November 18, 2015 | Issue Brief on Cyber Security
Researchers are concerned about the strength and comprehensiveness of cybersecurity in the U.S., as companies across the country are being targeted in cyber attacks that are increasing in both frequency and cost. The quantity and quality of information being hacked, stolen, destroyed, or leaked is becoming more of a problem for consumers and businesses alike.
The Ponemon Institute recently released its 2015 Cost of Cyber Crime study, which analyzes the cost of all cyber crime for 58 U.S. organizations, both public and private. The U.S., in comparison with other nations in the Ponemon study, continues to rank highest in its cost of cyber crime, at an annual average of $15.4 million per company.
Ponemon surveyed companies in the areas of finance, energy and utilities, and defense and aerospace—three of the most affected sectors—as well as communication, retail, and health care. The annual cost of cybercrime for these companies has more than doubled since 2010, when it averaged $6.5 million. Of the companies surveyed, the minimum cost to a company was $1.9 million, while the maximum cost was as much as $65 million in 2015.
This year, companies saw an average of 160 successful cyber attacks per week, more than three times the 2010 average of 50 per week.
Every company surveyed was the victim of a Trojan, virus, or worm type of attack. Ninety-seven percent of those surveyed were reported to have been the victim of a malware attack, and 76 percent were victims of a Web-based attack. Just as worrisome as hackers trying to get into a network system are those with malicious intent who already have access to a system. Forty-three percent of companies reported cyber attacks by malicious insiders, and 36 percent of companies suffered attacks as the result of a stolen device.
This paper continues the “Cyber Attacks on U.S. Companies in 2014” paper released last October. The dates listed for each hack reflect the time when the attack was released to the public, not the date when the breach actually occurred.
It should be noted this list is incomplete. A simple search through the Department of Homeland Security’s Daily Open Source Infrastructure Reports or the Department of Health and Human Services’ Breach Portal will show a greater number of breaches than recounted in this list.
In fact, health care services continued to see a large number of smaller breaches (fewer than 1 million people affected). Interestingly, a number of universities were also subject to cyber attacks this past year, possibly reflecting greater cyber-ability in their current students. Even though cyber breaches and attacks continually affect a wide variety of industries, there continues to be a pattern in the type of information targeted by these malicious actors.
Congress and the Administration should:
Cyber attacks are on the rise and will continue to be of concern for the foreseeable future. It will be up to private industry to meet these concerns head-on and support the government in its ability to act lawfully against cyber criminals—so long as businesses lack the authority to fight back against those who threaten their systems.
—Riley Walters is a Research Assistant in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.
 2015 Cost of Cyber Crime Study: United States, Ponemon Institute, October, 2015, http://img.delivery.net/cm50content/hp/hosted-files/2015_US_CCC_FINAL_4.pdf (accessed November 4, 2015).
 Riley Walters, “Cyber Attacks on U.S. Companies in 2014,” Heritage Foundation Issue Brief No. 4289, October 27, 2014, http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014.
 Timothy B. Lee, “The Sony Hack: How It Happened, Who Is Responsible, and What We’ve Learned,” Vox, December 17, 2014, http://www.vox.com/2014/12/14/7387945/sony-hack-explained (accessed November 4, 2015).
 Lucian Constantin, “Syrian Electronic Army Posts Hacking Message On Several News Sites,” CSO Online, November 30, 2014, http://www.csoonline.com/article/2853498/security/syrian-electronic-army-posts-hacking-message-on-several-news-sites.html (accessed November 4, 2015).
 Ben Elgin and Michael Riley, “Now at the Sands Casino: An Iranian Hacker in Every Server,” Bloomberg Business, December 11, 2015, http://www.businessweek.com/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas (accessed November 4, 2015).
