Which are the biggest Data Breaches?


Which are the biggest Data Breaches? (Part I)

━━━━━━━━━━━━━

It’s the top ten countdown no one wants to be on. Here’s our list of the 10 biggest data breaches of all time. You may be able to guess many of the companies featured on this list, but there might be a few surprises as well.


10. LinkedIn | 117 million


Cybercriminals absconded with email addresses and encrypted passwords for 117 million LinkedIn users in this 2012 data breach. The passwords were encrypted, right? No big deal. Unfortunately, LinkedIn used that darn SHA1 encryption we talked about earlier. 


And if you have any doubts that your stolen passwords are being decrypted, Malwarebytes Labs reported on hacked LinkedIn accounts being used in an InMail phishing campaign. These InMail messages contained malicious URLs that linked to a website spoofed to look like a Google Docs login page, through which cybercriminals harvested Google usernames and passwords.


Still better than that temp-to-perm ditch-digging job recruiters keep sending you.


9. eBay | 145 million


In early 2014, cybercriminals clicked “Steal It Now” when they broke into the network of the popular online auction site and pinched the passwords, email addresses, birth dates, and physical addresses for 145 million users.


One positive takeaway: financial information from sister site PayPal was stored separately from user information in a practice known as network segmentation (more on that later). This had the effect of limiting the attack and preventing criminals from getting to the really sensitive payment info.


8. Equifax | 145.5 million


The credit reporting company Equifax took a hard hit to their own “credit” score, at least in the eyes of American consumers, when the company announced they had experienced a data breach back in 2017. All of this could have been avoided if Equifax had just kept their software up-to-date.

Instead, hackers were able to take advantage of a well-known software bug and hack into the underlying software supporting the Equifax website. What makes the Equifax data breach so awful is not the size, though considerable; rather, it’s the value of the information stolen. The perpetrators made off with the names, birthdates, Social Security numbers, addresses, and driver’s license numbers for 145.5 million Americans.

Add to that approximately 200,000 credit card numbers and you get one of the worst data breaches in terms of sensitivity of the compromised data.


7. Under Armour | 150 million

Sports apparel company Under Armour’s slogan is “Protect This House.” Apparently, they didn’t take their own advice when their diet and exercise app MyFitnessPal was hacked in February of 2018. In the attack, cybercriminals managed to steal the usernames, emails and encrypted passwords for 150 million users. 

Under Armour did well to announce the data breach within a week of its discovery. On the flip side, the company used weak SHA1 encryption on some of the stolen passwords, meaning criminals could crack the passwords and reuse them on other popular websites.
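The LinkedIn and Under Armour entries both come down to how the passwords were stored. SHA-1 is a fast hash function, and without a per-user salt every account with the same password stores the same digest. The sketch below is an added example, not code from either company; the sample accounts, function names and iteration count are assumptions made for illustration. It puts unsalted SHA-1 beside salted PBKDF2 from Python's standard library.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware

# Constructed sample accounts (not real data); two users share a password.
USERS = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "tr0ub4dor&3"}


def sha1_unsalted(password):
    """Weak scheme: a single fast SHA-1 pass with no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password, salt=None):
    """Stronger scheme: per-user random salt plus a slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(pbkdf2_salted(password, salt)[1], expected)


def users_sharing_a_digest(stored):
    """Return groups of users whose stored digest is byte-for-byte identical."""
    groups = defaultdict(list)
    for user, digest in stored.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def store_weak(users):
    return {u: sha1_unsalted(p) for u, p in users.items()}


def store_strong(users):
    return {u: pbkdf2_salted(p) for u, p in users.items()}  # value is (salt, digest)


if __name__ == "__main__":
    print("unsalted SHA-1 collisions:", users_sharing_a_digest(store_weak(USERS)))
    strong = {u: d for u, (_, d) in store_strong(USERS).items()}
    print("salted PBKDF2 collisions: ", users_sharing_a_digest(strong))
```

With the unsalted scheme, anyone holding the dump can see that alice and bob chose the same password; with a random salt per user the stored digests no longer match, and each guess costs the full iteration count.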

Which are the biggest Data Breaches? (Part II)
━━━━━━━━━━━━━

1. Yahoo—again | 3 billion


Yahoo has the embarrassing distinction of being the only company to make our list of biggest data breaches twice. To add insult to injury, Yahoo also takes the top spot. In August of 2013, cybercriminals stole data on every Yahoo user in the world—all three billion of them. The sheer size of the data breach is difficult to fathom. 


Over one-third of the world’s population was affected. When the attack was first revealed in 2016, Yahoo claimed only one billion of its users were affected by the data breach, changing the figure to “all Yahoo user accounts” less than a year later.


The timing couldn’t have been worse. At the time Yahoo revealed the updated data breach numbers, the company was in negotiations to be acquired by Verizon. News of the data breach allowed Verizon to scoop up Yahoo at a fire sale price. Yahoo was acquired by Verizon in 2017.

Data Breach Laws
━━━━━━━━━━━━━

It seems like we’re reading about another data breach with every news cycle. Are data breaches increasing in frequency or is something else going on? 

One possible reason for the increase in data breaches (at least the appearance of an increase) is growing regulation around how we communicate data breaches.

Since the start of the millennium, governments all over the world have put laws into place that require companies and organizations to make some sort of disclosure after experiencing a data breach. 

In years past, by contrast, compromised parties could sit on the knowledge of a data breach for as long as they wanted.

In the United States there is no national law overseeing data breach disclosures. However, as of 2018, all 50 US states have data breach laws on the books. 

Those laws vary from one state to the next, but there are some commonalities. Namely, any organization at the center of a data breach must take the following steps:

• Let the people affected by the data breach know what happened as soon as possible.

• Let the government know as soon as possible; usually that means notifying the state’s attorney general.

• Pay some sort of fine.

As an example, in 2003 California became the first state to regulate data breach disclosures. Persons or businesses at the center of a data breach must notify those affected “without reasonable delay” and “immediately following discovery.”

Victims can sue for up to $750 while the state’s attorney general can impose fines of up to $7,500 for each victim. Similar laws have been enacted in the European Union and throughout the Asia Pacific region.

Facebook is the first large tech company to allegedly run afoul of the EU’s General Data Protection Regulation (GDPR) after it announced a software bug gave app developers unauthorized access to user photos for 6.8 million users.

Facebook didn’t report the breach for two months—about 57 days too late, as far as the GDPR is concerned. As a result, the company may have to pay up to $1.6 billion in fines.
