The 10 Biggest Data Breaches

 

The 2017 cybercrime ‘pandemic’ reportedly cost over $600 billion, and every day we seem to be getting reports on new data breaches.

Whether it’s down to malicious attacks or companies being irresponsible with data, your information is at risk.

Now, you might think you’re the target here. But you’re not.

Instead, hackers apply leverage by going after big fish corporations. The Equifax’s, Yahoo’s, and Home Depot’s of the world. Knock over one and gain access to millions.

When a company loses data, it doesn’t just sit there on a hacker’s computer. It is either ransomed off to the company that lost it or sold on the dark web for big money. The data is also aggregated into future crimes, helping cybercriminals to better target unsuspecting internet users.

Obviously, this is a problem for the affected business. But it’s an even bigger issue for its customers — you — who may have their personal and financial information leaked.

So, why do these breaches keep happening? And what can you do about it?

Let’s take a look at ten of the biggest company breaches and a few important steps you can take to secure yourself online.

1. Yahoo – 2013

Yahoo was like Google before Google, for all you millennials out there.

Now, no one is quite sure what Yahoo is.

The one thing you can be certain of, though, is that the company got hella hacked.

Except, the public was not made aware of the full extent of this attack until 2017 (because, you know, transparency!). Exactly how a breach this massive even happened is still unknown.

They suffered another leak, affecting a further 500 million users, in 2014 too. The US government indicted a group of Russian hackers (it’s always Russian hackers) in connection with that second event.

It also seems that Yahoo has a history of holding on to information that it doesn’t feel the public needs to know.

Initially, they claimed that the 2013 hack only compromised 500 million users (which is not a small number). But they later upped that number to one billion.

And then in October of 2017, they revised their earlier estimates and admitted that all three billion user accounts were victimized.

Way to go, Yahoo. Apparently, you’re as good with math as you are with search.

We’re talking three billion real names, email addresses, dates of birth, and telephone numbers at risk. Not to mention additional information that was included in their emails such as invoices, health data, connected accounts, personal correspondence, and more.

At the time of these estimates, Yahoo was attempting to sell its company to Verizon. The admittance of this massive breach knocked more than $350 million off of the company’s sale price, eventually selling to Verizon for $4.48 billion (in a deal that was once estimated to be worth north of $100 billion).

While this breach is over five years old at this point, Yahoo continues to threaten the privacy of its users on a daily basis.

Not from the outside, mind you. But from within.

According to a 2018 article published in the Wall Street Journal, Yahoo scans user emails, mining data to sell off to advertisers.

So with predatory email monitoring practices, coupled with a security protocol so lax that it compromised three billion people, Yahoo is definitely a service to avoid.

If you could even name one of their properties in the first place.

2. Marriott – 2018

Your room might be en suite, but data security at Marriott was far from on fleek.

That became crystal clear when the world’s largest hotel chain revealed a hack of its Starwood guest database, affecting guests who booked stays at a Starwood property between 2014 and 2018.

The company announced in a statement that it discovered the hack in early September, only a few weeks after merging the Marriott Rewards and Starwood Preferred Guest loyalty programs.

You may struggle to get all this in one take, but affected information includes:

*deep breath*

Names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, genders, arrival and departure information, reservation dates, and communication preferences.

Phew. Quite a lot there.

Even worse, the company noted that 9.1 million payment card numbers and expiration dates were also accessed.

The majority of card info was encrypted, but several thousand unencrypted payment card numbers could also be compromised. Components for decrypting card information may have also been taken, with Marriott officials “unable to rule out the possibility.”

Eventually, the blame for the breach landed at the feet of an Intelligence Group from China, meaning this attack would become known as the biggest recorded personal information breach conducted by a nation state.

Adult Friend Finder – 2016

Many of the people who sign up on sites like Adult Friend Finder may well be looking to expose themselves in front of new people.

However, I’m not sure having their personal information leaked across the dark web was quite what FunLover69 had in mind when they decided to sign up to the hookup site.

That is the fate they suffered, though, when FriendFinder Network, which included casual hookup and adult content websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com, was breached in October 2016.

Twenty years of data that spanned six databases was collected by a Thai hacker, including names, email addresses, and passwords.

Talking of passwords, protecting them with the SHA-1 hashing algorithm is not the best idea. Especially when the accounts in question relate to secretive and private activities between consenting adults.

Aaaand, that’s exactly what they did.

This is exactly the kind of data breach that has British citizens worried about the impending UK porn ban.

Under the new law, due to take effect on July 15 this year, adult content sites will have to adopt age verification (AV) technology or face a website block.

