While the unofficial mantra is “web is almost secure” the user’s perception is totally different. Not only because cyber attacks can make big companies bend the knee but because our data are frequently stolen or illegally traded without consequences for those that supposedly should care about our privacy. In 2014 the number of customers data stolen from retailers reached a new record and 61 million people saw their full info (name, address, phone and credit card) was stolen and sold in shady websites ruled by black hat people. And it still could go worse; Sony Entertainment knows it. They have a large historial of data loss and now are the target of a more sophisticated attack from (possibly) North Korea which has infringed a serious damage to the company’s reputation.
Attackers secured more than 61 million records in 2014, down from almost 73 million in 2013. However, when the data was narrowed down to only incidents involving less than 10 million records (which excludes the top two attacks over this timeframe, Target Corporation and The Home Depot), the data shows a different story–the number of retail records compromised in 2014 increased by more than 43 percent over 2013.
Sophisticated Methods of Attack
While there has been a rise in the number of Point of Sale (POS) malware attacks, the vast majority of incidents targeting the retail sector involved Command Injection or SQL injection. The complexity of SQL deployments and the lack of data validation performed by security administrators made retail databases a primary target. Over 2014, this Command Injection method was used in nearly 6,000 attacks against retailers. Additional methods include Shellshock as well as POS malware such as BlackPOS, Dexter, vSkimmer, Alina and Citadel.
The data for the number of records compromised and breaches disclosed was analyzed by IBM security experts and was made publically available by Privacy Rights Clearinghouse. The remaining data came from IBM’s Managed Security services team.