As another decade comes to a close, now is the perfect time to reflect on some of the top 10 worst data breaches and cyber-security blunders from the last ten years. Over the 2010s, we’ve seen the pace of technological growth rapidly advance. From the development of facial recognition software to the growth of artificial intelligence and quantum computing, the digital age has taken a monumental leap forward.
And while this technology has brought innumerable benefits, the vast quantity of personal information now stored digitally has exposed us to catastrophic privacy violations from even the smallest data breach.
While there have been data breaches as long as data has existed, the danger has never been more apparent. Our entire lives are stored digitally, from personal files like family photos to vital business data like employee records and legal documents. The digital world is inescapable, and millions of users across the web are unknowingly putting their privacy at risk.
Data breaches have become so common that society has become desensitized to the effects, which, ironically, makes it all that more dangerous.
So in case you’ve forgotten just how pervasive data breaches have become, we’ve assembled a list of the ten most damaging breaches of the last decade.
—
10) Facebook
Date: 2017-2019
Impact: 50 Million Users
Starting off our list is the social media powerhouse, Facebook. Although a prominent social platform, Facebook is not 100% bulletproof and has become a victim to hackers and data breaches in the past. Two years ago, Facebook announced the discovery of a bug in their site that resulted in the exposure of over 50 million accounts. By abusing the flaw, hackers were able to obtain account access tokens, which are security keys that enable users to stay logged into a Facebook account without the need to re-enter passwords when returning to the site. The real significance of this data breach was that the access tokens didn’t just allow hackers to spy on users’ private information; the tokens gave hackers full control over the victims’ accounts. The breach forced Facebook to reset the access tokens of the over 50 million affected accounts, in addition to 40 million more accounts out of precaution. (Source)
9) Uber
Date: 2016
Impact: 57 Million Users
Uber, a multi-national ride-sharing company, suffered a major data breach in 2016, which involved at least 7 million drivers and 50 million passengers. The breach compromised all sorts of personal information: names, email addresses, and phone numbers, to name but a few examples. In addition, the breach exposed over 600,000 drivers’ license numbers. What makes this data breach so much worse, is that Uber initially attempted to hide the incident to regulators and users. Instead, Uber tried to pay a $100,000.00 ransom to the hackers, in the hope that they would get rid of the data and keep the breach concealed from the public. Their plan failed, but to Uber’s credit, they did take immediate steps to secure the data and shut down further unauthorized access by the hackers. (Source)
8) JP Morgan Chase
Date: 2014
Impact: 76 Million Users and 7 Million Small Businesses
In 2014, JPMorgan Chase was the victim of a cyber-attack that resulted in the theft of nearly 80 million users’ data. From confidential information like home addresses to business information like corporate banking documents, the breach affected millions of files. Reporters and journalists stated that the hackers likely operated out of Russia or Eastern Europe and that they were able to break into the Chase network by hacking a Chase employee’s personal computer. (Source)
7) Target
Date: 2013
Impact: 110 Million Accounts
The retail giant faced a data breach that resulted in the unauthorized access of almost 110 million accounts. The attackers stole information stored on the magnetic stripe of the back of credit and debit cards swiped in several Target stores. It was incidents like this that contributed to the rise of the EMV chip, now embedded into all new credit and debit cards. Several years later, Target paid out an $18.5-million-dollar settlement, which included a $10,000.00 payment to consumers who provided evidence that they suffered losses resulting from the data breach. (Source)
6) eBay
Date: 2014
Impact: 145 Million Users
In 2014, the online commerce company, eBay, announced that its records had been breached and suggested that almost 145 million users needed to change their passwords. This cyber-attack was carried out by a team of hackers who were able to obtain the credentials of three eBay employees. Names, emails, passwords, and even security questions were all compromised in the hack. Even more concerning was that due to eBay and Paypal being so interconnected, hackers were able to gain access to people’s Paypal accounts too. In the end, eBay did not provide any reimbursement towards the consumers that had their credentials misused or their money stolen. (Source)
5) Equifax
Date: 2017
Impact: 148 Million Users
Equifax, one of the largest consumer credit reporting agencies in the United States, suffered a data breach in September 2017. In addition to the theft of 209,000 credit card numbers, approximately 148 million Americans had their name, phone number, home address, date of birth, driver’s license number, and social security number compromised as well. As more details came to light, a lack of regard for consumer data by many of Equifax’s senior staff became apparent. It was a catastrophe; they even hired a Chief Information Security Officer who’s credentials were entirely made up of not one, but two degrees, in music. Yes, music.
