The 5 Biggest Data Breaches of the 2010s
With companies ramping up cybersecurity efforts, let’s take a look at the five biggest data breaches in the last decade and what we learned from them.
While we entered the new digital world of the 2010s optimistic and trusting, all the major headlines about data breaches at the world’s largest organizations have made us all more cautious.
As we enter a new decade, data security has become more relevant than ever before.
While customers face personal hardships when their data is compromised, companies end up paying millions to make up for their mistakes.
Statista estimates that the average cost of a single data breach worldwide was $3.86 million in 2020. That’s an expensive affair!
To prevent data breaches in the future, we need to learn what went wrong.
1. Yahoo
• Date: Announced in 2016; Breached in 2013-2014
• Impact on users: 3 billion user accounts
The data breaches at Yahoo are still the biggest recorded breach in history. In September 2016, Yahoo announced that a 2014 cyber-attack by hackers had compromised 500 million users’ accounts. The stolen information included real names, addresses, telephone numbers, birthdays, and users’ passwords. Yahoo claimed that the compromised passwords were hashed or encrypted, probably in an attempt to soften the blow.
In December 2016, Yahoo announced that a much larger breach had taken place in 2013, which compromised user information on 1 billion user accounts. Apart from personal information, this attack had also compromised security questions and answers. Yahoo later revealed that all 3 billion accounts on the site had been compromised in the 2013 attack.
The company’s multiple data breaches knocked around $350 million off the price Verizon had originally agreed to pay to acquire it. Following these revelations, the company faced multiple lawsuits in the U.S. from consumers and shareholders.
What We Learned: Be Straightforward
Many users and experts criticized Yahoo for downplaying the significance of the breaches in its initial announcement. Rather than encouraging users to change their passwords immediately and telling them how to protect the new ones, the company’s initial statement told users that the compromised passwords were hashed. It did not explain what “hashed” meant in layman’s terms, and it also failed to tell users that there was a chance the attackers could recover the original passwords from the stolen hashes.
Yahoo was also heavily criticized for drip-feeding information. The true impact of the cyberattacks was disclosed more than a year after the initial statement in 2016. This delay reduced people’s trust in the brand, and its score on the American Customer Satisfaction Index (ACSI) has been declining steadily since then.
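The point that “the passwords were hashed” does not mean “the passwords are safe” is easy to show in code. The following is an added example, not code from the original article or from Yahoo: it compares a fast, unsalted digest with a salted, deliberately slow key-derivation function (scrypt from Python’s standard library). All user names, passwords and the small common-password table are constructed for the example, and the scrypt parameters are an assumption that should be tuned for real hardware.

```python
"""Added example (not from the original article): why a hashed password
database can still expose user passwords, and what storing them properly
looks like.

Two schemes are compared on constructed sample data:
  * a fast, unsalted digest (SHA-256 of the password alone), and
  * a salted, memory-hard key-derivation function (scrypt via hashlib).
"""
import hashlib
import hmac
import os

# Constructed sample users. Two of them chose the same weak password.
USERS = {
    "alice": "Summer2013!",
    "bob": "password123",
    "carol": "password123",
}

# --- Scheme 1: fast, unsalted hash ----------------------------------------
def weak_hash(password: str) -> str:
    """Unsalted SHA-256. Deterministic: identical passwords give identical
    digests, and one precomputed table works against every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_hash(password), stored)

# --- Scheme 2: salted, slow KDF --------------------------------------------
# Parameters are an assumption for this example; tune them for your servers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def strong_hash(password: str, salt=None) -> str:
    """Per-user random salt plus scrypt. Stored as 'scrypt$<salt hex>$<key hex>'."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, _key_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = strong_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def duplicate_digests(hash_fn) -> int:
    """Count stored values that collide across users. Collisions reveal which
    users share a password before any guessing happens at all."""
    digests = [hash_fn(pw) for pw in USERS.values()]
    return len(digests) - len(set(digests))

# Constructed "precomputed table": digests of a handful of common passwords.
COMMON = ["123456", "password", "password123", "qwerty"]

def recoverable_from_table(stored_values) -> list:
    """Defender's audit: which unsalted stored digests match an entry in the
    common-password table? Those accounts are exposed by a plain lookup."""
    table = {weak_hash(p): p for p in COMMON}
    return [table[d] for d in stored_values if d in table]

if __name__ == "__main__":
    weak_db = {u: weak_hash(p) for u, p in USERS.items()}
    strong_db = {u: strong_hash(p) for u, p in USERS.items()}
    print("duplicate digests, unsalted:", duplicate_digests(weak_hash))
    print("duplicate digests, salted  :", duplicate_digests(strong_hash))
    print("exposed by table lookup    :", recoverable_from_table(weak_db.values()))
    print("strong verify ok           :", strong_verify("password123", strong_db["bob"]))
```

The unsalted scheme shows one duplicate digest and two accounts exposed by a plain table lookup; the salted scheme shows neither, and each guess costs a full scrypt computation per account. That difference is what a breach announcement that only says “hashed” leaves out.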
2. eBay
• Date: May 2014
• Impact on users: 145 million users
E-commerce giant eBay stated that all of its 145 million user accounts were compromised in 2014.
The attack had taken place in February and March of that year, with hackers stealing personal information such as names, e-mail addresses, physical addresses, and phone numbers, along with encrypted passwords.
An investigation revealed that the data breach occurred after three of their corporate employees’ login credentials were compromised. This gave hackers over 200 days of free access to company information.
What We Learned: Strong Internal Cybersecurity Measures
eBay’s case highlights how important it is for companies to adopt stringent internal cybersecurity measures and control employee access. While eBay’s data breach occurred seven years ago, internal security measures remain extremely important. Verizon estimates that 30% of data breaches in 2020 involved internal actors.
Employees, especially those with access to sensitive data, must have multiple authentication levels for their accounts. Another strategy is to employ multi-factor authentication, where users receive one-time passwords (OTPs) as part of the login process. Encouraging users to create strong passwords using password management tools like LastPass should also help prevent hackers from accessing users’ accounts on other platforms with the same username and password. Implementing the use of virtual private networks (VPNs) like ExpressVPN is also highly recommended, especially if employees need to access accounts using public servers, WiFi, or devices outside the office.
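The one-time-password step mentioned above is the verifying side of TOTP (RFC 6238), which is what authenticator apps implement. The following is an added example, not code from the original article or from eBay: it derives the code from a shared secret and the current 30-second time step, accepts one step of clock drift on either side, compares in constant time, and refuses to accept a code at a time step that has already been used. The secret is the published RFC 6238 test-vector secret, so the results can be checked against the RFC; the drift window and code length are assumptions.

```python
"""Added example (not from the original article): server-side verification of
time-based one-time passwords (TOTP, RFC 6238) as a second login factor.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
DRIFT_STEPS = 1  # also accept the previous and the next time step

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic
    truncation, then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time."""
    return hotp(secret, at_time // step)

def verify_totp(secret: bytes, submitted: str, at_time: int, last_used_step: int = -1):
    """Return the time step that was accepted, or None if the code is rejected.

    The caller persists the returned step per user and passes it back as
    last_used_step, so a code captured during its validity window cannot be
    replayed: every step at or below the last accepted one is refused.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    current = at_time // STEP_SECONDS
    for candidate in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
        if candidate <= last_used_step:
            continue  # already consumed: reject replay
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None

def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange secrets as base32 text; restore padding and decode."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

# Published RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("current code :", code)
    print("accepted step:", verify_totp(RFC_SECRET, code, now))
```

Against the RFC test vectors, this yields the code 287082 at Unix time 59 and 005924 at time 1234567890 (the six-digit tails of the RFC's eight-digit SHA-1 values). The replay check is the part most home-grown implementations omit: without it, a code intercepted from a user remains valid for the whole drift window.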
3. Marriott International
• Date: Breached from 2014-2018 and 2020
• Impact on users: 500 million customers
Marriott International, one of the world’s largest travel and lodging companies, announced in 2018 that around 500 million users’ information had been compromised going back to 2014.
The company said hackers had accessed the company’s reservation database and stolen personal information along with passport numbers and arrival and departure timings. They also stole some users’ encrypted card numbers and expiry dates.
The data breach took place back in 2014, with hackers retaining access to the system until 2016. Marriott only discovered the breach in 2018.
Two years after the first announcement, Marriott's database was compromised again. In March 2020, the company said malicious actors stole 5.2 million users’ information using two employees’ login credentials.
What We Learned: Hire Post-Breach Consultants
Marriott could have contained these data breaches and rectified the situation had the company employed the right post-breach consultants after the first incident.
Post-breach consultants identify how a breach occurred and help companies set up better cybersecurity measures.
Hiring these consultants also shows customers that you’re serious about security and helps rebuild their trust with the brand.
4. Equifax
• Date: Announced in September 2017; Breached in May 2017
• Impact on users: Information of 143 million customers
Equifax is one of the three largest credit reporting agencies in the US. On September 7, 2017, the company revealed that hackers had accessed the data of 143 million customers. Unlike other breaches, this one was particularly bad since the stolen data included social security numbers, driver’s license numbers, and credit card information.
In 2020, the US government charged four Chinese military officers for the hack, but many criticized Equifax for essentially “leaving the door open” through inadequate cybersecurity protocols and ignored warnings.
What We Learned: Hire the Right People
A report on the breach revealed that Equifax was warned “about multiple unpatched and misconfigured systems” by Mandiant, a cybersecurity firm, in March 2017. Rather than act on this information and employ better cybersecurity personnel to prevent damage, Equifax ignored the warnings until a major incident occurred. It was also later revealed that IT personnel had scanned the systems for any vulnerabilities in March, but the scan did not work as intended.
Customers heavily criticized the company after discovering that its Chief of Security was a music major whose professional LinkedIn profile showed no education related to technology or security. Despite the Chinese involvement, many argue that Equifax could have prevented this incident with a competent Chief of Security and the right people in IT. This is why it’s essential to check the track record and experience of the personnel you employ.
5. Uber
• Date: Announced in 2017; Breached in 2016
• Impact on users: 57 million user accounts
In November 2017, Uber’s then newly appointed Chief Executive Dara Khosrowshahi revealed that the company had been the victim of a massive data breach in 2016 that compromised 57 million user accounts around the world. Apart from personal details, the hackers also took 600,000 driver’s license numbers. Rather than fessing up and dealing with the situation openly, Uber paid the hackers $100,000 to delete the stolen data and did not publicly disclose the breach.
When the breach went public more than a year after it happened, it drew the ire of customers, drivers, and authorities in the U.S., the United Kingdom, Australia, and the Philippines. The incident was one of Uber’s biggest embarrassments and led to significant legal trouble. After a 10-month investigation, Uber was fined $148 million in the U.S. and faced further fines in the UK, the Netherlands, and France. The company also faced multiple lawsuits from drivers and riders.
What We Learned: Don’t Hide
Uber is a perfect example of how not to handle a breach. The company should have disclosed the hack when it happened and encouraged users to change sensitive account information — like passwords — immediately.
Uber’s efforts at covering up the hack showed customers that it is untrustworthy, embarrassed the company, incensed authorities around the world, and cost them more than a hundred million dollars in fines.
Conclusion
The cases we’ve listed above show how hacking attacks can damage even the most successful companies. While large corporations have millions set aside to make up for their fumbles, smaller companies might not be as lucky.
Considering the current online shopping habits of millennials and the way sensitive information is shared on the internet, it’s become even more important for companies to ensure data security. In a world where data breaches are only increasing, both users and companies need to protect themselves by following security protocols and best practices.
Automate Server Hardening with AutomateCIS
Safeguarding IT systems against cyber threats takes a lot of time and usually requires many meetings between IT and Security to debate which configuration settings to apply.
The Center for Internet Security (CIS) has developed CIS Benchmarks for operating systems and cloud platforms, but applying them to individual systems by hand and auditing their current state is impracticable at scale.
AutomateCIS is a scalable platform to audit your servers against the CIS Benchmarks, remediate the failed audits, and roll back a remediation if it causes problems for your application.
Try AutomateCIS free here: https://www.zippyops.com/automatecis