With the GDPR deadline of 25 May 2018 looming, businesses are scrambling to ensure they are compliant with the biggest shake-up of data protection law since the 1995 Data Protection Directive, implemented in the UK as the Data Protection Act 1998. With this in mind, we look at 10 of the biggest data breaches, not to be confused with our list of the 10 biggest computer hacks, which looked at major intrusions into company systems. This handy post by Kevin Landt at Cygilant explains the difference between a hack and a breach.
1. Yahoo

We start with perhaps the biggest breach on this list. Yahoo suffered two separate intrusions: one in 2013, which it eventually admitted had compromised every one of its three billion user accounts, and a second in 2014 affecting around 500 million accounts. The attackers gathered real names, email addresses, dates of birth, telephone numbers, hashed passwords (many of them hashed with the weak MD5 algorithm) and security questions, and the stolen data was sold on the dark web.

Yahoo announced the breaches in 2016, while it was negotiating the sale of its core business to Verizon. The disclosure knocked an estimated $350 million off the sale price and, to rub salt into a very gaping and painful wound, it emerged that Yahoo had botched its response: its security team knew about the 2014 intrusion at the time, but the company did not investigate it properly or disclose it for two years.
2. eBay

Another entry where every single user account was exposed. In May 2014, auction giant eBay reported that attackers had accessed the names, addresses, dates of birth and encrypted passwords of all 145 million of the site's users.

The corporate network was compromised using the credentials of three eBay employees, which gave the attackers inside access for 229 days and eventually a route into the user database. eBay asked every customer to change their password, but was criticised at the time for poor communication and for a clumsy password-reset process. Stolen staff credentials remain one of the most common ways in, which is the case for multi-factor authentication on employee accounts and for monitoring of internal access to customer databases.
3. Equifax

If you are unsure who they are: Equifax is a consumer credit reporting agency holding information on over 800 million consumers and 88 million businesses worldwide, which makes it a hacker's heaven.

In September 2017, Equifax announced that a vulnerability in one of its web applications (an unpatched Apache Struts flaw, CVE-2017-5638, for which a fix had been available since March 2017) had led to a breach affecting around 147.9 million consumers in total. The initial announcement put the figure at 143 million and included the credit card details of 209,000 consumers. The intrusion is believed to have taken place between mid-May and July 2017. Since October 2017, hundreds of consumers have sued Equifax over the breach.
4. Uber

Probably the breach that best illustrates what the upcoming GDPR is designed to punish, and one the European courts would be licking their lips over.

In late 2016, two hackers accessed the names, email addresses and mobile phone numbers of 57 million Uber users, along with the driving licence numbers of 600,000 Uber drivers. They got in via a private GitHub repository used by Uber engineers, in which credentials for Uber's AWS account had been committed; red flag number one.

Uber did not announce the breach publicly until a year later (that is red flag number two), and in the meantime paid the hackers $100,000, routed through its bug bounty programme, to delete the data, with no way to verify that it was actually deleted. Yes, that is red flag number three. At the time of the announcement Uber was negotiating the sale of a stake to SoftBank, and analysts attributed a significant part of the roughly $20 billion drop in its valuation to the breach.
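The Uber entry turns on a secret committed to source control. Below is an added example, not Uber's code and not part of the original post, of the kind of check that catches this before a push: a small Python scanner that looks for AWS access key IDs and secret access keys (plus generic `password =` / `token =` style assignments) in file contents and reports redacted findings. The file names and contents are constructed for the example; the key values are the example credentials from AWS's own documentation, not live secrets, and the script name `scan_secrets.py` in the usage note is an assumed name.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample repository contents (path -> text). The key values are
# the example credentials from AWS's own documentation, not live secrets.
SAMPLE_REPO_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment before running.\n",
}

# Most specific patterns first; each captures the sensitive value as "secret".
PATTERNS = [
    ("aws_access_key_id",
     re.compile(r"\b(?P<secret>(?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}"
                r"(?P<secret>[0-9A-Za-z/+=]{40})\b")),
    ("generic_credential",
     re.compile(r"(?i)\b(?:password|passwd|secret|token)\s*[:=]\s*"
                r"['\"](?P<secret>[^'\"]{8,})['\"]")),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str


def redact(secret: str) -> str:
    """Keep just enough of the value to recognise it without reproducing it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 6) + secret[-2:]


def scan_text(path: str, text: str) -> list:
    """Return one Finding per distinct secret value per line of `text`."""
    findings = []
    seen = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                secret = match.group("secret")
                if (line_no, secret) in seen:  # same value hit by two patterns
                    continue
                seen.add((line_no, secret))
                findings.append(Finding(path, line_no, kind, redact(secret)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a {path: text} mapping and concatenate the findings in order."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. called from a git pre-commit hook with staged paths
        files = {p: open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]}
    else:
        files = SAMPLE_REPO_FILES
    found = scan_files(files)
    for f in found:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    sys.exit(1 if found else 0)  # non-zero blocks the commit
```

Run without arguments it scans the constructed sample and reports the two credentials in `config/settings.py` (the README line only mentions the variable name and is ignored). Wired into a pre-commit hook as `git diff --cached --name-only | xargs python scan_secrets.py`, a non-zero exit stops the commit. Mature tools such as gitleaks and truffleHog do the same job with far more patterns and entropy checks; the point here is that the check is cheap and belongs before the push, not after the incident.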
5. JP Morgan Chase
JPMorgan Chase is the largest bank in the United States. In summer 2014 it fell victim to a data breach that compromised the contact details of 76 million households and 7 million small businesses: names, addresses, phone numbers and email addresses (the bank said it had no evidence that account numbers, passwords or Social Security numbers were taken).

The attackers gained high-level administrative privileges on more than 90 of the bank's servers, which reportedly would have allowed them to carry out major functions such as transferring money and closing accounts. In November 2015, four men were charged over the JPMorgan hack, facing 23 counts including unauthorised computer access, identity theft, wire fraud and money laundering, in a scheme that netted them an estimated $100 million.
6. Sony’s PlayStation Network
I can’t relate because I’m an Xbox owner, but in April 2011 the PlayStation Network suffered the worst gaming-community data breach of all time. Sony took the network offline, preventing PlayStation 3 and PlayStation Portable owners from using it and the services it offers.

77 million accounts were compromised, around 12 million of which had credit card numbers on file; Sony said the card data was encrypted but that the other personal details were not. Sony put the cost at an estimated $171 million while the network stayed down for more than three weeks, and it compensated members with free games, discounts on many titles and other benefits to soften the blow. Three years later, in 2014, Sony agreed a preliminary $15 million settlement in a lawsuit over the breach.
7. Home Depot
Home Depot is basically America’s richer and bigger B&Q, which didn’t stop it falling victim in September 2014 to a data breach in which the credit and debit card details of 56 million customers were stolen. The attackers got in using a third-party vendor’s stolen username and password, then installed custom-built malware on point-of-sale systems in self-checkout lanes across the US and Canada, which captured card data as it was processed.

By March 2016 the breach had cost Home Depot as much as $179 million, including a settlement that compensated customers for their losses and paid for 18 months of identity protection services, along with legal fees and payments to banks and card issuers for the damages they claimed.
8. Adobe

In October 2013, at least 38 million users of software giant Adobe had their IDs and encrypted passwords accessed in a data breach that ended up costing Adobe $1.1 million in legal fees, with a further reported $1 million going to users.

Source code for several Adobe products, including its popular photo editing software Photoshop, was stolen in the same intrusion. A file containing around 150 million usernames and passwords later appeared online; 38 million of those were active accounts. The passwords were not hashed but encrypted with 3DES in ECB mode, and the password hints were stored in plaintext, so identical passwords produced identical ciphertext and one user’s hint could give away the password of everyone who shared it.
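To show why Adobe’s storage scheme was so damaging, here is an added example in Python (my code, not Adobe’s and not from the original post). An unsalted SHA-256 stands in for Adobe’s 3DES-ECB encryption, an assumption made so the block runs on the standard library alone: both are deterministic, so the same password always yields the same stored value, users can be grouped by stored value, and one readable hint unlocks the whole group. The second half stores passwords with salted PBKDF2-HMAC-SHA256 and verifies them with a constant-time comparison. The user records are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample records: (email, password, plaintext hint).
# Two users share a password, as many of Adobe's customers did.
USERS = [
    ("alice@example.com", "Summer2013!", "season + year"),
    ("bob@example.com", "Summer2013!", "same as my bank"),
    ("carol@example.com", "correct horse battery", "xkcd"),
]


def deterministic_store(password: str) -> str:
    """Assumption: an unsalted SHA-256 models Adobe's 3DES-ECB storage.

    Both map equal passwords to equal stored values; that property, not the
    particular cipher, is the defect demonstrated here."""
    return hashlib.sha256(password.encode()).hexdigest()


def group_by_stored_value(records):
    """Return {stored_value: [(email, hint), ...]} for values shared by 2+ users.

    With a deterministic scheme an attacker holding the dump needs only one
    readable hint per group to recover the password for every member."""
    groups = {}
    for email, stored, hint in records:
        groups.setdefault(stored, []).append((email, hint))
    return {k: v for k, v in groups.items() if len(v) > 1}


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 600_000) -> str:
    """Salted, slow, one-way storage: 'pbkdf2_sha256$<iters>$<salt>$<key>'.

    A fresh random salt per user means equal passwords no longer collide."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(("pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(key).decode()))


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, key_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(key, base64.b64decode(key_b64))


if __name__ == "__main__":
    weak = [(e, deterministic_store(p), h) for e, p, h in USERS]
    for stored, members in group_by_stored_value(weak).items():
        print("shared stored value", stored[:12] + "...", "->", members)
    strong = [(e, pbkdf2_store(p), h) for e, p, h in USERS]
    print("groups under salted PBKDF2:", group_by_stored_value(strong))
    print("alice verifies:", pbkdf2_verify("Summer2013!", strong[0][1]))
```

Under the deterministic scheme alice and bob land in one group, and bob’s hint "same as my bank" is enough to log in as alice too; under PBKDF2 with per-user salts the two records differ and each must be attacked separately, at 600,000 iterations per guess. In production you would reach for a dedicated library (bcrypt, scrypt or Argon2) rather than hand-rolling the format, but the salt-and-stretch principle is the same.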
9. Carphone Warehouse
In August 2015, mobile phone retailer Carphone Warehouse discovered an attack on its systems believed to have compromised the personal data of 2.4 million customers, with the encrypted card details of a further 90,000 customers also potentially affected.

Blame was placed on Carphone Warehouse’s out-of-date software and its failure to carry out routine security testing. The Information Commissioner’s Office (ICO) fined the company £400,000 for the breach, one of the largest penalties it had ever issued; the statutory maximum under the Data Protection Act 1998 is £500,000, a ceiling that disappears when GDPR comes into operation on 25 May.
10. MyFitnessPal

In March 2018, Under Armour, the parent company of the MyFitnessPal app, revealed that the usernames, email addresses and hashed passwords (most hashed with bcrypt, a minority with the weaker SHA-1) of around 150 million users had been stolen, which sent the company’s shares down 3%.

It has gone down as the third biggest breach to date by number of records stolen. Under Armour was applauded for notifying users just four days after learning of the incident, which, I suppose, is some consolation.
e-Careers offers cyber security courses to help you protect yourself and your organisation from data breaches and hacks. If you are also looking to meet the requirements of GDPR, our GDPR online course will give you the skills and knowledge you need to become GDPR compliant.