Data loss is one such area of concern for the organizations across the globe. Data is considered as the backbone of any business entity and millions of dollars are being spent to safeguard the same data to protect business and personal interests which are crucial to the survival of entities.
About 3.5 billion people saw their personal data stolen in the top two of 15 biggest breaches of this century alone. The smallest incident on this list involved the data of a mere 134 million people. Twitter, for example, left the passwords of its 330 million users unmasked in a log, but there was no evidence of any misuse. So, Twitter did not make this list.
Without further ado, here, listed in alphabetical order, are the 15 biggest data breaches in recent history, including who was affected, who was responsible, and how the companies responded.
Biggest data breaches which have shook the world:
2. Adult Friend Finder
7. Heartland Payment Systems
9. Marriott International
10. My Fitness Pal
13. Sina Weibo
Below we give you the case studies of few of the most renowned brands where massive data breaches have happened.
Impacted 153 million user records in early October of 2013 by security blogger Brian Krebs, Adobe originally reported that hackers had stolen nearly 3 million encrypted customer credit card records, plus login data for an undetermined number of user accounts.
Later that month, Adobe raised that estimate to include IDs and encrypted passwords for 38 million “active users.” Krebs reported that a file posted just days earlier “appears to include more than 150 million username and hashed password pairs taken from Adobe.” Weeks of research showed that the hack had also exposed customer names, IDs, passwords and debit and credit card information.
An agreement in August 2015 called for Adobe to pay a $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported at $1 million.
Adult Friend Finder
In October 2016, 412.2 million accounts were hacked. This breach was particularly sensitive for account holders because of the services the site offered. The Friend Finder Network, which included casual hookup and adult content websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com, was breached in mid-October 2016. The stolen data spanned 20 years on six databases and included names, email addresses and passwords.
The weak SHA-1 hashing algorithm protected most of those passwords. An estimated 99% of them had been cracked by the time LeakedSource.com published its analysis of the data set on November 14, 2016.
“A researcher who goes by 1x0123 on Twitter and by Revolver in other circles posted screenshots taken on Adult Friend Finder (that) show a Local File Inclusion vulnerability (LFI) being triggered.” He said the vulnerability, discovered in a module on the production servers used by Adult Friend Finder, “was being exploited.”
In May 2019 Australian graphic design tool website Canva suffered an attack that exposed email addresses, usernames, names, cities of residence, and salted and hashed with bcrypt passwords (for users not using social logins — around 61 million) of 137 million users. Canva says the hackers managed to view, but not steal, files with partial credit card and payment data.
The suspected culprit(s) — known as Gnosticplayers — contacted ZDNet to boast about the incident, saying that Canva had detected their attack and closed their data breach server. The attacker also claimed to have gained QAuth login tokens for users who signed in via Google.
The company confirmed the incident and subsequently notified users, prompted them to change passwords, and reset OAuth tokens. However, according to a later post by Canva, a list of approximately 4 million Canva accounts containing stolen user passwords was later decrypted and shared online, leading the company to invalidate unchanged passwords and notify users with unencrypted passwords in the list.
eBay reported that an attack exposed its entire list of 145 million users in May 2014, including names, addresses, dates of birth and encrypted passwords. The online auction giant said hackers used the credentials of three corporate employees to access its network and had complete access for 229 days—more than enough time to compromise the user database.
The company asked customers to change their passwords. Financial information, such as credit card numbers, was stored separately and was not compromised. The company was criticized at the time for a lack of communication with its users and poor implementation of the password-renewal process.
As the major social network for business professionals, LinkedIn has become an attractive proposition for attackers looking to conduct social engineering attacks. However, it has also fallen victim to leaking user data in the past.
In 2012 the company announced that 6.5 million unassociated passwords (unsalted SHA-1 hashes) were stolen by attackers and posted onto a Russian hacker forum. However, it wasn’t until 2016 that the full extent of the incident was revealed. The same hacker selling MySpace’s data was found to be offering the email addresses and passwords of around 165 million LinkedIn users for just 5 bitcoins (around $2,000 at the time). LinkedIn acknowledged that it had been made aware of the breach, and said it had reset the passwords of affected accounts.
Marriott International announced in November 2018 that attackers had stolen on approximately 500 million customers. The breach initially occurred on systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018.
The attackers were able to take some combination of contact information, passport number, Starwood Preferred Guest numbers, travel information, and other personal information. The credit card numbers and expiration dates of more than 100 million customers were believed to be stolen, but Marriott is uncertain whether the attackers were able to decrypt the credit card numbers. The breach was eventually attributed to a Chinese intelligence group seeking to gather data on US citizens, according to an investigative news.
With over 500 million users, Sina Weibo is China’s answer to Twitter. However, in March 2020 it was reported that the real names, site usernames, gender, location, and -- for 172 million users -- phone numbers had been posted for sale on dark web markets. Passwords were not included, which may indicate why the data was available for just ¥1,799 ($250).
Weibo acknowledged the data for sale was from the company, but claimed the data was obtained by matching contacts against its address book API. It also said that since doesn't store passwords in plaintext, users should have nothing to worry about. This, however, doesn’t tally as some of the information being offered such as location data, isn’t available via the API. The social media giant said it had notified authorities about the incident and China’s Cyber Security Administration of the Ministry of Industry and Information Technology said it is investigating.
