


ISSUE BRIEF No. 4487 | November 18, 2015

Cyber Attacks on U.S. Companies Since November 2014


Riley Walters

This paper, in its entirety, can be found at http://report.heritage.org/ib4487

The Heritage Foundation
214 Massachusetts Avenue, NE
Washington, DC 20002
(202) 546-4400 | heritage.org

Nothing written here is to be construed as necessarily reflecting the views of The Heritage Foundation or as an attempt to aid or hinder the passage of any bill before Congress.

Researchers are concerned over the strength and comprehensiveness of cybersecurity in the U.S., as companies across the country are being targeted in cyber attacks at an increasing rate of both occurrence and cost. Concerns continue to grow as both the number of attacks on companies’ networks and the cost to companies are increasing. The quantity and quality of information being hacked, stolen, destroyed, or leaked is becoming more of a problem for consumers and businesses alike.

The Ponemon Institute recently released its 2015 Cost of Cyber Crime, which analyzes the cost of all cyber crime for a variety of 58 U.S. organizations both public and private.1 The U.S., in comparison with other nations in the Ponemon study, continues to rank highest in its cost of cyber crime at an annual average of $15.4 million per company.

Ponemon surveyed companies in the areas of finance, energy and utilities, and defense and aerospace—three of the most affected sectors—as well as communication, retail, and health care. The annual cost of cybercrime for these companies has more than doubled since 2010, which then averaged $6.5 million. Of the companies surveyed, the minimum cost to a company was $1.9 million while the maximum cost was as much as $65 million in 2015. This year, companies saw an average of 160 successful cyber attacks per week, more than three times the 2010 average of 50 per week.

Every company surveyed was the victim of a Trojan, virus, or worm type of attack. Ninety-seven percent surveyed were reported to have been the victim of a malware attack and 76 percent were victims of a Web-based attack. Just as worrisome as hackers trying to get into a network system are those with malicious intent who already have access to a system. Forty-three percent of companies reported cyber attacks by malicious insiders and 36 percent of companies suffered attacks as the result of a stolen device.

This paper continues the “Cyber Attacks on U.S. Companies in 2014” paper released last October.2 The dates listed for each hack reflect the time when these attacks were released to the public and not the date of when the breach actually occurred.

November 2014

■■ Sony Pictures Entertainment (entertainment). In November, hackers linked to the North Korean government launched an attack on Sony Entertainment, allegedly over a movie depicting North Korea in a negative light. The hackers took terabytes of private data and released confidential information to the public as well as a number of Sony movies.3

■■ GoDaddy and Gigya (online). The Syrian Electronic Army—a group of hackers loyal to Syrian President Bashar al-Assad—claimed responsibility for an attack on a variety of news outlet Web sites such as CNBC, Forbes, the Chicago Tribune,
PCWorld, and The Independent via the Gigya Domain Name Service from GoDaddy.com.4 No personal information was affected.5

December 2014

■■ Las Vegas Sands Corp (gaming). In February 2014, the Sands Casino was hacked by a group out of Iran. The hackers brought the $14 billion operation to a standstill as they shut down PCs, servers, and wiped hard drives clean. The attack was suspected to be in retaliation for comments that Sands CEO Sheldon Adelson made about the Iranian government.6

■■ Chick-Fil-A (restaurant). In January 2014, Chick-Fil-A suffered a credit card breach at a number of restaurants, affecting around 9,000 credit cards. The breach is suspected to have occurred over a span of 10 months and could be related to a number of other point-of-sale system breaches that happened in 2014.7

■■ Staples, Inc. (retail). In another point-of-sale system breach, security experts from Staples detected malware at 115 different stores—1.16 million credit cards were reportedly affected. The breach occurred between July and September 2014.8

January 2015

■■ Morgan Stanley (finance). An employee was fired from Morgan Stanley after allegedly stealing data and account numbers from as many as 350,000 clients. The disgruntled employee was able to post some personal information online, but no money was lost and the personal data was removed promptly after being detected.9

February 2015

■■ Anthem, Inc. (health care). Health insurer Anthem, Inc., suffered a massive cyber attack that affected upwards of 80 million current and former customers. The compromised information included Social Security numbers, birthdates, addresses, and employee information.10 The information of anywhere between 8.8 million and 18.8 million customers of Blue Cross Blue Shield was also affected, having been stored on

