8 Shocking Real-World PCI Violations and their Consequences

If you work with sensitive data, you’ve probably heard of the terms “cybersecurity incident”, “malware”, and “breach”. These might cause a lot of stress for you and your organization because getting hacked can be a nightmare to fix. 

Unfortunately, data breaches aren’t uncommon. In fact, since 2016, an average of over 4,000 ransomware attacks occur every day in the United States.

Some of the worst breaches involve stolen payment information, resulting in PCI violations. These violate the Payment Card Industry Data Security Standard (PCI DSS), a standard for organizations that deal with credit card data.

A violation doesn’t only lead to monetary losses for the person whose data gets stolen. It also causes financial consequences for the organization. 

Getting hacked often means that the organization will spend thousands of dollars, if not millions, trying to resolve the situation. These costs can include fines imposed after a court hearing and revenue lost to business downtime.

Some of the largest companies have had to deal with these incidents. Let’s look at eight of the worst PCI violations and their consequences. 


Warner Music Group

Several hacker groups combined efforts to create Magecart, a group that targets payment cards used in online purchases. They attack third-party software companies and skim customer data as the business conducts a transaction.

Between April 25 and August 5, 2020, Magecart targeted Warner Music Group (WMG).

The unauthorized third party leaked information such as card numbers, CVC/CVV numbers, and card expiration dates. Magecart also accessed…

  • Customer names

  • Email addresses

  • Telephone numbers

  • Billing addresses

  • Shipping addresses

This posed a significant risk for the company’s customers since both personal and financial details could allow the hackers to conduct fraudulent purchases and carry out phishing attacks to get more data.

WMG filed a data breach incident notice with the California Attorney General. The company acknowledged the attack but didn’t reveal the number of customers affected. It stated that personally identifiable information (PII) could potentially have been accessed. While WMG didn’t confirm whether PII was leaked during the attack, it did say that the leaked information could allow fraudulent transactions.

The company launched a forensic investigation to address the breach. WMG notified relevant credit card providers to impose additional security measures for the affected consumers and card numbers. It also offered 12 months of free identity monitoring to those impacted individuals. 

Equifax

In September 2017, Equifax announced that it suffered a massive data breach. But just how massive was this?

The incident affected over 145 million Americans, equivalent to 45% of the US population and 80% of those who had a credit report. It also impacted citizens of Britain and Canada.

Most of those affected had their social security numbers, birth dates, and addresses compromised. Some unlucky people also had their driver’s licenses and credit card numbers stolen. 

The settlement totaled $425 million. Impacted individuals can still file claims for expenses related to identity theft or fraud until January 2024.

Target

A report in December 2013 put the spotlight on Target, saying the company suffered a data breach around Black Friday. Target confirmed that a breach may have impacted cards used in brick-and-mortar locations between November 27 and December 15. 

Up to 40 million people had their credit card numbers stolen within those three weeks. The Secret Service, which safeguards the US financial infrastructure and payment systems, confirmed in mid-December that it was investigating this incident. 

The hackers stole the data encoded on the magnetic stripes of shoppers’ cards so that they could create counterfeit versions. They could also withdraw money from ATMs with the counterfeits if they intercepted PIN data.

The data breach led to a settlement of almost $18.5 million, and Target ended up spending over $202 million in legal fees.

Home Depot

Home Depot experienced a PCI violation that compromised 56 million credit cards between April and September 2014. The company stated publicly that it affected people who used payment cards on the self-checkout machines in US and Canadian locations. 

The hacker used a vendor’s username and password to gain access to the computer network. They then installed custom-built malware to access the shoppers’ payment card information. As a result, 40 million people had their payment details stolen, and 52 million to 53 million had their email addresses compromised. There was some overlap between these groups of people. 

The breach was attributed to outdated antivirus software and the company’s failure to monitor the network for unusual activity. However, Home Depot didn’t admit to any wrongdoing or liability in court when settling the case.

Ultimately, the home improvement company agreed to pay at least $19.5 million to compensate impacted consumers. Home Depot set up a $13 million fund to reimburse the shoppers. They also spent around $6.5 million to fund one and a half years' worth of identity protection services. 

The company booked $161 million of pre-tax expenses for the breach, which included consumer settlements. Estimates from court papers at the time said that legal fees and costs for lawyers could reach $8.7 million.

Adobe

Over 38 million Adobe users had their login information stolen in a breach that occurred in October of 2013. This also resulted in a PCI violation with over 3 million stolen credit card records. The incident occurred due to vulnerabilities in cloud-based services. 

Between 2011 and 2013, Adobe switched from desktop licenses to cloud-based software. The attack occurred before the company implemented the authorization keys that prevent unauthorized access to the cloud. Because that security measure wasn’t yet in place, the attackers were able to get in.

The consequence of this PCI violation was a $1 million settlement after 15 states sued the company. Adobe also paid an undisclosed amount due to violating the Customer Records Act.

As further compensation, the company offered one year of credit monitoring to affected customers. It appointed a Chief Security Officer and underwent a broader reorganization of employees to integrate the scattered security teams within the company.

TJX Companies

TJX Companies Inc. was the victim of a breach that exposed over 94 million accounts between July 2005 and December 2006. More than 80 GB of stolen cardholder data got illegally transferred to a site in California. 

The cause was a “traffic capture program,” which intruders installed on TJX’s networks. The malware was designed to capture sensitive cardholder data as it was transmitted over the company’s network. The stolen details included information encoded on the magnetic stripes on the back of payment cards.

Banks sued TJX for violating nine of the 12 PCI controls. It had failed to properly configure its wireless networks and to segregate the networks that carried cardholder data. TJX was also improperly storing prohibited data.

Heartland Payment Systems

Heartland Payment Systems (HPS) experienced a PCI violation in 2009 after a SQL injection (SQLI). This kind of attack occurs when cybercriminals find vulnerabilities in web applications so that they can…

  • Steal, delete, or alter data

  • Gain administrative control over systems 

They then enter malicious commands into web forms to gain unauthorized access to the data. 

Cybersecurity researchers view SQLI as one of the least sophisticated cyber threats. It’s a well-known, predictable attack with straightforward countermeasures, yet it still succeeds despite being easy to defend against.
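The following is an added illustration, not code from the original article or from Heartland, of why the countermeasure is considered straightforward. It uses a constructed in-memory SQLite table (the customer names and card tokens are made-up sample values, not real cardholder data) and a hypothetical form field `customer`. The first lookup splices the form input into the SQL text, so the database parses whatever the user typed as part of the query; the second binds the input as a parameter, so it is only ever treated as a value; the third adds an input-shape check as defence in depth.

```python
import re
import sqlite3

# Constructed sample rows: fake customer names and fake card tokens.
SAMPLE_ROWS = [
    ("alice", "tok_0001", "2026-01"),
    ("bob", "tok_0002", "2027-06"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer TEXT, card_token TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer):
    """Vulnerable: the form value becomes part of the SQL statement itself."""
    sql = f"SELECT customer, card_token FROM cards WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, customer):
    """Hardened: the value is bound with a placeholder and never parsed as SQL."""
    sql = "SELECT customer, card_token FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def is_valid_customer_id(customer):
    """Defence in depth: only accept the shape a customer id is allowed to have."""
    return re.fullmatch(r"[a-z0-9_]{1,32}", customer) is not None


def lookup_validated(conn, customer):
    """Validate the input shape first, then use the parameterized query."""
    if not is_valid_customer_id(customer):
        raise ValueError("rejected customer id")
    return lookup_parameterized(conn, customer)


def demo():
    """Return row counts for a benign input and a constructed hostile form input."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed form input that rewrites the WHERE clause
    return {
        "vulnerable_benign": len(lookup_vulnerable(conn, benign)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "param_benign": len(lookup_parameterized(conn, benign)),
        "param_hostile": len(lookup_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    # Expected: vulnerable lookup returns every row for the hostile input (2),
    # the parameterized lookup returns none (0); both return 1 for "alice".
    print(demo())
```

With the hostile input, the vulnerable lookup hands back every card token in the table because the quote in the input closes the literal and the rest is parsed as SQL; the parameterized lookup simply finds no customer with that literal name. The validation step is worth keeping even with parameterized queries, since it rejects malformed input before it reaches any backend and gives a clean point at which to log and alert on attempts.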

Visa and Mastercard notified HPS that there was a breach and soon banned the company from processing payments for the following 14 months. HPS ended up paying $145 million in compensation.

First American Financial Corporation

In 2019, a design defect in First American Financial Corporation’s website left 885 million records exposed. Anyone could have accessed the documents without authorization. In May, someone reported the exposed files, and the company quickly took them offline.

These files included bank account numbers, social security numbers, and wire transactions. Some of the documents were from as early as 2003. 

The company couldn’t confirm if cybercriminals had accessed the documents or used the data for malicious purposes. 

Conclusion

Because data breaches occur every day, PCI violations aren’t uncommon. Since hackers’ goal is to make money, they especially target financial details such as credit card information.

If an organization fails to follow the PCI DSS and a hacker exploits the resulting vulnerability, it will face a PCI violation. Cybercriminals will target any company that handles payment card details, such as retailers or financial institutions.

Since there are major risks associated with payment details, organizations must take precautions, such as employee training, to protect that information. If they don’t, they’ll end up falling victim to hackers’ schemes, with severe consequences that can cost millions of dollars in fines or lost revenue.