This article looks into the biggest data breaches of the 21st century (so far!). We thought we’d do it as a countdown to the top breach by looking primarily at the number of impacted users. Of course, there is more to it than the number of users impacted, as there is usually a huge reputational and financial cost associated with each breach.
In today’s world user data is a highly valuable currency. The most powerful companies in the world are the digital giants that monopolise data, prompting ongoing conversations about antitrust legislation and digital privacy.
Companies that contained a breach in less than 30 days have saved more than $1 million compared to those that took more than 30 days, according to IBM. Not long ago, it would have been big news that a breach exposed the privacy of a few million individuals. Breaches which affect hundreds of millions or even billions of people are now way too common.
Have a read through these whoppers and let us know what you think!
10. Yahoo (2013-2014)
Impact: 3 million – 1 billion user accounts
Yahoo announced in September 2016, whilst in sales talks with Verizon for its core site service, that in 2014 it had fallen victim to what at that time would be the biggest data breach in history. This caused Yahoo to knock $350 million off their sales price to Verizon. The attackers, whom the company believed were “state-sponsored actors”, compromised names, email addresses, telephone numbers, dates of birth, passwords and encrypted security questions. Following these attacks, in December 2016, Yahoo disclosed another breach by a different attacker, this time taking email addresses, names, dates of birth and passwords of 1 billion user accounts. As a result of reputational damage, Yahoo changed their name to ‘Altaba Inc’.
9. Target (2013)
Impact: 40 million consumers
The retailer Target reported a data breach in December 2013 and stated that the credit and debit card numbers, as well as the full names, addresses, email addresses and telephone numbers of about 40 million consumers, were stolen after hackers obtained access to Target’s point-of-sale payment card readers from a third-party HVAC vendor.
The CIO and CEO of Target both stepped down, and the company projected the breach cost them at least $162 million.
8. Uber (2016)
Impact: 57 million Uber users and 600,000 drivers’ PII compromised
Uber became aware that the names, email addresses and mobile phone numbers of 57 million Uber app users and driver licence numbers of 600,000 Uber drivers had been stolen by hackers. Uber’s handling of the crisis made it particularly noteworthy: they waited for almost a year before officially admitting the intrusion and offered $100,000 to criminals to delete the data in such a manner that no verification could be made.
At the time, Uber claimed it was a ‘bug bounty fee’; however, soon after this news was released they fired their CSO. The relatively minor misuse of $100K (mice nuts for Uber) massively understates the impact this breach and its poor handling had on the company’s reputation.
7. Capital One (2019)
Impact: 106 million bank customers and applicants.
As one of the largest banks in the US, Capital One experienced a data breach in March 2019 which exposed the personal information of nearly 106 million customers and applicants. The breach resulted in a hacker gaining access to personal information related to credit card applications from 2005 to early 2019. The hacker was revealed as Paige Thompson, who used to work as a software engineer for Amazon Web Services, the cloud hosting company that Capital One was using. According to the US Department of Justice, Thompson broke into the server and gained access to 140,000 social security numbers and 80,000 bank account numbers.
According to Capital One, they fixed the issue immediately and those whose information was affected were offered ‘free credit monitoring and identification protection’. Morgan Stanley estimated Capital One could face between $100 million and $500 million in U.S. fines.
As a result of the well publicised breach, Michael Johnson, former Chief Information Security Officer, was demoted from his position within Capital One 4 months after the major data incident.
6. Equifax (2017)
Impact: personal information of 143 million customers and credit card data of 209,000 customers.
Equifax, one of the biggest US credit bureaus, confirmed in September 2017 that a flaw in an application on one of their platforms contributed to a data leak that could impact around 40% of the US population. The violation was found on July 29, 2017, although the organisation suggested it had actually started in mid-March. The breach compromised the personal information of 143 million consumers (including social security numbers, birth dates, addresses and in some cases driver’s licence numbers). It is known that 209,000 customers had their credit card information leaked.
Equifax was at fault for a number of lapses in security and response. Chief among them was that the application vulnerability which gave the attackers access was unpatched. Inadequate segmentation of the system facilitated lateral movement for the attackers, i.e. once they were in, it was way too easy for them to get access to the other elements of the system.