1. 2015 Cost of Cyber Crime Study: United States, Ponemon Institute, October, 2015,
http://img.delivery.net/cm50content/hp/hosted-files/2015_US_CCC_FINAL_4.pdf (accessed November 4, 2015).
2. Riley Walters, “Cyber Attacks on U.S. Companies in 2014,” Heritage Foundation Issue Brief No. 4289, October 27, 2014,
http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014.
3. Timothy B. Lee, “The Sony Hack: How It Happened, Who Is Responsible, and What We’ve Learned,” Vox, December 17, 2014,
http://www.vox.com/2014/12/14/7387945/sony-hack-explained (accessed November 4, 2015).
4. Unknown, “Syrian Hacking Group Places Pop-up Message on Websites,” BBC News, November 28, 2014,
http://www.bbc.com/news/technology-30232899 (accessed November 4, 2015).
5. Lucian Constantin, “Syrian Electronic Army Posts Hacking Message On Several News Sites,” CSO Online, November 30, 2014,
http://www.csoonline.com/article/2853498/security/syrian-electronic-army-posts-hacking-message-on-several-news-sites.html
(accessed November 4, 2015).
6. Ben Elgin and Michael Riley, “Now at the Sands Casino: An Iranian Hacker in Every Server,” Bloomberg Business, December 11, 2015,
http://www.businessweek.com/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas
(accessed November 4, 2015).
7. Zoe Szathmary, “Chick-Fil-A Warns Security Breach May Have Leaked Credit Card Details Of 9,000 Customers In Five States,” Daily Mail,
January 1, 2015, http://www.dailymail.co.uk/news/article-2893614/Chik-Fil-says-looking-possible-payment-card-breach-affect-9-000-customer-cards.html
(accessed November 4, 2015).
8. “Staples Provides Update on Data Security Incident,” Staples Inc., December 19, 2014,
http://staples.newshq.businesswire.com/press-release/corporate/staples-provides-update-data-security-incident (accessed November 4, 2015).
9. Michael J. Moore, “Morgan Stanley Fires Worker Accused of Stealing Client Data,” Bloomberg Business, January 5, 2015,
http://www.bloomberg.com/news/2015-01-05/morgan-stanley-fires-employee-accused-of-stealing-client-data.html
(accessed November 4, 2015).
10. Robert Hackett, “Anthem, a Major Health Insurer, Suffered a Massive Hack. Here’s What You Need to Know,” Fortune.com, February 5, 2015,
http://fortune.com/2015/02/05/anthem-suffers-hack/ (accessed November 4, 2015).


the same servers.11 The breach has been accredited to the Black Vine cyber-espionage group by cybersecurity firm Symantec, which is also accredited with the later Office of Personnel Management hacks and numerous other breaches dating back to 2012.12

■■ Carbanak (banking and finance). Kaspersky Lab reports a group called Carbanak has, since 2013, attempted cyber attacks on 100 banking and financial institutions in almost 30 countries. The group is accredited with up to $1 billion in losses.13

■■ Uber (transportation). An Uber database was reportedly accessed in May by an unauthorized third party—compromising as many as 50,000 Uber drivers across America. Only the drivers’ names and license numbers were compromised.14

■■ Forbes.com (news and business). In late November, the cyber espionage group Codoso Team used the Forbes.com website as a watering hole (a cyber campaign that uses trusted Web sites to launch attacks) to target U.S. defense contractors and financial services companies.15

March 2015

■■ Premera Blue Cross (health care). In an attack that began in May of 2014, Premera Blue Cross fell victim to a cyber attack that exposed the medical and financial information of 11 million people, including their clinical records, bank account numbers, Social Security numbers, and birthdates. Also affected in the attacks were Premera Blue Cross Blue Shield of Alaska, Vivacity, and Connection Insurance Services.16

■■ Github (online). The hosting site for two other sites, GreatFire and CN-NYTimes, used for circumventing Chinese state censorship came under a significant distributed denial-of-service attack—almost overwhelming Github with Internet traffic. Experts attribute the attack to China in what is being called the “Great Cannon”—referring to China’s “Great Firewall” of Internet censorship.17

■■ Register.com (online). Register, a site used for Internet domain registry, had its network accessed for about a year by hackers with stolen passwords. Some experts have suggested that the breach is connected to the Chinese military, which could possibly use the breach to redirect traffic in a further attempt to steal trade secrets and information.18

