Data breaches happen daily, in too many places at once to keep count. But what constitutes a huge breach versus a small one? CSO compiled a list of 18 of the biggest or most significant breaches of the 21stcentury.
This list is based not necessarily on the number of records compromised, but on how much risk or damage the breach caused for companies, insurers and users or account holders. In some cases, passwords and other information were well protected by encryption, so a password reset eliminated the bulk of the risk.
Impact: 3 billion user accounts
Details: In September 2016, the once dominant Internet giant, while in negotiations to sell itself to Verizon, announced it had been the victim of the biggest data breach in history, likely by “a state-sponsored actor,” in 2014. The attack compromised the real names, email addresses, dates of birth and telephone numbers of 500 million users. The company said the “vast majority” of the passwords involved had been hashed using the robust bcrypt algorithm.
A couple of months later, in December, it buried that earlier record with the disclosure that a breach in 2013, by a different group of hackers had compromised 1 billion accounts. Besides names, dates of birth, email addresses and passwords that were not as well protected as those involved in 2014, security questions and answers were also compromised. In October of 2017, Yahoo revised that estimate, saying that, in fact, all 3 billion user accounts had been compromised.
The breaches knocked an estimated $350 million off Yahoo’s sale price. Verizon eventually paid $4.48 billion for Yahoo’s core Internet business. The agreement called for the two companies to share regulatory and legal liabilities from the breaches. The sale did not include a reported investment in Alibaba Group Holding of $41.3 billion and an ownership interest in Yahoo Japan of $9.3 billion.
Yahoo, founded in 1994, had once been valued at $100 billion. After the sale, the company changed its name to Altaba, Inc.
2. Marriott International
Impact: 500 million customers
Details: In November 2018, Marriott International announced that cyber thieves had stolen data on approximately 500 million customers. The breach actually occurred on systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018.
For some of the victims, only name and contact information were compromised. The attackers were able to take some combination of contact info, passport number, Starwood Preferred Guest numbers, travel information, and other personal information. Marriott believes that credit card numbers and expiration dates of more than 100 million customers were stolen, although the company is uncertain whether the attackers were able to decrypt the credit card numbers.
The breach was eventually attributed to a Chinese intelligence group seeking to gather data on US citizens, according to a New York Times article. If true, this would be the largest known breach of personal data conducted by a nation-state.
3. Adult Friend Finder
Date: October 2016
Impact: More than 412.2 million accounts
Details: The FriendFinder Network, which included casual hookup and adult content websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com, was breached sometime in mid-October 2016. Hackers collected 20 years of data on six databases that included names, email addresses and passwords.
Most of the passwords were protected only by the weak SHA-1 hashing algorithm, which meant that 99 percent of them had been cracked by the time LeakedSource.com published its analysis of the entire data set on November 14.
CSO Online’s Steve Ragan reported at the time that, “a researcher who goes by 1×0123 on Twitter and by Revolver in other circles posted screenshots taken on Adult Friend Finder (that) show a Local File Inclusion vulnerability (LFI) being triggered.” He said the vulnerability, discovered in a module on the production servers used by Adult Friend Finder, “was being exploited.”
AFF Vice President Diana Ballou issued a statement saying, “We did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability.”
Date: May 2014
Impact: 145 million users compromised
Details: The online auction giant reported a cyberattack in May 2014 that it said exposed names, addresses, dates of birth and encrypted passwords of all of its 145 million users. The company said hackers got into the company network using the credentials of three corporate employees, and had complete inside access for 229 days, during which time they were able to make their way to the user database.
It asked its customers to change their passwords, but said financial information, such as credit card numbers, was stored separately and was not compromised. The company was criticized at the time for a lack of communication informing its users and poor implementation of the password-renewal process.
CEO John Donahue said the breach resulted in a decline in user activity, but had little impact on the bottom line – its Q2 revenue was up 13 percent and earnings up 6 percent, in line with analyst expectations.
Date: July 29 2017
Impact: Personal information (including Social Security Numbers, birth dates, addresses, and in some cases drivers’ license numbers) of 143 million consumers; 209,000 consumers also had their credit card data exposed.
