With all the data breach headlines that dominate the news, you might think that there’s a new data breach every week. In fact, data breaches are even more common than that: by one widely quoted estimate, 291 records are stolen every second. Most of these breaches are ‘small’ by definition, but every year has its headline breach, such as Equifax in 2017 and Facebook in 2018.
Significant data breaches started to become common around 2005, when DSW Shoe Warehouse was the victim of a breach that compromised up to 1.4 million credit card numbers. That’s not to say breaches didn’t exist before that. For example, George Mason University had already suffered a breach in January of that same year, although it affected a reported 32,000 students and staff.
We’re not here to learn about the smallest breaches, though, even if they are important too. Year after year, a new breach takes the crown, whether in financial loss or in the amount of data stolen. With that said, we’ll be covering the 7 biggest data breaches in the history of technology.
The breaches are ranked by the number of users impacted; the estimated financial loss is given alongside each one.
1. Yahoo – 3 Billion Users, $118 Million
In December 2016, Yahoo disclosed that a breach in August 2013 had affected more than one billion accounts. In October 2017, after Verizon had completed its purchase of Yahoo’s internet business for $4.48 billion, the figure was revised to every account Yahoo had: all 3 billion. It remains the biggest data breach in history.
The breach led to a $117.5 million class-action settlement, one of the largest data breach settlements approved at the time, which makes Yahoo not only the largest breach (in terms of how many people it affected) but also one of the costliest. Who carried out the 2013 intrusion has never been publicly established; several reports link the data to “Peace”, a well-known dark web data merchant who was offering Yahoo account data for sale in 2016, although a seller is not necessarily the intruder.
2. Marriott – 500 Million Users, $72 Million
Marriott disclosed in November 2018 that the guest reservation database of Starwood, the hotel chain it acquired in 2016, had been compromised since 2014. The breach has reportedly cost Marriott $72 million so far, with costs expected to increase in future quarterly reports. The intrusion is reported to have begun when an employee opened malware delivered by email, after which the attackers moved through the network and stole customer data.
Ironically, Marriott also reported $71 million in insurance reimbursements related to the incident, meaning that on those figures it suffered a net loss of only $1 million.
That goes to show the value of cyber insurance… although the renewal premium will be teaching them a lesson!
3. FriendFinder – 412 Million Users, $70 Million
FriendFinder Networks, which operates a group of adult sites, was breached in October 2016 through a local file inclusion (LFI) vulnerability, which let the attackers read files on the server and ultimately execute code and reach the sites’ databases.
An estimated 412 million accounts across the sites FriendFinder Networks owns were exposed, at an estimated cost of $70 million. The company had already filed for Chapter 11 bankruptcy in September 2013, so it wouldn’t be surprising to see it shut down after this breach.
Adding insult to injury, LeakedSource, which obtained the data, reported that “the company either stored user passwords in plaintext, without any protection, or hashed them using the notoriously weak SHA1 algorithm”.
In other words, many of the passwords had no protection at all, and the rest were hashed with unsalted SHA-1. SHA-1 is a fast, general-purpose hash, not a password hashing function: with no salt, a single precomputed table of common passwords can be matched against every account at once, and a single GPU can test billions of SHA-1 candidates per second. (The later collision attacks on SHA-1 matter for signatures, not for this problem; an unsalted SHA-256 would have been almost as easy to crack.)
Don’t store your passwords in plaintext, folks!
4. MySpace – 360 Million Users, $20 Million
MySpace, a social media site that is now defunct in all but name, suffered a breach in which over 360 million accounts and 427 million passwords were compromised (some accounts had more than one password on record). The data was dated: it came from before June 2013, when the site relaunched with a stronger password scheme, and it only surfaced for sale in May 2016. At the time of disclosure, this was the largest breach any company had suffered. The passwords were unsalted SHA-1 hashes of the first ten characters of each password, lowercased, which made cracking them even easier.
5. LinkedIn – 165 Million Users, $1 Million
In June 2012, LinkedIn revealed that it had been the victim of a breach, putting its immediate response costs at up to $1 million. The initial leak held about 6.5 million password hashes; in 2016 it emerged that roughly 165 million accounts had been taken.
How the attackers got in was not disclosed at the time, but the damage was magnified because the passwords were stored as unsalted SHA-1 hashes rather than with a salted, deliberately slow password hashing function. That left them open to the same precomputed-table attack that hit FriendFinder, and a large share of the hashes were cracked within days of the 2012 leak.
6. Equifax – 145 Million Users, $1.4 Billion
Of course, who could forget the Equifax breach?
Between May and July 2017, Equifax, one of the three major U.S. consumer credit reporting agencies, was breached; about 145 million U.S. consumers were impacted (the company later raised the figure to nearly 148 million).
Despite its estimated $1.4 billion price tag, many argue that the breach was entirely preventable: the attackers got in through a known vulnerability in the Apache Struts web framework (CVE-2017-5638) for which a patch had been available since March of that same year, two months before the intrusion began.
7. Heartland Payment Systems – 130 Million Users, $140 Million
Although it has since been eclipsed, the Heartland Payment Systems breach, which ran through 2008 and was disclosed in January 2009, was the largest theft of payment card data on record at the time, so it would be a crime (pun intended!) not to include it in this list.
This breach cost more than most because it hit a payment processor: rather than just personal data, it exposed the debit and credit card numbers flowing through Heartland’s network. The attackers got in through a SQL injection flaw in a web application, then planted packet-sniffing malware on the processing network to capture card data in transit. In all, over 130 million debit and credit cards are estimated to have been compromised, at a total cost of a whopping $140 million.
Lessons Learned: How You Can Protect Your Company Against Similar Attacks
Although breaches will always be a part of the cyber world, that doesn’t mean you can’t protect yourself from them. As the list above shows, data breaches can cost businesses millions, even billions of dollars. Worse, some of these breaches could have been prevented, such as the ones Equifax and LinkedIn suffered. Here are a few things you can do to reduce the probability of your company being breached:
- Update your software with the latest patches – one unpatched web framework cost Equifax an estimated $1.4 billion
- Provide cybersecurity training to employees – one opened email attachment cost Marriott $72 million
- Hash passwords with a salted, deliberately slow password hashing function (Argon2id, bcrypt, scrypt or PBKDF2) and encrypt sensitive data at rest – because FriendFinder stored passwords in plaintext or as unsalted SHA-1 hashes, it suffered over $70 million in damages. Note that swapping SHA-1 for SHA-2 would not have helped much: both are fast hashes designed for integrity checks, not for passwords. The fix is a unique salt per user, so there is no shared table to precompute, and a work factor that makes every guess expensive.
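To make the FriendFinder and LinkedIn lesson concrete, here is an added example (it is not code from any of the companies named above) that runs the same wordlist attack against an unsalted SHA-1 dump and against salted, iterated PBKDF2 records. The usernames, passwords, wordlist and “breach dump” are constructed for illustration, and PBKDF2-HMAC-SHA256 from the standard library stands in for Argon2id or bcrypt, which need a third-party package.

```python
"""Why unsalted SHA-1 passwords fall instantly, and what to store instead.

Added example for this article; not code from FriendFinder, LinkedIn or any
other company named above. The user names, passwords, wordlist and dump are
constructed. PBKDF2-HMAC-SHA256 (stdlib) stands in for Argon2id or bcrypt.
"""
import hashlib
import hmac
import secrets

# --- the weak scheme: what the leaked databases contained -------------------

def legacy_sha1(password):
    """Unsalted, single-round SHA-1 hex digest. Never use this for passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed breach dump: username -> unsalted SHA-1, as LeakedSource described.
LEGACY_DUMP = {
    "alice": legacy_sha1("password"),
    "bob":   legacy_sha1("123456"),
    "carol": legacy_sha1("correct horse battery staple"),
}

# Constructed attacker wordlist (real ones run to hundreds of millions of entries).
WORDLIST = ["123456", "qwerty", "password", "letmein", "iloveyou"]


def crack_unsalted(dump, wordlist):
    """Hash each candidate once and match it against every account at the same time.

    Returns (cracked accounts, number of hash computations). With no salt the
    work is proportional to the wordlist, not to the number of users.
    """
    table = {legacy_sha1(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


# --- the hardened scheme: salted, iterated key derivation --------------------

def hash_password(password, iterations=600_000, salt=None):
    """Return a self-describing record: scheme$iterations$salt_hex$key_hex."""
    if salt is None:
        salt = secrets.token_bytes(16)          # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Re-derive the key from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(dump, wordlist):
    """The same wordlist attack against salted records.

    Every candidate must be re-derived for every account, and each derivation
    costs `iterations` HMAC calls, so the work is users * wordlist * iterations.
    Returns (cracked accounts, number of derivations performed).
    """
    cracked, derivations = {}, 0
    for user, record in dump.items():
        for word in wordlist:
            derivations += 1
            if verify_password(word, record):
                cracked[user] = word
                break
    return cracked, derivations


if __name__ == "__main__":
    found, work = crack_unsalted(LEGACY_DUMP, WORDLIST)
    print(f"unsalted SHA-1: {found} after {work} hashes")

    iters = 20_000                                # lowered so the demo runs in seconds
    hardened = {u: hash_password(p, iterations=iters) for u, p in
                [("alice", "password"), ("bob", "123456"),
                 ("carol", "correct horse battery staple")]}
    found, work = crack_salted(hardened, WORDLIST)
    print(f"salted PBKDF2: {found} after {work} derivations x {iters} rounds each")
```

Two things to notice when you run it. First, the salted scheme does not rescue “password” or “123456”: a weak password is still found, only more slowly, which is why a password policy or breached-password check still matters. Second, the cost structure changes completely: the unsalted attack does one hash per wordlist entry for the whole dump, while the salted attack does one full key derivation per entry per user, and each of those is hundreds of thousands of HMAC rounds at a production work factor rather than the 20,000 used in the demo.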