Worst security breaches of the year 2014: Sony tops the list

The breach of Sony Pictures Entertainment is clearly the biggest data breach of 2014, but theft of credit card numbers from retailers dominated the biggest cyber thefts.

As 2014 winds down, the breach of Sony Pictures Entertainment is clearly the biggest data breach of the year and among the most devastating to any corporation ever.

Attackers broke in and took whatever they wanted, exfiltrating gigabytes upon gigabytes of documents, emails and even entire movies, apparently at will, for months on end.


The posting of the stolen data, and the celebrity nature of much of it, has resulted in a public relations nightmare for the company. It revealed snarky personal comments never meant to go public, personal information such as Social Security numbers and salaries, and competitive information about projects in progress.

The scenario is any corporate IT security pro's worst fear: being pwned and hung out to dry publicly. Add to that the lawsuits being filed against Sony by former employees seeking damages they say they suffered because the company failed to adequately protect the data.

Whereas most breaches are carried out for profit, such as theft of credit card information, this attack was intended to hurt its victim as much as possible on multiple fronts, and it has been very successful.

Many of the big for-profit breaches involved compromises of the credit/debit card swiping machines at retail stores, among them Target, Home Depot, Neiman Marcus, Michaels and P.F. Chang's.


A common way the crooks got in was by infiltrating trusted business partners and stealing legitimate credentials for accessing the victims' networks. Once inside, they moved from machine to machine until they reached the subnets containing point-of-sale machines, which they infected with scrapers to steal card numbers and expiration dates.
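The pattern just described, a third party's legitimate credentials being used to hop across the network into the point-of-sale subnet, is something a defender can look for in authentication logs. The following is an added example, not code from the article or from any of the companies named: it reads constructed logon events, flags any third-party vendor service account that authenticates to a host inside the assumed POS subnet, and counts how many distinct POS hosts each such account reached. The log format, the account names, the subnet and the IP addresses are all assumptions made up for the example.

```python
"""Added example (not from the article): flag vendor accounts that reach
point-of-sale hosts, the lateral-movement pattern described above.
Log format, account names, subnets and addresses are constructed."""
import ipaddress
from collections import defaultdict

# Assumed: the POS machines live in this subnet (hypothetical value).
POS_SUBNET = ipaddress.ip_network("10.50.0.0/16")
# Assumed: service accounts issued to outside vendors (hypothetical names).
VENDOR_ACCOUNTS = {"svc_hvac_vendor", "svc_refrig_vendor"}

# Constructed sample logon events: timestamp, account, source IP, destination IP.
SAMPLE_LOGS = """\
2014-11-15T02:11:05 svc_hvac_vendor 203.0.113.7 10.10.4.21
2014-11-15T02:13:40 svc_hvac_vendor 10.10.4.21 10.50.1.10
2014-11-15T02:14:02 svc_hvac_vendor 10.10.4.21 10.50.1.11
2014-11-15T02:14:30 svc_hvac_vendor 10.10.4.21 10.50.2.5
2014-11-15T08:00:00 jsmith 10.20.3.3 10.50.1.10
2014-11-15T09:30:00 svc_refrig_vendor 203.0.113.9 10.10.4.22
"""


def parse_logon(line):
    """Split one whitespace-separated logon record into its fields."""
    ts, account, src, dst = line.split()
    return {
        "ts": ts,
        "account": account,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
    }


def find_vendor_pos_access(log_text, pos_subnet=POS_SUBNET,
                           vendor_accounts=VENDOR_ACCOUNTS, min_hosts=1):
    """Return {account: sorted list of POS hosts} for every vendor account
    that logged on to at least min_hosts distinct hosts in the POS subnet.

    A vendor account has no business on POS hosts at all, so min_hosts=1
    is the policy check; a higher threshold isolates accounts that are
    clearly walking from machine to machine.
    """
    reached = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_logon(line)
        if ev["account"] in vendor_accounts and ev["dst"] in pos_subnet:
            reached[ev["account"]].add(str(ev["dst"]))
    return {acct: sorted(hosts) for acct, hosts in reached.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for acct, hosts in find_vendor_pos_access(SAMPLE_LOGS).items():
        print(f"ALERT: vendor account {acct} reached POS hosts: {', '.join(hosts)}")
```

In the constructed sample, the HVAC vendor account first lands on an internal jump host and then fans out to three POS machines within a minute, which is the hop the article describes; the regular user and the second vendor account are not flagged because neither touches the POS subnet.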

While Sony's woes dominate the headlines about hacks, there were other significant break-ins this year. Here are a few of them, briefly described.


Sony Pictures Entertainment

Data compromised: Seemingly everything stored in the network.

How they got in: Unknown. Speculation ranges from an attack launched from a Thailand hotel to an inside job.

How long they went undetected: Unknown.

How they were discovered: On Nov. 22 employee computers received messages threatening public distribution of stolen data, along with images of skulls on their screens.


Target

The Target breach happened last year, but the important details came out this year, so it is included here.

Data compromised: 40 million credit and debit cards; 70 million phone numbers, mailing addresses and email addresses.

How they got in: Hacking the credentials of a legitimate business associate, an HVAC company, to get on Target's network, then installing malware on point-of-sale machines.

How long they went undetected: About two weeks.

How they were discovered: The Department of Justice told them about it, but anti-malware software flagged the problem as well.

Home Depot

Data compromised: As many as 56 million credit cards put at risk; 53 million email addresses.

How they got in: Via a third-party vendor's credentials, followed up by exploiting an unpatched Windows flaw.

How long they went undetected: From April to September.

How they were discovered: The stores' executives were told by bank and law-enforcement officials.

Goodwill Industries (C&K Systems)

Data compromised: 868,000 credit/debit card numbers.

How they got in: By infecting point-of-sale card-swipe machines after compromising the network of the operator of the machines. Two other unnamed clients of C&K Systems were also compromised.

How long they went undetected: 18 months.

How they were discovered: Federal officials and payment card investigators told them.

JP Morgan

Data compromised: Phone numbers and email addresses for 76 million households plus 7 million small businesses.

How long they went undetected: Three months.

How they were discovered: Internal investigation, as well as outside data about a massive stolen credit card ring.

Data compromised: An unconfirmed number of credit card numbers, but possibly as many as an estimated 7 million.

How they got in: Undisclosed, but point-of-sale systems were compromised.

How long they went undetected: Nine months.

How they were discovered: The Secret Service told them about the breach.

Neiman Marcus

Data compromised: 350,000 payment cards.

How they got in: Uncertain, but point-of-sale systems were compromised.

How long they went undetected: Three months.

How they were discovered: Credit card processors warned about a possible breach, and a consultant confirmed it.


Data compromised: 2.6 million credit/debit cards.

How they got in: Undisclosed, but point-of-sale machines were infected.

How long they went undetected: Eight months.

How they were discovered: Undisclosed.

Stories by Tim Greene