Researchers are concerned over the strength and comprehensiveness of cybersecurity in the U.S., as companies across the country are being targeted in cyber attacks at an increasing rate. Concerns continue to grow as both the number of attacks on companies’ networks and their cost to companies increase. The quantity and quality of information being hacked, stolen, destroyed, or leaked is becoming more of a problem for consumers and businesses alike.
The Ponemon Institute recently released its 2015 Cost of Cyber Crime study, which analyzes the cost of all cyber crime for 58 U.S. organizations, both public and private. The U.S., in comparison with other nations in the Ponemon study, continues to rank highest in its cost of cyber crime at an annual average of $15.4 million per company.
Ponemon surveyed companies in the areas of finance, energy and utilities, and defense and aerospace—three of the most affected sectors—as well as communication, retail, and health care. The annual cost of cybercrime for these companies has more than doubled since 2010, when it averaged $6.5 million. Of the companies surveyed, the minimum cost to a company was $1.9 million while the maximum cost was as much as $65 million in 2015.
This year, companies saw an average of 160 successful cyber attacks per week, more than three times the 2010 average of 50 per week.
Every company surveyed was the victim of a Trojan, virus, or worm type of attack. Ninety-seven percent of those surveyed were reported to have been victims of a malware attack, and 76 percent were victims of a Web-based attack. Just as worrisome as hackers trying to get into a network system are those with malicious intent who already have access to a system. Forty-three percent of companies reported cyber attacks by malicious insiders, and 36 percent of companies suffered attacks as the result of a stolen device.
This paper continues the “Cyber Attacks on U.S. Companies in 2014” paper released last October. The dates listed for each hack reflect the time when these attacks were released to the public and not the date when the breach actually occurred.
- Sony Pictures Entertainment (entertainment). In November, hackers linked to the North Korean government launched an attack on Sony Entertainment, allegedly over a movie depicting North Korea in a negative light. The hackers took terabytes of private data and released confidential information to the public as well as a number of Sony movies.
- GoDaddy and Gigya (online). The Syrian Electronic Army—a group of hackers loyal to Syrian President Bashar al-Assad—claimed responsibility for an attack on a variety of news outlet Web sites such as CNBC, Forbes, the Chicago Tribune, PCWorld, and The Independent via the Gigya Domain Name Service from GoDaddy.com. No personal information was affected.
- Las Vegas Sands Corp (gaming). In February 2014, the Sands Casino was hacked by a group out of Iran. The hackers brought the $14 billion operation to a standstill as they shut down PCs and servers and wiped hard drives clean. The attack was suspected to be in retaliation for comments that Sands CEO Sheldon Adelson made about the Iranian government.
- Chick-Fil-A (restaurant). In January 2014, Chick-Fil-A suffered a credit card breach at a number of restaurants, affecting around 9,000 credit cards. The breach is suspected to have occurred over a span of 10 months and could be related to a number of other point-of-sale system breaches that happened in 2014.
- Staples, Inc. (retail). In another point-of-sale system breach, security experts from Staples detected malware at 115 different stores—1.16 million credit cards were reportedly affected. The breach occurred between July and September 2014.
- Morgan Stanley (finance). An employee was fired from Morgan Stanley after allegedly stealing data and account numbers from as many as 350,000 clients. The disgruntled employee was able to post some personal information online, but no money was lost and the personal data was removed promptly after being detected.
- Anthem, Inc. (health care). Health insurer Anthem, Inc., suffered a massive cyber attack that affected upwards of 80 million current and former customers. The compromised information included Social Security numbers, birthdates, addresses, and employee information. The information of anywhere between 8.8 million and 18.8 million customers of Blue Cross Blue Shield was also affected, having been stored on the same servers. Cybersecurity firm Symantec has attributed the breach to the Black Vine cyber-espionage group, which is also credited with the later Office of Personnel Management hacks and numerous other breaches dating back to 2012.
- Carbanak (banking and finance). Kaspersky Lab reports a group called Carbanak has, since 2013, attempted cyber attacks on 100 banking and financial institutions in almost 30 countries. The group is credited with up to $1 billion in losses.
- Uber (transportation). An Uber database was reportedly accessed in May by an unauthorized third party—compromising as many as 50,000 Uber drivers across America. Only the drivers’ names and license numbers were compromised.
- Forbes.com (news and business). In late November, the cyber espionage group Codoso Team used the Forbes.com website as a watering hole (a cyber campaign that uses trusted Web sites to launch attacks) to target U.S. defense contractors and financial services companies.
- Premera Blue Cross (health care). In an attack that began in May of 2014, Premera Blue Cross fell victim to a cyber attack that exposed the medical and financial information of 11 million people, including their clinical records, bank account numbers, Social Security numbers, and birthdates. Also affected in the attacks were Premera Blue Cross Blue Shield of Alaska, Vivacity, and Connection Insurance Services.
- GitHub (online). The hosting site for two other sites, GreatFire and CN-NYTimes, used for circumventing Chinese state censorship came under a significant distributed denial-of-service attack—almost overwhelming GitHub with Internet traffic. Experts attribute the attack to China in what is being called the “Great Cannon”—referring to China’s “Great Firewall” of Internet censorship.
- Register.com (online). Register, a site used for Internet domain registry, had its network accessed for about a year by hackers with stolen passwords. Some experts have suggested that the breach is connected to the Chinese military, which could possibly use the breach to redirect traffic in a further attempt to steal trade secrets and information.