Details: Equifax, one of the largest credit bureaus in the U.S., said on Sept. 7, 2017 that an application vulnerability on one of their websites led to a data breach that exposed about 147.9 million consumers. The breach was discovered on July 29, but the company says that it likely started in mid-May.
6. Heartland Payment Systems
Date: March 2008
Impact: 134 million credit cards exposed through SQL injection to install spyware on Heartland’s data systems.
Details: At the time of the breach, Heartland was processing 100 million payment card transactions per month for 175,000 merchants – most small- to mid-sized retailers. It wasn’t discovered until January 2009, when Visa and MasterCard notified Heartland of suspicious transactions from accounts it had processed.
Among the consequences were that Heartland was deemed out of compliance with the Payment Card Industry Data Security Standard (PCI DSS) and was not allowed to process the payments of major credit card providers until May 2009. The company also paid out an estimated $145 million in compensation for fraudulent payments.
A federal grand jury indicted Albert Gonzalez and two unnamed Russian accomplices in 2009. Gonzalez, a Cuban-American, was alleged to have masterminded the international operation that stole the credit and debit cards. In March 2010 he was sentenced to 20 years in federal prison. The vulnerability to SQL injection was well understood and security analysts had warned retailers about it for several years. Yet, the continuing vulnerability of many Web-facing applications made SQL injection the most common form of attack against Web sites at the time.
7. Target Stores
Date: December 2013
Impact: Credit/debit card information and/or contact information of up to 110 million people compromised.
Details: The breach actually began before Thanksgiving, but was not discovered until several weeks later. The retail giant initially announced that hackers had gained access through a third-party HVAC vender to its point-of-sale (POS) payment card readers, and had collected about 40 million credit and debit card numbers.
By January 2014, however, the company upped that estimate, reporting that personally identifiable information (PII) of 70 million of its customers had been compromised. That included full names, addresses, email addresses and telephone numbers. The final estimate is that the breach affected as many as 110 million customers.
Target’s CIO resigned in March 2014, and its CEO resigned in May. The company recently estimated the cost of the breach at $162 million.
The company was credited with making significant security improvements. However, a settlement announced in May 2017 that gave Target 180 days to make specific security improvements was described by Tom Kellermann, CEO of Strategic Cyber Ventures and former CSO of Trend Micro, as a “slap on the wrist.” He also said it, “represents yesterday’s security paradigm,” since the requirements focus on keeping attackers out and not on improving incident response.
8. TJX Companies, Inc.
Date: December 2006
Impact: 94 million credit cards exposed.
Details: There are conflicting accounts about how this happened. One supposes that a group of hackers took advantage of a weak data encryption system and stole credit card data during a wireless transfer between two Marshall’s stores in Miami, Fla. The other has them breaking into the TJX network through in-store kiosks that allowed people to apply for jobs electronically.
Albert Gonzalez, hacking legend and ringleader of the Heartland breach, was convicted in 2010 of leading the gang of thieves who stole the credit cards, and sentenced to 20 years in prison, while 11 others were arrested. He had been working as a paid informant for the US Secret Service, at a $75,000 salary at the time of the crimes. The government claimed in its sentencing memo that companies, banks and insurers lost close to $200 million.
Date: Late 2016
Impact: Personal information of 57 million Uber users and 600,000 drivers exposed.
Details: The scope of the Uber breach alone warrants its inclusion on this list, and it’s not the worst part of the hack. The way Uber handled the breach once discovered is one big hot mess, and it’s a lesson for other companies on what not to do.
The company learned in late 2016 that two hackers were able to get names, email addresses, and mobile phone numbers of 57 users of the Uber app. They also got the driver license numbers of 600,000 Uber drivers. As far as we know, no other data such as credit card or Social Security numbers were stolen. The hackers were able to access Uber’s GitHub account, where they found username and password credentials to Uber’s AWS account. Those credentials should never have been on GitHub.
Here’s the really bad part: It wasn’t until about a year later that Uber made the breach public. What’s worse, they paid the hackers $100,000 to destroy the data with no way to verify that they did, claiming it was a “bug bounty” fee. Uber fired its CSO because of the breach, effectively placing the blame on him.
