Year in review 2014

A look back at 2014's data protection nightmare

There were nearly one billion records compromised in 2014, due in part to poor supply chain protection, malicious insider access, and lackluster access management policies. Today, Salted Hash looks back at the facts and figures of a nightmarish year in information security.

Nightmarish Realities

In the first nine months of 2014, after 1,922 confirmed incidents, criminals managed to compromise 904 million records. Here's a look back at some of the year's most notable breaches.

Korea Credit Bureau

January 2014: An employee working for the Korea Credit Bureau exposed 104 million credit cards, as well as PII for 20 million people. At scale, this represented 40 percent of those living in South Korea.

Michaels Stores, Inc. / Aaron Brothers Inc.

January 2014: Michaels, an arts and crafts chain, and its subsidiary Aaron Brothers had 3 million records compromised due to POS malware. The company reported that some of the stolen cards were used fraudulently.

The Neiman Marcus Group

January 2014: Upscale retailer Neiman Marcus had 350,000 records compromised due to POS malware. The company wasn't aware of the incident until six weeks after the attackers had stopped harvesting data. Initially, the incident was thought to have compromised 1.1 million records.

Forbes.com

February 2014: The Syrian Electronic Army defaced Forbes.com and published the names, email addresses, and encrypted passwords for more than a million users.

Orange

February 2014: Orange discloses that an attack on their website led to the compromise of 800,000 records. While passwords were not at risk, the attackers did manage to compromise PII, leading to a heightened risk of phishing.

Home Depot

February 2014: Three Human Resources employees are arrested and charged with theft of corporate data. The stolen employee records were used to open credit card accounts. Home Depot estimated that 10-20,000 records were exposed.

KT Corporation

March 2014: South Korean telecom KT Corp. reported that 12 million customers had their data compromised (PII and financial). At one point, the attackers were able to get 300,000 records in a single day. Moreover, the attackers were able to work for more than a year before being discovered.

Boxee Inc.

March 2014: Shortly after announcing a move to Samsung, popular Web-TV service Boxee was compromised. The attacker, leveraging SQL Injection, leaked 158,000 user accounts.

Sally Beauty Supply

March 2014: Cosmetics and beauty retailer Sally Beauty Supply confirmed that attackers had used POS malware to compromise 25,000 credit card records.

The Harley Medical Group

April 2014: One of Britain's best-known cosmetic surgery centers had 500,000 customer records compromised by attackers, who then attempted to blackmail the company. According to reports, the attackers compromised the company's website and targeted a database with web enquiry details.

eBay, Inc.

May 2014: 145 million users were encouraged to change their passwords, after auction giant eBay confirmed a breach on their network. According to the company, attackers compromised employee credentials and potentially gained access to user databases.

Orange

May 2014: The French telecom confirmed a second breach, larger than the one in February. The company said that 1.3 million records were compromised, all of which included PII.

Montana Department of Public Health & Human Services

May 2014: DPHHS officials confirmed that 1.3 million people would be notified after a server was compromised. The server housed PII as well as other clinical information.

American Express

May 2014: American Express confirms that at least 76,608 people will be notified after Anonymous Ukraine published their credit card details online. The group released more than 7 million records, of which American Express was the smallest set.

AVAST Software

May 2014: AVAST software said that 400,000 users had their usernames, passwords, and email addresses exposed after attackers exploited vulnerabilities in the software used to power the company's support forums.

Home Depot

May 2014: Home Depot faced its second incident of the year: an insider compromised 30,000 accounts and was able to distribute details on at least 500 of them to third parties before being caught and arrested.

Dominos Pizza (France)

June 2014: Crooks stole data pertaining to 600,000 customers, and threatened to expose them if the company didn't pay a ransom. The compromised data includes PII taken from the online ordering system.

Butler University

June 2014: The school notified 163,000 students, alumni, faculty, staff, and past applicants that their personal data was exposed after a network compromise. The incident happened in late 2013, but remained undetected until May of this year. Notifications were sent in June.

Goodwill Industries

July 2014: Goodwill Industries confirms that a third-party vendor was attacked, and as a result payment card data was compromised. The POS malware was removed, but not before crooks managed to get 868,000 records.

JPMorgan Chase

August 2014: JP Morgan Chase & Co. confirms that 83 million records were compromised after attackers breached their network. The data compromised included PII as well as internal data on customers. The company says that 76 million households were impacted, as well as 7 million small businesses.

Community Health Systems

August 2014: Attackers, who according to speculation are from China, used Heartbleed to target a vulnerable Juniper device. Gaining access to VPN credentials, the attackers went on to compromise 4.5 million records.

Home Depot

September 2014: POS malware was responsible for the third security incident at Home Depot this year. In all, the POS breach resulted in the compromise of 56 million payment cards and 53 million email addresses.

TripAdvisor

September 2014: TripAdvisor's subsidiary, Viator, said that 1.4 million people were to be notified after attackers compromised a third-party payment processor.

Pandora TV

October 2014: Pandora TV, South Korea's video sharing web operator, said that 7.45 million records were compromised by attackers. The records contained various amounts of PII. Pandora blamed China for the incident.

United States Postal Service

November 2014: The United States Postal Service said that PII was compromised after attackers breached their network. The incident impacted 800,000 employees and 2.9 million customers.

HSBC Turkey

November 2014: HSBC Turkey said that card and linked account numbers, as well as expiration dates and cardholder names were compromised. The financial group will not replace the 2.7 million compromised cards.

Copyright © 2014 IDG Communications, Inc.