The Great Data Breaches: Tales of Cybersecurity Misadventures
Data breaches are a nightmare of the digital age that have plagued companies and organizations around the world in recent years. With cybercriminals constantly evolving their tactics, no one is safe from the threat of a data breach. While this list can go on and on we’ve narrowed it down to some of the most well known breaches to date.
Let’s take a look at some of the most notable data breaches that have occurred in the past decade, and the lessons we can learn from them!
Equifax: The One That Got Away
In 2017, Equifax, one of the largest credit reporting agencies, suffered a breach that exposed the personal information of 147 million people, including names, birthdates, Social Security numbers, and other sensitive data. Equifax system administrators discovered that attackers had gained unauthorized access via the Internet to the online dispute portal that maintained documents used to resolve consumer disputes. In a statement released, Equifax writes, “The attack vector used in this incident occurred through a vulnerability in Apache Struts (CVE-2017-5638), an open-source application framework that supports the Equifax online dispute portal web application. Based on the company’s investigation, Equifax believes the unauthorized accesses to certain files containing personal information occurred from May 13 through July 30, 2017.”
This was a huge blow for the credit industry, as it exposed flaws in the system that allowed unauthorized access to sensitive personal information. It also highlighted the need for companies to invest in cybersecurity measures to protect their customers’ data.
Yahoo: Twice Bitten, Thrice Shy
In 2013 and 2014, Yahoo experienced two separate data breaches and every user who had a Yahoo account was likely affected by its massive hack. The stolen information included names, email addresses, phone numbers, dates of birth, and security questions and answers. The sheer scale of this breach was unprecedented, and many companies lack the ability to collect and store all network activity that could be used to trace a hacker’s steps, making it difficult to investigate data breaches. This was highlighted by the Yahoo breach in 2013 and 2014, where investigators struggled to follow the hackers’ tracks due to a lack of network activity data.
Marriott: A Wake Up Call
In 2018, Marriott International, one of the world’s largest hotel chains, suffered a data breach that exposed the personal information of 500 million customers. In a company statement, Marriott explains that they “learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.” The breach at Marriott International exposed the personal information of approximately 500 million customers who made a reservation at a Starwood property. The stolen information included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Some guests’ payment card numbers and expiration dates were also compromised, but they were encrypted using AES-128. This breach was a wake-up call for the hospitality industry, which has traditionally lagged behind other sectors in cybersecurity. It highlighted the importance of designing security measures into products and services from the outset, rather than bolting them on as an afterthought.
Target: The Target of Cybercrime
In 2013, Target, a major U.S. retailer, experienced a breach that affected 110 million customers. This was one of the earliest and most widely publicized data breaches. Prior to this event, cybersecurity was not given the same level of attention as it is today. The professional practices that many businesses implemented in response to this event likely prevented numerous data breaches from occurring. The breach began when a third-party contractor for Target, Fazio Mechanical Services, fell victim to a spear phishing attack. The hackers then used the stolen credentials to access Target’s corporate network and install malware on Target’s POS devices. Target’s security team received a notice for a generic threat but did not act on the warning. The breach wasn’t detected until three days later, and the US Department of Justice uncovered the scope of the danger on December 12th. The hackers gained access to data including full names, phone numbers, email addresses, payment card numbers, and credit card verification codes. This breach was a turning point in the battle against cybercrime, as it demonstrated that even the biggest companies were vulnerable to attack. It also highlighted the need for companies to invest in cybersecurity measures and to take a proactive approach to threat detection and response.
Capital One: A Capital Mistake
In 2019, Capital One experienced a breach after an outside individual obtained unauthorized access to personal information of about 100 million US customers and 6 million Canadian customers. Capital One explained that they discovered this security incident after the configuration vulnerability was reported to Capital One by an external security researcher through their Responsible Disclosure Program on July 17, 2019. The accessed information included personal information collected from credit card applications, such as names, addresses, and self-reported income, as well as customer status data, credit scores, and transaction data from 23 days in 2016-2018. Additionally, the individual obtained about 140,000 Social Security numbers and 80,000 linked bank account numbers of secured credit card customers. This incident underscores the importance of securing sensitive financial data and having strong cybersecurity policies, including employee training and regular security audits.
eBay: Buy and Beware
In 2014, eBay experienced a massive data breach that affected all 145 million users at that time. The hackers were able to access encrypted passwords and personal details of customers, including names, email addresses, phone numbers, and physical addresses. As a result, eBay was forced to ask all of its users to change their passwords in a surprising turn of events. In many instances, hackers may unscramble encrypted passwords and then use automated softwares that logs into thousands of popular social media sites and banking accounts. At the time, eBay faced extreme criticism for its slow response and poor communication with affected customers following the massive data breach. This incident highlights the importance of swift action and proactive communication with customers in the aftermath of a data breach. Even more importantly, it was a lesson in the importance of password hygiene and the need for companies to implement strong password policies, such as two-factor authentication.
Anthem: The Healthcare Hack
In 2015, Anthem, one of the largest health insurance companies in the U.S., announced that it suffered a breach that exposed the personal information of 80 million customers, including names, birthdates, Social Security numbers, and other sensitive data. How did it happen? According to the investigative report, the Anthem data breach began in February 2014 when a user in one of the company’s subsidiaries opened a phishing email containing harmful content. This led to the download of malicious files and remote access to the user’s computer, as well as dozens of other systems within the Anthem enterprise, including the company’s data warehouse. The attacker was able to move laterally across Anthem systems and escalate privileges, ultimately compromising at least 50 accounts and 90 systems. This resulted in access to approximately 78.8 million unique user records after querying the data warehouse. This breach was a stark reminder of the importance of securing sensitive healthcare data, which is highly sought after by cybercriminals. It also highlighted the need for companies to invest in cybersecurity measures and to take a proactive approach to threat detection and response.
Microsoft Exchange: The Latest Threat
In 2021, Microsoft Exchange email servers were attacked, affecting 60,000 companies worldwide. The hackers were able to exploit four zero-day vulnerabilities, which allowed them to gain unauthorized access to emails from small businesses to local governments. They took advantage of a few coding errors over three months to take control of vulnerable systems. Once they gained access, they could request data, deploy malware, use backdoors to gain access to other systems, and ultimately take over the servers. Many people assumed that the requests were legitimate because they looked like they came from the Exchange servers themselves. Although Microsoft was able to patch the vulnerabilities, owners of individual servers that didn’t update their systems would still be vulnerable to the exploit. Because the systems weren’t on the cloud, Microsoft couldn’t immediately push a patch to fix the issues. In July 2021, the Biden administration, along with the FBI, accused China of the data breach. Microsoft followed suit and named a Chinese state-sponsored hacker group, Hafnium, as the culprit behind the attack.
These are just a few of the largest data breaches in the past decade, and there have been many others affecting a range of industries and types of organizations. The lessons we can learn from these breaches are clear: companies need to take cybersecurity seriously and implement robust security measures to protect their customers’ data. By staying informed and investing in the latest cybersecurity technologies, we can help to prevent the next big data breach.