Spectacular examples of data breaches

Many incidents of data protection breaches have been widely publicized around the world, although some of the most notorious have occurred at US-based companies. It's worth noting that while these examples are global, data protection breaches can happen at any organization and can be as simple as improperly sending an email or attachments, or handing over a document that contains a full version history of data.

Yahoo's largest privacy violation to date

The largest violation of user privacy ever occurred at Yahoo. A cyber attack by a Russian hacking team between 2013 and 2016 affected more than 3 billion accounts. Programs that allowed access to databases were used to steal user account records, backups and access cookies.

Stolen information included names, email addresses, phone numbers, birth dates, passwords, calendar entries and security questions.

Data privacy breach at Microsoft organization

In January 2021, Microsoft experienced a privacy breach that lasted for three months and affected 60,000 companies worldwide, including 30,000 in the United States. The attack focused on Microsoft Exchange email servers.

Four new zero-day vulnerabilities were used in the attack, allowing unauthorized access to company accounts on the servers. In addition, malware was introduced and a "backdoor" was used to gain access to other systems. The US federal government and the Federal Bureau of Investigation have accused a Chinese state-sponsored hacking group of being responsible for the attack.

First American Financial Corp

As a result of First American Financial Corp.'s weak security measures and design, personal data was leaked. In May 2019, the financial services company became the victim of an incident involving some 885 million files. The correct term for this event is data leak, not breach, as no external forces such as hackers were involved. The cause of the leak was insufficient data security and website design.

Private data was accessible without verification or authentication through the website. A link was all that was needed to access confidential documents. In addition, thanks to sequential record numbering, additional customer documents were easily accessed by changing a single digit in the URL.
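The flaw described above, a document served to anyone holding the link and record numbers that can be guessed by counting, is shown below next to a hardened handler. This is an added example, not code from First American or from the original article; the store, user names and function names are hypothetical and the sample records are constructed.

```python
import secrets

# Constructed sample store: record number -> (owner, document). Not real data.
DOCS = {
    1001: ("alice", "alice-mortgage.pdf"),
    1002: ("bob", "bob-wire-confirmation.pdf"),
    1003: ("carol", "carol-bank-statement.pdf"),
}

def fetch_vulnerable(record_no):
    """Flawed pattern: the record number in the URL is the only 'credential'."""
    entry = DOCS.get(record_no)
    return (200, entry[1]) if entry else (404, None)

# Hardened store: unguessable public IDs replace sequential record numbers.
PUBLIC_IDS = {secrets.token_urlsafe(16): rec for rec in DOCS}

def fetch_hardened(session_user, public_id):
    """Require an authenticated session AND ownership of the document."""
    if session_user is None:
        return (401, None)  # no anonymous access, link or not
    rec = PUBLIC_IDS.get(public_id)
    # Same 404 for "does not exist" and "not yours", so IDs cannot be probed.
    if rec is None or DOCS[rec][0] != session_user:
        return (404, None)
    return (200, DOCS[rec][1])

def audit_sequential_exposure(fetch, known_id, span=2):
    """Regression check: count neighbouring record numbers that answer 200
    to a caller who legitimately holds only known_id. Should be 0."""
    neighbours = [n for n in range(known_id - span, known_id + span + 1)
                  if n != known_id]
    return sum(1 for n in neighbours if fetch(n)[0] == 200)

if __name__ == "__main__":
    print("vulnerable neighbours exposed:",
          audit_sequential_exposure(fetch_vulnerable, 1002, span=1))
    print("hardened neighbours exposed:",
          audit_sequential_exposure(lambda n: fetch_hardened("bob", str(n)),
                                    1002, span=1))
```

Random identifiers alone only make guessing harder; the ownership check is what stops a leaked or forwarded link from opening someone else's document.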

The data accessed included: driver's license IDs, Social Security numbers, bank account numbers, bank transaction documents, and mortgage payment records and money transfer confirmations.

The Securities and Exchange Commission fined the company $500,000 for its mistakes, which included ignoring warning signs in earlier years.

Sensitive personal data breach at Equifax

When sensitive personal data is breached, the affected individuals usually use a credit reporting agency to monitor any unauthorized activity. However, what happens if the breach involves the credit agency itself? Such a situation occurred in 2017 with Equifax, a credit monitoring and report generation service, and affected as many as 163 million people worldwide. The public was not notified of the breach for more than a month after the company discovered it.

Because of the highly sensitive information the company handled, it was heavily criticized for poor security practices and negligence. There were a number of breaches through security gaps in internal infrastructure, but even after the first breach was discovered, there was no adequate action to fix them. Inadequate network security and overly broad user access privileges also allowed hackers to move freely between servers and access large amounts of sensitive data.

Equifax reached an agreement with the FTC, other regulators and various jurisdictions and states in 2019. The amount of the agreement was $575 million. The company also invested more than $1.4 billion to clean up the damage and rebuild its data protection infrastructure.

Facebook

Social networking platform Facebook has experienced numerous privacy violations. These incidents occurred in March 2019 (more than 600 million users) and April 2019 (540 million user records were breached), as well as later in 2019 (more than 300 million user accounts were affected).

The biggest scandal was related to Cambridge Analytica in 2018 (50-90 million user records affected), and a further incident followed in April 2021 (530 million user accounts were compromised).

The breaches involved hackers exploiting vulnerabilities, weak internal security that stored user account information in plain-text files, a third-party developer who failed to password-protect his dataset, hackers who abused Facebook's API, and data theft via a vulnerability in a quiz app.

This data included names, account names and IDs, passwords, phone numbers and more.

It turned out that Facebook was aware of the situation with Cambridge Analytica in 2015, but took no steps until a whistleblower revealed it in 2018. This resulted in the company receiving a record $5 billion fine from the FTC for continued data security breaches and lack of proper data protection practices. The FTC also filed a lawsuit against Cambridge Analytica, resulting in the resignation of the company's CEO.

Marriott International data confidentiality breach

Caused by a lack of adequate data security, the breach affected 500 million users in September 2018, when an unknown third party gained unauthorized access to Starwood's system, which stores reservation information at all of the chain's hotels.

Guest information from the past four years was copied, doubled and encrypted. Data such as names, addresses and email addresses were stolen for some 173 million customers, while data such as names, credit card information, home addresses, email addresses, phone numbers, passport numbers, Starwood account information, dates of birth, gender and booking details were stolen for some 327 million customers.

Marriott was found to have inadequate data protection measures in place, as it had not updated its reservation system for many years, leaving it vulnerable to unauthorized access. The UK Information Commissioner's Office fined Marriott $24 million for failing to maintain cybersecurity standards.

India's most extensive privacy breach in Aadhaar identification database

Aadhaar is the world's largest identification database, which holds the personal and biometric information of more than one billion citizens from India. Accounts in this system are used for bureaucratic matters, such as applying for government or financial support, opening a bank account or registering for public services.

Prior to January 2018, there was a hack of the database. Unknown hackers gained unauthorized access to the database through a website belonging to a public utility that used an API without any access control. Large amounts of personal data, including names, addresses, ID photos, phone numbers, email addresses and biometric data such as fingerprints and iris scans, had been inadequately secured for many years and were publicly accessible. In addition, unique 12-digit identification numbers stored in the database were linked to bank account information, making this incident also a credit security breach.

A security researcher raised the alarm in January about the breach and the risk, but was ignored. Despite the growing number of messages, the vulnerable API was not removed for two months after this story was published for ZDNet readers in the US. (The news service had also previously tried to contact Indian authorities, but to no avail.) The impact of the breach is difficult to assess, as the stolen data is still readily available, making identity theft easy and inexpensive.
