The 10 Largest Data Breaches In History
The increasing reliance on digital data storage has made many companies vulnerable to attackers who want to steal this information. Data breaches often affect millions of individuals and have devastating consequences for the companies that suffer them.
Organizations of all sizes face the challenge of protecting customer data with data security measures while keeping their systems usable. While guidelines such as the U.S. Health Insurance Portability and Accountability Act (HIPAA) and Europe’s GDPR (General Data Protection Regulation) offer best practices for storing sensitive information, they are not infallible, and major data breaches still occur regularly.
The Biggest Data Breaches Of The Century
The 10 biggest data breaches offer insight into what can go wrong and how attackers can gain unauthorized access to some of the most secure systems in the world. While attackers will constantly find new ways to gain access to sensitive information, understanding these data breach examples and vulnerabilities can improve your organization’s security.
Yahoo
The record for the biggest data breach to date is Yahoo’s 2013 breach, when hackers gained access to Yahoo’s email accounts and user accounts of associated services, including Tumblr, Flickr, Yahoo Finance, and Yahoo Fantasy Sports. The data leak affected over 3 billion user accounts, making it one of the biggest data breaches of all time.
Exposed records and stolen data included usernames, dates of birth, phone numbers, user passwords, security question answers, and other personal details.
While Yahoo has not revealed the cause of the breach, organizations can avoid this type of breach by:
- Implementing continuous monitoring of network security
- Performing regular vulnerability testing to reveal weaknesses
Aadhar
Aadhar is India’s government ID database that contains the personal information of citizens seeking government assistance. In 2018, a database leak exposed 1.1 billion people’s names, email addresses, postal codes, and telephone numbers.
Further investigation showed that former Aadhar employees were responsible for the breach through an unsecured application programming interface (API) that the state used to verify customer identities.
Measures to prevent this type of major data breach include:
- Following API security best practices
- Implementing identity and access management protocols
- Developing strategies to minimize insider threats
First American Financial
First American Financial suffered a massive data breach in 2019 affecting 885 million user accounts, exposing bank account numbers, driver’s license numbers, Social Security numbers, tax documents, and mortgage records.
As the victim of the biggest financial data breach in history, First American Financial conducted a thorough investigation that revealed a simple flaw when a user created a “secure link.”
Preventative measures could have included:
- Following API security best practices that account for insecure direct object references (IDOR)
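An added example, not part of the original article and not First American's code: the article does not describe the link format, so this sketch assumes a link that carries a document identifier. It sets an insecure direct object reference beside a hardened share link; `DOCUMENTS`, `weak_fetch` and `ShareLinks` are hypothetical names and the records are constructed.

```python
import secrets
import time

# Constructed sample store: document id -> (owner, contents). Hypothetical data.
DOCUMENTS = {
    1001: ("alice", "alice mortgage record"),
    1002: ("bob", "bob tax document"),
}


def weak_fetch(doc_id):
    """Insecure direct object reference: the id in the link is the only check,
    so anyone holding one link can read neighbouring records by changing it."""
    return DOCUMENTS[doc_id][1]


class ShareLinks:
    """Hardened form: owner check on creation, unguessable expiring tokens."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._tokens = {}  # token -> (doc_id, expiry timestamp)

    def create(self, requester, doc_id, now=None):
        now = time.time() if now is None else now
        owner, _ = DOCUMENTS[doc_id]
        if requester != owner:
            # Authorization is decided server-side, never by the link itself.
            raise PermissionError("only the owner may share this document")
        token = secrets.token_urlsafe(32)  # 256 random bits, not a counter
        self._tokens[token] = (doc_id, now + self.ttl)
        return token

    def fetch(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None or now > entry[1]:
            raise PermissionError("unknown or expired link")
        return DOCUMENTS[entry[0]][1]
```

The token maps to the document on the server, so the link never exposes an identifier that can be incremented, and an expired or unknown token fails closed.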
Onliner Spambot
Not all famous data breaches happen to large organizations. In 2020, a spam server known as Onliner collected information from 711 million users, including email addresses and passwords.
Preventative measures include:
- Enforcing a company-wide password policy that includes encrypted passwords
- Working with a managed service provider in San Francisco to conduct vulnerability testing and implement password best practices
Facebook
Facebook disclosed a 2021 database leak that exposed information from 533 million affected users, including their phone numbers, IP addresses, names, birth dates, and other personal data. According to Facebook, the security breach was not a break into Facebook’s system but instead relied on a scraping strategy that allowed bots to pull data from publicly available websites.
Preventative measures include:
- Implementing a DevSecOps strategy
- Making scraping more difficult for bots and users
Yahoo (again)
Yahoo appears twice on our list of the biggest recent data breaches in history. The smaller of the two affected 500 million users in 2014, when a Russian state-sponsored attack on the site exposed information including passwords, names, email addresses, dates of birth, and phone numbers.
The breach occurred due to spear-phishing emails that targeted specific “individuals of interest.”
Mitigation strategies to prevent this type of attack include:
- Cybersecurity awareness training
- Implementing best practices to prepare for and mitigate phishing attacks
FriendFinder Networks
FriendFinder is an adult dating company that leaked 412 million user accounts dating back 20 years. The breach included the usernames and passwords of many active accounts and 15 million deleted accounts.
According to the subsequent investigation, the leak happened due to an injection vulnerability that provided access to the site’s source code and production environment.
Prevention measures include:
- Penetration testing for web app and injection vulnerabilities
Marriott International
In 2018, Marriott disclosed a breach of its recently acquired reservation system, Starwood. The breach exposed 383 million records. The database contained usernames, passport numbers, credit card information, addresses, and bank account details.
Marriott is uncertain how the breach happened. The corporation took over two years to migrate away from Starwood’s legacy infrastructure.
Prevention measures include:
- Updating old IT infrastructure
- Involving CISOs in merger planning to ensure compliance with security strategies
Twitter
Sometimes, a data breach occurs due to a system glitch instead of malicious action. In 2018, 330 million Twitter users had to change their passwords due to a bug that allowed the system to store passwords as plain-text files.
Preventative measures could include:
- Better quality control, such as a bug-bounty program
Microsoft
In 2020, Microsoft revealed a leak that contained 250 million customers’ service and support records. While the company redacted personal information, the records exposed email and location addresses.
Microsoft says the leak was not due to malicious activity but a misconfiguration of internal security rules. It may have been able to prevent the leak by:
- Adopting a zero-trust model
We Can Help Protect Your Sensitive Data From Data Breaches
How many breaches and exorbitant legal fees does it take to convince companies to take action? Whether you want to learn how to secure your computer and network at home or need protection for a corporate credit card or other payment card data, it’s vital to work with a reputable service provider.
Call us at Renascence IT Consulting at (510) 552-6896 for a security consultation today.