ITSM | 13 MIN READ

The 10 Worst IT Security Fails in World History

Data security breaches have, unfortunately, become a common occurrence during the past decade. Despite innovation in cybersecurity and encryption technology, hackers and sinister software continue to put consumers' personal data at risk.

Jump to the main takeaways:

 10. Uber (2016)
 9. TJX Companies, Inc. (2006)
 8. Target Stores (2013)
 7. Heartland Payment Systems (2008)
 6. Equifax (2017)
 5. eBay (2014)
 4. Twitter (2018)
 3. FriendFinder Network (2016)
 2. Marriott International (2014-2018)
 1. Yahoo (2013-2014)
 What Have We Learned?


Nowhere is this lack of protection more evident than in the world of corporate IT service management and data security. Contrary to what you may expect or believe, some of the world’s largest tech and media companies have been victimized by the most notorious data-related crimes of the century.

In this blog post, I’m bringing you a Top 10 list (I'm not sure "top" is a great adjective to be using here, but anyways) that sheds some light on these cybersecurity fails. These rankings are based on the severity of the breaches themselves and the sensitivity of the information that allegedly fell into the hands of hackers.

Let’s dive in and reminisce about data security debacles that many tech giants and consumers alike would rather forget.


10. Uber (2016)

To kick things off, let's take a look at the very public security lapse from ridesharing behemoth, Uber.

In November 2016, it was revealed that data belonging to 57 million Uber users and at least 600,000 drivers had been exposed. The data was apparently restricted to names, email addresses, phone numbers, and driver’s licenses, so no credit card or social security information was affected.

The main reason that the Uber incident was so cringeworthy lies in how the company publicly dealt with the event. As per this bombshell Bloomberg report, Uber not only tried to bury the hack for more than a year but also paid the attackers $100,000 to delete the stolen data, rather than report the incident.

The best (and, by best, I mean worst) part? The company had no way of verifying that the hackers had honored their end of the deal after paying. 

The company’s CSO, Joe Sullivan, was fired following this revelation, as Uber tried to put the blame squarely on his shoulders. Analysts say the breach also played a significant role a month later when the startup’s valuation dropped from $68 billion down to $48 billion. In 2018, Uber agreed to fork over $148 million in connection with the hack.


9. TJX Companies, Inc. (2006)

As far as credit card security breach cases go, the TJX incident is still one of the most notorious.

The initial data theft took place during the 2006 holiday shopping season. In March 2007, TJX Companies Inc., the conglomerate that owns retail brands like Marshall’s, Home Sense and TJ Maxx, revealed that 46 million customers had their credit card information compromised during the attack.

Unfortunately, things got much worse. In October of that year, court filings indicated that more than 94 million consumers had been affected by the data breach, nearly double the original estimate.

According to the Wall Street Journal, outdated, weak digital security measures left TJX retailers vulnerable to wireless hacking. The report explained that “the $17.4-billion retailer’s wireless network had less security than many people have on their home networks, and for 18 months the company had no idea what was going on”.

Prosecutors eventually got their man, with a jury sending hacker ringleader Albert Gonzalez to prison for 20 years. At the time of the ruling, Gonzalez’s sentence was the harshest punishment ever handed out for hacking or identity theft in the United States.


8. Target (2013)

During the 2013 holiday shopping season, Target, one of the most successful retail brands in the United States, was targeted by hackers who were after their customers' personal information.

According to USA Today, more than 41 million payment accounts were affected by the enormous data breach. Ensuing investigations revealed that the attackers accessed Target's computer gateway using stolen third-party vendor credentials before installing malware on the customer database system.

The malware was able to capture full names, phone numbers, credit card numbers, credit card verification codes, and more. With sensitive data exposed, Target was taken to court and forced to pay a combined $18.5 million to 47 states and the District of Columbia, on top of a reported $202 million in legal fees and expenses associated with the hack.

"Companies across sectors should be taking their data security policies and procedures seriously,” Connecticut Attorney General George Jepsen told USA Today. “Not doing so potentially exposes sensitive client and consumer information to hackers.”


7. Heartland Payment Systems (2008)

Two years after the TJX incident, Heartland Payments was the victim of a digital security breach that, at the time, was the worst of its kind on record.

Reports say the credit and debit card processing service provider had their system broken into by unknown hackers. The attackers used “sniffer software” to skim and capture payment information, including card numbers and expiration dates, during the minuscule delay period when Heartland sought authorization from lenders and banks.

At the time of the attack, the company processed more than 100 million card transactions per month. Sensitive personal information, such as social security numbers and PINs, was not exposed by the data breach. Unfortunately for Heartland, that’s where the good news ended.

The company paid dearly for the incident. It took them mere months to accrue over $139 million in expenses related to the breach, including a $60 million settlement with Visa and a $3.5 million settlement with American Express.


6. Equifax (2017)

The Equifax debacle is definitely one of the more infamous blunders on our list, partly because the story recently reached a conclusion of sorts for consumers.

In 2017, it was reported that a massive data breach of Equifax's system exposed the personal information of an estimated 143 million Americans, more than 40% of the country’s population. Sensitive information, such as names, social security numbers, addresses, and driver’s licenses, was all compromised in the theft.

Because Equifax aggregates consumer data to report on credit activity to various industry agencies, the ripple effect from the breach extended north of the U.S. border as well, with an estimated 100,000 Canadians affected.

Closure for consumers came in 2019, when it was announced that Equifax would pay up to $700 million in settlements and legal fees stemming from the attack. Here are the financial details, as per The Associated Press:

“The settlement with the U.S. Consumer Financial Protection Bureau and the Federal Trade Commission, as well as 48 states and the District of Columbia and Puerto Rico, would provide up to $425 million in monetary relief to consumers, a $100 million civil money penalty, and other relief [...] All impacted consumers would be eligible to receive at least 10 years of free credit-monitoring, at least seven years of free identity-restoration services [and] all U.S. consumers may request up to six free copies of their Equifax credit report during any 12-month period.”


5. eBay (2014)

Online retail and auction giant eBay was the target of a major cyberattack in May 2014 that forced them to urge their users to reset their passwords.

Though there was no evidence of unauthorized use of eBay user accounts or exposed payment information, the data breach compromised a database that, according to reports, contained encrypted passwords and other personal, non-financial data.

Hackers also stole password information from a handful of eBay employees, allowing them to gain access to the company's corporate network. All told, the breach affected around 145 million users, with later accounts revealing that the attack went unnoticed for a month.

eBay also spent several weeks investigating internally before disclosing details publicly.

Despite the absence of any overt theft of financial information, the attack could still enable the perpetrators to commit fraud. "Lots of attack scenarios can be devised when you know the email address number and home address for 145 million people,” security analyst Tyler Shields told BankInfo Security.


4. Twitter (2018)

This list item may not sound as serious at first but, as one of the most-used social networking platforms in the world, Twitter's password snafu ranks among the scariest data security moments of the decade.

Twitter explained how events unfolded on their blog as follows:

“We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password [...] Due to a bug, passwords were written to an internal log before completing the hashing process [...]”

Just to be clear: When they say internal log, we’re talking plain text files that were stored without any real security provisions.

As per The Verge, the company didn’t reveal how many passwords were exposed as part of the bug. Instead, they resorted to a response similar to eBay’s and advised their 330 million users that they should change their login credentials. It's further proof that major data breaches can happen anywhere, even without any hacker activity.
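The Twitter quote above describes the right design (hash the password, store only the hash) undone by a logging path that saw the value before the hash step. Below is an added example, not Twitter's code, of the two controls a defender wants here: a password-hashing routine and a log filter that redacts credential fields so a stray log statement cannot leak plaintext. Twitter says it uses bcrypt; bcrypt is not in the Python standard library, so this example substitutes hashlib's PBKDF2-HMAC-SHA256 to stay runnable offline. The logger name, the `RedactSecretsFilter` class, the iteration count and the sample user are all assumptions constructed for the demo.

```python
"""Added example (not Twitter's code): hash-before-store plus a log
redaction guard.  PBKDF2-HMAC-SHA256 stands in for bcrypt here because
bcrypt is not in the standard library; the filter and logger setup are
hypothetical."""
import hashlib
import hmac
import logging
import os
import re
from io import StringIO
from typing import Optional

# Assumption: iteration count in the range commonly recommended for SHA-256 PBKDF2.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2$<iters>$<salt-hex>$<hash-hex>'.  The plaintext is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iters, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Matches 'password=<value>' style pairs; the value runs until the next
# 'key=' token or end of line, so passwords containing spaces are fully covered.
SECRET_KV = re.compile(
    r"(?i)\b(password|passwd|pwd|token|secret)\s*[=:]\s*.*?(?=\s+\w+\s*[=:]|$)"
)


class RedactSecretsFilter(logging.Filter):
    """Rewrite credential fields in every record before any handler emits it."""

    def filter(self, record: logging.LogRecord) -> bool:
        rendered = record.getMessage()          # apply %-args first, then scrub
        record.msg = SECRET_KV.sub(lambda m: f"{m.group(1)}=<redacted>", rendered)
        record.args = ()
        return True


def register_user(username: str, password: str, users: dict, logger: logging.Logger) -> str:
    """Store only the hash.  The log call mirrors the bug class in the quote:
    the raw request is logged before hashing, so the filter must catch it."""
    logger.info("register request: user=%s password=%s", username, password)
    users[username] = hash_password(password)
    return users[username]


def demo() -> dict:
    """Run one registration against an in-memory log sink and report what leaked."""
    sink = StringIO()
    logger = logging.getLogger("auth-demo")        # hypothetical logger name
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(sink)
    handler.addFilter(RedactSecretsFilter())
    logger.addHandler(handler)

    users: dict = {}
    plaintext = "correct horse battery staple"    # constructed sample password
    stored = register_user("alice", plaintext, users, logger)
    log_text = sink.getvalue()
    return {
        "log_text": log_text,
        "plaintext_in_log": plaintext in log_text,
        "plaintext_in_store": plaintext in stored,
        "verify_ok": verify_password(plaintext, stored),
        "verify_wrong": verify_password("not the password", stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The filter sits on the handler rather than in the application code on purpose: the bug in the quote was a single code path that logged too early, and a handler-level guard covers every path that reaches that handler, including ones nobody remembered to audit.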


3. FriendFinder Network (2016)

The online adult and dating site parent company, with over 49,000 websites in their network, was the target of one of the largest data breaches in history, with 412 million user accounts affected.

Sites that fell victim to this hack make up what is considered to be the biggest online sex community in the world, including brands like AdultFriendFinder, Cams.com and Penthouse. By comparison, the messy Ashley Madison data scandal affected just over 32 million users.

As reported by Leaked Source, the FriendFinder data breach was carried out through a local file inclusion exploit, which allowed the hackers to gain access to a huge bounty of user data.

Interestingly enough, FriendFinder Network was notified of weaknesses in their security infrastructure just a couple of days before the leak took place and allegedly did nothing about it.

The screw-up also exposed several unseemly practices that the company was guilty of at the time, including retaining user data for at least one site that they no longer owned, storing passwords in vulnerable formats such as plain text, and keeping the email addresses of over 15 million users who had deleted their accounts.
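Local file inclusion, the bug class named above for FriendFinder, comes down to a request parameter being turned into a filesystem path without a check. As an added example (not FriendFinder's code, and with no knowledge of their actual application), here is the unchecked pattern beside a hardened resolver: the name is matched against a strict allowlist, then the resolved path is confirmed to still sit inside the intended directory. The directory layout and request names are constructed in a temporary directory so the demo runs offline.

```python
"""Added example (not FriendFinder's code): guarding a file-include
parameter against local file inclusion.  The page tree is constructed
under a temp directory; there is no web framework here, only the
include-resolution logic a request handler would call."""
import re
import tempfile
from pathlib import Path

# Allowlist: a short alphanumeric name plus one fixed extension.  No path
# separators, no '..', no null bytes can satisfy this pattern.
PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.html$")


def include_unsafe(base_dir: Path, name: str) -> str:
    """The pattern behind LFI: the request value becomes the path unchecked."""
    return (base_dir / name).read_text()


def resolve_include(base_dir: Path, name: str) -> Path:
    """Return the file to include or raise ValueError.  Defence in depth:
    allowlist the name first, then verify the *resolved* path (symlinks
    followed, '..' collapsed) is still under base_dir."""
    if not PAGE_NAME.fullmatch(name):
        raise ValueError(f"rejected include name: {name!r}")
    base = base_dir.resolve()
    target = (base / name).resolve()
    if base not in target.parents:
        raise ValueError(f"include escapes base directory: {name!r}")
    if not target.is_file():
        raise ValueError(f"include not found: {name!r}")
    return target


def include_safe(base_dir: Path, name: str) -> str:
    return resolve_include(base_dir, name).read_text()


def build_demo_tree() -> Path:
    """Constructed layout: <tmp>/pages/about.html is public, <tmp>/secret.txt is not."""
    root = Path(tempfile.mkdtemp())
    pages = root / "pages"
    pages.mkdir()
    (pages / "about.html").write_text("<h1>About</h1>")
    (root / "secret.txt").write_text("not for the web")
    return root


def demo() -> dict:
    """Exercise both resolvers against a legitimate name and several bad ones."""
    root = build_demo_tree()
    pages = root / "pages"
    results = {"legit": include_safe(pages, "about.html")}
    bad_names = [
        "../secret.txt",                    # classic traversal
        "about.html/../../secret.txt",      # traversal hidden behind a valid prefix
        str(root / "secret.txt"),           # absolute path
        "about.html\x00.txt",               # null byte after a valid-looking name
    ]
    for bad in bad_names:
        try:
            include_safe(pages, bad)
            results[bad] = "ALLOWED"
        except ValueError:
            results[bad] = "blocked"
    # The unchecked variant serves the file outside pages/ (constructed tree only).
    results["unsafe_escape"] = include_unsafe(pages, "../secret.txt")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value!r}")
```

The allowlist alone would block every bad name in the demo; the `resolve()`-and-parents check is kept anyway so that a later change to the allowlist (say, permitting subdirectories) does not silently reopen the hole.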


2. Marriott International (2014-2018)

In 2018, Marriott International, one of the world's most visible hotel brands, revealed that there had not only been unauthorized access to their Starwood guest reservation database but that this activity had been going on for several years.

According to Forbes, the corporation had consulted with security experts and determined that hackers had copied and encrypted information from that database, compromising the personal data of an astonishing 500 million guests. The exposed data included names, addresses, and passport numbers.

The fallout, as you'd expect, was vicious. The resulting class-action lawsuit led to their share price dipping nearly 6%. Democratic Senators Chuck Schumer and Elizabeth Warren publicly laced into the company for failing to take consumer data protection seriously. The corporation was also hit with a $124 million fine by UK GDPR regulators.

As for how and why it took Marriott four years to isolate the unauthorized activity, there doesn’t seem to be a good answer. "With all the resources they have," said intelligence researcher Andrei Barysevich, "they should have been able to isolate hackers back in 2015."


1. Yahoo (2013-2014)

Finally, we come to the lowest of all modern data security horror stories: the Yahoo breach.

The 2013 cyberattack, which was first disclosed in 2016, affected every single Yahoo account, including those belonging to other company properties like Flickr and Tumblr. That’s 3 billion user accounts in total. Names, email addresses, and passwords were among the data exposed, though no financial information was stolen.

This theft incident was followed by another breach in 2014, one that affected another 500 million users. The Department of Justice indicted four Russian men in connection with the latter attack in 2017; however, the company said it may never know what exactly was affected by the 2013 breach.

Yahoo recently reached a class-action lawsuit settlement totaling more than $117 million after previously being rebuffed by a California judge when they first offered $50 million. Apart from the settlement fund, the company agreed to make a “significant financial investment” in improvements to their security infrastructure.

Most notably, the 2013 and 2014 breaches stalled negotiations that had been ongoing between Verizon and Yahoo brass on a purchase deal. The original $4.8 billion price tag was whittled down to $4.48 billion after the cyberattacks were made public. In other words, lackadaisical security measures cost Yahoo a reported $350 million.


What Have We Learned From All This?

I’m not going to lie to you. Serious data breaches happen on the regular. In fact, as I was writing this piece, it was reported (by Yahoo, because irony is great) that the latest cybersecurity scandal in the news involving Capital One could cost them $125 million, user data exposure notwithstanding.

What’s the moral of the story? Well, for businesses, it’s to invest a proper amount of resources into security measures and data protection. It doesn’t matter what industry you’re operating in or the amount of user information you’re storing: big data is the most valuable money-making asset in the world, and therefore very attractive to thieves.

You don’t want to put yourself in a vulnerable position.

For consumers, it’s taking adequate measures to protect your data and limit opportunities for unintentional exposure and identity theft. Use password best practices and multi-factor identification options that are offered by the majority of online service providers, and educate yourself on which corporations are taking steps to protect your personal data and which are not.

With security firms being in high demand these days, there’s hope that some legacy digital systems and those using them can be brought up to speed in our increasingly volatile online world. That said, you can never be too careful. Just ask Yahoo. Or anyone else we mentioned.

At Riada, we take data privacy and security very seriously. To find out more about how we protect your personal data as a customer and user of our Insight app for Jira, click the link below.

How We Protect Your Data

Originally published Aug 1, 2019 12:00:00 PM

Topics: ITSM