The largest consumer data breach in U.S. history started with an antenna hidden in a Pringle’s can in a Minnesota parking lot.
The criminals used the directional antenna and a laptop to detect and break into the wireless network at a Marshalls store, gaining access first to the manager’s computer login details and then the parent company’s entire computer system.
Over 18 months, the intruders quietly stole the personal data of 45.7 million customers, eventually costing Marshalls’ owner, TJX Cos., nearly $2 billion in restitution. That breach, which began in 2005, hit customers nationwide, including shoppers in Maine.
So far this year, cybercrime has infiltrated targets in Maine, hitting the town of Cumberland, The Works Bakery cafe in Portland, and Agincourt Wallboard in Westbrook, putting at risk private information on customers or employees. These small-scale attacks occurred alongside high-profile attacks at major companies like Facebook and Apple, and publications such as The New York Times and The Washington Post.
TJX’s weak point was its failure to follow basic security practices, such as protecting passwords and updating security software, said Liz Fraumann, executive director of Securing Our eCity Foundation, a San Diego-based organization that promotes safe business and consumer computer practices.
“Whether you are a large company like TJX or the local dry cleaner — it’s Computer 101. Follow the basic protections — firewalls, passwords, updated security software,” Fraumann said.
TJX did not immediately return calls seeking comment.
No company or organization — no matter how big or small — is immune from cyberthreats. As many as 92 percent of targets won’t know they’ve suffered a computer breach until they are notified by an outside party, according to a Verizon report.
“There are only three types of companies out there: those that know they’ve had a breach and reported it; those who know they’ve had a breach and didn’t report it; and companies that didn’t know they’ve had a breach,” said Eva Velasquez, chief executive of the Identity Theft Resource Center.
Cybercrime can involve full-scale criminal activity, warfare and cyberterrorism, data security experts said.
U.S. companies lose about $250 billion to intellectual property theft every year, according to Symantec, a security software maker. Internationally, $114 billion was lost to cybercrime, but that number could be as high as $388 billion if the value of time and business opportunities lost is included, Symantec said.
“The cyberthreat to our privacy, our economy and our national security is real and it is escalating,” said Sari Greene, founder of Sage Data Security in Portland. “The motive can vary — money, political statement, warfare — but the fundamental tools and techniques used by cybercriminals, hactivists and nation states are fundamentally the same. We don’t think of ourselves as being on a battlefield, but we are.”
In the old days, worms and viruses were used to gain notoriety for the hacker. The impact of today’s attacks has escalated to the point where hacking carries political and economic clout, as with “hacktivist” digital denial of service, or DDos, attacks, like those waged by the group Anonymous against targets ranging from major banks to celebrities. Today’s malware can also be used to quietly gather critical information for monetary profit.
While there are many methods of breaching a computer system, one of the most common threats is malware, short for malicious software, which is used or programmed by attackers to disrupt computer operations, gather sensitive information, or gain access to private computer systems.
Malware can enter a computer system in a variety of ways: through an email with a link connected to a malware distribution site, embedded in an attachment that is downloaded to a computer, or by accessing a website that has malware on it.
Malware can do a range of things, such as capture keystrokes, copy data on the computer screen, take screenshots, or mobilize a computer to be a zombie, an unknowing part of another attack. Once the malware is on a computer that is linked to the Internet, it can connect back to whoever is controlling it. The malware also could be preprogrammed to collect information and report back or take additional commands.
It’s not just big, high-profile companies that are at risk. In the first six months of 2012, 36 percent of all targeted attacks were directed at businesses with 250 or fewer employees. That’s a surge from 18 percent at the end of 2011, Symantec said.
“There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against large ones. It almost seems attackers are diverting their resources directly from the one group to the other,” Paul Wood, Symantec’s cybersecurity intelligence manager, said in a statement.
“It may be that your company is not the primary target, but an attacker may use your organization as a stepping-stone to attack another company. You do not want your business to be the weakest link in the supply chain. Information is power, and the attackers know this, and successful attacks can result in significant financial advantage for the cyber criminals behind them. Access to intellectual property and strategic intelligence can give them huge advantages in a competitive market,” Wood said.
Richard French, founder of The Works Bakery chain, said the company’s point of sale computer systems may have been infected by a malware program that was designed to gather information directly from credit and debit cards as they were swiped. He declined to comment on how The Works, whose Portland store was affected, discovered the problem, citing an ongoing investigation.
“It was time-consuming, expensive, disruptive and emotionally taxing for our management team and our employees, and I’m sure stressful for customers,” French said. “We’re a small, little regional company. It’s a sign of the times. I’m confident we’ll see more of this happening to others.”
Federal authorities advised customers who used a debit or credit card at any of The Works’ locations between mid-January and Feb. 1 to contact their financial institution immediately to report the potential compromise. Any card used at the company’s locations should be canceled and reissued.
French said The Works had state-of-the-art cybersecurity already in place when the breach occurred, but the company has installed more security measures since it became aware of the breach, he said.
“We’re different than we were two months ago. We already had systems in place. We thought we were in good shape before, but now we’re stronger,” French said.
The Works Bakery, based in Keene, N.H., has other locations in Manchester and Brattleboro, Vt., and Portsmouth and Concord, N.H.
“The restaurant industry is a noted target because we have a ton of transactions,” French said. “Credit card use is a significant portion of transactions — more than half of all transactions are electronic.”
A PLAN IN PLACE
Every business needs to have a plan for when — not if — a breach happens, analysts said.
“Businesses need to recognize that they are vulnerable and adopt a defense-in-depth posture,” Greene said. “They need multiple levels of safeguards. Just like businesses have door locks and alarms and inventory controls and guards and fences, they need to have multiple cybersecurity controls in place, as well. The Internet in inherently insecure. The designers never envisioned that it would transform into a global infrastructure used for commerce, communication, education, entertainment.”
Hiring a data security consultant can help a business determine what data it needs to protect and then put controls on that information.
Sage Data Security in Portland, for example, has a service called nDiscovery that collects device and application logs every day that are analyzed for potential indicators that a system has been compromised.
If a computer network has been breached, Sage works with the client to triage the problem and advise it on what actions need to be taken. Sage also helps the company determine how to work with its legal counsel, law enforcement, customers and the public.
Some general words of wisdom: Don’t click on any link in an email. Restrict employees’ Internet browsing to the exact sites they need to perform their job. Don’t download information to your computer. Don’t access personal email on a work computer.
“It requires a shift in habits, but the inconvenience pales in comparison to the disruption of a breach. It’s a cost of doing business and of honoring the public trust with the data you manage,” Greene said.
All businesses have some data they need to protect — whether it is customers’ credit card data or employees’ Social Security numbers, said Sam Imandoust, legal analyst with the Identity Theft Resource Center.
Often, small businesses don’t think they are big enough to be a target.
That’s a false sense of security. Hackers are sophisticated enough that it takes them no time or effort to set up a program to ping hundreds of local businesses, hunting for a target. Even if they get just a few credit card numbers out of a business, it could be worth it for them, Velasquez said.
Hackers have honed the concept of “phishing.” While most people still think of spam as a frantic, misspelled email that appears to be from another country asking for money to be deposited in an unknown account, phishing is now called whaling and it’s much more convincing, Imandoust said.
Hackers have gotten so sophisticated that emails appear to come from familiar companies, complete with the correct logo, corporate names, and wording commonly used by a brand.
“Cybercriminals have a lot of time and energy on their hands,” The Works’ French said.
Jessica Hall can be contacted at 791-6316 or at: