October 27, 2014 | Issue Brief on National Security and Defense
The spate of recent data breaches at big-name companies such as JPMorgan Chase, Home Depot, and Target raises questions about the effectiveness of the private sector’s information security. According to FBI Director James Comey, “There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.”
A recent survey by the Ponemon Institute showed the average cost of cyber crime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014. The annual average cost per company of successful cyber attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in communications industries.
This paper lists known cyber attacks on private U.S. companies since the beginning of 2014. (A companion paper discussed cyber breaches in the federal government.) By its very nature, a list of this sort is incomplete. The scope of many attacks is not fully known. For example, in July, the U.S. Computer Emergency Readiness Team issued an advisory that more than 1,000 U.S. businesses have been affected by the Backoff malware, which targets point-of-sale (POS) systems used by most retail industries. These attacks targeted administrative and customer data and, in some cases, financial data.
This list includes only cyber attacks that have been made known to the public. Most companies encounter multiple cyber attacks every day, many unknown to the public and many unknown to the companies themselves.
The data breaches below are listed chronologically by month of public notice.
As cyber attacks on retail, technology, and industrial companies increase so does the importance of cybersecurity. From brute-force attacks on networks to malware compromising credit card information to disgruntled employees sabotaging their companies’ networks from the inside, companies and their customers need to secure their data. To improve the private sector’s ability to defend itself, Congress should:
The recent increases in the rate and the severity of cyber attacks on U.S. companies indicate a clear threat to businesses and customers. As businesses come to terms with the increasing threat of hackers, instituting the right policies is critical to harnessing the power of the private sector. In a cyber environment with ever-changing risks and threats, the government needs to do more to support the private sector in establishing sound cybersecurity while not creating regulations that hinder businesses more than help them.—Riley Walters is a Research Assistant in the Asian Studies Center, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.
 James Cook, “FBI Director: China Has Hacked Every Big US Company,” Business Insider, October 6, 2014,http://www.businessinsider.com/fbi-director-china-has-hacked-every-big-us-company-2014-10 (accessed October 10, 2014).
 Ponemon Institute, “2014 Cost of Cyber Crime Study: United States,” Hewlett-Packard, October 9, 2014, https://ssl.www8.hp.com/us/en/ssl/leadgen/document_download.html?objid=4AA5-5208ENW (accessed October 24, 2014).
 For a list of federal cyber breaches, see David Inserra and Paul Rosenzweig, “Continuing Federal Cyber Breaches Warn Against Cybersecurity Regulation,” Heritage Foundation Issue Brief No. 4288, October 27, 2014,http://www.heritage.org/research/reports/2014/10/continuing-federal-cyber-breaches-warn-against-cybersecurity-regulation.
 News release, “Target Provides Update on Data Breach and Financial Performance,” Target, January 10, 2014, http://pressroom.target.com/news/target-provides-update-on-data-breach-and-financial-performance(accessed October 10, 2014).
 Benjamin Elgin, Dune Lawrence, and Michael Riley, “Neiman Marcus Hackers Set Off 60,000 Alerts with Card Thefts,” Bloomberg, February 21, 2014, http://www.bloomberg.com/news/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-in-bagging-card-data.html(accessed October 9, 2014).
 Chuck Rubin, “A Letter from Our CEO,” Michaels Stores, Inc., April 17, 2014, http://www.michaels.com/payment-card-notice-ceo-letter/payment-card-notice-CEO.html (accessed October 9, 2014).
 Hayley Tsukayama, “Yahoo Mail Hacked: What to Do If You’ve Been Affected,” The Washington Post, January 31, 2014, http://www.washingtonpost.com/business/technology/yahoo-mail-hacked-what-to-do-if-youve-been-affected/2014/01/31/2857ef8a-8a7d-11e3-833c-33098f9e5267_story.html (accessed October 14, 2014).
 News release, “Michaels Identifies and Contains Previously Announced Data Security Issue,” Michaels Stores, April 17, 2014, http://demandware.edgesuite.net/aaeo_prd/on/demandware.static/Sites-MichaelsUS-Site/Sites-MichaelsUS-Library/default/v1412927934297/docs/press-releases/Michaels-FINAL-Press-Release-041714.pdf (accessed October 10, 2014).
 Dave Smith, “AT&T Was Hacked in April and Some Customers Had Their Social Security Numbers Stolen,” Business Insider, June 16, 2014, http://www.businessinsider.com/att-hacked-2014-6 (accessed October 14, 2014).
 News release, “eBay Inc. to Ask eBay Users to Change Passwords,” eBay, May 21, 2014, http://www.ebayinc.com/in_the_news/story/ebay-inc-ask-ebay-users-change-passwords (accessed October 10, 2014).
 News release, “U.S. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S. Corporations and a Labor Organization for Commercial Advantage,” U.S. Department of Justice, May 19, 2014, http://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-us-corporations-and-labor (accessed October 9, 2014).