Yahoo announced in September 2016 that in 2014 it had been the victim of what would be the biggest data breach in history. The attackers, which the company believed we “state-sponsored actors,” compromised the real names, email addresses, dates of birth and telephone numbers of 500 million users. Yahoo claimed that most of the compromised passwords were hashed.
Then in December 2016, Yahoo disclosed another breach from 2013 by a different attacker that compromised the names, dates of birth, email addresses and passwords, and security questions and answers of 1 billion user accounts. Yahoo revised that estimate in October 2017 to include all of its 3 billion user accounts.
The timing of the original breach announcement was bad, as Yahoo was in the process of being acquired by Verizon, which eventually paid $4.48 billion for Yahoo’s core internet business. The breaches knocked an estimated $350 million off the value of the company.
Data is one of your business’s most crucial assets, and you must implement security measures to protect you from potential hacks and data loss. You need sufficient data security and insurance, especially if your business holds customers’ personal data.
Hackers seek to steal personal information for fraudulent use. Bank account information, customer data, social security numbers, and credit card information are appealing targets for cybercriminals.
When this vital data is breached, you will face liability claims against your company by your users, and your business’s reputation will be at serious risk.
Every business today needs data loss insurance and protection.
Data Loss Insurance – what is it, and what does it entail?
Data loss insurance is a policy created to protect and support a company if it falls victim to a cyber-attack. The insurance policy provides detailed cover in the event of a claim that relates to a malicious breach of data or cyber-attack.
Data loss insurance policies offer protection if a hacker holds your business to ransom. The insurer can cover the ransom that you are forced to pay the hacker and help you manage the entire situation.
This insurance also offers practical support for when a cyberattack happens to your business. The policy should provide legal advice and forensic investigations while also sending notifications to clients and regulators and support to affected users, including credit card monitoring.
When a cyber attack targets a business’s systems, effectively preventing the company from earning revenue, the business might experience a significant income loss. Data loss insurance should provide compensation for such loss and damage to the business’s reputation.
Here are 10 Actionable Tips for Data Protection
1. Keep your software updated.
2. Set up passwords for all of your computer networks.
3. Encrypt your data.
4. Use antivirus software.
5. Only transact with accredited online stores.
6. Implement a VPN or Virtual Private Network.
7. Use Wi-Fi Protected Access 2 or WPA2
8. Invest in premium software for storing and distributing files.
9. Hire an IT team to implement security measures.
10. Acquire data loss insurance & legal help.
Keep your software updated:-
Your operating system update not only improves your computer’s functions and removes bugs, but it installs critical security updates and vulnerability patches that protect you from malware and viruses.
Set up passwords for all of your computer networks:-
Every computer in your office must have unique passwords that you must update at least once a month. Switching can slow down hackers who are trying to decrypt your passwords to breach your network.
Encrypt your data:-
There are many available encryption tools that can ensure that your data will remain unreadable and safe. If hackers access your data, they won’t be able to use the information because of encryption.
Use antivirus software:-
Viruses protect your computer from malware, viruses, and cybercrime. Antivirus software runs diagnostics on your data, including filer, web pages, software, and others that travel over the network to your device.
Antivirus software searches for threats and monitors the behavior of all programs. When it senses suspicious behavior, it flags the element in question.
Antivirus software is your baseline protection from cybercrime and data loss.
Only transact with accredited online stores:-
Do not transact with stores or services that are not verified by online security providers. Ensure that you are sending information only over to websites accredited by Norton, McAfee, TRUSTe, and others.
Implement a VPN or Virtual Private Network:-
With a Virtual Private Network, you will have an off-shore IP address, and it will be hard for hackers to track your digital footprint. Use tools like NordVPN, SurfShark, ExpressVPN, and others.
There are excellent options for trusted VPNs.
Use Wi-Fi Protected Access 2 or WPA2:-
Using WPA2 ensures that only authorized users can access your wireless networks.
Invest in premium software for storing and distributing files:-
Use paid and premium cloud software or SaaS like Dropbox, JustCloud, pCloud, SpiderOak, IDrive, etc. Use the most trusted software platforms for data storage.
Hire an IT team to implement security measures:-
Hire information technology experts that you can trust so that your company can have its own IT department. Your IT team will give your business active defense strategies that will significantly reduce your likelihood of experiencing data loss.
Acquire data loss insurance & legal help:-
Place the ultimate contingency of insurance for data loss protection. The best way to obtain insurance that will guarantee excellent service when you claim for data loss is by hiring an expert insurance litigation lawyer’s assistance.
While insurance companies promise massively, they could deliver otherwise. Delivering your claims means a loss for them, and so they will try to lessen or deny what they owe you.
An insurance attorney who knows how insurers play technical to disservice you will prevent loopholes from being planted in your policy. When you need to claim, a lawyer can help you push through and receive your entitled insurance.
Data is gold in our digital world. Businesses and even individuals have to place protective measures to keep what is theirs safe.
All of your company’s intellectual property, trade secrets, inventions, and creations, in addition to sensitive customer information, are represented in data. If this information is breached, you are in for a massive loss.
Follow LexTalk World for more news and updated from International Legal Industry