the web is always at a risk of being stolen.

A cyber attack is a malicious attack, led by an individual or an organization, on a computer system for information, access of a network of the components linked with that network. The attack aims to steal or alter the information in a computer or destroy the network/computer system.

The three basic elements are crucial for successfully preventing cyberattacks in an organization — People, Process, and Technology. The efforts have concentrated on process improvement strategies, business process re-engineering, and infrastructural transformation for a long time, i.e., focusing major resources on process and technology. But, unfortunately, companies had essentially ignored the factors related to the people or employees.

Because of this, a recent study shows that 75% of the cybersecurity initiatives have either completely failed or haven’t been able to achieve their desired objectives in the long term. Therefore, the People should also be considered a part of the focus for a holistic solution. In this post, we will focus on some of the recent data breaches caused by human error.

Recent data breaches caused by human error

1. eBay: In 2014, a group of attackers stole login credentials of as many as 100 eBay employees through phishing attempts. The information was used to get into the internal network, where they downloaded names, physical addresses, email addresses, passwords, and other personal information of 145 million customers.

2. Anthem: In 2015, the health insurance company revealed that attackers could get their hands on consumers’ and employees’ personal information. The attackers stole the admin’s login credentials using social engineering techniques. More than 80 million customers were affected by this breach, which cost around $31 billion to the company.

3. JPMorgan Chase: In spring 2014, the login credentials of one of the employees of the company were stolen by the hackers, who then exploited an oversight- there was no 2-step verification in the bank’s security system for one of the servers to hack into the company’s corporate network. Following the initial attack, the hackers were able to gain access to a total of 90 servers.

4. Target: In November 2015, the attackers installed malware on the POS terminal at one of Target’s stores using network credentials stolen from Fazio Mechanical Services. The attackers gained about 40 million credit and debit card records and about 70 million personal information records, costing Target around $105 million.

5. Home Depot: In September 2014, attackers were able to get into the retailer’s network using login credentials of a third-party vendor and installed malware onto 7500 self-checkout systems in the US and Canada. Details about 56 million customers’ credit and debit cards and 53 million customers’ email addresses were stolen.

5. NHS Trust: In September 2014, a staff member of the 56 Dean street clinic accidentally sent out a newsletter that allowed all recipients to view every other subscriber’s email address and full names of 730 of those 781 subscribers. In response, a fine of £180,000 was issued against the trust.

6. Pentagon: In July 2015, the attackers used a spear-phishing attack to hack into the Pentagon’s email system and leak the stolen information online. The attack affected about 4000 military and civilian personnel.

7. Sony Pictures Entertainment: In 2014, the attackers stole the login credentials of Apple accounts of many of Sony’s top executives through a phishing attack. The attackers stole about 100 TBs of data from the company’s computer networks.

8. Ubiquiti fraud: The attack against Ubiquiti’s finance department resulted in a transfer of about $46.7 million from the company’s Hong Kong subsidiary to other third-party overseas accounts. It was determined later an outside entity made “fraudulent requests” and involved “employee impersonation.”

9. Facebook: In 2008, the dates of births of about 80 million users were accidentally made publicly accessible while upgrading to a new website design.