 Zoe Szathmary, “Chick-Fil-A Warns Security Breach May Have Leaked Credit Card Details Of 9,000 Customers In Five States,” Daily Mail, January 1, 2015, http://www.dailymail.co.uk/news/article-2893614/Chik-Fil-says-looking-possible-payment-card-breach-affect-9-000-customer-cards.html (accessed November 4, 2015).
 “Staples Provides Update on Data Security Incident,” Staples Inc., December 19, 2014, http://staples.newshq.businesswire.com/press-release/corporate/staples-provides-update-data-security-incident (accessed November 4, 2015).
 Michael J. Moore, “Morgan Stanley Fires Worker Accused of Stealing Client Data,” Bloomberg Business, January 5, 2015, http://www.bloomberg.com/news/2015-01-05/morgan-stanley-fires-employee-accused-of-stealing-client-data.html (accessed November 4, 2015).
 Robert Hackett, “Anthem, a Major Health Insurer, Suffered a Massive Hack. Here’s What You Need to Know,” Fortune.com, February 5, 2015, http://fortune.com/2015/02/05/anthem-suffers-hack/ (accessed November 4, 2015).
 Reuters, “Anthem Says at Least 8.8 Million Non-Customers Could Be Victims in Data Hack,” Fortune.com, February 24, 2015, http://fortune.com/2015/02/24/anthem-says-at-least-8-8-million-non-customers-could-be-victims-in-data-hack/ (accessed November 4, 2015).
 Jon DiMaggio, “Security Response: The Black Vine Cyberespionage Group,” Symantec, August 6, 2015, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf (accessed November 4, 2015).
 “Carbanak APT The Great Bank Robbery,” Kaspersky, February 2015, http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Carbanak_APT_eng.pdf (accessed November 4, 2015).
 Stephen Ward, “Cyber Espionage Campaign Compromises Web Properties to Target US Financial Services and Defense Companies, Chinese Dissidents,” iSightPartners.com, February 10, 2015, http://www.isightpartners.com/2015/02/codoso/ (accessed November 4, 2015).
 Jim Finkle, “Premera Blue Cross Hacked, Medical Information of 11 Million Customers Exposed,” The Huffington Post, March 17, 2015, http://www.huffingtonpost.com/2015/03/17/premera-blue-cross-cybera_n_6890194.html (accessed November 4, 2015).
 Eva Dou, “U.S. Coding Website GitHub Hit With Cyberattack,” The Wall Street Journal, March 29, 2015, http://www.wsj.com/articles/u-s-coding-website-github-hit-with-cyberattack-1427638940?mod=trending_now_5&alg=y (accessed November 4, 2015).
 Gina Chon, “FBI Probes Possible Military Involvement in Cyber Attack,” Financial Times, March 18, 2015, http://www.ft.com/intl/cms/s/0/ab5d5736-cd24-11e4-b5a5-00144feab7de.html (accessed November 4, 2015).
 Brian Donohue, “Penn State Offline Following Advanced Two-Year Cyberattack,” Threatpost.com, May 18, 2015, https://threatpost.com/penn-state-offline-following-advanced-two-year-cyberattack/112872 (accessed November 4, 2015).
 Andrea Peterson, “Cyberattack on CareFirst Exposes Data on 1.1 Million Customers in D.C., Md. and Va.,” The Washington Post, May 20, 2015, http://www.washingtonpost.com/blogs/the-switch/wp/2015/05/20/cyberattack-on-carefirst-exposes-data-on-1-1-million-customers-in-d-c-md-and-va/ (accessed November 4, 2015).
 “Hackers Access 3.9 Million Records of Adult Dating Website,” Circanews.com, May 22, 2015, http://circanews.com/news/hackers-target-adult-websites (accessed November 4, 2015).
 U.S. Department of Justice, Office of Public Affairs, “Chinese Professors Among Six Defendants Charged with Economic Espionage and Theft of Trade Secrets for Benefit of People’s Republic of China,” May 19, 2015, http://www.justice.gov/opa/pr/chinese-professors-among-six-defendants-charged-economic-espionage-and-theft-trade-secrets (accessed November 4, 2015).