May 2015

■■ Penn State University (academia). The College of Engineering at Penn State University identified a breach that had been existent for about two years. Although the school claimed that there was no sensitive material taken, it did notify 18,000 students whose Social Security numbers could

11. Reuters, “Anthem Says at Least 8.8 Million Non-Customers Could Be Victims in Data Hack,” Fortune.com, February 24, 2015,
http://fortune.com/2015/02/24/anthem-says-at-least-8-8-million-non-customers-could-be-victims-in-data-hack/
(accessed November 4, 2015).
12. Jon DiMaggio, “Security Response: The Black Vine Cyberespionage Group,” Symantec, August 6, 2015,
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf
(accessed November 4, 2015).
13. “Carbanak APT The Great Bank Robbery,” Kaspersky, February 2015,
http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Carbanak_APT_eng.pdf (accessed November 4, 2015).
14. Ibid.
15. Stephen Ward, “Cyber Espionage Campaign Compromises Web Properties to Target US Financial Services and Defense Companies, Chinese
Dissidents,” iSightPartners.com, February 10, 2015, http://www.isightpartners.com/2015/02/codoso/ (accessed November 4, 2015).
16. Jim Finkle, “Premera Blue Cross Hacked, Medical Information of 11 Million Customers Exposed,” The Huffington Post, March 17, 2015,
http://www.huffingtonpost.com/2015/03/17/premera-blue-cross-cybera_n_6890194.html (accessed November 4, 2015).
17. Eva Dou, “U.S. Coding Website GitHub Hit With Cyberattack,” The Wall Street Journal, March 29, 2015,
http://www.wsj.com/articles/u-s-coding-website-github-hit-with-cyberattack-1427638940?mod=trending_now_5&alg=y
(accessed November 4, 2015).
18. Gina Chon, “FBI Probes Possible Military Involvement in Cyber Attack,” Financial Times, March 18, 2015,
http://www.ft.com/intl/cms/s/0/ab5d5736-cd24-11e4-b5a5-00144feab7de.html (accessed November 4, 2015).


have been compromised. “The university estimates that it has spent roughly $2.85 million responding to the attacks.”19

■■ CareFirst BlueCross BlueShield (health care). Around 1.1 million current and former customers of CareFirst BlueCross BlueShield were said to have had their username, real name, birthdate, and e-mail addresses compromised. The company made sure to mention that Social Security numbers and other medical and financial records were not compromised.20

■■ Adult Friend Finder (online). The adult Web site Adult Friend Finder announced that the names, e-mail addresses, and sexual preferences of 3.9 million customers were accessed by hackers. It is unsure where the attack came from, but news agencies in the U.K. have reported that the data obtained in the attack were being “circulated on various dark websites.”21

■■ Economic Espionage. Six individuals are charged with using their access to U.S. universities and technology development companies, such as ROFS Microsystems and Avago, to export proprietary trade secrets to China. The investigation goes as far back as 2006.22

■■ Beacon Health System (health care). The health care firm was the victim of a phishing attack in which employee e-mails and the personal information of 300,000 patients was reportedly affected.23

July 2015

■■ Ashley Madison (online). The adult Web site was hacked by a group calling themselves The Impact Team. After stealing the information of 37 million users, including banking information, addresses, and sexual fantasies, the group later began releasing droves of information online in large data dumps.24

■■ UCLA Health (health care). The personally identifiable information, including the Social Security numbers of 4.5 million users, was compromised. The hack began as early as May.25

■■ Medical Informatics Engineering (health care). The breach to this medical software company compromised 3.9 million of its users’ Social Security numbers, health records, and other personally identifiable information. The hack began May 7th and was detected May 26th.26

