“Trust takes a long time to create, but only a moment to destroy”
No organization has a foolproof security mechanism. There is always a window for a zero-day, or even an unnoticed vulnerability, that a threat actor can exploit. What matters most is what the company learns from the incident and the steps it takes to prevent a recurrence.
Here are the top 7 most infamous data breaches of the 21st century.
1.Yahoo
Impact: 3 Billion user accounts
Details: The Internet service company reported 2 major breaches of user accounts while it was in negotiations to sell itself to Verizon in 2016. The breaches affected every user of its service. The stolen data included names, email addresses, hashed passwords, birthdays, phone numbers and, in some cases, “encrypted or unencrypted security questions and answers”. Yahoo confirmed that the hackers did not obtain bank or credit card details or any other financial information tied to Yahoo accounts.
Verizon later reduced its bid from the $4.48 Billion it had previously offered to $350 Million because of the severity of the data breach. The sale agreement required both parties to share the legal liabilities arising from the breaches.
2.Adult Friend Finder
Date: October 2016
Impact: More than 412.2 million accounts
Details: FriendFinder Networks, the parent company of Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com, was hit by a data breach in mid-October 2016. Hackers managed to collect 20 years of data from 6 different databases, including names, email addresses and passwords.
FriendFinder Networks was reportedly hacked via a Local File Inclusion (LFI) vulnerability. Most of the passwords were stored either in plain text or hashed with the weak SHA-1 algorithm, which is why 99% of them had been recovered by the time Leakedsource.com published its analysis in November 2016.
AFF Vice President Diana Ballou later issued a statement saying, “We did identify and fix a vulnerability that was related to the ability to access source code through injection vulnerability.”
3.LinkedIn
Impact: 165 Million users’ data compromised
Details: LinkedIn, which suffered a major data breach 6 years ago, warned its users as soon as it learned of the breach and asked them to reset their passwords. LinkedIn never disclosed the actual number, but it is estimated that the information of about 165 million users was exposed, including passwords that were hashed with SHA-1 but never salted.
Since the breach, LinkedIn hashes and salts all its passwords.
The social networking site also urged all its users to change their passwords and enable two-step verification as a precaution.
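Both the FriendFinder and LinkedIn entries turn on the same weakness: unsalted SHA-1 hashes. The following added example (not code from the original post or from either company) uses a constructed miniature password table to show why one precomputed table cracks every user who picked a common password, and contrasts it with the salted, iterated hashing (PBKDF2 here, a stand-in for whatever LinkedIn adopted) that defeats such shared lookups.

```python
import hashlib
import hmac
import os

# Constructed sample: a small "leaked" table of unsalted SHA-1 hashes,
# stored the way the LinkedIn and FriendFinder dumps were.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty", "letmein"]

def sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

LEAKED_UNSALTED = {
    "alice": sha1_unsalted("password"),
    "bob": sha1_unsalted("qwerty"),
    "carol": sha1_unsalted("correct horse battery staple"),
}

def crack_unsalted(leaked: dict, wordlist: list) -> dict:
    """With no salt, identical passwords give identical hashes, so one
    hash per wordlist entry builds a table that is checked against the
    whole dump at once. Returns {user: recovered_password}."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}

# Hardened form: a per-user random salt plus a slow, iterated hash.
ITERATIONS = 100_000

def hash_salted(password: str, salt: bytes = None) -> tuple:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_salted(password, salt)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)

def salted_hashes_differ(password: str) -> bool:
    """Same password for two users: different salts mean different stored
    digests, so no shared lookup table can exist for the dump."""
    s1, d1 = hash_salted(password)
    s2, d2 = hash_salted(password)
    return s1 != s2 and d1 != d2
```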
4.eBay
Date: May 2014
Impact: 145 Million users compromised
Details: The e-commerce giant reported in 2014 that there had been a massive customer data breach involving the names, dates of birth and encrypted passwords of all its 145 million users. The company revealed that the hackers got into the company network using the credentials of three of its key employees, and that they had complete access to company systems for some 230 days, during which they carried out the breach.
The company notified all its customers to change their passwords.
The company reported that financial information, such as credit card and PayPal details, was stored separately and hence was not compromised.
The breach resulted in a decline in user activity.
5.Equifax
Date: 29 July 2017
Impact: Personal information such as Social Security Numbers (SSN), birth dates and driver’s license numbers of 143 million users was compromised; 209,000 also had their credit card data exposed.
Details: The data breach happened because of a flaw in a tool used to build web applications. Equifax confirmed that it had been aware of the flaw 2 months before the hackers first gained access to the system. US-CERT, the US government’s cybersecurity arm, had identified the flaw and reported it in March 2017, after which steps were taken to patch the vulnerability.
Yet the hackers were still able to exploit it.
The tool, called Apache Struts, is widely used across many government organizations. Equifax was using it to support its online dispute portal, and the flaw allowed the hackers to take control of the website.
Equifax also identified unauthorized access to the data of certain UK and Canadian residents (it is working with the regulatory body of each country to take appropriate steps).
It has also launched a website (www.equifaxsecurity2017.com) for those potentially impacted and is offering credit monitoring to all its US consumers.
6.Heartland Payment Systems
Date: March 2008 (2008-2009)
Impact: 134 million credit cards exposed; SQL injection was used to install spyware on Heartland’s data systems.
Details: In early 2009, Heartland Payment Systems announced the largest data breach ever to affect an American company. Heartland’s breach exposed information from approximately 130 million credit and debit cards to cybercriminals.
Malware planted on Heartland’s network recorded card data as it was received from retailers. Since the company processed payments for more than 250,000 businesses across the country, the impact was enormous.
The company was deemed out of compliance with PCI-DSS (Payment Card Industry Data Security Standard) and was not allowed to process payments for any of the major credit card providers until May 2009.
The company also paid $145 million in compensation for fraudulent payments.
In 2010, Albert Gonzalez, the mastermind behind the attack, was sentenced to 20 years in prison.
7.Target
Date: December 2013
Impact: Credit/debit card information and/or contact information of up to 110 million people compromised.
Details: The retail giant announced that the hackers had gained access through a third-party vendor to its point-of-sale (POS) payment card readers during the Thanksgiving shopping surge and had collected as many as 40 million credit and debit card numbers.
In addition, the Personally Identifiable Information (PII) of 70 million people, such as names, addresses, email addresses and telephone numbers, was compromised.
The company estimated the cost of the data breach at $162 million.