What Can You Do to Avoid Data Breaches?
If you have read recent IT security news, whether in Australia or in any other part of the world, you might have seen the number of data breaches that occurred during the first half of 2019 alone. In fact, from January to July of this year, a total of 1.6 billion records were compromised due to the lack of proper IT security protocols. That’s a daily average of 7.6 million records in a span of 7 months.
What Is a Data Breach and Its Examples?
A data breach occurs when secure, confidential information is released to an untrusted environment, either intentionally or unintentionally. It’s also considered a data breach if protected data is copied, viewed, transmitted, used or stolen by someone without proper authorisation. It can involve a variety of data, including:
- personally identifiable information or PII (e.g., social security number, phone number and email address)
- personal health information (PHI)
- bank or financial information (credit card or bank account number)
- intellectual property or business trade secrets
Have You Seen These 15 Large-Scale Data Breaches Since 2004?
Statistics have shown that 42% of all data breaches were caused by hackers and cybercriminals, while 29% occurred due to system glitches. And these cybercriminals do not discriminate! They attack all types of businesses, no matter the size of the organization, from social media companies and other online platforms to financial and healthcare institutions. This is why it is important for any business operator to have strong information technology security in place to protect all of the crucial information that the business holds, because even a small mistake can cost a company its reputation. If you want a better picture of how hard a data breach can hit a company, here are 15 of the largest data breaches that happened in the last 15 years.
1. America Online (AOL)
In 2004, 92 million AOL screen names and email addresses were compromised after a former AOL software engineer stole the information and sold it to an online marketer. The software engineer used another employee’s ID to assemble a complete list of AOL customers’ screen names and email addresses. The marketer then sent around 7 billion unsolicited spam emails. This breach cost AOL from $400,000 to a few million dollars. The engineer and the online marketer involved in this cybercrime were both charged with conspiracy and faced a maximum sentence of 5 years in prison and fines of up to $250,000.
2. Yahoo
After a series of separate attacks from 2012 to 2014, about 3 billion Yahoo accounts were compromised. This data breach was viewed as a threat to Verizon’s $4.8 billion deal to buy Yahoo. Because of the hacking, an estimated $350 million was knocked off the price. The names of users, along with email addresses, passwords, birthdates, telephone numbers and security questions and answers, were all compromised. This breach may have happened because security had taken a back seat at Yahoo. According to critics, the company was slow to adopt aggressive security measures, even after a breach of over 450,000 accounts in 2012.
3. Target
About 40 million payment credentials and 70 million contact records from Target customer accounts were compromised. Target had to work with law enforcement and financial institutions to resolve the issue. Investigators believed that the hacker obtained the information through software installed on POS machines at Target stores. Because of this data breach, names, addresses, telephone numbers and email addresses were compromised.
4. eBay
Hackers from the Syrian Electronic Army accessed the personal data of all 145 million eBay users in 2014. The cybercriminals gained access to eBay’s systems through login credentials obtained from a small number of employees. The company has come under fire for the way it handled this cyberattack. The attack allegedly happened sometime between late February and early March, but the breach was detected only in May 2014. The hackers had full access to eBay’s servers for 229 days. During this time, they accessed eBay’s database and copied information, including names, email addresses, phone numbers, encrypted passwords, registered addresses, and birthdates.
5. Anthem Inc
Anthem’s database, which contained as many as 80 million records of current and former customers as well as employees, was hacked in January 2015. This data breach affected a large number of Anthem branches. The compromised information included customers’ names, social security numbers, membership numbers, medical IDs, addresses, birthdays, email addresses and employment information, including income data. The hack began when the attackers sent phishing emails to five employees, who were tricked into downloading Trojan software with a keylogger. This made it possible for the hackers to obtain passwords for accessing encrypted data.
6. LinkedIn
A total of 80 million company records owned by LinkedIn were hacked in January 2015 by Russian cybercriminals who call themselves ‘Peace’. Apart from the company records, the cybercriminals also got their hands on 117 million email address and password combinations, which they sold on the dark web. They started off by stealing 6.5 million encrypted passwords and posting them on a Russian hacker forum. The passwords were protected only by SHA-1, a common cryptographic hash function. It’s a format that’s considered weak if added precautions aren’t taken. Within 72 hours, about 90% of those passwords were cracked.
7. MySpace
MySpace had a data breach in May 2016, which compromised a total of 360 million accounts. Both the hacker known as Peace and one of the operators of LeakedSource, a paid hacked data search engine, claimed to have the credentials. Each record in the hacked dataset contained an email address, a username, one password and, in some cases, a second password. The passwords were stored as unsalted SHA-1 hashes, which are known to be weak and easy to crack. ‘Salting’ the passwords could have made them harder to crack, because a series of random bytes is added to the end of each password before hashing it.
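The difference between the unsalted SHA-1 storage described in the LinkedIn and MySpace entries and salted storage, as an added example that is not part of the original article. It goes one step beyond the text by using a salted, deliberately slow function (PBKDF2) rather than salted SHA-1; the function names, the sample accounts and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def unsalted_sha1(password: str) -> str:
    """The weak scheme described above: a bare SHA-1 digest with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def shared_digests(records: dict[str, str]) -> dict[str, int]:
    """Audit a credential table: digests stored for more than one account.

    A repeat means equal passwords hash to equal values, so no per-user
    salt is in use and one recovered password exposes every such account.
    """
    counts = Counter(records.values())
    return {digest: n for digest, n in counts.items() if n > 1}


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Salted, slow hash. Returns (salt, derived_key) to store per account."""
    salt = os.urandom(16)  # fresh random bytes for every account
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


# Constructed sample accounts (not taken from any real dataset).
SAMPLE = {"alice": "sunshine1", "bob": "sunshine1", "carol": "t4ngerine-Kite"}

if __name__ == "__main__":
    weak = {user: unsalted_sha1(pw) for user, pw in SAMPLE.items()}
    print("repeated unsalted digests:", shared_digests(weak))
    strong = {user: hash_password(pw) for user, pw in SAMPLE.items()}
    print("alice and bob share a salted hash:", strong["alice"][1] == strong["bob"][1])
    print("alice login ok:", verify_password("sunshine1", *strong["alice"]))
```

Running `shared_digests` over an existing credential table is a quick way to confirm whether a legacy store still lacks per-user salts.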
8. Three
In November 2016, 133,827 customer accounts were exposed after hackers gained access to this set of information. The hackers then upgraded the accounts before intercepting new phones. Because of the hacking, the name, address, date of birth, handset type, contract start and end date, upgrade eligibility date, payment method, tariff, billing date and mobile number of Three customers were compromised. Three immediately took action to block the activity, placed additional layers of security on the upgrade system and applied additional security to all customer accounts as a precaution.
9. Equifax
The personal information (names, addresses, birthdates, social security and driver’s license numbers) of 143 million Equifax customers was compromised, with 209,000 consumer credit cards put at risk. The hackers also stole dispute documents with the PII of about 182,000 people. They gained access to Equifax’s server by taking advantage of a vulnerability in Apache Struts, the open-source software that Equifax was using. The company’s CEO, Richard Smith, testified before Congress in October 2017. During the first of the four hearings that he attended, he repeatedly blamed the data breach on one employee who failed to update the software on one server.
10. Uber
The transport company Uber had to pay hackers $100,000 to delete the stolen personal data of 57 million customers and drivers. Uber kept this data breach under wraps for more than a year. However, in November 2017, the company decided to fire its chief security officer and one of his IT security deputies for their roles in concealing the hack, which included the $100,000 payment to the attackers. The compromised data included names, phone numbers and email addresses of 50 million Uber riders around the world. At the same time, the personal information of about 7 million drivers, including 600,000 U.S. driver’s license numbers, was accessed.
11. Marriott International
An unauthorized party copied information that belongs to about 500 million customers from Marriott’s Starwood reservations system. Specifically, 5.25 million unique encrypted passport numbers and around 18.5 million encrypted passport numbers were exposed. The assault started as far back as 2014, and the data breach hit customers who made reservations for the Marriott-owned Starwood hotel brands from 2014 to 2018. The properties include Sheraton, W Hotels, Four Points, Westin, Aloft, Element, Le Méridien, Design Hotels, Tribute, St. Regis and the Luxury Collection. The names, addresses, phone numbers, birth dates, mailing and email addresses and encrypted credit card details of hotel customers were stolen. The travel histories and passport numbers of a smaller group of guests were also taken.
12. Cathay Pacific
With 9.4 million compromised user accounts, Cathay Pacific Airways has come under fire for waiting 6 months before notifying the victims that their data had been copied illegally from the airline’s servers. The airline faced more intense cyberattacks in March, April and May 2018, and these continued thereafter. These ongoing attacks meant that Cathay’s internal and external IT security resources had to remain vigilant in containing and avoiding any further breaches. The exposed information includes 860,000 passport numbers, 245,000 Hong Kong identity card numbers and 430 credit card numbers, along with birthdates, home and email addresses, travel information and nationalities of customers.
13. Facebook
Hackers exploited a vulnerability in Facebook’s ‘View As’ code to steal access tokens and use them to take over 50 million user accounts in September 2018. The access tokens are like digital keys that keep people logged into Facebook, so they don’t need to re-enter their password every time they use the app. Due to this data breach, the profile data of 50 million users, along with their preferences and interests, was accessed. The harvested data was used to build a powerful software program to predict and influence the choices of voters. A whistleblower has revealed how Cambridge Analytica built a system that could profile individual US voters and how this personal information, taken without authorisation in early 2014, was used to target users with personalised political advertisements. The discovery of the data harvesting and its purpose raised urgent questions about the role that Facebook played in targeting voters in the US presidential election.
14. Quora
The data of 100 million users was exposed due to a malicious third party’s unauthorized access to Quora’s systems. Due to this data breach, names, encrypted passwords, public and non-public content and actions (comments, questions, answers and upvotes), email addresses and data imported from linked networks authorized by users were accessed. However, Quora noted that because the site does not collect sensitive information such as credit card or social security numbers, the incident was unlikely to result in identity theft.
15. Blank Media Games
Blank Media Games’ browser-based game ‘Town of Salem’ suffered a data breach, which exposed 7.6 million user details. The hack was discovered after a mysterious person sent a copy of the stolen data to DeHashed, a commercial data breach indexing service. Names, email addresses, birthdates, passwords, phone numbers and security questions and answers were compromised. DeHashed indicated that it spent days, from Christmas of 2018 to New Year of 2019, trying to contact and alert Blank Media Games about the hack and its still-compromised server. The hacked servers were finally secured and ‘multiple backdoors’ were removed in the first week of January 2019.
The Final Word
No matter how big or small your company is, cybercriminals can take advantage of any weaknesses that your IT security may have. Not paying attention to data security is a huge risk that you cannot afford to take, especially if you want to stay in the business world and create a reputable brand that customers will trust. This is why it’s essential for businesses to take advantage of IT consulting solutions that can help paint a better picture of how crucial system security is. With the continuing growth of the world of information technology, there is a wide selection of tools and services that you can use to avoid any data breach occurrences. Sign up for IT audit services or book an IT security consultation.