 A brute-force attack involves repeatedly guessing a password.
 Jim Finkle, “U.S. Utility’s Control System Was Hacked, Says Homeland Security,” Reuters, May 20, 2014, http://www.reuters.com/article/2014/05/21/us-usa-cybercrime-infrastructure-idUSBREA4J10D20140521 (accessed October 14, 2014).
 Oliv, Seb, and Edwin, “Denial of Service Attack [Neutralized],” Feedly, June 11, 2014, http://blog.feedly.com/2014/06/11/denial-of-service-attack/ (accessed October 10, 2014).
 News release, “USIS Comments on Recent Self-Reported Cyber-Attack on Corporate Network,” US Investigations Services, August 6, 2014, http://www.usis.com/Media-Release-Detail.aspx?dpid=151 (accessed October 10, 2014).
 Jose Pagliery, “Hospital Network Hacked, 4.5 Million Records Stolen,” CNN Money, August 18, 2014, http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/ (accessed October 10, 2014).
 Hannah Kuchler, “UPS Hit by Cyber Attack,” Financial Times, August 21, 2014, http://www.ft.com/intl/cms/s/0/fb206340-28be-11e4-8bda-00144feabdc0.html (accessed October 14, 2014).
 News release, “Los Angeles Grand Jury Indicts Chinese National in Computer Hacking Scheme Allegedly Involving Theft of Trade Secrets,” Federal Bureau of Investigation, Los Angeles Division, August 15, 2014, http://www.fbi.gov/losangeles/press-releases/2014/los-angeles-grand-jury-indicts-chinese-national-in-computer-hacking-scheme-allegedly-involving-theft-of-trade-secrets (accessed October 10, 2014).
 Press release, “The Home Depot Completes Malware Elimination and Enhanced Encryption of Payment Data in All U.S. Stores,” Home Depot, September 18, 2014, https://corporate.homedepot.com/MediaCenter/Documents/Press%20Release.pdf (accessed October 10, 2014).
 Alexis Kleinman, “5 Million Gmail Usernames and Associated Passwords Leaked,” The Huffington Post, September 11, 2014, http://www.huffingtonpost.com/2014/09/11/gmail-passwords-hacked_n_5805104.html (accessed October 14, 2014).
 Steve Kovach, “We Still Don’t Have Assurance from Apple That iCloud Is Safe,” Business Insider, September 2, 2014, http://www.businessinsider.com/apple-statement-on-icloud-hack-2014-9 (accessed October 14, 2014).
 Charlene Sarmiento, “Goodwill Provides Update on Data Security Issue,” Goodwill Industries International, http://www.goodwill.org/press-releases/goodwill-provides-update-on-data-security-issue/ (accessed October 14, 2014).
 Martyn Williams, “Second Cyberattack Hits SuperValu Grocery Stores’ Payment Systems,” PCWorld, September 29, 2014, http://www.pcworld.com/article/2689372/second-cyberattack-hits-supervalu-grocery-stores-payment-systems.html (accessed October 10, 2014).
 Mike Freeman, “Cyber Attack Hits San Diego Hotel Chain,” San Diego Union-Tribune, September 9, 2014, http://www.utsandiego.com/news/2014/sep/09/target-home-depot-bartell-hotels-cyber-hacking/ (accessed October 10, 2014).
 U.S. Senate, Committee on Armed Services, Inquiry into Cyber Intrusions Affecting U.S. Transportation Command Contractors, 2014, http://www.armed-services.senate.gov/imo/media/doc/SASC_Cyberreport_091714.pdf (accessed October 9, 2014).
 Emily Glazer, “J.P. Morgan’s Cyber Attack: How the Bank Responded,” The Wall Street Journal, October 3, 2014, http://blogs.wsj.com/moneybeat/2014/10/03/j-p-morgans-cyber-attack-how-the-bank-responded/ (accessed October 9, 2014).
 News release, “International Dairy Queen Confirms Malware Intrusion at Some U.S. Locations,” American Dairy Queen Corporation, October 9, 2014, http://www.dq.com/datasecurityincident/press-release/ (accessed October 10, 2014).
 Alexis Kleinman, “200,000 Snapchat Photos Leaked on 4Chan,” The Huffington Post, October 10, 2014, http://www.huffingtonpost.com/2014/10/10/snapchat-leak_n_5965590.html (accessed October 10, 2014).
 Paul Rosenzweig and David Inserra, “Government Cyber Failures Reveal Weaknesses of Regulatory Approach to Cybersecurity,” Heritage Foundation Issue Brief No. 3968, June 12, 2013, http://www.heritage.org/research/reports/2013/06/weaknesses-of-a-regulatory-approach-to-cybersecurity (accessed October 14, 2014).
 Steven P. Bucci, Paul Rosenzweig, and David Inserra, “A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace,” Heritage Foundation Backgrounder No. 2785, April 1, 2013, http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace.