Cybersecurity failures have become an unfortunate reality of the digital age. Although defensive technology has improved over the years, hackers and malware continue to threaten consumer data.
In recent years, data breaches have grown in both frequency and the number of individuals affected. A look at the 10 most epic cybersecurity failures in history can keep consumers informed about the kinds of breaches that can expose their personal data.
1. Yahoo
For years, Yahoo reigned as one of the most-used web portals and email providers in the world. Unfortunately, the company also suffered the largest data breach recorded in history. In September 2016, Yahoo announced that hackers had stolen the real names, birth dates, email addresses, and telephone numbers tied to 500 million accounts in 2014.
While Yahoo account holders may have found themselves reeling from the news, the worst was yet to come. In December 2016, the company revealed that a separate group of attackers had compromised the data of 1 billion users in 2013. Finally, the worst news of all came in October 2017, when Yahoo revised its estimate to confirm that the 2013 breach had affected all 3 billion user accounts across the Yahoo, Flickr, and Tumblr platforms.
Although the Department of Justice indicted four men, including two Russian intelligence officers, in connection with the 2014 intrusion, Yahoo has never reached a definitive conclusion about how many people took part in the attacks or how the attackers intended to use the stolen data.
Yahoo ultimately agreed to a class-action settlement of $117.5 million and committed to strengthening security protections for its users. The breaches also cut the company's value: Verizon knocked $350 million off its purchase price before closing on its acquisition of Yahoo's core business in 2017.
2. Equifax
As one of the three major credit bureaus in the United States, Equifax is a credit reporting agency that holds the data of hundreds of millions of consumers around the world. Unfortunately, hackers exploited a weakness in the company's web infrastructure and had access to Equifax servers from mid-May until late July 2017.
Equifax discovered the breach on July 29 and initially reported that it had compromised the personal data of 143 million consumers, along with the credit card numbers of roughly 209,000 people. The company disclosed the breach publicly on September 7, 2017, raised the count to 145.5 million consumers in October 2017, and raised it again to 147.9 million in March 2018.
In response, Equifax agreed to a class-action settlement and offered free credit monitoring to affected individuals. Nevertheless, the company drew heavy criticism for failing to apply a security patch to third-party software on its servers (a vulnerability in the Apache Struts web framework that had been public for months), which left the door open for attackers to plunder sensitive data and, according to prosecutors, trade secrets. In February 2020, the Department of Justice indicted four members of China's People's Liberation Army as the perpetrators of the attack.
3. eBay
Home to one of the oldest e-commerce platforms on the web, eBay fell victim to a major security breach in 2014. In a statement, the company revealed that hackers had used the login credentials of three employees to access a database holding the hashed passwords and personal details of all 145 million users. Moreover, these hackers reportedly had access to user data for 229 days, making this security lapse one of the longest known data breaches in history.
In response to the breach, eBay notified all users with alerts to immediately change their passwords. The company also emphasized that because it stores financial information separately, hackers did not have access to data like credit card numbers. Many analysts criticized the company’s response as “too little, too late,” and revelations of the attack caused eBay’s share price to crash during intra-day trading.
4. LinkedIn
As a central database of professional histories, LinkedIn is a hub for building career connections. Unfortunately, the company has also been an attractive target for attackers. LinkedIn was breached on June 5, 2012.
During the attack, criminals stole the password hashes of 6.5 million user accounts; the hashes were unsalted SHA-1 digests and therefore easy to crack. Nearly four years later, in May 2016, LinkedIn learned that the same 2012 breach had actually exposed the email addresses and passwords of more than 100 million additional members.
In response to the breach, LinkedIn immediately notified users to change their passwords. The company also enlisted the FBI to help track down the offenders. In October 2016, Prague police arrested hacker Yevgeniy Nikulin in connection with the breach. After his extradition to the United States in 2018 and conviction in 2020, Nikulin received a sentence of 88 months in prison for the breach and related crimes.
5. Twitter
As a microblogging and social media giant, Twitter offers a platform for real-time status updates to over 320 million active users around the world. Unfortunately, a bug in the company's internal logging exposed the passwords of nearly all of those users in 2018.
Ordinarily, Twitter stores passwords only as bcrypt hashes, so that it can verify a login without keeping the password itself. However, a software defect caused the system to write passwords to an internal log before the hashing step ran. In other words, the log held user passwords in plain text, and anyone with access to that log could have read them.
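The mechanism above, as an added example that is not Twitter's code: a password store that keeps only a salted slow hash, next to a login handler that reproduces the Twitter-style defect (the plaintext is formatted into a log line before it reaches the hash function) and a corrected handler that never puts the secret into a string. bcrypt is not in Python's standard library, so the example uses PBKDF2-HMAC-SHA256 from hashlib as the slow hash; the logging lesson is identical. The user, password, and iteration count are constructed sample values.

```python
import hashlib
import hmac
import io
import logging
import os
from typing import Dict, Optional, Tuple

# Assumption: PBKDF2 stands in for bcrypt; tune the iteration count to your hardware.
ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest. The plaintext is consumed here and never stored."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def login_buggy(users: Dict[str, bytes], username: str, password: str,
                log: logging.Logger) -> bool:
    # The defect: the whole request, secret included, is logged before hashing.
    log.info("login attempt user=%s password=%s", username, password)
    stored = users.get(username)
    return stored is not None and verify_password(password, stored)


def login_fixed(users: Dict[str, bytes], username: str, password: str,
                log: logging.Logger) -> bool:
    # Log what an operator needs (who, and whether it worked); the secret is
    # never interpolated into any string.
    log.info("login attempt user=%s", username)
    stored = users.get(username)
    ok = stored is not None and verify_password(password, stored)
    log.info("login result user=%s ok=%s", username, ok)
    return ok


def run_scenario(use_fixed: bool) -> Tuple[bool, str]:
    """Run one login through a handler; return (auth result, captured log text)."""
    buf = io.StringIO()
    log = logging.getLogger("login.fixed" if use_fixed else "login.buggy")
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler(buf))

    secret = "correct horse battery staple"        # constructed sample password
    users = {"alice": hash_password(secret)}       # constructed sample user store
    handler = login_fixed if use_fixed else login_buggy
    ok = handler(users, "alice", secret, log)
    return ok, buf.getvalue()


def log_leaks_secret(log_text: str, secret: str) -> bool:
    """The check worth running over real logs: does a plaintext credential appear?"""
    return secret in log_text


if __name__ == "__main__":
    for fixed in (False, True):
        ok, text = run_scenario(fixed)
        print("fixed" if fixed else "buggy", "auth ok:", ok,
              "plaintext in log:", log_leaks_secret(text, "correct horse battery staple"))
```

Both handlers authenticate correctly, which is exactly why the bug survives testing: nothing about the login flow breaks when the password is also copied into a log. The only thing that catches it is looking at what the log contains.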
In response to the error, Twitter advised all of its users to change their passwords. Ireland's Data Protection Commission (DPC) later fined Twitter €450,000 (about $547,000) under Europe's GDPR for failing to promptly report and document a separate data breach notified in 2019. The password lapse also increased calls for a dedicated cybersecurity regulator for large social media companies.
6. Uber
As painful as security breaches are, history has shown that companies can make matters even worse by mishandling the incident. One prominent example is the ride-sharing service Uber.
In February 2015, company officials revealed that Uber had suffered a data leak nearly nine months earlier. Uber discovered the leak in September 2014 but waited over five months to notify the roughly 50,000 drivers whose names and driver's license numbers had been exposed.
Even worse, a separate 2016 breach exposed the personal information of over 600,000 drivers and 57 million Uber riders. In that incident, attackers obtained credentials that Uber engineers had stored in a private GitHub repository and used them to download account records from Uber's cloud storage.
Instead of notifying the public immediately, Uber attempted to conceal the breach and paid the hackers $100,000 to delete the stolen data. Even after paying, however, the company had no way of verifying whether the hackers had kept their promise to delete it.
In the wake of the mishandling, the company's startup valuation dropped from $68 billion to $48 billion. Moreover, the Department of Justice brought criminal charges against former CSO Joe Sullivan for obstruction of justice over the cover-up. Finally, Uber agreed to pay $148 million to settle claims brought by the attorneys general of all 50 states and the District of Columbia for failing to reasonably secure consumer data and to disclose the breach promptly.
7. Target
Successful data protection requires companies to heighten security during surges of activity such as the holiday season. Retail giant Target learned this lesson the hard way through a massive data breach at the peak of its 2013 holiday sales.
Before the attack, hackers stole the network credentials of a third-party heating and air-conditioning vendor, used them to get inside Target's network, and installed malware on the retailer's point-of-sale systems. The malware then scraped names, credit card numbers, expiration dates, and card verification codes from the card data as customers paid.
As a result of the breach, Target swiftly faced a multi-state legal battle. The company agreed to a settlement of $18.5 million in addition to $202 million in legal fees and expenses required to resolve the attack. Analysts estimate that it took Target nearly half a decade to recover its reputation and consumer perception following this cyber security blunder.
8. Marriott International
The Marriott International cybersecurity scandal proves that e-commerce sites are not the only targets for hackers seeking customer information. In November 2018, the corporation announced that hackers had infiltrated the reservation database of its Starwood division and stolen the data of up to 500 million guests, a figure the company later revised to roughly 383 million.
Although the attackers first got into Starwood's systems in 2014, the intrusion went undetected through Marriott's 2016 acquisition of the Starwood hotel chain; Marriott says it did not discover the breach until September 2018.
Sensitive data exposed in the breach included more than five million unencrypted passport numbers as well as the records of up to 383 million guests. The UK Information Commissioner's Office (ICO) announced its intention to fine the company £99 million (about $123 million) under Europe's GDPR for failing to protect customer data; the penalty was eventually reduced to £18.4 million in October 2020. Unfortunately, the embattled hotel chain continued to face security lapses in later years, including a breach announced at the end of March 2020 that affected approximately 5.2 million guests.
9. Heartland Payment Systems
Affecting more than 100 million credit and debit cards and more than 650 financial services companies, the Heartland Payment Systems breach was the biggest card breach on record when it occurred in 2008. The thieves stole the data encoded on the magnetic stripes on the backs of credit and debit cards. The point of the theft was that criminals could then create counterfeit cards by writing the stolen stripe data onto blank cards.
Although the attackers did not obtain personal information such as Social Security numbers or debit card PINs, many analysts believe that the processing company's industry reputation suffered lasting damage after the breach.
Legal expenses associated with the breach reached up to $140 million, including a $60 million settlement with Visa, a $41.1 million settlement with MasterCard, and a $3.5 million settlement with American Express. In addition, numerous insurance companies sued Heartland Payment Systems, solidifying the incident as one of the most costly cyber security fails of the decade.
While the company suffered financially from the fallout, several criminals were held responsible for the breach. In March 2010, hacker Albert Gonzalez received a 20-year prison sentence for his role in the hacking ring that compromised the card data. Eight years later, in February 2018, a federal court sentenced two more Russian hackers for their roles in the same breach.
10. Adult Friend Finder
Adult Friend Finder's reputation for discretion took a major hit when the company fell victim to one of the largest cybersecurity failures in history. In November 2016, the breach-notification site LeakedSource reported that hackers had infiltrated six databases belonging to parent company FriendFinder Networks Inc. The attack exposed more than 412 million accounts across the company's adult network.
To put it into perspective, the Adult Friend Finder network is home to over 49,000 websites and close to 1 billion unique users. Nearly half of these users saw personal information exposed in the data breach. In comparison, the infamous Ashley Madison breach affected around 32 million users in 2015 – a fraction of the number of users exposed in the FriendFinder breach in 2016.
Although the leak may have surprised account holders, LeakedSource reported that a security researcher had warned Adult Friend Finder about local file inclusion (LFI) vulnerabilities in its web application and production server before the incident. An LFI flaw lets an attacker make the server read and include a file of the attacker's choosing, typically by smuggling path segments such as ../ into a parameter that the application joins onto a file path.
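The LFI pattern described above, as an added example that is not FriendFinder's code: a page-include handler written the vulnerable way (a request parameter joined straight onto the template directory) beside a hardened version that resolves the final path and refuses anything outside the template root or with an unexpected extension. The directory layout, the "secret" config file, and the .html allowlist are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

ALLOWED_SUFFIXES = {".html"}  # assumption: includable templates are plain .html files


def include_vulnerable(base_dir: str, page: str) -> str:
    """Join a user-supplied name onto the template root and read it.

    os.path.join walks out of base_dir on "../" segments and discards base_dir
    entirely when page is absolute, so any file the process can read is exposed.
    """
    return Path(os.path.join(base_dir, page)).read_text()


def resolve_include(base_dir: str, page: str) -> Optional[Path]:
    """Return the resolved file if it lies strictly inside base_dir, else None."""
    base = Path(base_dir).resolve()
    target = (base / page).resolve()  # collapses "..", follows symlinks
    if base in target.parents and target.suffix in ALLOWED_SUFFIXES and target.is_file():
        return target
    return None


def is_safe_include(base_dir: str, page: str) -> bool:
    return resolve_include(base_dir, page) is not None


def include_hardened(base_dir: str, page: str) -> str:
    target = resolve_include(base_dir, page)
    if target is None:
        raise PermissionError(f"refusing to include {page!r}: outside template root")
    return target.read_text()


def build_demo_tree() -> Tuple[str, str]:
    """Constructed sample: a template root plus a secret file one level above it."""
    root = tempfile.mkdtemp()
    templates = os.path.join(root, "templates")
    os.mkdir(templates)
    Path(templates, "home.html").write_text("<h1>Welcome</h1>")
    Path(root, "config.php").write_text("$db_password = 'hunter2';")  # constructed secret
    return templates, "../config.php"


def demo() -> Dict[str, object]:
    """Run the legitimate include and the traversal through both handlers."""
    templates, traversal = build_demo_tree()
    out: Dict[str, object] = {}
    out["legit"] = include_hardened(templates, "home.html")
    out["vulnerable_leak"] = include_vulnerable(templates, traversal)
    try:
        include_hardened(templates, traversal)
        out["hardened_leak"] = True
    except PermissionError:
        out["hardened_leak"] = False
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check is done on the fully resolved path, not on the raw string, so encoded or doubled-up traversal tricks that a naive `".." in page` test would miss are caught once the operating system has canonicalized the path. Where the set of includable pages is small and known, an explicit allowlist of names is simpler still and should be preferred.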
The leak also exposed other unsavory practices on the corporate side of the brand, including storing passwords either in plain text or as unsalted SHA-1 hashes that could be cracked easily, and retaining the email addresses of users who had asked for their accounts to be deleted.
The Legacy of History’s Most Epic Cybersecurity Failures
In the past, cybersecurity failures affecting a few million individuals would have easily made headline news. But with cybersecurity failures on the rise, data breaches involving tens of millions of people can seem commonplace.
Consequences of the increased frequency of security breaches include the rise of class-action lawsuits and oversight agencies that enforce rules such as the European General Data Protection Regulation (GDPR).
In addition, cybersecurity consulting services such as Kroll Inc. have experienced increased popularity as businesses and individuals seek to protect themselves in the digital world.