 Jason Krug, “Beacon Health System Alerting Patients of Security Breach,” wndu.com, May 26, 2015, http://www.wndu.com/home/headlines/Beacon-Health-System-alerting-patients-of-security-breach-304973591.html (accessed November 4, 2015).
 Kim Zetter, “Hackers Finally Post Stolen Ashley Madison Data,” Wired.com, August 18, 2015, http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/ (accessed November 4, 2015).
 Jose Pagliery, “UCLA Health Hacked, 4.5 Million Victims,” CNN Money, July 17, 2015, http://money.cnn.com/2015/07/17/technology/ucla-health-hack/ (accessed November 4, 2015).
 Associated Press, “Medical Informatics Engineering Hack Exposed Data on 3.9 Million People,” NBC News, August 3, 2015, http://www.nbcnews.com/tech/security/medical-informatics-engineering-hack-exposed-data-3-9-million-people-n403351 (accessed November 4, 2015).
 Michael Riley and Jordan Robertson, “China-Tied Hackers That Hit U.S. Said to Breach United Airlines,” Bloomberg Business, July 29, 2015, http://www.bloomberg.com/news/articles/2015-07-29/china-tied-hackers-that-hit-u-s-said-to-breach-united-airlines (accessed November 4, 2015).
 “Hackers Allegedly Stole Insider Info To Make Big Trades,” Time, August 11, 2015, http://time.com/3992832/hackers-trading/ (accessed November 3, 2015), and Matthew Goldstein and Alexandra Stevenson, “Nine Charged in Insider Trading Case Tied to Hackers,” The New York Times, August 11, 2015, http://www.nytimes.com/2015/08/12/business/dealbook/insider-trading-sec-hacking-case.html?_r=0 (accessed November 4, 2015).
 Jordan Robertson and Michael Riley, “American Airlines, Sabre Said to Be Hit in China-Tied Hacks,” Bloomberg Business, August 7, 2015, http://www.bloomberg.com/news/articles/2015-08-07/american-airlines-sabre-said-to-be-hit-in-hacks-backed-by-china (accessed November 4, 2015).
 Lucian Constantin, “Cyberattack Exposes 10M Records at Excellus,” Computerworld.com, September 10, 2015, http://www.computerworld.com/article/2983026/cybercrime-hacking/cyberattack-exposes-10m-records-at-excellus.html (accessed November 4, 2015).
 “Legal Notice of Potential Security Incident,” Trump Hotel Collection, https://www.trumphotelcollection.com/data-security-notice (accessed November 4, 2015).
 Arjun Kharpal, “WhatsApp Hack Attack Puts 200,000 at Risk,” CNBC.com, September 9, 2015, http://www.cnbc.com/2015/09/09/whatsapp-hack-attack-puts-200000-at-risk.html (accessed November 4, 2015).
 Chris Davies, “15m T-Mobile consumers Hacked: SSN and More Taken,” slashgear.com, October 1, 2015, http://www.slashgear.com/15m-t-mobile-customers-hacked-ssn-and-more-taken-01407526/ (accessed November 4, 2015).
 “Cyber Security Update,” Scottrade, October 1, 2015, https://about.scottrade.com/updates/cybersecurity.html (accessed November 5, 2015).
 U.S. Department of Justice, Office of Public Affairs, “Bugat Botnet Administrator Arrested and Malware Disabled,” October 15, 2015, http://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled (accessed November 5, 2015).
 U.S. Department of Homeland Security, “Daily Open Source Infrastructure Report, October 22 - November 5, 2015,” https://www.dhs.gov/publication/daily-open-source-infrastructure-report (accessed November 5, 2015).
 U.S. Department of Health and Human Services, Office for Civil Rights, “Breaches Affecting 500 or More Individuals, 2009-2015,” https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (accessed November 5, 2015).