Data breaches are one of the worst things that can happen to an organization. In most cases, a lawsuit follows the data breach, also losing customers’ trust ruins the reputation of the organization. The never-ending battle between hackers and cybersecurity experts getting more intense each year and still, thousands of organizations are falling victim to such attacks, reminding us of the importance of cybersecurity.
Before starting our list, we should mention different forms of data breach attacks. Depending on the attackers’ goal, data breach attacks can have different effects on organizations. The most common method is contacting the organization after stealing the data to extort money. Hackers threaten organizations to leak stolen data if their demands are not met. However, hackers can still leak the data even if the company pays the requested amount. In some cases, if hackers aim to ruin the organization’s reputation, they can leak the data in a criminal forum for free. Hackers can also sell stolen data to other hacker groups or other partners. The stolen data can be used in phishing attacks.
Another common method is called a double extort ransomware attack. It is a combination of data breaches and ransomware. In double extort attacks, hackers not only encrypt the organization’s data, leaving the organization inoperable but also steal the data. Even if the organization can restore the encrypted data, hackers can threaten it by leaking the stolen data.
Impacted: 3 billion
Stolen data: Names, phone numbers, security questions and answers, password recovery emails, cryptographic values unique to each account
Yahoo! was one of the most popular websites on the web in the internet’s early years. However, it lost its popularity during the last decade. One of the main reasons for this downfall is an incident that was revealed in 2016.
In September 2016, Yahoo! announced that in a state-sponsored hacking incident, more than 500 million users’ information had been breached in 2014. A few months later, the company had to admit another data breach incident that took place in August 2013, and estimated that 1 billion users were affected by the incident. It was already the biggest data breach incident until that date, but it became worse. FBI got involved in the investigation and revealed that 3 billion Yahoo! accounts had been compromised.
The hackers behind the incident were Latvian Alexey Belan and Canadian Karim Baratov, hired by Russia’s Federal Security Service. Their main targets were Russian journalists, Russian cybersecurity company employees, and other Russian officials. The duo managed to gain access to the networks by sending a series of spear-phishing emails with a download link to Yahoo! employees. By creating a back door on the server they could easily download another copy of the entire database in 2014.
As a result, the company has agreed to create a fund worth $117,500,000 to compensate users. Baratov was sentenced to 5 years in prison, along with a $2.25 million fine. Belan could never be captured or faced trial.
Impacted: 1.1 billion
Stolen data: Names, addresses, photos, phone numbers, emails, biometric data, unique bank accounts connected with the 12-digit ID number
Aadhar, the world’s largest ID database, the data breach was one of the biggest cybersecurity incidents that affected the entire population of one of the world’s biggest countries. Aadhaar, established by the Unique Identification Authority of India in 2009, was created to contain information of over 1.1 billion Indians, which includes a 12-digit unique identity number and biometric data, such as fingerprints, iris scans along with name, gender, and contact information.
Although an Aadhaar card wasn’t mandatory, it was required for many bureaucratic processes, including buying a SIM card or creating a bank account. In January 2018, the first news about the data breach of Aadhar was published. Reports revealed that hackers managed to infiltrate the system by using the website of Indane, a state-owned utility company. Investigations revealed that Indane API, which is connected to the government database directly, had no access controls. The flaw was discovered by Karan Saini, a New Delhi-based security researcher, who notified the organization. However, Aadhar denied the allegations. The Indian government also denied storing bank information but the data breach revealed that citizens’ bank accounts connected to their unique 12-digit ID numbers were stored.
As a result, all citizens faced the threat of becoming a victim of identity theft. For a long time after the incident, hackers sold citizens’ personal information on Whatsapp groups or other platforms for $7 per person. Some hackers also offer to print fake Aadhaar cards with stolen information.
First American Financial Corporation
Impacted: 885 million
Stolen data: Social security numbers, driver’s license images, bank account numbers and statements, mortgage and tax documents, wire transaction receipts
Financial organizations are on top of the hackers list when it comes to breach data. One of the U.S.’ largest title insurance providers, First American Financial Corporation was also targeted by attackers hackers and it even didn’t require any technical expertise to gather the data from the company’s website.
The flaw was discovered and announced by Brian Kerbs, an independent security journalist. A real estate developer noticed that the company’s website was leaking records and anyone who know the URL of a document on the website could view it by only changing a digit in the link. The developer tried to contact the company but didn’t get any response and then decided to contact Krebs. Krebs wrote a blog post about the situation and as expected it went viral.
Shortly after the company took down some parts of its website and made an announcement about the incident. The company described the flaw as “a design defect in the web application that may or may not have had an effect on the security of customer information.” However, New York’s Department of Financial Services took it more seriously and started an investigation into the security flaw. The U.S. Securities and Exchange Commission is also investigating the situation but no results are published yet. Customers accused the company of failing to implement even rudimentary security measures and filed class-action lawsuits.
