Forever 21: Missing out on flash sales may not have been the only thing to put a damper on some U.S. consumers’ holiday shopping. In early November 2017, apparel retailer Forever 21 announced that from at least March to October 2017, an unknown amount of consumer payment card information at an undisclosed number of its worldwide stores had been hacked. Depending on the specific extent of the breach, a number of Forever 21 consumers may be the targets of identity theft and financial fraud. But experts noted that given the ease with which banks can notice and remedy any fraud, there may be little opportunity for consumers to file class action lawsuits against the company.
PayPal: PayPal’s recent acquisition of Canada-based payment processor TIO Networks went off without much trouble. But not long after the deal closed, TIO announced it had uncovered a data breach affecting up to 1.6 million of its customers. As the new owner of TIO Networks, PayPal is ultimately liable for the breach. So far, only the Pennsylvania attorney general’s office has opened an investigation into the incident. Other state investigations, however, may be forthcoming. According to NJ.com, for example, the breach at TIO Networks could have exposed the checking account information of customers of New Jersey’s electric and gas utility, PSE&G.
Deloitte: In September 2017, Deloitte disclosed that one of its servers was accessed by cybercriminals. The server contained emails from some of Deloitte’s most sensitive clients, including the United Nations, four U.S. federal agencies and a host of multinational corporations. In total, the server stored emails from over 350 clients, but Deloitte said that “very few” had been “impacted” and that none of its government clients’ data was compromised by the breach. Early reports of the incident noted that the compromised server had lacked two-factor authentication—a vital access control and common cybersecurity best practice. Still, it is unknown what role, if any, the lack of two-factor authentication played.
Verizon: In July 2017, Verizon third-party vendor NICE Systems said it had inadvertently publicly exposed the personal information of around six million Verizon customers, including names, addresses, phone numbers and account identification numbers. The breach at NICE emanated from a misconfigured Amazon cloud server. While it is unknown what harm, if any, was caused by NICE’s breach, Verizon is ultimately liable for all the consequences of the incident.
SEC: Like Uber, the Securities and Exchange Commission (SEC) experienced a breach in 2016. But it wasn’t until September 2017 that the agency disclosed the cyber theft of information stored in its EDGAR filing system. The SEC believes that the stolen information was used in connection with illegal trades made in August 2017. After news of the breach hit, the SEC was criticized for lacking appropriate cybersecurity protections of its own, while pushing the financial companies it regulates to adopt more robust security practices. SEC chairman Jay Clayton said nonpublic data stored in EDGAR “relates to the operations of issuers, broker-dealers, investment advisers, investment companies, self-regulatory organizations (SROs), alternative trading systems (ATSs), clearing agencies, credit rating agencies, municipal advisers and other market participants.”
NHS: The WannaCry ransomware exploded onto the scene in May 2017, affecting computers and networks across the globe. The number of compromised targets, ranging from utility companies to universities, multinational corporations and law firm DLA Piper, was staggering. But one of the hardest hit in the attack was the UK’s National Health Service (NHS). The attack disrupted services in 34 percent of NHS trusts—essentially regional healthcare administrations—and led to over 6,900 canceled appointments. The Achilles heel of the NHS was its reliance on outdated, unpatched Microsoft software, especially Microsoft XP, which provided an opening for cyber attackers to make their mark.
Uber: To be sure, the Uber breach happened in October 2016. But the company failed to promptly disclose the breach, in which hackers made off with the personal information of 57 million users and drivers, including names, email addresses and cell phone numbers. Those directing Uber’s breach response paid the hackers $100,000 to delete the stolen information, and the incident was ultimately kept secret until late November 2017. Uber still faces a fair share of legal liability. So far, consumer fraud and state breach law violation lawsuits have been filed in Illinois, Washington and Oregon, while suits have also been filed against the company in federal courts in Los Angeles and San Francisco.
Equifax: One of the biggest breaches of 2017, the Equifax cyberattack, disclosed in September 2017, affected more than 145 million U.S. consumers—almost half the U.S. adult population. As of November 2017, all 50 states, plus the District of Columbia and Puerto Rico, are involved in investigations of the breach, alongside at least four federal agencies, including the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC). By early November, at least 240 class action lawsuits were filed against Equifax in the U.S. and Canada.
If 2016 proved that all sectors of the U.S. economy were subject to cyberattacks, 2017 was the year this point hit home.