Bigger is often better. A bigger slice of pizza or a bigger paycheck sounds pretty nice. An extra-large data breach, not so much.
Listing the biggest data breaches of all time is challenging, because the next big one could be right around the corner. At the time of this writing, reports say the Personally Identifiable Information (PII) of 1 billion people in China may have been exposed when a police database was hacked and held for a ransom of $200,000 in bitcoin. Experts are still confirming details, but if the reports to date hold, the breach in China would rank among the largest data leaks on record.
The cost of a data breach can be enormous for an organization and, for an individual, life altering if the exposed information is used for bribery, humiliation, or identity theft.
An article by Decrypt highlighted seven big breaches from the past 10 years that made headlines. As analysts continue to dig into breaches that happened since, this list is sure to change, and more big-name companies will potentially be added to the ranks.
1. Misconfigured Firewall Created Vulnerability for Capital One
This credit card company fell victim to exploitation of misconfigured firewalls to the tune of 106 million records exposed in 2019. Those records included US Social Security numbers, Canadian Social Insurance numbers, and 80,000 bank account numbers. The bad actor then used the servers to mine cryptocurrency, a practice known as cryptojacking.
Related Reading: What is Cryptojacking?
2. Personally Identifiable Information Exposed in Microsoft Breach
Personally Identifiable Information (PII) is information you really want to keep out of the hands of others. Sensitive information can include your full name, Social Security Number, financial information, driver's license, and medical records.
At the end of 2019, anyone with a web browser could access the PII in more than 250 million customer support records because an internal support database had been misconfigured. Luckily, no malicious use was found, but customers did have their information exposed. Much of the PII was redacted (hidden from view), but some information, such as email and IP addresses, was stored in plain text.
A data loss prevention (DLP) solution is one security layer organizations can apply to files sent through secure file transfer, such as GoAnywhere MFT. DLP seeks out sensitive information and either redacts it or blocks the file from being sent altogether.
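The two DLP actions described above, redact-and-forward versus block-the-transfer, as a small added example. This is not GoAnywhere code; the detection patterns, the policy, and the two sample records are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Detectors for the PII categories the article mentions (SSNs, email
# addresses, IPv4 addresses). Constructed for illustration; a production
# DLP rule set would be far broader and use validation beyond regex.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Policy (assumed): contact data is redacted in place and the file is still
# sent; a Social Security Number anywhere in the file blocks the transfer.
REDACT = ("email", "ipv4")
BLOCK = ("ssn",)


@dataclass
class Verdict:
    allowed: bool      # may the file leave the organization?
    content: str       # redacted content if allowed, empty if blocked
    findings: dict     # category -> number of matches found


def scan_and_enforce(text: str) -> Verdict:
    """Scan a file's text for PII and apply the redact/block policy."""
    findings = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    findings = {k: v for k, v in findings.items() if v}
    if any(cat in findings for cat in BLOCK):
        return Verdict(False, "", findings)
    redacted = text
    for name in REDACT:
        redacted = PATTERNS[name].sub(f"[REDACTED {name.upper()}]", redacted)
    return Verdict(True, redacted, findings)


# Constructed sample records standing in for exported support data.
SAMPLE_TICKET = ("customer jane.doe@example.com reported login failures "
                 "from 203.0.113.42; agent note: password reset completed")
SAMPLE_LOAN = "applicant SSN 123-45-6789, contact a@b.org"

if __name__ == "__main__":
    for doc in (SAMPLE_TICKET, SAMPLE_LOAN):
        v = scan_and_enforce(doc)
        print("ALLOWED" if v.allowed else "BLOCKED", v.findings)
        if v.allowed:
            print("  ->", v.content)
```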
On-Demand Webinar: How to Remove Data Security Risk from File Transfers
3. Uh Oh! Adult Dating Sites Exposed Users
These two breaches go back to 2015 and 2016, when Ashley Madison, a site geared to those seeking outside relationships, and Friend Finder Network, an adult dating site, were both hacked. User information, including email addresses and passwords, and in the Ashley Madison case, names, were eventually used as part of a “sextortion” campaign, where individuals were threatened with exposure if they didn’t send money. The Friend Finder Network hack exposed 319 million accounts, and the Ashley Madison one exposed 32 million names.
Ransomware is an increasingly popular cybercrime in which information is held hostage, often for bitcoin, which is untraceable.
Related Reading: What is Ransomware and How to Prevent and Detect It
4. Major Hotel Chain Didn’t Sleep Well After Huge Breach
For four years, hackers had access to the personal information of about 500 million guests of Marriott Hotels. This information included encrypted credit card information, addresses, passport numbers, emails, telephone numbers, and birthdates: pretty much everything you’d need to steal an identity.
This breach is often cited as one of the largest and costliest breaches, with the chain eventually fined around $23.8 million in penalties. The cost to the chain’s reputation will linger for many years as well. It was determined the breach most likely happened when Marriott acquired the Starwood properties’ IT system, making the point that data security needs to be considered at all levels, including during acquisitions.
Related Reading: Data Security Best Practices Every CISO Should Know
5. Mortgage Company Inadvertently Held an Open House to Customer Data
A leading title insurance and settlement services provider, First American, found out the hard way how important authentication is to data security. In 2019, 885 million customer records, including buyer/seller documents, Social Security Numbers, account statements, and more, were discovered to be accessible from the company’s own website. A real estate developer discovered the data while using the site. Access was quickly shut down and, thankfully, no fraud has been found. The millions of documents exposed dated back to 2003.
Related Reading: 5 Ways to Protect Your Financial Organization from a Data Breach
6. Facebook Facepalms After Three Serious Data Breaches
Once, twice, three times, and Facebook is still not “out.” Three separate breaches of this social media giant in 2019 exposed or compromised millions of user accounts. The first breach exposed up to 600 million passwords; the second endangered 540 million users’ data, including account names, ID numbers, and more, due to unsecured Amazon servers; and the third left 267 million users not “liking” the fact that their information was leaked and posted on a hacker forum for 10 days.
7. Yahoo Not Ecstatic Over Huge Data Breach
Three billion accounts (every single account Yahoo had in 2013) were breached, and the attack was not discovered until years later, when Verizon bought the company. Poor encryption allowed the hackers to grab names, birthdates, passwords, and even the backup email addresses that can be used to get around passwords. Encryption matters.
Get the Guide: Why Automating Encryption and Decryption Makes Good Cybersecurity Sense
Defend Yourself Against Hacking and Breaches
While it’s not fun to think like a criminal, getting your mindset into how a hacker might breach your organization is a good exercise. Think Like a Hacker is a brief guide to help you and your organization put up defenses against would-be cybercriminals.