With all of the data breach stories in the press, it can seem as if a new data breach happens every week. In fact they are far more frequent than that: on average, 291 records are compromised every second. And although the majority of these breaches are by definition ‘small,’ most years produce a standout breach, such as the Facebook and Equifax breaches in 2018.
Major data breaches became more frequent from around 2005, when DSW Shoe Warehouse was the victim of a data breach that exposed up to 1.4 million credit card numbers. That’s not to say there weren’t any breaches before that: George Mason University, for example, had suffered a data breach in January of the same year, but it affected only 32,000 students.
We’re not here to go over the smallest security incidents, important as they are. Every year a new data breach takes the top spot, whether in terms of money lost or the amount of data stolen, so we’ll be looking at the 7 Biggest Data Breaches in the History of Technology.
1. Yahoo – 3 Billion Users, $118 Million
In July 2016, it was reported that every Yahoo user had been affected by a data breach that took place in August 2013. Yes, all three billion users. To this day it remains the largest data breach in history. The news came months after Verizon paid $4.48 billion for Yahoo’s internet properties.
Yahoo was ordered by a court to pay $117.5 million as a result of this breach. That makes the Yahoo hack not only the world’s biggest (by number of people affected) but also, at the time, the most expensive. The identity of the hacker behind the breach is unknown, although several sources point to “Peace,” a well-known dark web data merchant.
2. Marriott – 500 Million Users, $72 Million
Marriott was hit by a data breach in 2014 that has cost the company $72 million so far, with costs expected to rise in future quarterly reports. It began when an analyst opened malware attached to an email; the malware then spread across the network and stole customer details.
Ironically, Marriott was estimated to have received $71 million in insurance reimbursements as a result of the breach, meaning its net loss is only $1 million.
That also goes to show how important it is to be covered… although their new insurance rate will no doubt teach them a lesson!
3. FriendFinder – 412 Million Users, $70 Million
In 2016, the adult website network FriendFinder Networks was hacked through a local file inclusion (LFI) vulnerability, which allowed the attackers to execute code remotely and reach the site’s database.
A total of 412 million users were affected across FriendFinder Networks’ many adult websites, costing the organisation an estimated $70 million. The company had filed for Chapter 11 bankruptcy in September 2013, so it would not be surprising if this hack finished it off.
To make matters worse, according to LeakedSource, “the company either stored user passwords in plaintext, with no security, or hashed them using the notoriously weak SHA1 algorithm.”
In other words, in many cases FriendFinder stored its customers’ passwords in its database with no protection at all, making it trivial for attackers to use them once stolen. Where passwords were protected, they were hashed with SHA-1, which has been shown to be unreliable.
Folks, don’t store your passwords in plaintext!
4. MySpace – 360 Million Users, $20 Million
MySpace, a social networking platform that is now defunct (at least in terms of popularity), was the victim of a data breach in which the data of over 360 million users and 427 million passwords were stolen, although the data was already obsolete by the time the site relaunched in 2013 with improved protection. At the time, this was the biggest data breach any corporation had ever experienced.
5. LinkedIn – 165 Million Users, $1 Million
LinkedIn announced in June 2012 that it had been the victim of a data breach that resulted in damages of up to $1 million.
How the hackers got into the site is unclear, but the damage was magnified because the data they accessed was not properly protected: the user passwords were hashed with SHA-1 without a salt, and SHA-1 has since been shown to be insecure.
6. Equifax – 145 Million Users, $1.4 Billion
Who could ignore the Equifax data breach?
Equifax, a data processing firm that specialises in providing credit scores, was hacked in May 2017, affecting more than 150 million Americans.
Despite the breach’s price tag of roughly $1.4 billion, many argue that it could have been avoided altogether: the attackers got in through a web application flaw for which a patch had been available since March of that year… two months before the breach.
7. Heartland Payment Systems – 130 Million Users, $140 Million
It would be a crime (pun intended!) not to include the 2009 Heartland Payment Systems data breach on this list, as it was the largest data breach to hit an American company.
Because it struck a payment systems provider, this breach was costlier than most: in addition to personal data, financial information such as debit and credit card details was compromised. Over 130 million debit and credit cards were reportedly exposed, resulting in a $140 million loss.
What We’ve Learned: How Do You Defend Your Company From Similar Attacks?
While breaches will always be with us in the cyberworld, you can take steps to protect yourself from them. As the list above shows, data breaches can cost companies millions, if not billions, of dollars. What’s more, some of these attacks, such as those on Equifax and LinkedIn, should have been avoided. Here are several steps you can take to minimise the chances of your business being hacked:
- Keep applications up to date with the latest patches – Equifax lost $1 billion because of an out-of-date web application.
- Put employees through cybersecurity training – Marriott lost $72 million because someone opened an infected email.
- Hash passwords and encrypt data to modern standards – FriendFinder was fined over $70 million for storing passwords in plaintext and using an obsolete hashing algorithm (SHA-1). Had it used a newer one, such as SHA-2, the number would have been substantially lower.
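The password-storage point raised for FriendFinder and LinkedIn above (unsalted SHA-1, or no hashing at all) and the third lesson in this list, illustrated by an added Python example that is not from the original article or from any of the companies named. It contrasts a legacy store of unsalted SHA-1 digests with a salted, iterated PBKDF2-HMAC-SHA256 store, using only the standard library; the sample users, the common-password list and the iteration count are constructed assumptions. One caveat the lesson glosses over: swapping SHA-1 for SHA-2 on its own is not enough, because both are fast, unsalted hashes. The protection comes from a fresh per-user salt (so equal passwords no longer give equal digests and precomputed tables are useless) and from deliberately slow iteration.

```python
"""Added example: why unsalted SHA-1 (or plaintext) password storage fails,
next to a salted, iterated scheme. Standard library only."""
import hashlib
import hmac
import os

# Constructed sample data, not from any real breach: two users share a password.
SAMPLE_USERS = {
    "alice": "password123",
    "bob": "password123",
    "carol": "correct horse battery staple",
}

# Constructed common-password list. Anyone can hash such a list once and then
# match every unsalted digest in a leak by table lookup, with no per-user work.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty", "letmein"]

# Assumption: the iteration count is tunable; ~600k is the order of magnitude
# currently recommended for PBKDF2-HMAC-SHA256. Adjust to your login latency budget.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1(password: str) -> str:
    """The scheme the breached sites used: one unsalted SHA-1 over the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_legacy_store(users: dict) -> dict:
    """Username -> unsalted SHA-1 digest, as a legacy application would store it."""
    return {name: legacy_sha1(pw) for name, pw in users.items()}


def shared_digest_users(store: dict) -> int:
    """Number of accounts whose digest also belongs to another account.
    Without a salt, equal passwords give equal digests, so recovering one
    password unlocks every account that shares it."""
    counts = {}
    for digest in store.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sum(c for c in counts.values() if c > 1)


def audit_unsalted_store(store: dict) -> int:
    """How many stored digests a precomputed common-password table recovers.
    This is the check a defender runs on a legacy table to size the exposure."""
    table = {legacy_sha1(pw): pw for pw in COMMON_PASSWORDS}
    return sum(1 for digest in store.values() if digest in table)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; returns a self-describing record."""
    salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count, bad hex or bad int
        return False


if __name__ == "__main__":
    legacy = build_legacy_store(SAMPLE_USERS)
    print("accounts sharing a digest:", shared_digest_users(legacy))   # 2
    print("recovered by table lookup:", audit_unsalted_store(legacy))  # 2
    record = hash_password("password123")
    print("verify correct password:", verify_password("password123", record))  # True
    print("verify wrong password:  ", verify_password("password124", record))  # False
```

Running the module shows that alice and bob end up with identical SHA-1 digests and that both are matched by the tiny common-password table, while two PBKDF2 records for the same password differ because each carries its own salt. The record format stores the algorithm and iteration count alongside the salt, so the count can be raised later without breaking verification of older entries.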