Search
  • Julie Liu

When You Ignore the Warning Signs

Updated: Oct 7, 2020

Let's look at the big "cyber" data breaches that have affected millions of Americans over the past 10 years.

Target Corporation 2013

Home Depot 2014

Sony Pictures 2014

Federal Office of Personnel Management 2015

Equifax 2017

Facebook 2018

Marriott International 2018

Capital One 2019

Federal Emergency Management Agency 2019


We see some common patterns:

1. Persistent negligence - when those in charge ignore the warning signs.

2. Denial - the first sign of weakness.

3. Mis-directed priorities - when the bottom line matters more than security.


In each of these cases, the initial weaknesses that allowed the cyber-attack and subsequent data exfiltration were known, yet ignored. Here are some of the highlights:


Target 2013

  • HVAC vendor falls prey to email phishing campaign, November 2013

  • Company lacks enforceable password policy

  • Corporate network using unpatched systems with "worse than weak" security configurations

  • Hackers to implant malware that is able to traverse the corporate network

December 2013, hackers easily traversed the corporate network and installed malware on the Point of Sale systems. They stole around 40 million credit card numbers and personal information from 70 million customers. Only after the fact, did Target Corporation spend the money to hire a security team to audit their corporate network and promote a security plan.


Home Depot 2014

  • Home Depot management notified about the failure to encrypt Point of Sale data, 2009

  • Employees reported major in-store sales device flaws to management, 2010

  • Security department warned management about lack of anti-virus software, 2014

  • Management refused to address data security concerns due to cost

During the 5-year timespan from when the Home Depot management knew about critical security flaws in their corporate network, the credit card records from over 56 million individuals was stolen.


OPM 2015

  • Department of Homeland Security discovers malware on an OPM server, July 2012

  • No measures are taken to remove this or any other malware until April 2015

During the 3-year timespan of gross negligence and miscommunication between those in charge, over 21 million sensitive personnel records, including background checks and fingerprints, from over 4 million individuals were stolen.


Equifax 2017

  • Website weakness discovered and reported to management, March 9 2017

  • Left unaddressed until July 29

During that timespan, hackers were able to implant malware and steal 143 million social security numbers, dates of birth, addresses, and driver's license numbers. Adding insult to injury, Equifax offers customers another website, for free, but this new website is also easily hacked.


What's the message? Do NOT ignore the warning signs. Do NOT deny the facts. Greed does not always pay off - sometimes you really DO have to spend on resources that might not be part of your short-term profit plan.