10 Biggest Data Breaches of All Time - And How to Prevent Them
Data breaches are often the result of simple data management mistakes. By implementing proper data breach prevention practices now, you can drastically reduce the likelihood of your organization suffering a data breach and recover more efficiently in the event it does.
Data breaches. The term itself can ring alarm bells in most organizations, and for good reason. A data breach usually means thousands spent on remedial measures, millions in regulatory fines and the invaluable loss of customers' trust and confidence. (Also read: Massive Data Breaches: The Truth You Might Not Know About.)
There have been numerous data breaches in modern times, forcing other organizations to undertake adequate data privacy and protection measures.
Here are the top 10 such breaches, and how to keep your organization from landing on a list like this:
1. Yahoo (2013)
There's really no other way to start a list of the biggest data breaches ever than with the 2013 Yahoo breach, which affected almost three billion users.
The breach's impact was a rapid $350 million reduction in Yahoo's market value -- while they were in the middle of a Verizon acquisition. The cyberattack's perpetrators were never identified, but Yahoo issued a statement asserting it believed "state-sponsored actors" may have been responsible.
Almost all Yahoo users' real names, email addresses, dates of birth, telephone numbers, authentication questions and other sensitive information was leaked in what is still considered the biggest data breach of all time.
2. First American Financial Corporation (2019)
Nearly a billion records were compromised when the First American Financial Corporation faced a data breach that led to bank account numbers, mortgage and tax records, social security numbers, wire transfer receipts and bond transaction receipts being compromised.
What sets this breach apart from the rest on this list is that it wasn't a breach in the traditional sense of the word. Rather than hackers breaking into the databases, the First American Financial Corporation failed to implement a secure authentication protocol which meant no one had to prove their identity to view the aforementioned documents. Once they accessed the documents, hackers used Advanced Persistent Bots (APBs) to collect, catalog and copy all data they had access to.
This glaring error went unnoticed for years. The New York State Department Financial Services (NYDFS) claimed the First American Financial Corporation did very little to ensure it had appropriate security measures to protect its critical data.
3. Marriott Hotels (2018)
Marriott is not a typical digital service provider, which sets it apart from some of the other names on this list. However, the international hotel chain suffered a breach in 2018 that affected more than 500 million users.
The affected users' contact information, passport numbers, travel history, credit card information, social security details and Starwood Preferred Guest numbers were among the sensitive data that was breached.
Marriott faced a PR catastrophe, as it was slapped with a $24 million fine in the UK, hundreds of class action lawsuits and calls for its senior management to resign.
Following an internal audit, Marriott's use of outdated encryption protocols to store and secure its databases was the primary cause of the breach. The audit concluded the breach was carried out using a Remote Access Trojan (RAT) and Mimikatz. (Also read: Encryption Just Isn't Enough: Critical Truths About Data Security.)
4. MySpace (2016)
MySpace may not have been as popular as some of the other social networking sites in 2016, but it wasn't any less shocking when the company announced to its users that their old information may be available for sale online -- or, more accurately, that it had been up for sale online for at least three months.
Time Inc., which acquired MySpace, reported a data breach had left 360 million accounts compromised, with their usernames and passwords available to be used to access users' information on other sites. The hackers behind the data breach were thought to be responsible for similar data breaches at Tumblr and LinkedIn.
5. Adult FriendFinder (2016)
When Adult FriendFinder suffered a data breach, there was absolute pandemonium all around. This was owed to the nature of the data breach, with information about users' casual hookups and other adult content being made public.
More than 400 users' the names, email addresses, passwords, pictures and other personal details were leaked online and freely available on leaksource.com. The databases compromised had 20 years' worth of information, with the users' credentials also available online. The site's use of SHA-1 hashing algorithm -- a fragile protocol by modern standards -- was the primary reason the database was so easily breached.
6. Twitter (2018)
How a company the size of Twitter managed to commit such a gaffe will forever remain a mystery. In May 2018, the company sent an email to its 330 million users urging them to change their passwords, since some of them passwords had been stored on its internal computer system in readable text format.
Twitter reassured its users that the glitch had been identified before any data breach, so none of their information had been compromised. However, a 2010 Federal Trade Commission inquiry revealed that there had been at least two data breaches at Twitter where users' private data had been compromised due to lapses in Twitter's security protocols. (Also read: Uncovering Security Breaches.)
7. Equifax (2017)
Compared to some others on this list, the Equifax data breach is fairly mild. However, the fact that the organization had to spend upwards of $700 million in remedial measures to help affected users made it a cautionary tale for other organizations.
Approximately 150 million users had their social security numbers, dates of birth, home addresses, driver's license numbers and credit card information stolen. The people responsible for the breach were never identified, even after lengthy congressional inquiries.