- Penn State University (academia). The College of Engineering at Penn State University identified a breach that had existed for about two years. Although the school claimed that there was no sensitive material taken, it did notify 18,000 students whose Social Security numbers could have been compromised. “The university estimates that it has spent roughly $2.85 million responding to the attacks.”
- CareFirst BlueCross BlueShield (health care). Around 1.1 million current and former customers of CareFirst BlueCross BlueShield were said to have had their username, real name, birthdate, and e-mail addresses compromised. The company made sure to mention that Social Security numbers and other medical and financial records were not compromised.
- Adult Friend Finder (online). The adult Web site Adult Friend Finder announced that the names, e-mail addresses, and sexual preferences of 3.9 million customers were accessed by hackers. It is unclear where the attack came from, but news agencies in the U.K. have reported that the data obtained in the attack were being “circulated on various dark websites.”
- Economic Espionage. Six individuals are charged with using their access to U.S. universities and technology development companies, such as ROFS Microsystems and Avago, to export proprietary trade secrets to China. The investigation goes as far back as 2006.
- Beacon Health System (health care). The health care firm was the victim of a phishing attack in which employee e-mails and the personal information of 300,000 patients were reportedly affected.
- Ashley Madison (online). The adult Web site was hacked by a group calling themselves The Impact Team. After stealing the information of 37 million users, including banking information, addresses, and sexual fantasies, the group later began releasing droves of information online in large data dumps.
- UCLA Health (health care). The personally identifiable information, including the Social Security numbers of 4.5 million users, was compromised. The hack began as early as May.
- Medical Informatics Engineering (health care). The breach to this medical software company compromised 3.9 million of its users’ Social Security numbers, health records, and other personally identifiable information. The hack began May 7th and was detected May 26th.
- United Airlines (transportation). Reportedly the victim of the Chinese cyber team Black Vine, United systems were accessed in May or early June, around the same time as OPM and Anthem. Airline records, including flight manifests, were taken.
- Trade on the Market. In early August, a group of 32 U.S. traders and Eastern European hackers from Ukraine worked together to access unpublished press releases in an attempt to gain an edge on Wall Street. This information was traded on, bringing in “over $100 million in ill-gotten gains.”
- American Airlines Group, Inc., and Sabre Corp. (transportation and booking). Also reportedly victims of Chinese espionage group Black Vine, the airline and booking companies have not disclosed the amount or type of information accessed, which could reach into the millions.
- Excellus BlueCross BlueShield (health care). In another health insurer cyber attack the company Excellus had the financial and medical information of 10 million of its customers compromised. The hackers found their way around the encrypted data and were able to access names, addresses, Social Security Numbers, medical claims information, etc.
- Trump Hotel Collection (hotel). Seven Trump hotels across the U.S. and Canada reportedly had their systems breached, affecting the information of customers who may have visited those locations between May 2014 and June 2015. While the malware collecting the information has been removed, it has not been confirmed what and how much information was extracted.
- WhatsApp (communications). The cross-platform messaging application reported that up to 200,000 of its Web-based service users are either at risk of a cyber attack or have already had personal information compromised. vCards—electronic contact information—were loaded with malicious code and sent to random users’ phone numbers.
- Experian (finance). Hackers recently attacked the servers of Experian, which stores the credit assessment data of T-Mobile USA, Inc., customers. The attack took the names, addresses, and Social Security Numbers of more than 15 million people.
- Scottrade (finance). The names and addresses of up to 4.6 million users of the trade and investment firm were reportedly targeted between 2013 and 2014.
- Bugat/Dridex Botnet. A large network of computers controlled by hackers was set to automatically steal confidential personal and financial information, including banking credentials and keystrokes (passwords). The FBI attributes up to $10 million in direct losses to the Bugat/Dridex Botnet.
It should be noted this list is incomplete. A simple search through the Department of Homeland Security’s Daily Open Source Infrastructure Reports or the Department of Health and Human Services’ Breach Portal will show a greater number of breaches than recounted in this list.
In fact, health care services continued to see a large number of smaller (fewer than 1 million people affected) breaches. Interestingly, a number of universities were also subject to cyber attacks this past year, possibly reflecting greater cyber-ability in their current students. Even though cyber breaches and attacks continually affect a wide variety of industries, there continues to be a pattern in the type of information targeted by these malicious actors.
Congress and the Administration should:
- Consider how regulations financially affect businesses. While asking businesses to focus more on cybersecurity is noble, policymakers will need to remember that businesses will focus only on as much security as fits into their business model. However, businesses (especially smaller businesses) will need to think about how cybersecurity breaches will affect their image and bottom line.
- Avoid minimum security standards. Setting obligatory cybersecurity standards for companies will not prevent breaches—in fact, it may worsen security. Telling companies to comply with a minimum set of regulatory standards for security is like asking companies to jump and then having both companies and hackers respond with “How high?” Avoid making companies commit funding to securing one or several aspects, when a hacker can simply attack or breach the areas from which that funding was misallocated.
- Increase cooperation with private businesses. As the backbone of the tech market and target of many of these cyberattacks, the private industry is working on best practices and collaborating to create the technology and workforce necessary to counter cyber threats. This includes companies in the U.S., as well as those with a global presence. Increasing cooperation with private business will give government access to firsthand knowledge on emerging cyber threats and, conversely, will help private businesses prepare using whatever cyber information the government has to share.
Cyber attacks are on the rise and will continue to be of concern for the foreseeable future. It will be up to private industry to meet these concerns head-on and support the government in its ability to act lawfully against cyber criminals—so long as businesses lack the authority to fight back against those who threaten their systems.
—Riley Walters is a Research Assistant in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.