19. Brian Donohue, “Penn State Offline Following Advanced Two-Year Cyberattack,” Threatpost.com, May 18, 2015,
https://threatpost.com/penn-state-offline-following-advanced-two-year-cyberattack/112872 (accessed November 4, 2015).
20. Andrea Peterson, “Cyberattack on CareFirst Exposes Data on 1.1 Million Customers in D.C., Md. and Va.,” The Washington Post,
May 20, 2015, http://www.washingtonpost.com/blogs/the-switch/wp/2015/05/20/cyberattack-on-carefirst-exposes-data-on-1-1-million-customers-in-d-c-md-and-va/
(accessed November 4, 2015).
21. “Hackers Access 3.9 Million Records of Adult Dating Website,” Circanews.com, May 22, 2015,
http://circanews.com/news/hackers-target-adult-websites (accessed November 4, 2015).
22. U.S. Department of Justice, Office of Public Affairs, “Chinese Professors Among Six Defendants Charged with Economic Espionage
and Theft of Trade Secrets for Benefit of People’s Republic of China,” May 19, 2015,
http://www.justice.gov/opa/pr/chinese-professors-among-six-defendants-charged-economic-espionage-and-theft-trade-secrets
(accessed November 4, 2015).
23. Jason Krug, “Beacon Health System Alerting Patients of Security Breach,” wndu.com, May 26, 2015,
http://www.wndu.com/home/headlines/Beacon-Health-System-alerting-patients-of-security-breach-304973591.html
(accessed November 4, 2015).
24. Kim Zetter, “Hackers Finally Post Stolen Ashley Madison Data,” Wired.com, August 18, 2015,
http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/ (accessed November 4, 2015).
25. Jose Pagliery, “UCLA Health Hacked, 4.5 Million Victims,” CNN Money, July 17, 2015,
http://money.cnn.com/2015/07/17/technology/ucla-health-hack/ (accessed November 4, 2015).
26. Associated Press, “Medical Informatics Engineering Hack Exposed Data on 3.9 Million People,” NBC News, August 3, 2015,
http://www.nbcnews.com/tech/security/medical-informatics-engineering-hack-exposed-data-3-9-million-people-n403351
(accessed November 4, 2015).


■■ United Airlines (transportation). Reportedly the victim of the Chinese cyber team Black Vine, United systems were accessed in May or early June, around the same time as OPM and Anthem. Airline records, including flight manifests, were taken.27

August 2015

■■ Trade on the Market. In early August, a group of 32 U.S. traders and Eastern European hackers from Ukraine worked together to access unpublished press releases in an attempt to gain an edge on Wall Street. This information was traded on, bringing in “over $100 million in ill-gotten gains.”28

■■ American Airlines Group, Inc., and Sabre Corp. (transportation and booking). Also reportedly the victim of Chinese espionage group Black Vine, the airline and booking companies, while not disclosing the amount or type of information accessed, could reach into the millions.29

September 2015

■■ Excellus BlueCross BlueShield (health care). In another health insurer cyber attack the company Excellus had the financial and medical information of 10 million of its customers compromised. The hackers found their way around the encrypted data and were able to access names, addresses, Social Security Numbers, medical claims information, etc.30

■■ Trump Hotel Collection (hotel). Seven Trump hotels across the U.S. and Canada reportedly had their systems breached, affecting the information of customers who may have visited those locations between May 2014 and June 2015. While the malware collecting the information has been removed, it has been unconfirmed what and how much information was extracted.31

■■ WhatsApp (communications). The cross-platform messaging application reported that up to 200,000 of their Web-based service users are either at risk of a cyber attack or have already had personal information compromised. vCards—electronic contact information—were loaded with malicious code and sent to random users’ phone numbers.32

October 2015

■■ Experian (finance). Hackers recently attacked the servers of Experian, which stores the credit assessment data of T-Mobile USA, Inc., customers. The attack took the names, addresses, and Social Security Numbers of more than 15 million people.33

