Breached systems: lessons from the past

As technology continues to evolve, businesses across the globe are becoming increasingly reliant on new developments in payment processing systems and dynamic point-of-sale (POS) terminals. Yet with increased reliance come data security risks.

According to Gemalto’s 2017 Breach Level Index, 2.5bn records were stolen from consumers and businesses last year. In the UK alone, a government survey found 43% of businesses had been attacked or breached during 2017 – and although improved risk management strategies and encryption technology are helping mitigate those threats, not every business has been successful in avoiding breaches.

In the interest of learning from past mistakes, here are five of the worst payment system data breaches in recent memory:


In December 2013, US retailer Target announced hackers had used a third-party HVAC to install skimming malware on POS terminals that collected the credit and debit card numbers of 41m people. This took place from mid-November until the start of December, which is America’s busiest shopping period.

In a 2015 earnings report, Target estimated the breach cost $162m, leading to the resignation of CIO Beth Jacob and America’s biggest-ever multistate data breach court settlement.

Home Depot 

The world’s largest DIY chain was hit with a similar attack in 2014, with the payment details of up to 56m customers stolen from April until September. Criminals used login details from a third-party vendor to install malware on the company’s self-checkout systems in the US and Canada.

In March 2016, Home Depot agreed to a compensation package of $19.5m to reimburse customers for out-of-pocket losses, covering 40m of those whose payment data was stolen.


When it comes to credit reporting, Equifax is the undisputed king – which is why the 2017 breach that hit the firm resonated across the globe. From May 13 to July 30, hackers were able to access the personal data of 143m customers. They stole the credit card numbers of approximately 209,000 US consumers, with additional unauthorised data access traced in the UK and Canada.

Equifax has since worked to implement more robust systems and now offers a free service enabling customers to lock their credit files.

IHG Hotels

In February 2017, hotel chain giant InterContinental Hotels (IHG) Group – which owns more than 5,100 hotels in 100 countries – reported what it thought was a mild data breach. IHG said POS terminals at bars and restaurants in 12 of the company’s properties had been compromised, affecting customers who used cards there between August and December 2016.

By April 2017, forensic analysis had pushed that figure up to a whopping 1,200 hotel properties across the globe – with IHG blaming malware designed to search for track data stored on magnetic stripes.

Forever 21

The LA-based clothes retailer Forever 21 operates more than 815 stores in 57 countries – and in November 2017 reported a payment systems breach that affected a yet-to-be-disclosed number of US customers shopping at the chain over a seven-month period.

Forever 21 said attackers used malware to harvest credit card details from its POS devices and the credit logs of the local stores between March and November 2017 because the encryption technology they’d rolled out in 2015 had not been switched on in some stores.

Interestingly enough, this wasn’t the first time Forever 21 has been targeted, either. In 2008, up to 99,000 cards were compromised in a series of attacks dated between 2004 and 2007.

Related reading