What is a Data Breach?
A data breach is a security incident in which information is accessed without authorization. Data breaches can hurt businesses and consumers in a variety of ways. They are a costly expense that can damage lives and reputations and take a significant amount of time to repair.
It may seem like stories of massive data breaches pop up in the news frequently these days. But it shouldn’t be all that surprising. As technology progresses, more and more of our information has been moving to the digital world. As a result, cyberattacks have become increasingly common and extremely costly.
Corporations and businesses are extremely attractive targets to cybercriminals, simply due to the large amount of data that can be nabbed in one fell swoop.
Why Do Data Breaches Happen?
Cybercrime is a profitable industry for attackers and continues to grow. Hackers seek personally identifiable information to steal money, compromise identities, or sell over the dark web. Data breaches can occur for a number of reasons, including accidentally, but targeted attacks are typically carried out in these four ways:
- Exploiting system vulnerabilities. Out-of-date software can create a hole that allows an attacker to sneak malware onto a computer and steal data.
- Weak passwords. Weak and insecure user passwords are easier for hackers to guess, especially if a password contains whole words or phrases. That’s why experts advise against simple passwords, and in favor of unique, complex passwords.
- Drive-by downloads. You could unintentionally download a virus or malware by simply visiting a compromised web page. A drive-by download will typically take advantage of a browser, application, or operating system that is out of date or has a security flaw.
- Targeted malware attacks. Attackers use spam and phishing email tactics to try to trick the user into revealing user credentials, downloading malware attachments, or directing users to vulnerable websites. Email is a common way for malware to end up on your computer. Avoid opening any links or attachments in an email from an unfamiliar source. Doing so can infect your computer with malware. And keep in mind that an email can be made to look like it comes from a trusted source, even when it’s not.
How can I help protect my personal information in the event of a data breach?
To help protect your identity, it’s important to take steps to help protect yourself and your personal information. These steps can include:
- Use strong, secure passwords. Use a complex and unique password for each of your online accounts. Keeping track of all those passwords can be difficult, but there are products, such as *Dashlane, that can help make this task easier to manage.
- Monitor your bank and other financial accounts. Check your accounts on a regular basis for unfamiliar activity. And if the companies offer activity alerts via text or email, it may make sense for you to sign up for them.
- Check your credit report. Do that on a regular basis to see if a thief has attempted to open a new credit card or another account in your name. You’re entitled by law to a free credit report from each of the three major credit reporting agencies every 12 months. Visit annualcreditreport.com for more information.
- Take action quickly. If you see suspicious activity, contact the financial institution involved immediately. If your information was stolen in a data breach, let them know that as well.
- Secure your cell phone. If your phone doesn’t have a password, give it one. Although entering a password every time you use your phone is tedious, it provides a line of defense if your device is lost or stolen. Think about all the information a criminal could access with your unprotected phone.
- Use only secure URLs on the Internet. Reputable sites begin with https://. The “s” is key. This is especially important when entering credit card or other personal information.
- Use high-quality security software. Install and use a software suite that includes malware and virus protection — and always keep it updated. *Avast is one such solution.
- Back up your files and ensure their safety. There are many companies that offer PC backups in the cloud, along with other security features. You can also back up your files nightly to a separate hard drive.
- Wipe your hard drive. If you are recycling your old computer, make sure that you clear your hard drive prior to disposal. The same goes for your smartphones and tablets. There are programs you can install on your computer to accomplish this.
- Avoid oversharing on social media. Never post anything pertaining to sensitive information, and adjust your settings to make your profiles private. While you’re at it, hold off sharing vacation pics on social media while you’re still on vacation. That tells everyone your house may be sitting empty, a perfect target for burglary.
What are companies doing about data breaches?
Many companies are tightening security measures and reassessing their procedures to better protect the consumer data they use and store.
Laws and regulations are in place that require companies to take specific steps in the event of a data breach or other security incident. Most states require companies to send data breach notifications to consumers when their personally identifiable information may have been compromised.
Still, you should never rely solely on others to keep your information secure. It’s always important to take preventative measures and keep an eye on your information.
Data breaches are likely here to stay, and the best defense against them is a good offense. Educate yourself and be diligent about monitoring your online life. Become a YourPrivacyRights.org Member and help us change the laws to remove your personal data from the Internet and websites!
The 18 biggest data breaches of the 21st century
- Yahoo
Date: 2013 - 2014
Impact: 3 Billion User Accounts
Details: In September 2016, the once dominant Internet giant, while in negotiations to sell itself to Verizon, announced it had been the victim of the biggest data breach in history, likely by “a state-sponsored actor,” in 2014. The attack compromised the real names, email addresses, dates of birth and telephone numbers of 500 million users. The company said the "vast majority" of the passwords involved had been hashed using the robust bcrypt algorithm.
A couple of months later, in December, it buried that earlier record with the disclosure that a breach in 2013, by a different group of hackers, had compromised 1 billion accounts. Besides names, dates of birth, email addresses and passwords that were not as well protected as those involved in 2014, security questions and answers were also compromised. In October of 2017, Yahoo revised that estimate, saying that, in fact, all 3 billion user accounts had been compromised.
- Marriott International
Date: 2014 - 2018
Impact: 500 Million Customers
Details: In November 2018, Marriott International announced that cyber thieves had stolen data on approximately 500 million customers. The breach actually occurred on systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018.
For some of the victims, only name and contact information were compromised. The attackers were able to take some combination of contact info, passport number, Starwood Preferred Guest numbers, travel information, and other personal information. Marriott believes that credit card numbers and expiration dates of more than 100 million customers were stolen, although the company is uncertain whether the attackers were able to decrypt the credit card numbers.
The breach was eventually attributed to a Chinese intelligence group seeking to gather data on US citizens, according to a New York Times article. If true, this would be the largest known breach of personal data conducted by a nation-state.
- Adult Friend Finder
Date: October 2016
Impact: Over 412.2 million accounts
Details: The FriendFinder Network, which included casual hookup and adult content websites, was breached sometime in mid-October 2016. Hackers collected 20 years of data on six databases that included names, email addresses and passwords.
Most of the passwords were protected only by the weak SHA-1 hashing algorithm, which meant that 99 percent of them had been cracked by the time LeakedSource.com published its analysis of the entire data set on November 14.
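The password-storage contrast the Yahoo and FriendFinder entries draw (unsalted SHA-1 versus a salted, slow hash such as bcrypt), and the advice on unique passwords above, as an added example that is not from the original article. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it here; the user names, passwords and "common password" list are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who chose the same weak password, plus one
# who chose a long passphrase. These are not real leaked credentials.
USERS = {
    "alice": "password1",
    "bob": "password1",
    "carol": "correct-horse-battery-staple-2024",
}

# Constructed stand-in for the dictionary of common passwords that a
# precomputed (rainbow-style) table would be built from.
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty", "letmein"]


def sha1_hash(password: str) -> str:
    """Unsalted SHA-1, the scheme most FriendFinder passwords were stored with."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash (assumed format: algo$iters$salt$digest).

    PBKDF2-HMAC-SHA256 stands in for bcrypt: the design point is the same,
    a random per-user salt plus a tunable work factor."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def precomputed_lookup_hits(hashed_db: dict) -> dict:
    """Defender's check: which stored hashes match a table built once from the
    common-password list? Each hit costs one lookup, and because unsalted
    hashes are identical for identical passwords, one hit exposes every user
    who chose that password."""
    table = {sha1_hash(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in hashed_db.items() if h in table}


def build_sha1_db() -> dict:
    return {u: sha1_hash(p) for u, p in USERS.items()}


def build_pbkdf2_db() -> dict:
    return {u: pbkdf2_hash(p) for u, p in USERS.items()}


if __name__ == "__main__":
    sha1_db = build_sha1_db()
    print("SHA-1: alice and bob share a hash:", sha1_db["alice"] == sha1_db["bob"])
    print("SHA-1 hits from precomputed table:", precomputed_lookup_hits(sha1_db))
    pbkdf2_db = build_pbkdf2_db()
    print("PBKDF2: alice and bob share a hash:", pbkdf2_db["alice"] == pbkdf2_db["bob"])
    print("PBKDF2 hits from precomputed table:", precomputed_lookup_hits(pbkdf2_db))
    print("PBKDF2 verify alice:", pbkdf2_verify("password1", pbkdf2_db["alice"]))
```

The salted database yields no table hits even though alice and bob still share a weak password; the work factor only buys time, which is why the article pairs slow hashing with unique passwords rather than relying on either alone.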
- eBay
Date: May 2014
Impact: 145 million users compromised
Details: The online auction giant reported a cyberattack in May 2014 that it said exposed names, addresses, dates of birth and encrypted passwords of all of its 145 million users. The company said hackers got into the company network using the credentials of three corporate employees, and had complete inside access for 229 days, during which time they were able to make their way to the user database.
It asked its customers to change their passwords, but said financial information, such as credit card numbers, was stored separately and was not compromised. The company was criticized at the time for a lack of communication informing its users and poor implementation of the password-renewal process.
- Equifax
Date: July 29, 2017
Impact: Personal information (including Social Security Numbers, birth dates, addresses, and in some cases driver's license numbers) of 143 million consumers; 209,000 consumers also had their credit card data exposed.
Details: Equifax, one of the largest credit bureaus in the U.S., said on Sept. 7, 2017 that an application vulnerability on one of their websites led to a data breach that exposed the data of about 147.9 million consumers. The breach was discovered on July 29, but the company says that it likely started in mid-May.
- Heartland Payment Systems
Date: March 2008
Impact: 134 million credit cards exposed through a SQL injection attack used to install spyware on Heartland's data systems.
Details: At the time of the breach, Heartland was processing 100 million payment card transactions per month for 175,000 merchants – most small- to mid-sized retailers. It wasn’t discovered until January 2009, when Visa and MasterCard notified Heartland of suspicious transactions from accounts it had processed.
Among the consequences were that Heartland was deemed out of compliance with the Payment Card Industry Data Security Standard (PCI DSS) and was not allowed to process the payments of major credit card providers until May 2009. The company also paid out an estimated $145 million in compensation for fraudulent payments.
A federal grand jury indicted Albert Gonzalez and two unnamed Russian accomplices in 2009. Gonzalez, a Cuban-American, was alleged to have masterminded the international operation that stole the credit and debit cards. In March 2010 he was sentenced to 20 years in federal prison. The vulnerability to SQL injection was well understood and security analysts had warned retailers about it for several years. Yet, the continuing vulnerability of many Web-facing applications made SQL injection the most common form of attack against Web sites at the time.
- Target Stores
Date: December 2013
Impact: Credit/debit card information and/or contact information of up to 110 million people compromised.
Details: The breach actually began before Thanksgiving, but was not discovered until several weeks later. The retail giant initially announced that hackers had gained access through a third-party HVAC vendor to its point-of-sale (POS) payment card readers, and had collected about 40 million credit and debit card numbers.
By January 2014, however, the company upped that estimate, reporting that personally identifiable information (PII) of 70 million of its customers had been compromised. That included full names, addresses, email addresses and telephone numbers. The final estimate is that the breach affected as many as 110 million customers.
Target’s CIO resigned in March 2014, and its CEO resigned in May. The company recently estimated the cost of the breach at $162 million.
The company was credited with making significant security improvements.
- TJX Companies, Inc.
Date: December 2006
Impact: 94 million credit cards exposed.
Details: There are conflicting accounts about how this happened. One supposes that a group of hackers took advantage of a weak data encryption system and stole credit card data during a wireless transfer between two Marshall's stores in Miami, Fla. The other has them breaking into the TJX network through in-store kiosks that allowed people to apply for jobs electronically.
Albert Gonzalez, hacking legend and ringleader of the Heartland breach, was convicted in 2010 of leading the gang of thieves who stole the credit cards, and sentenced to 20 years in prison, while 11 others were arrested. He had been working as a paid informant for the US Secret Service, at a $75,000 salary at the time of the crimes. The government claimed in its sentencing memo that companies, banks and insurers lost close to $200 million.
- Uber
Date: Late 2016
Impact: Personal information of 57 million Uber users and 600,000 drivers exposed.
Details: The scope of the Uber breach alone warrants its inclusion on this list, and it’s not the worst part of the hack. The way Uber handled the breach once discovered is one big hot mess, and it’s a lesson for other companies on what not to do.
The company learned in late 2016 that two hackers were able to get names, email addresses, and mobile phone numbers of 57 million users of the Uber app. They also got the driver license numbers of 600,000 Uber drivers. As far as we know, no other data such as credit card or Social Security numbers were stolen. The hackers were able to access Uber’s GitHub account, where they found username and password credentials to Uber’s AWS account. Those credentials should never have been on GitHub.
Here’s the really bad part: It wasn’t until about a year later that Uber made the breach public. What’s worse, they paid the hackers $100,000 to destroy the data with no way to verify that they did, claiming it was a “bug bounty” fee. Uber fired its CSO because of the breach, effectively placing the blame on him.
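The Uber entry turns on cloud credentials that were committed to a source repository. A minimal pre-commit secret scanner, written for this page as an added example (not Uber's tooling), that flags AWS access key IDs by their documented "AKIA" prefix and flags high-entropy values on assignment lines; the sample file is constructed and its key values are the placeholders AWS uses in its own documentation, not live credentials. The keyword list and entropy threshold are assumptions to tune per repository.

```python
import math
import re

# AWS access key IDs start with the documented "AKIA" prefix followed by 16
# uppercase alphanumerics. Secret access keys have no fixed prefix, so they
# are caught by the entropy check on assignment-style lines instead.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Assumed keyword list: names that commonly precede a secret in config files.
ASSIGNMENT_RE = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-=]{20,})"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed value, tune for your repo


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score well above prose."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_line(lineno: int, line: str) -> list:
    """Return one finding per suspicious value on this line."""
    findings = []
    for m in AWS_ACCESS_KEY_RE.finditer(line):
        findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(0)})
    for m in ASSIGNMENT_RE.finditer(line):
        value = m.group(2)
        # A human-chosen placeholder such as "changeme-in-production" scores
        # below the threshold; a generated 40-character key scores above it.
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append({"line": lineno, "kind": "high_entropy_secret", "value": value})
    return findings


def scan_text(text: str) -> list:
    """Scan a file's contents; a pre-commit hook would reject the commit on any finding."""
    findings = []
    for i, line in enumerate(text.splitlines(), 1):
        findings.extend(scan_line(i, line))
    return findings


# Constructed sample file. The key values are AWS's own documentation
# placeholders, not real credentials.
SAMPLE_CONFIG = """\
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
password = changeme-in-production
db_host = db.internal.example
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
```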
- JP Morgan Chase
Date: July 2014
Impact: 76 million households and 7 million small businesses
Details: The largest bank in the nation was the victim of a hack during the summer of 2014 that compromised the data of more than half of all US households – 76 million – plus 7 million small businesses. The data included contact information – names, addresses, phone numbers and email addresses – as well as internal information about the users, according to a filing with the Securities and Exchange Commission.
The bank said no customer money had been stolen and that there was “no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack."
Still, the hackers were reportedly able to gain “root" privileges on more than 90 of the bank’s servers, which meant they could take actions including transferring funds and closing accounts. According to the SANS Institute, JP Morgan spends $250 million on security every year.
- US Office of Personnel Management (OPM)
Date: 2012 - 2014
Impact: Personal information of 22 million current and former federal employees
Details: Hackers, said to be from China, were inside the OPM system starting in 2012, but were not detected until March 20, 2014. A second hacker, or group, gained access to OPM through a third-party contractor in May 2014, but was not discovered until nearly a year later. The intruders exfiltrated personal data – including in many cases detailed security clearance information and fingerprint data.
Former FBI director James Comey spoke of the information contained in the so-called SF-86 form, used for conducting background checks for employee security clearances. “My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses,” he said. “So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”
A report, released by the House Committee on Oversight and Government Reform summed up the damage in its title: “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation.”
- Sony's PlayStation Network
Date: April 20, 2011
Impact: 77 million PlayStation Network accounts hacked; estimated losses of $171 million while the site was down for a month.
Details: This is viewed as the worst gaming community data breach of all-time. Of more than 77 million accounts affected, 12 million had unencrypted credit card numbers. Hackers gained access to full names, passwords, e-mails, home addresses, purchase history, credit card numbers and PSN/Qriocity logins and passwords. "It's enough to make every good security person wonder, 'If this is what it's like at Sony, what's it like at every other multi-national company that's sitting on millions of user data records?'" said eIQnetworks' John Linkous. He says it should remind those in IT security to identify and apply security controls consistently across their organizations. For customers, "Be careful whom you give your data to. It may not be worth the price to get access to online games or other virtual assets."
In 2014, Sony agreed to a preliminary $15 million settlement in a class action lawsuit over the breach.
- Anthem
Date: February 2015
Impact: Theft of personal information on up to 78.8 million current and former customers.
Details: The second-largest health insurer in the U.S., formerly known as WellPoint, said a cyberattack had exposed the names, addresses, Social Security numbers, dates of birth and employment histories of current and former customers – everything necessary to steal identity.
Fortune reported that a nationwide investigation concluded that a foreign government likely recruited the hackers who conducted what was said to be the largest data breach in healthcare history. It reportedly began a year before it was announced, when a single user at an Anthem subsidiary clicked on a link in a phishing email. The total cost of the breach is not yet known, but it is expected to exceed $100 million.
Anthem said in 2016 that there was no evidence that members' data have been sold, shared or used fraudulently. Credit card and medical information also allegedly has not been taken.
- RSA Security
Date: March 2011
Impact: Possibly 40 million employee records stolen.
Details: The impact of the cyberattack that stole information on the security giant's SecurID authentication tokens is still being debated. RSA, the security division of EMC, said two separate hacker groups worked in collaboration with a foreign government to launch a series of phishing attacks against RSA employees, posing as people the employees trusted, to penetrate the company's network.
EMC reported that it had spent at least $66 million on remediation. According to RSA executives, no customers' networks were breached. John Linkous, vice president, chief security and compliance officer of eIQnetworks, Inc. doesn't buy it. "RSA didn't help the matter by initially being vague about both the attack vector, and (more importantly) the data that was stolen," he says. "It was only a matter of time before subsequent attacks on Lockheed-Martin, L3 and others occurred, all of which are believed to be partially enabled by the RSA breach." Beyond that was psychological damage. Among the lessons, he said, are that even good security companies like RSA are not immune to being hacked.
Jennifer Bayuk, an independent information security consultant and professor at Stevens Institute of Technology, told SearchSecurity in 2012 that the breach was, “a huge blow to the security product industry because RSA was such an icon. They’re the quintessential security vendor. For them to be a point of vulnerability was a real shocker. I don’t think anyone’s gotten over that,” she said.
- Stuxnet
Date: Sometime in 2010, but origins date to 2005
Impact: Meant to attack Iran's nuclear power program, but will also serve as a template for real-world intrusion and service disruption of power grids, water supplies or public transportation systems.
Details: The immediate effects of the malicious Stuxnet worm were minimal – at least in the United States – but numerous experts rank it among the top large-scale breaches because it was a cyberattack that yielded physical results.
Its malware, designed to target only Siemens SCADA systems, damaged Iran’s nuclear program by destroying an estimated 984 uranium enrichment centrifuges. The attack has been attributed to a joint effort by the US and Israel, although never officially acknowledged as such.
- VeriSign
Date: Throughout 2010
Impact: Undisclosed information stolen
Details: Security experts are unanimous in saying that the most troubling thing about the VeriSign breach, or breaches, in which hackers gained access to privileged systems and information, is the way the company handled it – poorly. VeriSign never announced the attacks. The incidents did not become public until 2011, and then only through a new SEC-mandated filing.
As PCWorld put it, “VeriSign buried the information in a quarterly Securities and Exchange Commission (SEC) filing as if it was just another mundane tidbit.”
VeriSign said no critical systems such as the DNS servers or the certificate servers were compromised, but did say that, "access was gained to information on a small portion of our computers and servers." It has yet to report what the information stolen was and what impact it could have on the company or its customers.
- Home Depot
Date: September 2014
Impact: Theft of credit/debit card information of 56 million customers.
Details: The hardware and building supply retailer announced in September 2014 what had been suspected for some weeks – that beginning in April or May, its POS systems had been infected with malware. The company later said an investigation concluded that a “unique, custom-built” malware had been used, which posed as anti-virus software.
In March 2016, the company agreed to pay at least $19.5 million to compensate US consumers through a $13 million fund to reimburse shoppers for out-of-pocket losses, and to spend at least $6.5 million to fund 1 1/2 years of cardholder identity protection services.
The settlement covers about 40 million people who had payment card data stolen, and more than 52 million people who had email addresses stolen. There was some overlap between the groups. The company estimated $161 million of pre-tax expenses for the breach, including the consumer settlement and expected insurance proceeds.
- Adobe
Date: October 2013
Impact: Theft of credit/debit card information of 56 million customers.
Details: Originally reported in early October by security blogger Brian Krebs, it took weeks to figure out the scale of the breach and what it included. The company originally reported that hackers had stolen nearly 3 million encrypted customer credit card records, plus login data for an undetermined number of user accounts.
Later in the month, Adobe said the attackers had accessed IDs and encrypted passwords for 38 million “active users.” But Krebs reported that a file posted just days earlier “appears to include more than 150 million username and hashed password pairs taken from Adobe.” After weeks of research, it eventually turned out that the hack had also exposed customer names, IDs, passwords and debit and credit card information, as well as the source code of several Adobe products.
In August 2015, an agreement called for Adobe to pay $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported at $1 million.
Data breaches happen daily, in too many places at once to keep count. But what constitutes a huge breach versus a small one? The above list constitutes some of the biggest or most significant breaches of the 21st century.
The list is based not necessarily on the number of records compromised, but on how much risk or damage the breach caused for companies, insurers and users or account holders. In some cases, passwords and other information were well protected by encryption, so a password reset eliminated the bulk of the risk.
When you become a member of YourPrivacyRights.org, you are joining a group of millions of Americans who believe their personal data should be confidential and not posted on the Internet without consent. As a united group of members of YourPrivacyRights.org we can effect positive changes in the federal privacy laws that will enforce strict guidelines on corporations and entities that are publishing personal and confidential data on the Internet.
Become a member and gain access to our members only section which includes a members only forum, fraud & scam alerts, proposed changes to the federal privacy laws, tips on protecting your privacy and how to remove your personal information from the Internet and more.