Don’t Repeat These 11 Major Data Breaches

A data breach is a cyber incident where sensitive information is attained through accidental or malicious means, and it can irreversibly dent a company's reputation.

What losses did they go on to bear? Were these attacks preventable? How severe was the attack itself?

We’ll take a closer look at the biggest data breaches that the world has seen:

1. Facebook – Social Network

• Severity: 50 million user accounts, not including the Cambridge Analytica scandal which was a separate incident (87 million users’ data accessed).
• Time Frame: September 2018-2019.
• Type of Data Breached: User profile data. Unclear if private messaging and third-party sites included.
• Financial Impact: Updates about this breach are ongoing.
• Impact to the Company: Growing mistrust in the company and its practices.
• Was it Preventable:  Vulnerabilities were patched quickly after bugs were found.
• Conclusion: Vigorous and creative testing of the platform’s features as well as mobile app testing could have helped analysts discover the vulnerabilities.

And even more recently, 540 million Facebook users’ data were exposed on Amazon’s cloud.

2. Home Depot – Retail

• Severity: 56 million credit card details and 53 million email addresses.
• Time Frame:
• Type of Data Breached: Credit card details and email addresses.  
• Financial Impact: Estimated damages paid out to date are $179 million.
• Impact to the Company: This breach is the largest retail data breach of all time. Being associated with a statistic like this is bound to negatively impact its reputation and bottom line.
• Was it Preventable:  All signs point to poor IT security practices within the company. Attackers were able to install malware on payment systems by exploiting a network security vulnerability.
• Conclusion: Regular pen testing and vulnerability assessments ensure the security of systems and networks - closing such vulnerabilities before they can be misused.

Check out this SANS case study about the Home Depot breach.

3. Uber – Transportation

• Severity: 57 million user accounts.
• Type of Data Breached: Names, phone numbers, email addresses of both riders and drivers. Over 600,000 driver's license numbers.
• Impact to the Company: $148 million in fines. The company still faces potential lawsuits and fines.
• Was it Preventable:  The attackers gained access to Uber's GitHub account, which had its AWS credentials saved on it. Credentials shouldn't be stored anywhere in plain text.
• Conclusion: This attack was caused by lax data security practices, further compounded by Uber's attempt to cover it up when the breach was discovered.

Read more about the 2016 Uber breach from The New York Times.

4. Anthem - Healthcare

• Severity: 8 million customer records stolen.
• Time Frame: February 2015.
• Type of Data Breached: Unencrypted names, addresses, Social Security numbers, dates of birth, and employment histories of current and former customers. 
• Financial Impact: An estimated $115 million in fines and settlements.
• Impact to the Company: Not only would customers be at risk of identity theft but the breach extended to the company’s other brands.
• Was it Preventable:  Experts have concluded that this attack was orchestrated through a session-hijacking attack. This kind of attack stems from malware installed on an authenticated system and can be prevented by educating employees about data security.
• Conclusion: Educating employees about good cybersecurity practices is as important as investing in cybersecurity testing and infrastructure.

Read more about the 2015 Anthem breach from The New York Times.

 5. Target - Retail

• Severity: 110 million user accounts (40 million payment details and 70 million users’ contact information)
• Time Frame: 2013, detected in 2014.
• Type of Data Breached: Full names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other sensitive data. 
• Financial Impact: Estimated cost of recovery and reparations is $64 million.
• Impact to the Company: Apart from massive fines in 47 states in the United States, Target also suffered a loss of face and gained the reputation of being unsafe for any sensitive transaction.
• Was it Preventable:  The attackers exploited security flaws in Target's system. Intermittent pen tests would have reduced the chances of such a vulnerability existing unchecked.
• Conclusion: Regular cybersecurity assessments are no longer optional for companies that want to be seen as places to transact business safely.

Check out this SANS case study about the Target breach.

6. Heartland Payment Systems – Payment Technology

• Severity: 130 million payment details.
• Time Frame: Breached in 2008, discovered in 2009.
• Type of Data Breached: Details of over 100 million credit cards.
• Financial Impact: $140 million in fines and lawsuits.
• Impact to the Company: A fall in share prices and a permanent dent in its reputation before being acquired by Global Payments Inc.
• Was it Preventable:  Although the attack initiated in physically by breaking into the offices, this is another case of a business not securing sensitive data. Unencrypted or low-effort encryption on payment details handed the attackers exactly what they needed without much effort.
• Conclusion: Heartland could have fixed the vulnerability that allowed the attacker access to sensitive information and that data could have been encrypted.

Read more about the Heartland Payment Systems breach from Forbes.