27. Michael Riley and Jordan Robertson, “China-Tied Hackers That Hit U.S. Said to Breach United Airlines,” Bloomberg Business, July 29, 2015,
http://www.bloomberg.com/news/articles/2015-07-29/china-tied-hackers-that-hit-u-s-said-to-breach-united-airlines
(accessed November 4, 2015).
28. “Hackers Allegedly Stole Insider Info To Make Big Trades,” Time, August 11, 2015, http://time.com/3992832/hackers-trading/
(accessed November 3, 2015), and Matthew Goldstein and Alexandra Stevenson, “Nine Charged in Insider Trading Case Tied to Hackers,”
The New York Times, August 11, 2015, http://www.nytimes.com/2015/08/12/business/dealbook/insider-trading-sec-hacking-case.html?_r=0
(accessed November 4, 2015).
29. Jordan Robertson and Michael Riley, “American Airlines, Sabre Said to Be Hit in China-Tied Hacks,” Bloomberg Business, August 7, 2015,
http://www.bloomberg.com/news/articles/2015-08-07/american-airlines-sabre-said-to-be-hit-in-hacks-backed-by-china
(accessed November 4, 2015).
30. Lucian Constantin, “Cyberattack Exposes 10M Records at Excellus,” Computerworld.com, September 10, 2015,
http://www.computerworld.com/article/2983026/cybercrime-hacking/cyberattack-exposes-10m-records-at-excellus.html
(accessed November 4, 2015).
31. “Legal Notice of Potential Security Incident,” Trump Hotel Collection, https://www.trumphotelcollection.com/data-security-notice
(accessed November 4, 2015).
32. Arjun Kharpal, “WhatsApp Hack Attack Puts 200,000 at Risk,” CNBC.com, September 9, 2015,
http://www.cnbc.com/2015/09/09/whatsapp-hack-attack-puts-200000-at-risk.html (accessed November 4, 2015).
33. Chris Davies, “15m T-Mobile consumers Hacked: SSN and More Taken,” slashgear.com, October 1, 2015,
http://www.slashgear.com/15m-t-mobile-customers-hacked-ssn-and-more-taken-01407526/ (accessed November 4, 2015).


■■ Scottrade (finance). The names and addresses of up to 4.6 million users of the trade and investment firm were reportedly targeted between 2013 and 2014.34

■■ Bugat/Dridex Botnet. A large network of computers controlled by hackers was set to automatically steal confidential personal and financial information, including banking credentials and keystrokes (passwords). The FBI attributes up to $10 million in direct losses to the Bugat/Dridex Botnet.35

It should be noted this list is incomplete. A simple search through the Department of Homeland Security’s Daily Open Source Infrastructure Reports36 or the Department of Health and Human Services’ Breach Portal37 will show a greater number of breaches than recounted in this list.

In fact, health care services continued to see a large amount of smaller (fewer than 1 million people affected) breaches. Interestingly, a number of universities were also subject to cyber attacks this past year, possibly reflecting greater cyber-ability in their current students. Even though cyber breaches and attacks continually affect a wide variety of industries, there continues to be a pattern in the type of information targeted by these malicious actors.

Congress and the Administration should:

■■ Consider how regulations financially affect businesses. While asking businesses to focus more on cybersecurity is noble, policymakers will need to remember that businesses will focus only on as much security as fits into their business model. However, businesses (especially smaller businesses) will need to think about how cybersecurity breaches will affect their image and bottom line.

■■ Avoid minimum security standards. Setting obligatory cybersecurity standards for companies will not prevent breaches—in fact, it may worsen security. Telling companies to comply with a minimum set of regulatory standards for security is like asking companies to jump and then having both companies and hackers respond with “How high?” Avoid making companies commit funding to securing one or several aspects, when a hacker can simply attack or breach where funding was misallocated from.

■■ Increase cooperation with private businesses. As the backbone of the tech market and target of many of these cyberattacks, the private industry is working on best practices and collaborating to create the technology and workforce necessary to counter cyber threats. This includes companies in the U.S., as well as those with a global presence. Increasing cooperation with private business will allow government access to firsthand knowledge on emerging cyber threats, and vice versa will help private businesses prepare using whatever cyber information the government has to share.

Conclusion

Cyber attacks are on the rise and will continue to be of concern for the foreseeable future. It will be up to private industry to meet these concerns head-on and support the government in its ability to act lawfully against cyber criminals—so long as businesses lack the authority to fight back against those who threaten their systems.

—Riley Walters is a Research Assistant in the Douglas and Sarah Allison Center for Foreign and National Security Policy, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.

34. “Cyber Security Update,” Scottrade, October 1, 2015, https://about.scottrade.com/updates/cybersecurity.html (accessed November 5, 2015).
35. U.S. Department of Justice, Office of Public Affairs, “Bugat Botnet Administrator Arrested and Malware Disabled,” October 15, 2015,
http://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled (accessed November 5, 2015).
36. U.S. Department of Homeland Security, “Daily Open Source Infrastructure Report, October 22 - November 5, 2015,”
https://www.dhs.gov/publication/daily-open-source-infrastructure-report (accessed November 5, 2015).
37. U.S. Department of Health and Human Services, Office for Civil Rights, “Breaches Affecting 500 or More Individuals, 2009-2015,”
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf (accessed November 5, 2015).
