Here at B2B International we take data protection very seriously, so it’s been hard to miss the news stories about data breaches that have been appearing over the past few weeks and months. In this article I will take a brief look at six of the biggest and most impactful data breaches of recent history, some you will have seen a lot in the news and some you may not.
British Airways: Customers Diverted to A Fake Website
When it Happened: June 2018.
Types of Data Exposed: Customer transaction data including credit card details names and addresses.
Number of Records: 500,000.
Why It Matters: This breach is tiny compared to the others on our list, but the fine British Airways incurred on the back of it was not. The company was fined £183m in a landmark case that demonstrates the new, tougher approach taken to enforcing data privacy in Europe. Under GDPR rules fines are no longer limited to fixed numbers but are instead assessed against the revenue of the company involved, making huge fines like this one likely to become more common going forward.
Equifax: Equifax Website Hacked
When it Happened: May 2017.
Types of Data Exposed: A wealth of personal information including bank details, credit history, drivers’ licences, credit card numbers, home addresses, social security numbers and much more.
Number of Records: About 147,000,000.
Why It Matters: The size of the breach, the comprehensive nature of the sensitive information that was compromised and the delay in Equifax reporting discovery of what happened all combine to make this data breach potentially the most damaging of all time. The $700m settlement Equifax has agreed to pay out is only part of the picture too as the company’s image has been severely damaged by the incident.
Facebook: The Cambridge Analytica Scandal
When it Happened: 2015-2016.
Types of Data Exposed: Everything in people’s Facebook accounts including private messages and content only shared with friends.
Number of Records: About 50,000,000 Facebook accounts were scraped for every scrap of data they could get.
Why It Matters: While the Equifax breach represents the exposure of hundreds of millions of individuals to potential identity theft, the fallout from Cambridge Analytica’s actions appears to have altered the fate of nations. The data they scraped from Facebook allowed them to profile and model the entire population of the UK and US, helping to target propaganda and misinformation in an effort to manipulate election outcomes.
The recent $5bn settlement agreed by Facebook, while record breaking in size is only about a month’s revenue for the internet giant and is considered by some to be too light (including the FTC who only agreed the deal 3-2). It also ensures the company’s senior execs are protected from prosecution for all past data crimes including any we don’t yet know about, which (given the three other major data breaches they have identified just in the past year) could end up making this a very good deal for Mark Zuckerberg.
Yahoo: 2013 Data Breach
When it Happened: August 2013.
Types of Data Exposed: Yahoo account details including names, dates of birth security questions and answers etc.
Number of Records: All 3,000,000,000 Yahoo accounts worldwide.
Why It Matters: The sheer scale of this breach wins it a place on the list. This is to date the largest single data-breach in history. The breach was also only identified and reported in December 2016, by which time the details had been repeatedly sold to bad actors making those affected vulnerable to fishing attacks. Verizon who purchased Yahoo in 2017 have only recently settled the class action lawsuits related to the breach and can consider the agreed $117m price tag a bargain compared to the huge numbers in the Equifax and Facebook cases. This will be cold comfort though as the damage to the Yahoo brand has already seen Verizon write off almost all of the $4.5bn valuation that the company had when they purchased it.
Marriott: Chinese Intelligence-Gathering
When it Happened: September 2018.
Types of Data Exposed: Personal details including transaction and payment card information.
Number of Records: About 383,000,000.
Why It Matters: According to the US investigation into the attack, this was part of a larger coordinated effort by the Chinese government that also targeted health insurance and security clearance information for millions of US citizens. It highlights the very real threat posed by state sponsored cybercrime even to businesses which might not consider themselves targets.
The financial consequences of this breach have not yet been established, but it almost certainly falls under GDPR meaning that Marriott could face astronomical fines of up to 4% of their annual global turnover (about $800m). Class action lawsuits are also likely, which will add to the sting. Other businesses can watch this case with interest as we will get to see if enforcement bodies treat state sponsored attacks differently than other breaches; do all big businesses need to be geared up to keep the Chinese government out?
First American Corporation: Website Business Logic Flaw
When it Happened: Discovered May 2019.
Types of Data Exposed: Mortgage transaction data including social security numbers and financial details.
Number of Records: 885,000,000.
Why It Matters: First American had by all accounts made considerable efforts to make the data they were safeguarding secure but were caught out by one of the trickier types of security vulnerability. The application on their website contained a business logic flaw which made it possible to convince the software to pass you any records stored on the server without having supplied any authentication. The fact that the type of vulnerability identified is one that most businesses do not properly address and that all that we know is that the data was accessible (so far there is no evidence that it was ever accessed by criminals) make this an interesting test case of how harshly organisations will be judged in these sorts of cases. A class action lawsuit is already being brought against the company.