Most Internet users are accustomed to changing their online passwords regularly. They limit their shopping to sites with a trusted security certificate, and use companies like PayPal for safe transactions. But the last year has demonstrated that even the most cautious user is vulnerable to data breaches that can lead to fraud and identity theft.
Luckily, timely disclosure about these breaches is becoming more standard for the organizations affected, enabling users to act quickly to change their passwords and check their credit reports. However, with data breaches becoming more common, the best Internet users can hope for is that these quick security fixes, plus a new password, will be enough to protect them in the future.
Here are the top ten data and security breaches of the past twelve months—the year some have called the year of the stolen password.
1. Heartbleed
The Heartbleed encryption bug is probably the biggest and best-known breach of the last 12 months (if not the last few years). The existence of the bug was made public by security firm Codenomicon in April, although it had gone undetected for almost two years. Heartbleed affected about 17% of the Internet's secure web servers, making passwords vulnerable to theft—information that was normally protected by SSL/TLS encryption.
A massive number of companies were affected, including Amazon, Pinterest, Reddit, Tumblr, Airbnb, WordPress, and Wattpad. Users on each site were advised to change their passwords, while companies were advised to patch their copy of OpenSSL to fix the problem. Operating systems like Android 4.1.1 were also discovered to be vulnerable.
The industry mobilized one of its biggest responses ever to a data breach by creating the Core Infrastructure Initiative, a multi-million dollar project to fund critical elements of the web's infrastructure. Backed by companies like Amazon, Dell, Facebook, Google, and Microsoft, the funding will help lead developers on various projects and pay for security audits and software development.
2. Target
Major US retailer Target announced a massive breach of its point-of-sale terminals in early December of last year. The breach affected an estimated 70 million Black Friday shoppers. Customer credit and debit cards were compromised, and customer names, mailing addresses, email addresses, and phone numbers were stolen.
Target's website has an FAQ dedicated to answering consumer questions about the breach. The company assures customers they won't be held liable for fraudulent charges. In response to the theft, and in order to step up credit card security for its customers, Target is fast-tracking plans to implement chip-enabled technology with its store branded credit cards by early 2015.
Target also announced that it has joined forces with a host of other retailers to launch the Retail Cyber Intelligence Sharing Center, which will enable them to share information, analyze data, and help address cyber crime in tandem with U.S. law enforcement. Target CEO Gregg Steinhafel announced his resignation after 35 years with the company, and Target CIO Beth Jacobs stepped down after 6 years with the organization.
3. Adobe
Adobe revealed that it had been the victim of a sophisticated security attack last October. At least 38 million customers across various Adobe properties were affected by the breach. Information removed from the system included customer names, credit and debit card numbers, expiration dates, and order information—much of which was later posted online.
Customers whose debit or credit card information was compromised received a notification letter and the option of enrolling in a complimentary credit monitoring service for one year.
4. Facebook, Google, Twitter
In November of last year, hackers stole passwords and usernames for almost two million accounts across a number of social networks. Sites affected include Facebook, Gmail, YouTube, Twitter, and LinkedIn, as well as the payroll service ADP.
The hack was the product of keylogging software that had been installed on a number of computers worldwide—enabling hackers to capture login credentials for millions of users and route them to their own server over a month-long period.
The breach was discovered by researchers at cybersecurity firm Trustwave, who traced the server to the Netherlands. A spokesperson at Trustwave suggested there could be more active servers they haven't yet tracked down—and that the hack could be ongoing. Users are advised to update their antivirus software, download the latest patches for their Internet browser, Adobe products, and Java, and change their passwords.
5. Washington State Courts
More than one million driver's license numbers and 160,000 Social Security numbers were accessed in a data breach at the Washington State Administrative Office of the Courts' website. Citizens booked at a city or county jail, or with a traffic case in a district or municipal court through 2012, or anyone with a DUI citation in the state going back to 1989 may have had their data compromised.
The court discovered the breach in late February of last year and has said it has taken steps to enhance its online security. The court advised citizens who may have been affected to call the court's administrative office for more information.