5. eBay (2014)
Impact: 145 million users
eBay was the victim of a breach of encrypted passwords between February and March 2014. This resulted in eBay forcing all of its 145 million users to reset their passwords. To gain control of this cache of user info, attackers used a small collection of employee passwords.
The compromised information contained encrypted passwords and other sensitive records, including names, e-mail addresses, addresses, phone numbers and dates of birth. After a month-long investigation by eBay, the breach was disclosed in May 2014. What is unique about this incident is that the hacking had hardly any effect and their CEO stated they only saw “a small decline in user activity”.
4. Adobe (2013)
Impact: 153 million users
As security blogger Brian Krebs wrote in early October 2013, Adobe initially announced that hackers had stolen approximately 3 million encrypted consumer credit card records, plus login details for an undetermined number of user accounts. Later that month, Adobe raised that estimate to include IDs and encrypted passwords for 38 million “active users”. Krebs reported that a file posted just days earlier “appears to include more than 150 million Adobe usernames and hashed password combinations”.
An agreement in August 2015 called on Adobe to pay $1.1 million in court costs and an unspecified sum to customers to resolve charges of violating the Customer Records Act and of discriminatory market practices. The sum payable to the customers was listed at $1 million in November 2016.
3. Marriott International (2014)
Impact: 500 million users
In November 2018, Marriott International revealed that attackers had stolen the data of around 500 million customers. The breach originally occurred on Starwood Hotel brand support systems starting in 2014. When Marriott bought Starwood in 2016, the perpetrators stayed in the network and, incredibly, were not found until September 2018. A combination of contact details, passport numbers, Starwood Preferred Guest numbers, travel details, and other sensitive information was taken by the attackers.
It was thought that the credit card numbers and expiration dates of more than 100 million customers were stolen, but Marriott was uncertain whether the credit card numbers could be decrypted by the attackers. According to a report in the New York Times, the hack was eventually traced to a Chinese security agency trying to collect data on US civilians.
2. Facebook (2019)
Impact: data of 540 million users was exposed to the internet
Facebook allowed two apps to access its users’ data; the personal information was stored on insecure servers without security measures in place. It was discovered by Amazon Web Services that a Mexican digital publisher, Cultura Colectiva, had uploaded users’ Facebook IDs, comments, likes, reactions and account names. Facebook and Amazon worked together to remove both sets of data. A further 419 million phone numbers connected to Facebook profiles were identified online across geographies in September 2019, including 133 million records on Facebook located in the USA, 18 million in the UK and 50 million records in Vietnam.
The event placed consumers at risk of spam calls and SIM switching threats, because an intruder who has a user’s phone number is able to change that user’s password. These cases came amid the rising pressure on Facebook from British and US authorities after the Cambridge Analytica controversy.
1. WhatsApp (2019)
Impact: 1.5 billion users worldwide
WhatsApp suffered a highly advanced cyber attack on 14 May 2019 that compromised its messaging network to deliver ransomware to a multitude of users’ mobile devices. The Guardian reported that the assault affected 1.5 billion people, and that the breach was a “significant infringement of rights.”
WhatsApp then filed a complaint in the US court in October 2019 attributing the attack to a spyware company called NSO Group, an Israeli cyber weapons company. The software of the NSO Group, Pegasus, has the potential to capture personal and confidential data from a specific device, for example by reading messages, browsing contacts, and accessing cameras and microphones.
Data breaches are hard to recognise, costly to fix and inflict reputational harm that certain businesses cannot recover from. However, considering the importance of the data and the inevitability of cyber crime, the most that businesses can do to minimise the consequences of an infringement is to adopt a robust risk control strategy for identification, mitigation, and contact after a data breach.
About Salt Communications
Salt Communications is a multi-award winning cyber security company providing a fully enterprise-managed software solution giving absolute privacy in mobile communications. It is easy to deploy and uses multi-layered encryption techniques to meet the highest of security standards. Salt Communications offers ‘Peace of Mind’ for organisations who value their privacy, by giving them complete control and secure communications, to protect their trusted relationships and stay safe. Salt Communications is headquartered in Belfast, N. Ireland. For more information visit our website.