Impacted: 800 million
Stolen data: Names, email addresses, social media data, addresses, phone numbers, gender, birth dates, company names, company’s annual revenue figures, company website, company’s industry identifiers, fax numbers
Another big data breach that took place in 2019 was the Verifications.io data breach, a big data email verification platform. The service allows marketing companies to verify email addresses that are used in advertising campaigns. Due to the nature of its business, the company had a huge database of email addresses and users.
Luckily for the company, the leak was discovered by two white-hat cybersecurity researchers, Bob Diachenko, and Vinny Troia. The duo discovered an unprotected MongoDB including 150 GB of data completely open to the public internet. Researchers notified the company shortly after the discovery and the database was taken down immediately and the company deactivated its website.
Shortly after the incident, a free breach notification service, Have I Been Pwned started warning impacted users about the breach. Diachenko stated that a large number of records were very detailed. The company claimed that they could secure the database quickly and said “Goes to show, even with 12 years of experience you can’t let your guard down.” The website remained offline since the incident occurred. Although the database didn’t include any credit card information, social security numbers, or passwords, it is believed that leaked information was used to launch phishing attacks.
Impacted: 605 million
Stolen data: Name, date of birth, social security number, address, gender, phone number, driver’s license number, email address, taxpayer ID, driver’s license, passport photo, credit card information
The Equifax data breach was one of the biggest ones in terms of both the sensitive information that got leaked and the number of people it affected. Also, the company’s slow approach made it worse. It took six weeks for Equifax to make a public announcement after realizing the breach. During the incident, Equifax executives sold lots of company stock, which caused suspicions.
In March 2017, a forensic analysis revealed that hackers exploited a vulnerability in the customer complaint module of the website, which was patched three days before the incident. Equifax’s staff’s slow response to patching the system led to one of the biggest data breaches in internet history. Interestingly, the IT staff ran multiple scans to discover vulnerabilities and unpatched software but somehow scans couldn’t find the problems. In May 2017, the attackers moved from the compromised servers to the entire network, enabling them to steal data by using another flaw. Analysis showed that the company was 10 months late renewing the public key certificate to decrypt, analyze, and re-encrypt data pulled from the internal network. Thus, hackers managed to steal terabytes of data unnoticed. The company became aware of the incident in July 2017 and finally, the company informed the public in September.
It resulted in the theft of 605 million records that belongs to 147 million U.S. citizens. A study claimed that 40% of the population’s information was exposed. 200,000 individuals among them also suffered a credit card breach. Affected individuals filed class action lawsuits and the company had to pay a total of $700 million to damaged parties.
Impacted: 540 million
Stolen data: Likes, comments, reactions, account names, Facebook IDs, photos, check-ins, events, unencrypted passwords
For more than a decade, Facebook managed to be one of the most popular social media platforms on the internet. It still has billions of active monthly users and gathers and stores huge amounts of data from its users. Also, it is not the first time Facebook experiences a data breach. In an unrelated incident in 2012, another breach revealed that Facebook left millions of passwords unencrypted on the servers, which were accessible to 20,000 employees.
Facebook’s 2019 data breach was also caused by the company’s lack of security measures. Cybersecurity experts from UpGuard discovered two databases on Amazon’s cloud service. One of the publicly accessible and available to download databases belonged to a company named Cultura Colectiva, and the other one belonged to a Facebook-integrated app, At the Pool. Investigators contacted Cultura Colectiva and At the Pool. Cultura Colectiva didn’t respond to the researchers’ emails and the team contacted AWS to inform them about the situation. The database belonging to At the Pool was taken down during the team investigation.
The information that was available to the public can be used by other hackers in social engineering attacks. Although Facebook has been sued on multiple occasions due to user privacy violations, no legal action has been taken about the data breach that took place in 2019.
Impacted: 500 million
Stolen data: Names, gender, email addresses, phone number, addresses, passport numbers, credit card information
The Marriott data breach, one of the world’s largest chains of hotels, shows that cybersecurity should be a priority for all organizations in various fields. The lack of necessary security measures also increased the impact of the incident. Although the hackers behind the attack are still unknown, since Marriott is the main provider for U.S. government and military officials, many believe that Chinese state-sponsored actors might be behind the attack.
The data breach was discovered in late 2018 when someone made a suspicious attempt to access the guest reservation system. Within days, the company hired third-party investigators and implemented containment measures. Shortly after, investigators managed to discover the cause of the data breach. Attackers used a trojan, along with Mimikatz, which attempts to find combinations of usernames and passwords. By using the credentials of a system administrator, hackers made a suspicious database query, which is caught by Accenture. The database also included encrypted credit card numbers, however, the encryption keys were stored on the same server. Also, some of the passport numbers were encrypted while some were not.
The stolen information didn’t appear on the dark web for sale so far, thus investigators believe that the main purpose of attackers was gathering information about U.S. officials. The expenses of the incident were borne by the insurance company mostly. The incident cost $72 million to Marriott and the insurance policy covered $71 million of it. However, the company was issued a $120 million fine by the UK Information Commissioner’s office, but it has yet to pay. Also affected guests filed class action lawsuits that didn’t resolve yet.