Mainframe hacks and consequences

The true cost of a data breach is notoriously difficult to calculate, but one thing is clear: it can be staggering. Multi-year litigation, ongoing response efforts, and settlement costs can sometimes reach into the billions. Moreover, most breaches are not direct attacks on mainframe systems, but rather exploits of open systems and web components that then move laterally, causing significant harm to mainframe data. While details on mainframe involvement are often scarce, the high-profile companies listed in this article all utilize mainframes.

10 largest cyber attacks likely involving mainframes

  1. Equifax (2017): Affecting 147 million consumers, this breach involved unauthorized access to personal data. Mainframes are often used in financial services, making it likely they were part of the infrastructure impacted.
  2. Capital One (2019): Exposing around 106 million records, this financial data breach potentially involved mainframes due to the nature of the data and systems typically used in banking.
  3. Yahoo (2013-2014): While mainly a breach of web services, the scale (3 billion accounts) suggests that underlying systems for data management, potentially including mainframes, were compromised.
  4. First American Financial Corp. (2019): Nearly 885 million records were exposed in this breach of a major title insurance provider, a sector known to use mainframes for transaction processing.
  5. Heartland Payment Systems (2008): Over 130 million credit card details were stolen in a breach involving payment processing systems, which frequently run on mainframe platforms.
  6. Target (2013): Affecting 110 million customers, the breach into one of the largest U.S. retailers likely impacted mainframe systems that manage transaction and customer data.
  7. TJX Companies, Inc. (2006): With 94 million records compromised, this attack on the retailer involved data typically processed and stored on mainframes.
  8. eBay (2014): The personal information of 145 million users was compromised in this breach. While eBay uses a complex infrastructure, mainframe systems could be involved for transaction processing.
  9. JP Morgan Chase (2014): As the largest bank in the United States, the breach that affected 83 million households and small businesses likely involved mainframe systems that handle extensive financial transactions and services.
  10. Marriott International (2018): This incident involved the records of up to 383 million guests. Given the hospitality industry’s reliance on large-scale transaction processing systems for reservations and customer data management, mainframes were likely part of the impacted infrastructure.

These examples highlight breaches where mainframes might have been involved due to the industries and data types affected. However, specific details about the role of mainframes in each incident are typically not disclosed by the companies involved.


#1 - Equifax (2017): 147 million records

Breach Details:

  • The breach occurred because of both human error and technology failures.
  • The attackers exploited a vulnerability in Apache Struts, a software used by Equifax, which was not patched despite a notification from the U.S. Department of Homeland Security.

Impact:

  • Personal data of over 143 million consumers was exposed, including names, Social Security numbers, birth dates, addresses, and driver’s license numbers.
  • Consumers were offered free credit monitoring and identity theft protection services.
  • Many consumers experienced frustration with the company’s response and remediation efforts.

Consequences:

  • Equifax faced numerous class-action lawsuits and a separate suit from the state of Massachusetts.
  • The company’s CEO, Richard Smith, stepped down in the aftermath of the breach.
  • Equifax faced a congressional investigation and was criticized for its response to the breach.
  • The company’s stock price declined, and it faced financial losses due to the breach.


#2 - Capital One (2019): 100 million records

Breach Details:

  • The hack occurred on March 22 and 23, 2019.
  • An outside individual gained unauthorized access to data on Capital One credit card customers and on individuals who had applied for credit card products.
  • The individual was able to access names, addresses, postal codes, phone numbers, email addresses, dates of birth, and income.
  • The FBI arrested the alleged hacker, Paige A. Thompson, a former Amazon Web Services employee.
  • Thompson allegedly accessed the bank’s data through a misconfigured firewall.

Impact:

  • Personal data of over 106 million customers and applicants was exposed.
  • 100 million people in the U.S. and 6 million in Canada were affected.
  • Consumers were offered free credit monitoring and identity theft protection services.
  • Many consumers experienced frustration with the company’s response and remediation efforts.

Consequences:

  • Capital One faced numerous class-action lawsuits and was ordered to pay $190 million in a settlement.
  • The company’s CEO, Richard Fairbank, issued an apology for the breach.
  • Capital One faced a congressional investigation and was criticized for its response to the breach.
  • The company’s stock price declined, and it faced financial losses due to the breach.


#3 - Yahoo (2013-2014): 3 billion records

Breach Details:

  • Yahoo suffered two massive data breaches, in 2013 and 2014, which were only revealed in 2016.
  • The 2013 breach affected all three billion user accounts.
  • The 2014 breach affected over 500 million user accounts.
  • The breaches included names, email addresses, phone numbers, birth dates, security questions, and both encrypted and unencrypted passwords.
  • The hackers also stole cookies that allowed them to authenticate as any user without a password.

