In the immediate aftermath of a large-scale data breach, you see and hear plenty of information about it as the story unfolds. Some data breaches remain in the news for a few months, while others fade away after just a couple of weeks. However, just because a story isn’t getting headlines anymore doesn’t mean that nothing is happening with it. Sometimes, a new development will bring a breach that has become old news back to the forefront — such as last week’s revelation that the 2013 Yahoo breach exposed nearly 3 billion user accounts, twice as many as originally reported — but sometimes updates don’t make it to the front page. As part of our ongoing National Cyber Security Awareness Month coverage, we decided to follow up on four data breaches we’ve covered in the past few years to find out what’s happened to the companies or organizations involved and the breach victims since they stopped being the main news event.
Target: 110 million exposed
The data breach: The payment card breach that slammed Target at the tail end of 2013 lives in infamy as the first of what has seemed to be an endless onslaught of similar-style payment card breaches of retailers, eateries and other merchants in the years since. Malware installed on Target’s payment system stole the information of every card swiped during the busiest shopping time of the year, Black Friday, impacting approximately 40 million payment cards (including encrypted PINs) and customers’ personal information, including email addresses and phone numbers, ultimately impacting more than 100 million customers. The Department of Justice notified Target of a problem on Dec. 12, 2013, and the company issued a public statement on Dec. 19 — the day after the story was broken by a cybersecurity researcher.
Who was responsible: Cyberattackers used stolen credentials from a third-party vendor (gained from sending a phishing email) to access Target’s systems and install the malware in November 2013. Incredibly, it was revealed that multiple alerts from the malware-detection security system Target had installed were ignored before and during the data theft. It was later determined that the malware used in the attack was created by a 17-year-old Russian hacker, though it’s still not certain who was actually at the helm of the breach itself.
How it affected Target: In 2015, Target estimated it spent $252 million to manage the breach, and that was before any settlements were reached or money paid out to victims who suffered loss as a result of the breach. The terms of a recently settled suit with multiple states to resolve their investigations into the breach dictate that the company follow a list of regulations, including taking steps to control network access and segregating cardholder data from the rest of its network. The company also suffered profit loss following the breach, though not as much as many might have anticipated.
What happened to the victims: Target settled a $10 million class-action lawsuit in 2015, promising to pay up to $10,000 to customers who could provide evidence of losses directly resulting from the breach. Unfortunately, since the burden of proof in cases like this is on the victim, it’s unlikely many people will actually see any money from this settlement. Although consumer confidence in Target was rattled, the retailer is doing well just four years later. The same style of malware has hit many other retailers, such as Home Depot, and it’s likely that the push to implement chip cards in the U.S. was somewhat influenced by this breach. Target itself sped up its implementation of chip readers by six months following the data breach.
Anthem: 79 million exposed
The data breach: In early Feb. 2015, health insurance provider Anthem announced that it had experienced a data breach, wherein the hackers accessed a database which contained the personal information of some 79 million current and former Anthem customers (as well as customers of affiliated insurers). Exposed information included names, birth dates, medical ID numbers, social security numbers, home addresses, email addresses and employment information (including income), though no credit card or medical data such as test results were exposed. This breach threw the security of the healthcare industry into the public eye, especially as several other high-profile insurance providers were breached around the same time.
Who was responsible: A lengthy investigation into the breach by seven state insurance commissioners was finalized and the results released in a report at the beginning of 2017. Their investigation determined that the Anthem breach started on Feb. 18, 2014 when an employee opened a phishing email and clicked a link, which downloaded malware. The report stated that the attack against Anthem was launched by a foreign nation-state, but wouldn’t state which one. However, just this past August, the FBI announced it had arrested a Chinese national on charges related to Sakula, the malware which was used in this breach as well as the one which hit the Office of Personnel Management (detailed below).
How it affected Anthem: The health insurance giant shelled out some major dollars in the aftermath of this breach — more than $260 million to cover the costs of hiring experts, making security improvements, notifying the public and affected individuals and providing credit monitoring to those who were impacted. Although the investigative commission decided not to fine Anthem, it did work out a regulatory settlement which requires significant investments in security. Anthem will be spending an additional $260 million on further improvements to its cybersecurity — something it clearly needs, as just this past July, a breach of an Anthem contractor exposed the data of more than 18,000 Medicare enrollees.
What happened to the victims: This breach was so significant because it impacted adults as well as children. Victims were provided with free credit monitoring for up to two years following the breach. More than 100 lawsuits were filed in the aftermath, which were all consolidated to present a single case to a U.S. District Judge in California. A settlement for $115 million was reached in June 2017, though the final approval hearing for the case isn’t slated until Feb. 2018. Those who are eligible to benefit in the settlement will be contacted starting in October, and those who decide to participate will receive an additional two years of free credit monitoring. If you are already enrolled in credit monitoring, you can elect to receive cash instead.