Fast forward to July 2019, Equifax announced a $675 million consumer settlement. They offered people who were affected by the breach a choice of 4-years of free credit monitoring services or a $125 cash payment. (Source)
4) Adult Friend Finder
Date: 2016
Impact: 400 Million Users
Almost half a billion users had their data compromised from a litany of websites across the FriendFinder network. Over 20 years of data, including names, email addresses, and passwords were all exposed. Even more worrying, is that this wasn’t FriendFinder’s first rodeo…
In May 2015, it was revealed that around 4 million FriendFinder accounts were stolen. The good news is that FriendFinder was transparent and updated the public as soon as they became aware of the attack. The breadth of this data breach is still under investigation; however, FriendFinder Networks suggests that all users reset their passwords. (Source)
3) Marriot International
Date: 2018
Impact: 500 Million Customers
In November 2018, Marriot International announced that a data breach had occurred within their system. However, the incident initially began in 2014. The breach originated in the Starwood Hotel guest reservation database, where hackers laid dormant in the system for several years before Marriott acquired the company. With that time, the attackers were able to steal passport and credit card information from hundreds of millions of people. (Source)
2) First American
Date: 2019
Impact: 885 Million Customers
Not only is First American second on this list because of volume, but they are here due to their carelessness. Data from at least 885 million people was easily accessible on the First American’s site by inputting a specific set of URLs. These URL’s had a sequential system, meaning you could simply plug and play with different numbers to find confidential information. This sort of reckless behavior regarding data security seems like it would be a story from the 1990’s. What makes it so sad though… is this is the most recent data breach on this list, occurring in 2019. (Source)
1) Yahoo!
Date: 2013-2014
Impact: Over 3 Billion Users
Yahoo takes the number one spot for the largest data breach of the decade due to the pure volume of records stolen. The internet giant that was once the face of the internet had names, email addresses, passwords, and security questions compromised due to outdated and easy-to-crack encryption. Also, Yahoo failed to correctly pinpoint the number of users affected and released several revisions on the estimate. In 2016, Yahoo announced that 500 million users had their data compromised in a 2014 data breach. That announcement was later amended with information that there was another 2013 data breach that affected approximately 1 billion users. After drastically increasing the estimate with each subsequent announcement, the final estimate was that over 3 billion people were affected. In the spirit of schadenfreude, though, you can find some solace in knowing that Yahoo did pay. When the breach was announced, Yahoo was in the process of selling the company to Verizon. The data breaches ended up chopping off approximately $350 million off Yahoo’s sale price and the two companies agreed to share regulatory and legal liabilities from the incident. (Source)
On the plus side, a class-action lawsuit was filed against Yahoo and people who’ve had a Yahoo account since 2012 are entitled to up to $358.80 of compensation. You can learn more on YahooDataBreachSettlement.com. Don’t let these Yahoo’s get off cheap for exposing your data.
—
Based on big tech’s terrible track record with data protection, it is safe to say that our data is not safe. Cybersecurity, which should be at the forefront of any company’s mind -especially when you hold the private information of millions of people- is looked at as an expense to be mitigated.
And what may be the most disheartening part is that it’s not a super team of elite hackers cracking into databases. It’s pure and simple negligence in many cases, from not updating security software, to leaving private information exposed on a public database with no password.
But finally, the decade is coming to an end, and hopefully, data breaches are ending with it. But with how little is being done to prevent them… it might be best to start keeping your data to yourself.