The inquiries did discover, however, that a vulnerability within the Equifax website had been exploited for months by those responsible for the breach. Other inadequate measures, such as the lack of database system segmentation, made the attacks even easier to carry out.
8. Facebook (2019)
Facebook was already facing a public relations nightmare in 2019 over its less-than-adequate data protection practices when news of the 2019 breach broke. It was, and remains, the most significant breach in the company's history, affecting up to 540 million users globally. The perpetrators were never identified or caught, but it did reveal just how vulnerable Facebook's databases were.
How did it happen? Facebook had failed to adequately protect its global databases with the appropriate levels of encryption, and these databases were easily searchable online as a result. Users' phone numbers, genders and geolocation in the United Kingdom, United States and Vietnam databases were particularly vulnerable. This is precisely why it proved impossible to identify the perpetrators, since the databases were literally available via a simple Google search with no appropriate security measures to protect them.
9. eBay (2014)
The eBay breach came a few months after the Yahoo breach, with similar cases of compromised user data. While the 145 affected users (by some estimates) comes nowhere near Yahoo's numbers, the impact was not any less severe. Internal investigations revealed three of eBay's employees had been socially engineered, and their compromised credentials were used to gain access to the main eBay database. (Also read: Insider Threat Awareness: Avoiding Internal Security Breaches.)
The company informed all affected users and advised them to change their passwords, since attackers had accessed encrypted passwords as well. This led to New York's Attorney General calling on eBay to provide free credit monitoring services to users, which the company refused, citing a lack of financial fraud.
10. SolarWinds (2020)
One of the most recent major data breaches, what makes the SolarWinds data breach so notorious is that there still isn't a reliable number of how many records may have been compromised. However, more than 18,000 organizations and government agencies globally are said to have been affected. The United States Attorney General at the time stated that the attack may have been Russian-backed.
The attackers got insider access to SolarWinds update packages and placed malware into the next scheduled update. These updates contained the necessary e-signatures, so whichever networks accepted the updates were compromised. The hidden malware spread throughout the entire SolarWinds supply chain, with at least 50 United States government agencies facing a "grave impact" since the attackers gained a foothold within their networks.
Data Breach Prevention: Five Best Practices
Here are five some steps most organizations can undertake to do so:
1. Implement Access Governance
By far, the most fundamental measure an organization can take to minimize the risk of a data breach is to limit the number of people who have access to the data in the first place -- which is known as access governance. There’s no shortage of effective solutions that can help organizations address this issue.
For example, Securiti’s access intelligence via its Unified Data Controls allows organizations to identify which employees need access to what data and grant it to them on a strictly "needs-based" basis while also keeping detailed records to help with future assessments if necessary.
2. Conduct Awareness Trainings
This may seem rather obvious, but many organizations make the mistake of not appropriately training their employees about just how easily hackers may gain access to the company's databases by exploiting careless employee behavior online.
Regular workshops and training can educate your team on best practices to ensure they follow adequate security protocols online. This could also include anti-phishing training on adequately securing their footprint online via cybersecurity tools such as anti-virus software, VPNs or proxies like IPRoyal and Avast. (Also read: VPNs vs Proxies: What's Best for Business.)
3. Update Regularly
Yet another example of a relatively minor mistake that can lead to significant damage: Far too often, hackers exploit glitches in the software.
If an organization does not update its software regularly, the glitch will likely be present for that entire duration and can be exploited more easily.
4. Have a Proactive Response Plan
Often, organizations are too rattled and disorganized if they do find themselves victims of a data breach. It's worth mentioning that, if proper measures are taken in the immediate aftermath of a data breach, the impact of the breach can be drastically reduced.
You should have protocols in place that can give real-time insights into exactly what data was compromised, how the damage can be limited and the remedial measures most necessary.
5. Encrypt, Encrypt, Encrypt
Last, but probably the most important, is to know precisely how to leverage encryption to your benefit. Organizations that have an old-fashioned approach to encryption fail to maximize the security encryption has to offer.
With lattice-based encryption and quantum computing now gathering steam, organizations can afford to ensure the best possible protection for all their data. Doing so guarantees that, if all else fails, your data is so well-protected that hackers gain nothing by breaking into the company's internal database.
Data breaches can happen to anyone -- even the largest, most well-established organizations. And often, they're the result of simple, easily solvable data management mistakes. By implementing proper data breach prevention practices beforehand, you can drastically reduce the likelihood of your organization suffering a data breach and recover more efficiently in the worst-case scenario. (Also read: What Is an Air Gap Backup and Why Do You Need One?)