The breach is believed to have cost Uber dearly in both reputation and money. At the time that the breach was announced, the company was in negotiations to sell a stake to Softbank. Initially, Uber’s valuation was $68 billion. By the time the deal closed in December, its valuation dropped to $48 billion. Not all of the drop is attributable to the breach, but analysts see it being a significant factor.
10. JP Morgan Chase
Date: July 2014
Impact: 76 million households and 7 million small businesses
Details: The largest bank in the nation was the victim of a hack during the summer of 2014 that compromised the data of more than half of all US households – 76 million – plus 7 million small businesses. The data included contact information – names, addresses, phone numbers and email addresses – as well as internal information about the users, according to a filing with the Securities and Exchange Commission.
The bank said no customer money had been stolen and that there was “no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.”
Still, the hackers were reportedly able to gain “root” privileges on more than 90 of the bank’s servers, which meant they could take actions including transferring funds and closing accounts. According to the SANS Institute, JP Morgan spends $250 million on security every year.
In November 2015, federal authorities indicted four men, charging them with the JP Morgan hack plus other financial institutions. Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein faced 23 counts, including unauthorized access of computers, identity theft, securities and wire fraud and money laundering that netted them an estimated $100 million. A fourth hacker who helped them breach the networks was not identified.
Shalon and Orenstein, both Israelis, pleaded not guilty in June 2016. Aaron was arrested at JFK Airport in New York last December.
11. US Office of Personnel Management (OPM)
Impact: Personal information of 22 million current and former federal employees
Details: Hackers, said to be from China, were inside the OPM system starting in 2012, but were not detected until March 20, 2014. A second hacker, or group, gained access to OPM through a third-party contractor in May 2014, but was not discovered until nearly a year later. The intruders exfiltrated personal data – including in many cases detailed security clearance information and fingerprint data.
Last year, former FBI director James Comey spoke of the information contained in the so-called SF-86 form, used for conducting background checks for employee security clearances. “My SF-86 lists every place I’ve ever lived since I was 18, every foreign travel I’ve ever taken, all of my family, their addresses,” he said. “So it’s not just my identity that’s affected. I’ve got siblings. I’ve got five kids. All of that is in there.”
A report, released last fall by the House Committee on Oversight and Government Reform summed up the damage in its title: “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation.”
12. Sony’s PlayStation Network
Date: April 20, 2011
Impact: 77 million PlayStation Network accounts hacked; estimated losses of $171 million while the site was down for a month.
Details: This is viewed as the worst gaming community data breach of all-time. Of more than 77 million accounts affected, 12 million had unencrypted credit card numbers. Hackers gained access to full names, passwords, e-mails, home addresses, purchase history, credit card numbers and PSN/Qriocity logins and passwords. “It’s enough to make every good security person wonder, ‘If this is what it’s like at Sony, what’s it like at every other multi-national company that’s sitting on millions of user data records?'” said eIQnetworks’ John Linkous. He says it should remind those in IT security to identify and apply security controls consistently across their organizations. For customers, “Be careful whom you give your data to. It may not be worth the price to get access to online games or other virtual assets.”
In 2014, Sony agreed to a preliminary $15 million settlement in a class action lawsuit over the breach.
Date: February 2015
Impact: Theft of personal information on up to 78.8 million current and former customers.
Details: The second-largest health insurer in the U.S., formerly known as WellPoint, said a cyberattack had exposed the names, addresses, Social Security numbers, dates of birth and employment histories of current and former customers – everything necessary to steal identity.
Fortune reported in January that a nationwide investigation concluded that a foreign government likely recruited the hackers who conducted what was said to be the largest data breach in healthcare history. It reportedly began a year before it was announced, when a single user at an Anthem subsidiary clicked on a link in a phishing email. The total cost of the breach is not yet known, but it is expected to exceed $100 million.
Anthem said in 2016 that there was no evidence that members’ data have been sold, shared or used fraudulently. Credit card and medical information also allegedly has not been taken.
14. RSA Security
Date: March 2011
Impact: Possibly 40 million employee records stolen.