MindGeek has developed its own AV system.

Who is MindGeek? Well, it’s the parent company of many free porn tube websites, including Pornhub, RedTube, and two sites compromised in 2012 – Brazzers and YouPorn.

The concern lies in the possibility that another huge data breach could place, with personal information tied to the porn viewing habits of millions of Brits.

3. eBay – 2014

Another blast from Internet past, eBay fell victim to a large-scale data breach between February and March of 2014.

Hackers gained access to the system using stolen login credentials from eBay employees. Once inside, encrypted passwords were compromised, leaving personal information up for grabs.

Thankfully, user payment information was safely encrypted. Instead, the bounty included full names, addresses, and dates of birth.

The problem is that this is basically all a hacker needs to successfully steal someone’s identity.

What’s truly alarming about this breach is that these hackers didn’t just slide in and make off with stolen information overnight, all Ocean’s Eleven-style. They had access to eBay’s system for a whopping 229 days without anyone noticing.

eBay’s CEO John Donahue was criticized heavily for the company’s lack of communication concerning this issue.

And while eBay’s user activity took a dip following the attack, it had little effect on the company’s bottom line. Revenues were actually up 13% in the second quarter, with earnings increasing by 6% — perfectly underscoring how little is generally understood about the risks of cybersecurity.

4. Equifax – 2017

Equifax is one of three major US credit bureaus. It’s literally their job to keep sensitive data under wraps.

A job they totally failed to do when more than 143 million users had their personal data stolen from right under Equifax’s nose (err, servers).

It was reported that several hundred thousand user identities were stolen, but the company did not officially acknowledge the breach in public for several months. It’s believed that the event took place in May, it was not discovered until July, and users were not informed until September.

Giving hackers four months to do their worst to your credit, like that one time the doctor’s office sent my bill to the wrong address and then proceeded to send it to collections just to mess with me.

How did this happen?

I don’t know! They must have written my address down incorrectly.

Oh, you mean the Equifax breach?

According to several reports, hackers took advantage of an application vulnerability through one of Equifax’s websites. This breach in their open source Apache software created doors for hackers to come through and retrieve highly-sensitive information basically whenever they wanted.

The real kick in the teeth for those affected? A patch for the software flaw had been available for months. Equifax just didn’t bother to install the update.

5. Facebook – 2018

By now, the story of Cambridge Analytica is known to all.

The British political consulting firm used data mining and analysis in conjunction with strategic communication during election seasons.

Starting in 2014, Cambridge Analytica began to gather information on Facebook users. They did this using an app called This Is Your Digital Life. After arranging an informed consent process through Facebook, they had several hundred thousand users of the site agree to complete a personality survey. The app gathered the personal data of not just those users who agreed, but to everyone in their social network. By doing this, Cambridge Analytica scooped up the personal data of millions of users who never consented to such an action.

The app took information on the social networks, platform engagement, and personalities of all of these individuals. By the end, Cambridge Analytica had obtained the information of up to 87 million Facebook users. The most affected states, according to Facebook, were California, Texas, and Florida.

The data contained enough details for Cambridge Analytica to create psychological profiles on those they gathered information from.

So, what became of this data? Political organizations used it in an attempt to sway public opinion during the 2016 US presidential election and other major political events in the last few years.

The campaigns of both Donald Trump and Ted Cruz reportedly used it in 2015 and 2016. It was also used in the 2016 Brexit vote in the UK. The Institutional Revolutionary Party of Mexico also made use of this information in the 2018 Mexican general election. All of which ended proceeded really smoothly if you know your recent history.

Facebook’s reaction was divided at first, with many officials balking at those who called this a data breach, stating that the users agreed to share their information when taking the original personality test. But Facebook creator and CEO Mark Zuckerberg called it a breach of trust and a mistake, personally apologizing on behalf of the company.

6. JP Morgan Chase – 2014

Impacting two thirds of all American households, as well as 7 million small businesses, is no mean feat. That’s what this attack on one of the biggest banks in the U.S. managed to achieve.

It all came about as a result of an exploited heartbleed bug and an OpenSSL vulnerability. Through this, hackers were able to gain root privileges on more than 90 of the bank’s servers.

That means these hackers could take actions such as closing accounts and transferring funds.

No big deal.

The bank said that no customer money had been stolen, and there was no evidence of user IDs, social security numbers, passwords, or account numbers being compromised. (Ha!)

The US government indicted four men in relation to this crime.

Gery Shalon, Joshua Samuel Aaron, Ziv Orenstein, and an unnamed accomplice were charged with securities and wire fraud, money laundering, and identity theft.

