As technology continues to evolve, so do the tools of hackers. Here are the current Top 5 Cyber Security breaches of all time.
In the words of Frank Abagnale Jr., an American security expert, “hackers do not cause breaches, people do… it always comes down to the human element.”
Some, if not all, of the worst hacks in history can be traced back to someone’s wrongdoing or negligence. Regardless of the specific way in which a mistake is made, hackers look for these vulnerabilities and wait patiently for their opportunity to strike.
A single mistake can, and has, set in motion a series of events that can lead to millions, if not billions, of compromised user accounts. Personal records, passwords, credit card details, and other sensitive information has been broadcast due to these mistakes in the past.
The following are the Top 5 Cyber Security Breaches ranked in terms of risk or damage caused during the past decade.
(2013/2014) – In September and December of 2016, internet service company Yahoo! reported two major data breaches to their system. According to reports, the first breach occurred in late 2013, and was believed to have affected 1 billion of their user accounts.
Later, in 2014, a second attack had apparently compromised an additional 500 million user accounts.
Later investigations by authorities found that, in fact, all 3 billion Yahoo! user accounts had been compromised as a result of these two hacks. This information was disclosed by Yahoo! in a new report, released in October of 2017.
These two are considered the largest discovered breaches in the history of the internet. The stolen user account information included names, telephone numbers, email addresses, hashed passwords (using MD5), dates of birth, and some encrypted or unencrypted security questions and answers.
In an attempt to reassure its users, the company then stated that key sensitive information like passwords in clear text, payment card data, and bank account information was not part of the stolen information. Nevertheless, the lack of disclosure on behalf of Yahoo! and CEO Marissa Mayer was the target of vast criticism from the public.
Mayer’s reluctance to hire a dedicated chief information security officer and her neglect to ask users to change their passwords, even after knowing that some accounts had been compromised, stirred an uproar with the affected users.
Mayer claimed she feared requesting a change in passwords could drive users away from using their service.
(2014-2018) – In an announcement made by the Marriott International hotel chain on November 30th, 2018, they disclosed the findings of an investigation into a data breach attempt that triggered their systems on September 8th, 2018.
The initial investigation found that there had, in fact, been unauthorized accesses of the Starwood network. However, these intrusions dated back to 2014. The unauthorized party had copied and encrypted information from the Starwood guest reservation database.
The database held details from approximately 500 million guests that had made reservations with a Starwood property. Of these, they estimated that about 327 million guest accounts held private details. In a later announcement, made March 4th, 2019, they corrected that figure (based on police findings) to a total of 383 million compromised accounts with sensitive data.
These details included names, passport numbers, phone numbers, mailing addresses, dates of birth, gender, mailing addresses, and other reservation-related information. What was more concerning is that for some of these accounts, the information included payment card numbers and payment card expiration dates.
They further stated that even though the latter data was encrypted, it was entirely possible that the intruder had also acquired the two components needed to decrypt the information. Then, they apologized and informed their guests that a dedicated website and call center had been made available for guests, and that they were working with the authorities to resolve the issue.
In a final announcement, made on July 9th, 2019, the company disclosed that the UK Information Commissioner’s Office (ICO) had communicated an intent to fine Marriott £99,200,396 ($122,301,986) for the incident. A recording of the testimony made by Marriott’s CEO is available here.
To the notice of the fine, President and CEO of Marriott International, Arne Sorenson, stated that he was very disappointed in the decision made by the ICO and that they would contest. He also mentioned that he deeply regretted the incident, that Starwood takes guest privacy and security very seriously, and that the compromised database was no longer used for business operations.
(2016) – In October 2016, adult dating and entertainment company Friend Finder Network was hacked and compromised over 412 million accounts. This also includes 15 million ‘deleted’ accounts that were still in the company’s databases.
Email addresses, passwords, browser information, IP addresses, and dates visited were among the details that were leaked.
The hack was the second for the company. In 2015 over 4 million user accounts were compromised, revealing sensitive information about their accounts. The information leaked included the users’ sexual preferences and whether they were looking for an extramarital affair.
The attack was made possible through a local file inclusion flaw, which made it easy for hackers to gain access and run malicious code on their server. According to further investigations, the company’s poor security practices proved to be the vulnerability that made the breach possible.
Their three largest sites had the users’ information stored in plaintext or scrambled with the low security SHA-1 hash function. This negligence affected 99% of all the passwords on the databases.
Kelly Holland (CEO) and Diana Ballou (Vice President and Senior Counsel) assured their users that the site takes privacy very seriously and would provide further details on their investigation. They also stated that they were working on fixing the vulnerabilities and taking action to strengthen their security protocols.
(2017) – Consumer credit reporting agency Equifax collects and compiles information on over 800 million individual consumers and 88 million businesses worldwide. On September 7th, 2017, Equifax announced a cyber-security breach that had occurred earlier that year (between mid-May and July).
An initial investigation showed that an unauthorized party breached their system and accessed approximately 143 million U.S. consumers’ personal data. The information included names, Social Security Numbers, dates of birth, home addresses, and drivers’ license numbers. Another 209,000 records of credit card credentials were also compromised in the attack.
Chairman and CEO, Richard F. Smith made a public apology following the incident and assured viewers the problem was being handled. He then informed the viewers that a dedicated website had been established to help consumers determine if their information had been affected and to help them sign up for complimentary credit file monitoring and identity theft protection.
On September 15th, 2017, just 8 days after the breach was announced, Equifax published a new statement announcing the Chief Information Officer and Chief Security Officer were retiring from the company. Eleven days after their retirement, on September 26th, Equifax announced their CEO, Richard F. Smith would also be retiring from the company.
A final statement by the company, released on March 1st, 2018, stated that an additional 2.4 million U.S. consumer accounts had been compromised in the breach. This brought the number of affected accounts to 145.4 million. These new numbers were discovered when the company ran a search for not just the users’ Social Security Numbers, but also their driver’s license information.
(2014) – In late March of 2014, multinational e-commerce giant eBay Inc. urged 145 million of its users to change their passwords. They explained the company had fallen victim to a cybersecurity breach and hackers had stolen personal details from user accounts.
The information included email addresses, encrypted passwords, mailing addresses, dates of birth, and other account details that might’ve been on the site. The attack likely took place sometime between February and March of that same year. However, they did reassure the users that no financial information had been compromised.
Their subsidiary, PayPal, reported finding no evidence of unauthorized access to their data, which is encrypted and stored separately from eBay’s. The breach apparently originated when hackers compromised a small number of employee log-in credentials, giving them access to their corporate network.
Security experts were brought in to investigate the matter. Though information was leaked during the attack, eBay stated that, after extensive testing, no evidence of unauthorized activity for eBay’s users was reported. Nevertheless, they urged all users to change their passwords on the platform.
Security is a hot topic today, and given that our lives are being entwined with our devices more each passing day, it concerns everyone.
While companies and organizations remind their customers and users that security starts at the device and the person using it, companies should also set the gold standards for good security.
It can be easy to forget how much information large companies are actually holding onto. Without transparent policies by these companies for their users, we do not know where the next breach is likely to be and who will be affected.