Top 5 cases of Data Breach caused by Human Error

Data Breach is every organization’s worst nightmare. It can cause embarrassment, disclosure of highly confidential information including personal information and trade secrets. It can also be used to blackmail an organization like that happened in Sony Pictures leak. Every cyber security team must keep an eye of all data breaches happening across the globe and across the industries so as to keep themselves updated with the new vulnerabilities being exploited by the hackers and new methodologies being employed. The security teams should plug the loopholes immediately once they come to know about such breaches.

Today, we take you through the Top 5 cases of Data Breach caused by Human Error

1. Sony Pictures Entertainment

In November 2014, a hackers group named “Guardians of Peace” leaked confidential data from the network of Sony Pictures. The data included personal and professional information of employees, scripts and copies of unreleased Sony films. The attack began when hackers sent fake Apple-Id verification emails to the top executives of Sony Corporation. The email was basically a social engineering ploy aimed to phish the executives by stealing their Apple Id credentials. The verification link took the user to a fake page. The hackers stole the credentials and applied them to get access to Sony’s internal network in a hope that some person would have used similar credentials in all accounts and they succeeded. The hackers deployed Wiper Malware to steal 100 TB of data from Sony. Later the attackers demanded that Sony should pull down its film “The Interview” a comedy about a plot to assassinate DPRK’s leader Kim Jong-un. Apparently little Kim was not pleased with the movie and asked his hackers to do something about it. The “Guardians of Peace” later threatened to carry out terrorist attacks if the film was not pulled off the screens. Sony pictures obliged to the demand and skipped the theatrical release. The attack was ascribed to North Korea which as usual denied it.

2. JPMorgan Chase

In July 2014 the famous American bank JPMorgan Chase discovered a massive data breach that is estimated to have compromised data associated with over 83 million accounts including accounts of as many as 76 million households and 7 million small businesses. However, the breach was disclosed only in September 2014. The JPMorgan Chase data breach is considered to be one of the largest data breaches in history. The attackers stole the access credentials of one of the employee at JPMorgan and used that to intrude into the network. What helped that attacked was the security team of JPMorgan had not implemented two-factor authentication on one of the network servers.The attackers were able to gain access to 90 servers in total. As per the bank, the attackers were able to steal sensitive information of 83 million accounts. The information included names, email and postal addresses, phone numbers. However, the login information was not stolen by the attackers. Subsequently JPMorgan Chase announced that it would spend as much as $250 million annually on cyber security.

3. eBay

In May 2014, eBay came out with a blog disclosing its servers were compromised in a breach. The breach apparently happened in late February or early March 2014. As per the internal investigation carried out by eBay the attackers most likely used phishing to steal credentials of a good number of employees. These credentials were then used to gain access to the internal network of eBay. What happened next was the attackers succeeded in treasure hunt. The attackers exfiltrated the personal information that included names,passwords, email and physical addresses, phone numbers and date of birth of as many as 145 million customers.

4. Pentagon

In July 2015, Russian hackers used a Spearphishing attack to hack the unclassified email system of Pentagon’s Joint Staff. The attackers exploited a zero-day vulnerability in the Pentagon’s server. However, the beauty of attack was not the Spearphishing itself, but in the hacker’s “clever exfiltration of data.” In Spearphishing the attackers send email disguised as people personally known to the target. The attack established how advanced the hackers had become that would even trick the military personnel at Joint Staff. The size of data breach was not disclosed by the Pentagon

5. NHS

A serious human error caused Chelsea and Westminster National Health Service Foundation Trust £180,000 in fines when a staff member of the 56 Dean Street Clinic sent a newsletter to hundreds of subscribers of a service that allowed patients with HIV to receive test results and schedule appointments via email. However, the staff member instead of entering the emails in the “BCC” field entered them in “TO” field disclosing personal medical information of many patients. The recipients of the email looked out online for other details of as many as 730 patients of the total 781 subscribers whose full names were given in the email addresses.