7. Anthem – 2015

Anthem is the second largest health insurer in the U.S., and the parent company of many major health insurance organizations, like Blue Cross Blue Shield.

Perhaps unsurprisingly, then, it’s only third to Equifax and Chase when it comes to the amount of sensitive data it stores.

Hacked? Yep.

In February 2015, a phishing scam sent to five Anthem employees made them download a Trojan virus with keylogging software onto Anthem’s system.

Because apparently these five Anthem employees are as tech-savvy as your grandparents.

Hackers used this to obtain passwords, which granted them access to unencrypted data, for what has been called the “largest breach in healthcare history.”

The names, addresses, social security numbers, dates of birth, and employment histories of both current and past customers were up for grabs. This is the ideal recipe for identity theft.

What’s even worse is, the hackers had open access to the breached database for a full month before it was discovered.

An investigation into the breach concluded that these hackers were likely recruited by a foreign government (gotta be those Russians again).

Anthem’s losses exceeded $100 million, despite there being no evidence that any member data had been sold, used, or shared by anyone after the attack.

This is a perfect example of why it’s important to do your research on companies that you do business with before giving them information.

Remember: Anthem’s breach affected not just those currently enrolled with their company, but former customers as well.

8. Target – 2013

Target exudes a sophisticated, tasteful shopping experience, where one can peruse neat, spotless aisles with a warm Pumpkin Spice Latte in hand.

But things aren’t always so clean cut behind the scenes.

Malicious software was installed on Target’s point of sale system in 2013 that exposed the credit and debit card information of its customers.

This was mostly centered around the company’s self-checkout lanes.

According to security news writer Brian Krebs, the data on the stripe found on the back of debit and credit cards could be used to make counterfeit cards. These could then be used to make cash withdrawals at ATMs if the hackers had also gained access to PIN data for debit transactions.

This all happened before Thanksgiving and was not discovered for several weeks. That means Target was, well, targeted during the holiday retail rush.

In response to this situation impacting 110 million customers, the company saw the resignation of its CIO and CEO in the spring of 2014. The breach cost Target an estimated $162 million.

Ouch.

A settlement in mid-2017 also forced Target to make a number of security upgrades, a move that was criticized as being more about keeping attackers out and not about improving the company’s incident response efforts.

Extra note

An additional note here is that Home Depot experienced a very similar breach to Target’s in 2014 (minus the Pumpkin Spiced Latte).

Malware installed on a point-of-sale system stole 56 million credit and debit card numbers.

9. Uber – 2016

Surprised to see Uber on this list?

Ha! Of course not.

Handy if you need a quick ride, but not exactly at the top of the Most Ethical Internet Companies list.

The tale of Uber’s 2016 data breach is a lesson in both trusting the companies that you do business with, as well as how not to handle the fallout of a cyber threat.

Wait, they handled a crisis poorly? Who would have thought?!

The interesting part is that it wasn’t Uber customers at risk. It was the drivers.

This was done by stealing the credentials of Uber engineers for a GitHub account. That was then used to break into an Uber AWS account.

One major issue most people have with this event is that Uber hid it for over a year, failing to alert the public and the government until November 2017.

What’s even worse is, Uber paid the hackers a ransom of $100,000 to prevent them from using the data and exposing the breach.

Uber’s CSO was the company’s clear scapegoat and was fired in the fallout. The ride-sharing organization suffered greatly both financially and in reputation. Uber’s value reportedly dropped from $68 billion to $48 billion.

Bonus breach – Sony Pictures – 2014

“The Interview” was a not-very-funny film featuring comedy legends* James Franco and Seth Rogan. The Sony picture’s plot focused on assassinating North Korean Dictator, Kim Jong-un.

*Nope.

Apparently, Mr. Kim didn’t think that was very funny.

The North Korean government issued threats should the movie be released. Sony demurred. And soon after, Sony found themselves the victim of a major phishing hack.

The attack was undertaken by a group calling itself the Guardians of Peace. They targeted Sony’s employees, convincing them to download email attachments and visit websites which would load malicious software onto their systems.

Social engineering made the emails appear to be from someone the employee knew personally. (Which is often easier and more common than trying to brute-force impenetrable encryption.)

Once infected, their login credentials were stolen.

The hackers then descended on Sony’s system, taking over 100 terabytes of data. This included personal information about the employees of Sony Pictures and their families, inter-office correspondence, executive salary information, and copies of unreleased Sony films.