Impact:

  • Users’ personal information was exposed, including names, email addresses, phone numbers, and birth dates.
  • Users’ security questions and answers were exposed, which could be used to gain access to other accounts.
  • Users’ passwords were exposed, which could be used to gain access to other accounts.
  • Users were at risk of identity theft and fraud.
  • Users had to change their passwords and security questions, and monitor their accounts for suspicious activity.

Consequences:

  • Yahoo faced a $117.5 million class-action lawsuit settlement.
  • Yahoo was fined $35 million by the SEC.
  • The breach led to Congressional scrutiny.
  • The breach significantly impacted Verizon Communications’ acquisition of Yahoo.
  • The breach led to the resignation of Yahoo’s General Counsel, Ronald S. Bell.
  • CEO Marissa Mayer’s equity compensation bonus for 2016 and 2017 was pulled.
  • Yahoo’s reputation was damaged, and user trust was lost.


#4 - First American Financial Corp. (2019): 885 million records

Breach Details:

  • First American Financial Corp., a title insurance company, experienced a breach in May 2019.
  • The breach was due to a vulnerability in First American’s online web portal.
  • The vulnerability allowed access to millions of records of non-public confidential consumer information.
  • A developer discovered the vulnerability and notified First American, but received no response, leading him to notify Brian Krebs, who made the breach public.

Impact:

  • The breach exposed millions of records of non-public confidential consumer information.
  • The exposed information included Social Security numbers, bank routing information, and contact information for parties to title insurance transactions.
  • The breach put consumers at risk of phishing and business email compromise attacks.

Consequences:

  • First American faced a $1 million penalty from the New York Department of Financial Services for violating the state’s cybersecurity regulation.
  • The company faced criticism for its response to the breach and its failure to maintain disclosure controls.
  • First American agreed to a $488,000 fine and a cease-and-desist order from the Securities and Exchange Commission.
  • The breach led to calls for companies to strengthen their security posture and conduct regular penetration tests to identify vulnerabilities.


#5 - Heartland Payment Systems (2008): 130 million records

Breach Details:

  • The Fortune 1000 company, which specializes in payment, point-of-sale and payroll systems, suffered one of the worst data breaches in history.
  • The breach was due to a SQL injection attack in 2007, which modified the code on a web script and gave attackers access to a web login page.
  • The attack, undetected for months as it moved through Heartland’s system, found enough data to create new physical credit cards, including the data coded into the card’s magnetic strip.

Impact:

  • The breach exposed over 130 million credit card details.
  • The stolen data included the information encoded on the cards’ magnetic strips, enough to produce counterfeit physical cards.
  • The breach put cardholders at risk of payment-card fraud and financial loss.

Consequences:

  • Heartland lost its PCI DSS compliance for four months and lost hundreds of customers.
  • The total monetary loss to the company, including compensating victims, was more than $200 million.
  • Heartland’s stock price fell 50% within days of announcing the breach, sinking more than 77% in the ensuing months.
  • It was by far the most damaging publicly reported cyber attack at the time.


#6 - Target (2013): 110 million records

Breach Details:

  • The breach started on November 27, 2013, and was discovered by Target personnel by December 13th, 2013.
  • The breach began with a phishing email sent to employees of Fazio Mechanical, an HVAC firm that was hired by Target.
  • The phishing email led to the theft of the vendor’s network credentials, which attackers used to reach Target’s network and install malware on its point-of-sale machines.
  • The malware gave the attackers the access they needed to begin stealing valuable customer information from the corporation’s systems.

Impact:

  • The breach exposed 40 million credit and debit card records and 70 million customer records containing names, addresses, and mobile numbers.
  • The breach put consumers at risk of phishing and business email compromise attacks.
  • The breach put consumers at risk of identity theft and financial loss.

Consequences:

  • Target lost over $200 million due to the breach.
  • Target was forced to pay an $18.5 million settlement after hackers stole 40 million credit and debit records.
  • The company’s reputation was damaged, and user trust was lost.
  • The breach led to a nationwide lawsuit against the corporation, involving 47 states as well as the District of Columbia.


#7 - TJX Companies, Inc. (2006): 94 million records

Breach Details:

  • The TJX Companies, Inc. hack occurred in 2005 and 2006, with the attackers remaining undetected for 18 months.
  • The attackers accessed the company’s systems via poorly protected wireless local-area networks at two Marshalls stores in Miami.
  • The breach was discovered in December 2006, and the company notified affected customers in 2007.