Details: The impact of the cyberattack that stole information on the security giant’s SecurID authentication tokens is still being debated. RSA, the security division of EMC, said two separate hacker groups worked in collaboration with a foreign government to launch a series of phishing attacks against RSA employees, posing as people the employees trusted, to penetrate the company’s network.
EMC reported last July that it had spent at least $66 million on remediation. According to RSA executives, no customers’ networks were breached. John Linkous, vice president, chief security and compliance officer of eIQnetworks, Inc. doesn’t buy it. “RSA didn’t help the matter by initially being vague about both the attack vector, and (more importantly) the data that was stolen,” he says. “It was only a matter of time before subsequent attacks on Lockheed-Martin, L3 and others occurred, all of which are believed to be partially enabled by the RSA breach.” Beyond that was psychological damage. Among the lessons, he said, are that even good security companies like RSA are not immune to being hacked.
Jennifer Bayuk, an independent information security consultant and professor at Stevens Institute of Technology, told SearchSecurity in 2012 that the breach was, “a huge blow to the security product industry because RSA was such an icon. They’re the quintessential security vendor. For them to be a point of vulnerability was a real shocker. I don’t think anyone’s gotten over that,” she said.
Date: Sometime in 2010, but origins date to 2005
Impact: Meant to attack Iran’s nuclear power program, but will also serve as a template for real-world intrusion and service disruption of power grids, water supplies or public transportation systems.
Details: The immediate effects of the malicious Stuxnet worm were minimal – at least in the United States – but numerous experts rank it among the top large-scale breaches because it was a cyberattack that yielded physical results.
Its malware, designed to target only Siemens SCADA systems, damaged Iran’s nuclear program by destroying an estimated 984 uranium enrichment centrifuges. The attack has been attributed to a joint effort by the US and Israel, although never officially acknowledged as such.
Date: Throughout 2010
Impact: Undisclosed information stolen
Details: Security experts are unanimous in saying that the most troubling thing about the VeriSign breach, or breaches, in which hackers gained access to privileged systems and information, is the way the company handled it – poorly. VeriSign never announced the attacks. The incidents did not become public until 2011, and then only through a new SEC-mandated filing.
As PCWorld put it, “VeriSign buried the information in a quarterly Securities and Exchange Commission (SEC) filing as if it was just another mundane tidbit.”
VeriSign said no critical systems such as the DNS servers or the certificate servers were compromised, but did say that, “access was gained to information on a small portion of our computers and servers.” It has yet to report what the information stolen was and what impact it could have on the company or its customers.
17. Home Depot
Date: September 2014
Impact: Theft of credit/debit card information of 56 million customers.
Details: The hardware and building supply retailer announced in September what had been suspected for some weeks – that beginning in April or May, its POS systems had been infected with malware. The company later said an investigation concluded that a “unique, custom-built” malware had been used, which posed as anti-virus software.
In March 2016, the company agreed to pay at least $19.5 million to compensate US consumers through a $13 million fund to reimburse shoppers for out-of-pocket losses, and to spend at least $6.5 million to fund 1 1/2 years of cardholder identity protection services.
The settlement covers about 40 million people who had payment card data stolen, and more than 52 million people who had email addresses stolen. There was some overlap between the groups. The company estimated $161 million of pre-tax expenses for the breach, including the consumer settlement and expected insurance proceeds.
Date: October 2013
Impact: 38 million user records
Details: Originally reported in early October by security blogger Brian Krebs, it took weeks to figure out the scale of the breach and what it included. The company originally reported that hackers had stolen nearly 3 million encrypted customer credit card records, plus login data for an undetermined number of user accounts.
Later in the month, Adobe said the attackers had accessed IDs and encrypted passwords for 38 million “active users.” But Krebs reported that a file posted just days earlier, “appears to include more than 150 million username and hashed password pairs taken from Adobe.” After weeks of research, it eventually turned out, as well as the source code of several Adobe products, the hack had also exposed customer names, IDs, passwords and debit and credit card information.
In August 2015, an agreement called for Adobe to pay a $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported at $1 million.