 7. Under Armour – Health and Fitness Retail

• Severity: 150 million MyFitnessPal account details accessed.
• Time Frame: Detected on 25th March 2018.
• Type of Data Breached: Usernames, email addresses, and hashed passwords.  
• Financial Impact: Unknown as of yet. However, analysts expect lawsuits and fines in the several millions.
• Impact to the Company: Share price of Under Armour dropped by 3.8% immediately after the news of this breach.
• Was it Preventable:  Investigations are still underway.
• Conclusion: Since the stolen information only included hashed passwords (using bcrypt), the attackers can't get their hands on the actual passwords used by users. However, the attack itself might have been prevented with better attention to cybersecurity infrastructure.

Learn more about the Under Armour breach from Wired.

8. FriendFinder Networks Inc. – Dating and Entertainment

• Severity: 412 million users' personal information leaked.
• Time Frame: First breached on 21st May 2015.
• Type of Data Breached: Unencrypted dates of birth, email addresses, genders, geographic locations, IP addresses, gaces, gelationship statuses, sexual orientations, spoken languages, and usernames.  
• Financial Impact: Estimated damages are $239 million.
• Impact to the Company: This massive breach of extremely personal data has dented the reputation of every company attached to this organization.
• Was it Preventable:  For one, the passwords were stored in plain text or as unsalted SHA1 hashes. The attack was carried out using an injection vulnerability, something that would have been fixed during regular vulnerability assessments and pen tests.
• Conclusion: The FriendFinder Network attack is a prime example of what happens when a business takes data security lightly.

Read more about the FriendFinder Network breach from CSO Online.

9. MySpace – Social Network

• Severity: 427 million users’ passwords, 360 million user accounts affected. Attacked data found for sale on an online attacker forum.
• Time Frame: First breached on 1st July 2008.
• Type of Data Breached: Unencrypted email addresses, usernames and unsalted SHA-1 hashed passwords.  
• Financial Impact: Since this report is relatively recent, although breached long ago, the financial implications are unknown as of now.
• Impact to the Company: Although MySpace is no longer used as widely as it once was, this breach did open the company (now owned by Time Inc.) to a litany of potential legal, social, and corporate ramifications.
• Was it Preventable:  The real reason for this breach has not been made public yet.
• Conclusion: Another case of an acquisition gone wrong. Due diligence regarding data security is a must before a business acquires another and integrates its systems.  

Read more about the MySpace breach from Tech Crunch.

10. Marriott - Hospitality

• Severity: 500 million guests/users.
• Time Frame: Breach remained unnoticed from 2014-2018.
• Type of Data Breached: Unencrypted names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood loyalty program account information, and reservation information. Attackers also gained access to encrypted card numbers and expiration dates. (However, it remains unknown whether the encryption keys were stolen as well).  
• Financial Impact: Bloomberg Analysts say the fines could go as high as $1 billion, as this breach falls under the purview of the EU's new GDPR regulations.
• Impact to the Company: The value of Marriott shares tumbled by 5.6% as soon as the news hit.
• Was it Preventable:  This attack was a result of an infected Starwood Reservation System, which Marriott acquired when it bought out Starwood Hotels and Resorts Worldwide. Due diligence before integrating this system might have at the very least prevented this breach from reaching this scale.
• Conclusion: Hiring cybersecurity experts who'll help assess the security of systems, whether legacy or acquired from other businesses, will ensure that the business doesn't end up as a cautionary tale in data security.

Read more about the Marriott breach from Bloomberg.

11. Yahoo! – Web Services

• Severity: 3 billion affected users. Another breach affecting 500 million users in late 2014, reported in 2016. Attacked data sold online on the dark web and various attacker forums.
• Time Frame: First attack detected in December 2013 and another in October 2014.
• Type of Data Breached: Unencrypted email addresses, backup email addresses, and security questions as well as their answers.
• Financial Impact: Settled at $117.5 million.
• Impact to the Company: Other than the direct fines, Verizon (parent company) reduced the acquisition value of Yahoo! by another $350 million in a deal after the breach was discovered. With a final sale value of just $4.48 billion, this was quite a fall for the once-powerful $100 billion company.
• Was it Preventable:  Yahoo! was often taken to task for having a lax attitude towards cybersecurity. In fact, the company failed to hire a Chief Information Security Officer until around 2014. However, the new CISO resigned in 2015, citing lack of funds to implement necessary cybersecurity and remedial measures as the reason for his departure.
• Conclusion: Even routine vulnerability assessments, penetration tests, and a larger cybersecurity budget would have prevented this unfortunate incident.

Read more about the 2013 Yahoo! Breach from The New York Times.

What do these data breaches teach us?

Proactive, regular, and evolving vulnerability assessments, pen tests, incident response tabletop exercises, and employee education are necessary to ensure that your company’s data and network are secure.

Want more? Read...

• Pretty Much Everything You Need to Know About Incident Response Tabletop Exercises
• How Often Should You Really Test Your Incident Response Plan?
• Pen Testing Sample Reports

OR