After stealing the information, the group demanded that Sony not release “The Interview.” Sony canceled the film’s theatrical release but still put it out digitally.

After examining the network sources and software used in the attack, US intelligence officials came to the logical conclusion that the group was sponsored by the North Korean government and Kim Jong-un.

Naturally, North Korea has denied this.

How Can You Protect Yourself?

Unfortunately, you can’t always ever rely on the companies you do business with to keep your sensitive personal information safe.

There are some steps, though, you can take keep your data more secure and decrease the likelihood that we will become victims.

Here are just a few helpful tips and tricks to even out the odds in your favor:

1. Only give over required info – If something like your home address is not a required field, leave it blank. The less data you include, the better.
2. Always use the latest antivirus and security software to protect your personal computer and network. We know: They’re not perfect. But every little bit helps. Antivirus software checks all incoming files, comparing specific sections of code against its database.
3. Make sure that your passwords are intricate and include capital and lowercase letters as well as numbers and symbols. For the love of all that is good in this world, do not make “Password” your password. The US government recommends making your password a long random string of numbers, letters, and symbols that no human or machine could ever guess. Yes, that’s coming from the US government — the least tech-savvy people in the entire world.
4. Use a Firewall – Consider your firewall to be like your personal security guard. It checks everything coming into your system to ensure that nothing malicious is crossing the threshold. Software firewalls are programs that protect a specific device. They tend to pull a lot of processing power. That’s why hardware firewalls, like those found in a router, tend to be more effective. They can protect an entire network of connected systems from computers to smartphones and IoT devices.
5. Backup your files regularly in case your computer is hacked.
6. Research every company you choose to do business with. From VPNs to banks to streaming services and email providers, have a strong understanding of what the companies you work with do with your information. And how they protect it. Read privacy policies, even if they’re mind-numbing. Sometimes, companies hide some sneaky fine print information in there that they don’t want you to know. Also, look for Transparency Reports. If a company doesn’t have one, it may not be the best sign.

We all have a responsibility

Scott Nicholson, Director at Bridewell Consulting, deals with the cybersecurity and data privacy concerns of organizations every day.

We spoke recently, and he raised another great point when it comes to being vigilant online:

We are in danger of becoming numb to data breaches, due to the frequency and scale they are being reported. While organizations must take steps to protect their systems and ultimately customer data, we all have a responsibility when it comes to operating securely on the internet. It is just like Health and Safety when working within or visiting a dangerous area. There can be safety signs, instructions and equipment available; but if you don’t read the signs, put the equipment on and pay attention to what is going on around you, you’re raising the risk of getting injured. That’s no different to using the internet and staying safe online.

Scott also offers two additional security nuggets to help you sure up your digital defenses:

1. Use a password manager
2. Set up Multi Factor Authentication (MFA) on everything you use, from your bank account through to your gaming console

The password manager can be used to help you store passwords more securely and create secure passphrases, whilst enforcing MFA prevents your accounts from falling victim to Brute Force attacks.

MFA also helps protect your account should your username and password be captured in a data breach.

The importance lies in the reasoning that many breaches are addressed publicly by the companies who have suffered. And it’s extremely common for people to duplicate passwords across accounts.

We all know it’s true. Passwords are often reused because they’re easy to remember.

This is the real danger.

Hackers can use captured breach information and perform password spray attacks to check if these passwords are used anywhere else on the web.

To see if your email account or password has been breached in any successful hacks, you can visit Troy Hunt’s haveibeenpwned.com – just remember to use a VPN if you’re connected to a public Wi-Fi spot.

Conclusion

It’s horrifying to imagine that a simple daily action like using a self-checkout machine at a department store could lead to your credit card data and private information becoming compromised.

Unfortunately, that is the world we live in.

Even something as simple as reading reviews online about the companies you’re considering signing up with can go a long way toward making your personal and financial information a little safer.

As these examples should illustrate, the threat of cybercrime looms over our lives constantly. Sometimes we can protect ourselves, like choosing to upgrade the security of our personal computers, or using a VPN to make all of our web activity private.

Be smart about the companies you trust. Remember that not all data breaches come from faceless hackers in some underground lair. Some, like the Facebook/Cambridge Analytica situation, come from a lack of oversight and information.

That’s why it’s so important in this day to actually read the privacy policy or terms of use page for every company that you do business with. Yes, they’re long and boring and stuffed with legal jargon, but it’s important to know what’s going to happen to the information you input.

If you’re a US citizen who has been the victim of a data breach, you can report it through the US government’s Identity Theft department. Victims in the UK should reach out to the Economic Crime Command.