JPMorgan Chase: 76 million exposed
The data breach: As part of an attack on 10 different financial institutions in the U.S. in 2014, hackers accessed the personal information — including names, phone numbers, email addresses and physical addresses — from approximately 83 million JPMorgan Chase banking customer accounts. The exposed accounts involved approximately 76 million households and seven million small businesses, making it one of the largest data breaches of all time. JPMorgan Chase disclosed the breach in September 2014, after discovering it several months earlier in July.
Who was responsible: The attack was carried out against nearly a dozen financial institutions, including Fidelity Investments, though only JPMorgan Chase and Fidelity actually had data stolen. Hackers used stolen employee credentials to access high-level servers, using an outdated server as an entry point. Several arrests have been made in connection to a fraud ring which is believed to have perpetrated these attacks, among other frauds. Those involved include two Israeli citizens, who were extradited to the U.S., as well as an American who evaded authorities before successful capture in 2016.
How it affected JPMorgan Chase: A huge embarrassment to the financial giant, especially since it was spending $250 million on data security at the time, the breach was investigated thoroughly. Many security changes were implemented, such as the building of a robust cybersecurity team. It was discovered that the server the hackers used was not upgraded to use two-factor authentication, which would have stopped their attempted entry. This relatively simple error highlighted how easy it is for something to slip between the cracks at large institutions and create huge problems.
What happened to the victims: Despite criticisms, the bank did not reach out to customers affected by the breach or provide any assistance, which means most people were unable to figure out whether or not they were involved. Chase said it was unnecessary to offer compensation or protection because no account information was compromised, and there wasn’t any suspicious activity as a result of the breach. Unfortunately, due to the sheer size of banks like JPMorgan Chase, customers often don’t have much recourse other than closing their accounts and moving elsewhere. We’ve seen just how much banks can get away with — and for how long — with the saga of the Wells Fargo fraud scandal.
Office of Personnel Management: 21.5 million exposed
The data breach: In June 2015, the Office of Personnel Management (OPM) — which acts as the human resources department for federal government employees — announced that its computer systems had been breached. As the investigation continued, it was discovered that two different breaches committed by the same attacker had been carried out, exposing the data of approximately 21.5 million people combined. This included current and former government officials, as well as people who had applied for federal jobs and the spouses or partners of some people applying for security clearance. Among the exposed data were extensive background check documents with tons of personal information, from social security numbers and birth dates to psychological and medical information, and 5.6 million digital images of fingerprints.
Who was responsible: It was determined that the attack was carried out at the hands of Chinese state-sponsored hackers, who were able to gain access thanks in part to a plethora of outdated systems within the OPM as well as the use of sophisticated malware and hacking techniques. The arrest of the Sakula creator noted earlier was the first arrest by the U.S. linked to the OPM breach — China made arrests within its own borders in Dec. 2015 and denied any government involvement on its part.
How it affected OPM: Although in January 2015, OPM had instituted a multi-factor authentication system which requires a chip-enhanced ID card that correlates with an employee’s username and password in order to access systems, it was too late, as the hackers gained access in 2014. In the aftermath, the director of the agency resigned and hearings were held similar to those we’ve recently seen for the Equifax breach to probe what happened and why. Action was taken by numerous federal agencies, well beyond OPM, to assess their potential security flaws and make upgrades. June 2015’s Cybersecurity Sprint pushed agencies to meet certain guidelines for increased cybersecurity, and legislation has been proposed to increase standards in both government and private sectors.
What happened to the victims: In the aftermath of the breach, OPM offered those impacted free credit monitoring and identity theft protection from CSID. Initially, this was meant to extend up to three years, but due to the scope and severity of the breach, it was later expanded to 10 years. Coverage with CSID expired on Dec. 1, 2016, and following the 10-year commitment, all impacted victims were urged to re-enroll for coverage with ID Experts (MyIDCare) at no cost. Unfortunately, a good many of the 21.5 million people exposed in the OPM breach were never even notified, as noted in this Washington Post article — if you think you might’ve been impacted, you can check your status here and get yourself enrolled in free coverage.
Even more frustrating for victims who sought to take legal action, two of the lawsuits levied against OPM by two different federal employee unions were recently thrown out by a federal judge who cited no legal basis. One of the unions has appealed, but it’s uncertain whether there will be any success in this venue. Although it’s now been two years since the OPM breach, none of the stolen data has been used, as far as investigators have been able to tell — a fact which is certainly unsettling to everyone involved, considering how many high-clearance government employees were exposed.
Although these four past data breaches were among the biggest that have rocked the nation in recent years, they’re just a few drops in the bucket. Make sure you’re in the know when it comes to every major data breach and other cybersecurity news, plus get tips on protecting yourself and your data, by following our identity theft protection blog.