Impact:

  • The attackers stole over 45 million credit and debit card numbers.
  • Driver’s license numbers and other personally identifiable information related to payment-card and merchandise return transactions for which a receipt was not present were also stolen.
  • The breach put consumers at risk of phishing and business email compromise attacks.
  • The breach put consumers at risk of identity theft and financial loss.

Consequences:

  • The breach cost the company over $150 million.
  • The company faced several lawsuits.
  • The company was required to implement new security measures to protect customer data.
  • TJX offered credit and ID theft monitoring services for up to three years for individuals whose driver’s license numbers were compromised.
  • TJX offered shopping vouchers for those whose card information might have been stolen.
  • TJX held a one-time three-day event in 2008 during which the company sold items at a 15% discount in all of its stores.


#8 - eBay (2014): 145 million records

Breach Details:

  • eBay’s corporate network was hacked and a database with users’ passwords was compromised.
  • The attackers accessed the company’s systems via compromised employee log-in credentials.
  • The breach was discovered two weeks after it occurred, and the company notified affected customers on May 21, 2014.

Impact:

  • The attackers stole over 233 million eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth.
  • The breach put consumers at risk of phishing and business email compromise attacks.
  • The breach put consumers at risk of identity theft and financial loss.

Consequences:

  • The breach cost the company millions.
  • The company faced several lawsuits.
  • The company was required to implement new security measures to protect customer data.


#9 - JP Morgan Chase (2014): 83 million records

Breach Details:

  • The cyberattack on JP Morgan Chase happened between 2011 and May 2015.
  • The attackers accessed the company’s systems through a compromised employee computer, which became infected with malware that established a VPN tunnel into the bank’s networks.
  • The breach was discovered in late July 2014, but not completely halted until the middle of August.
  • The attackers accessed information associated with 83 million accounts, including 76 million households and 7 million small businesses.

Impact:

  • Names, email and postal addresses, and phone numbers of account holders were obtained by hackers, raising concerns of potential phishing attacks.
  • The hackers also accessed internal JPMorgan Chase information relating to users.
  • There is no evidence that user account data, such as account numbers, passwords, user IDs, birthdates, or Social Security numbers, was compromised during the attack.
  • JPMorgan has not seen any unusual customer fraud related to this incident.

Consequences:

  • The breach is considered one of the most serious intrusions into an American corporation’s information system and one of the largest data breaches in history.
  • US federal indictments were issued against four hackers in the massive fraud in November 2015.


#10 - Marriott International (2018): up to 383 million records

Breach Details:

  • The breach occurred between 2014 and 2018, and was discovered on November 19, 2018.
  • The hackers accessed the Starwood guest reservation database, which included information on up to 500 million guests.
  • The breach was attributed to a Chinese intelligence group, and was considered one of the largest data breaches in history.

Impact:

  • The exposed information included names, addresses, phone numbers, email addresses, passport numbers, and credit card information.
  • Some users also had their loyalty program account information and travel history exposed.
  • The breach put users at risk of identity theft, phishing, and other fraudulent activities.

Consequences:

  • Marriott International faced a $123 million fine from the UK’s Information Commissioner’s Office (ICO) for violating the General Data Protection Regulation (GDPR).
  • The company also faced numerous lawsuits and legal claims from affected guests.
  • Marriott International implemented new security measures to prevent future breaches, including encrypting sensitive data and implementing two-factor authentication.


The slew of high-profile hacks, including Home Depot (2014), Anthem (2015), and Experian (2015), has compromised the personal information of millions of users, leaving them vulnerable to identity theft, phishing, and financial loss. Although the mainframe was not directly breached in every case, it is likely that sensitive data was extracted from these systems, underscoring the importance of robust security controls and vigilant monitoring around the mainframe and the systems that connect to it.

An analysis of these 10 major hacks reveals a stark truth: many breaches can be traced back to preventable errors. Phishing attacks, third-party vulnerabilities, weak passwords, outdated software, lack of encryption, inadequate monitoring, human error, and poor segmentation all contributed to these devastating breaches. By addressing these common vulnerabilities and prioritizing proactive security measures, companies can significantly reduce the risk of falling victim to a similar breach, safeguarding their customers’ sensitive information and their own reputation. By learning from these incidents, we can work towards a safer, more secure digital landscape.

The total cost of a breach is difficult to calculate, and published figures often only reflect the initial costs of response and remediation. The long-term expenses, including litigation, legal settlements, and reputational damage, can far exceed the initial estimates, making proactive security measures a wise investment for any organization handling sensitive data.