A Modern History of Large-Scale Data Breaches

Companies experience data breaches all the time, and honestly, they’re so widespread that it’s hard to keep track of them all. But sometimes these data breaches are so small they’re hardly worth mentioning. In fact, it usually only makes news when a lot of information or a lot of people are affected.

But what about the data breaches that don’t make the news? They can be just as dangerous, and unless you’re covered by one of the top identity theft protection services, you might not even know your financial and personal security is at risk.

In an effort to help keep you informed and your private info secure, we’ve gathered up a list of 18 of the biggest and most significant data breaches of modern history, compiled in order by the risk they posed for the account holders, users, insurers, and companies involved.

Although the following twenty-first-century data breaches didn’t always impact a large number of people, they still created a considerable amount of potential danger and big headaches for everyone involved. Which is part of the reason why it’s so important to stay in the know about the security breakdowns of the companies you do business with each day.

1. Yahoo Data Breach

In 2013 and 2014, 3 billion Yahoo user accounts were compromised. How do we know? Well, they admitted it. Two years later. That’s right. In the fall of 2016, Yahoo finally let the cat out of the bag in negotiations to have itself acquired by Verizon. It was the victim of possibly the most significant data breach in history, and no one knew.

The 2014 attack compromised the real names, dates of birth, email addresses, and telephone numbers of over 500 million users. Using the robust “bcrypt algorithm,” someone posing as a “state-sponsored actor” hashed passwords to gain access to these accounts.

As if that wasn’t enough, in December of 2016, just a couple months later, Yahoo was found to have buried a record stating that in an earlier breach in 2013, a different group of hackers gained access to 1 billion accounts.

Not only did those hackers gain access to names, dates of birth, passwords, and email addresses, but they also acquired answers to security questions. Finally, in October of 2017, almost a full year later, Yahoo revised that number to state 3 billion user accounts were compromised instead of the original 1 billion reported.

These breaches brought Yahoo’s sale price down almost $350 million. Once valued at over $100 billion, Yahoo’s core internet business finally sold to Verizon at only $4.48 billion. The companies agreed to share legal and regulatory liabilities for both data breach cases.

Verizon’s purchase price of $4.48 billion did not include a reported $41.3 billion investment in Alibaba Group Holding or a $9.3 billion ownership interest in Yahoo Japan. Yahoo was founded in 1994, and after the sale of its internet business to Verizon, changed its name to Altaba, Inc.

2. Marriott International Data Breach

Marriott had hackers accessing their computer systems for four straight years before they realized it. How is that possible? From 2014 to 2018, cyber thieves stole 500 million customers’ data.

It all started on Starwood hotel brand systems in 2014, and the attackers were still in the system when Marriott acquired the Starwood brand in 2016. They stayed there until they were discovered in September of 2018. Marriott came out with more information on the breach this past November.

For some victims, it was merely a name and contact information that was accessed. For others, it was passport numbers, travel information, and Starwood Preferred Guest numbers. More than 100 million other customers had their credit card numbers compromised. Marriott never was able to tell whether the attackers decrypted the numbers or not, but they certainly had access to them.

Eventually, the attack was pinned on an intelligence group out of China that was looking for information on U.S. citizens. While it’s still unclear whether this is true or not, it would be the largest breach of personal data to date conducted by a nation-state.

3. Adult Friend Finder Data Breach

Look, we’re not judging you for online dating. In fact, online dating has become so popular that we no longer blink an eye when our friends say they met their spouse on a dating or social media site. It works for some people, and that’s great. Except when your information is stolen.

What you do with your time is none of our business, but if you are engaging in some unsavory activities online, the last thing you want is for someone to find out about it. But that’s precisely what happened in October of 2016. FriendFinder Network owns adult content and casual hookup websites like Penthouse.com, AdultFriendFinder, iCams.com, Cams.com, and Stripshow.com.

Attackers obtained 20 years of data across 6 databases including names, email addresses, and passwords. The passwords were only protected by a not-so-strong SHA-1 hashing algorithm, so by the time they were published at LeakedSource.com, 99 percent of them had already been cracked. By November 14, the entire data set was on a published list.
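Why unsalted SHA-1 protects stored passwords so poorly, and what a stronger record looks like, as an added example that is not from the original article or from FriendFinder: identical passwords produce identical SHA-1 digests, while a salted, slow KDF (PBKDF2-HMAC-SHA256 here, an assumed choice) gives every user a distinct record, and existing SHA-1 digests can be wrapped without knowing the passwords. The function names, record format, iteration count and sample users are all constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware


def legacy_sha1(password):
    """Unsalted SHA-1 as described above: fast, and identical for identical passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_digest_groups(table):
    """Return groups of users whose stored digests match (visible password reuse)."""
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest.lower(), []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def _stretch(secret, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)


def hash_password(password, iterations=ITERATIONS):
    """New record: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = _stretch(password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def wrap_legacy(sha1_hex, iterations=ITERATIONS):
    """Strengthen a stored SHA-1 digest at rest without knowing the password."""
    salt = os.urandom(16)
    digest = _stretch(sha1_hex.lower().encode("ascii"), salt, iterations)
    return f"pbkdf2-sha1${iterations}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Check a password against either record type, comparing digests in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    if iterations < 1:
        return False
    if scheme == "pbkdf2":
        secret = password.encode("utf-8")
    elif scheme == "pbkdf2-sha1":
        secret = legacy_sha1(password).encode("ascii")
    else:
        return False
    return hmac.compare_digest(_stretch(secret, salt, iterations), expected)


if __name__ == "__main__":
    # Constructed sample table: two users picked the same password.
    table = {u: legacy_sha1(p) for u, p in
             [("alice", "sunshine1"), ("bob", "sunshine1"), ("carol", "c0rrect-horse")]}
    print("same digest:", shared_digest_groups(table))
    upgraded = {u: wrap_legacy(d) for u, d in table.items()}
    print("still same after upgrade:", upgraded["alice"] == upgraded["bob"])
    print("alice can still log in:", verify("sunshine1", upgraded["alice"]))
```

Wrapped records can be replaced with plain `pbkdf2` records the next time each user logs in successfully.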

A vulnerability discovered on the Adult Friend Finder production servers may have been exploited according to a screenshot showing a Local File Inclusion. Adult Friend Finder’s Vice President Diana Ballou even gave a statement saying that they identified and fixed a vulnerability related to access to source code. Yikes!

4. eBay Data Breach

In 2015, online auction giant, eBay, instructed their customers to change their passwords. They had been the victim of a cyber attack accessing names, dates of birth, addresses, and encrypted passwords. Every one of its 145 million users had been exposed.

The company claimed that their network was hacked using the credentials of three corporate employees and that the hackers had total access for 229 days starting in May of 2014. During that time, the hackers found the user database and acquired the information.

While eBay claimed that financial information like credit cards was stored separately, they were still condemned for poor communication in informing users of the breach and poor instructions on how to reset and renew passwords.

While the breach caused a decline in overall user activity, it had very little impact on eBay’s bottom line. Revenue in the second quarter was up by 13 percent while earnings jumped by 6 percent, meeting company expectations. Sounds like it didn’t end too poorly for eBay, data breach or not.

5. Equifax Data Breach

Equifax is one of the three major credit bureaus alongside Experian and TransUnion. They have mounds of financial and personal data stored on their servers. If there were ever a breach of their system, it would have catastrophic results for all involved. Wait, it happened recently in 2017. Whoops.

On July 29, the personal information of 143 million consumers was exposed, including birth dates, social security numbers, driver’s license numbers, and addresses. In addition, over 209,000 customers had their credit card numbers compromised.

Equifax admitted on September 7, 2017, that one of their websites had an application vulnerability that caused the data breach and exposed a total of 147.9 million consumers. The breach was discovered in July but had likely been going on since May. All in all, not as long as some of the others on the list.

6. Heartland Payment Systems Data Breach

In March of 2008, Heartland Payment Systems was processing roughly 100 million transactions every month for about 175,000 merchants. Most of these were small or mid-sized retailers. What they didn’t know was that they were inadvertently exposing 134 million credit cards to a SQL injection installing spyware on their data systems.

When they finally discovered the breach in January of 2009, they were deemed out of compliance with the Payment Card Industry Data Security Standard (PCI DSS), were prohibited from processing payments until May of 2009, and required to pay out $145 million in compensation for payments made fraudulently using their system.

A federal grand jury indicted Albert Gonzalez, a Cuban-American, and two Russian accomplices in 2009. Gonzalez was thought to have concocted the whole operation on an international scale and was sentenced to 20 years in federal prison in March of 2010.

Security analysts had been warning retailers about the SQL injection and spyware for several years, but it continued to wreak havoc on web-facing applications during this time. Unfortunately for Heartland Payment Systems, they fell victim to the scam.

7. Target Stores Data Breach

It was November of 2013 and moms everywhere were slipping into their comfy pants and oversized sweatshirts for their weekly trip to Target. Escaping, they called it, from the everyday stresses of stay-at-home motherhood. Except they weren’t escaping at all. In fact, they were walking straight into a data breach, Starbucks latte in hand.

Thanksgiving of that year saw the retail giant hacked, compromising what they estimated to be about 40 million debit and credit card numbers. Target announced that the internet criminals got access to its point of sale system via a third-party HVAC vendor.

Unfortunately, by January, Target reassessed these numbers and reported that the personal information of over 70 million customers was accessed, up 30 million from its original estimate. The full names, email addresses, phone numbers, and physical addresses of these customers were at stake.

The final estimate, once all was said and done, included 110 million customers, almost three times what they thought in the beginning. It took a massive toll on Target’s management team. The CIO turned in his resignation in March of 2014, and the CEO resigned in May of that same year. The total cost of the breach reached $162 million.

In the end, Target was given 180 days to make significant security improvements, and they did, but Tom Kellermann, Strategic Cyber Ventures CEO, says it was only a slap on the wrist. Target focused on keeping hackers out of their systems, but never improved their incident response procedures in the event it happens again.

8. TJX Companies, Inc. Data Breach

When it comes to the TJX Companies, Inc. breach of 2006, there are two theories as to how 94 million credit card numbers were exposed. One blames a group of hackers who supposedly took advantage of Marshall’s weak data encryption system, stealing credit cards during a wireless transfer between two stores in Miami. The other, slightly more sinister plan, says that they posed as people applying for jobs at in-store kiosks and broke into the TJX network electronically, and in plain sight.

No matter how it went down, we know who did it. Remember Albert Gonzalez, the ringleader, and mastermind behind the Heartland Payment Systems hijinx? One and the same. As we already know, he was convicted in 2010 and sentenced to 20 years in federal prison. Eleven others were also arrested.

At the time of the TJX stunt, Gonzalez was working for the U.S. Secret Service as a paid informant on a $75,000 salary. The entire operation cost banks, companies, and insurers almost $200 million.

9. Uber Data Breach

You either love them, or you hate them, but you have to admit, this transportation giant has revolutionized the way we think about taxis and ride sharing. The size of Uber’s data breach in late 2016 warrants a place on our list, but it’s not even the worst part. The way Uber responded to its discovery of the breach was like a train wreck you can’t look away from, and it’s a great example of what a company shouldn’t do in this situation.

When Uber learned that two hackers acquired names, phone numbers, and email addresses of 57 users on the app plus the driver’s license numbers of 600,000 Uber drivers, they kept it a secret. And not only that, but they paid the hackers $100,000 to destroy the data they had collected. Oh, yes. They claimed it was a bug bounty fee and then subsequently fired their CSO, blaming the whole thing on him.

No credit card numbers or Social Security numbers were compromised, but the hackers did gain access to Uber’s GitHub account, finding usernames and passwords to Uber’s AWS account. Uber should never have put those credentials on GitHub in the first place.
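One mitigation for credentials committed to a repository, as an added example that is not from the original article or from Uber: a check, runnable as a pre-commit step, that flags AWS-style keys and hardcoded passwords before they are pushed. The regex rules, the `Finding` type, the function names and the sample files are assumptions constructed for illustration; the key values are the placeholder credentials used in AWS documentation.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    redacted: str


# Heuristic rules (assumptions, not an exhaustive list of credential formats).
RULES = [
    # Access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")),
    # A 40-character value assigned to a name containing "secret".
    ("aws-secret-access-key", re.compile(
        r"""\b[\w.-]*secret[\w.-]*["']?\s*[:=]\s*["']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])""",
        re.IGNORECASE)),
    # A quoted literal assigned to a name containing "password" or "passwd".
    ("hardcoded-password", re.compile(
        r"""\b[\w.-]*passw(?:or)?d[\w.-]*["']?\s*[:=]\s*["']([^"'\s]{6,})["']""",
        re.IGNORECASE)),
]


def redact(value, keep=4):
    """Keep a short prefix so the finding is identifiable but not reusable."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(path, text):
    """Return a Finding for every rule match, with 1-based line numbers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, rule, redact(match.group(1))))
    return findings


def scan_files(files):
    """files maps path -> content, e.g. the staged files of a commit."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed sample repository content; the AWS values are documentation placeholders.
SAMPLE_FILES = {
    "deploy/aws_config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "config/database.yml": 'user: app\npassword: "constructed-pw-123"\n',
    # Reading the value from the environment is the pattern that should pass.
    "app/settings.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n',
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.redacted})")
    raise SystemExit(1 if results else 0)  # non-zero exit blocks the commit
```

A key that has already reached a shared repository should be rotated, since removing it in a later commit leaves it in the history.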

This heist cost Uber money and its reputation. When they announced the breach, and probably why they attempted to keep it hidden for so long, they were negotiating to sell a portion of the company to Softbank. Their valuation dropped from $68 billion to $48 billion in a matter of months.

10. JP Morgan Chase Data Breach

Imagine a data breach affecting more than half of the U.S. That’s 76 million households. Well, it happened to JP Morgan Chase in July of 2014. Not only that, but 7 million small businesses were victims as well. The hack of the largest bank in the nation compromised the names, phone numbers, emails, home addresses, and other internal information of all persons and businesses involved.

While no customer money was stolen and there was no evidence that account numbers, user IDs, dates of birth, passwords, or Social Security numbers were compromised, the hackers were still able to obtain root privileges to 90 bank servers. That means they had admin level access to the entire system and could very easily have moved money around or withdrawn and closed accounts.

Despite the fact that JP Morgan reportedly spends $250 million on advanced security every year, they still weren’t able to ward off the Internet demons. Authorities indicted four men in November of 2015 in the JP Morgan case.

Gery Shalon, Ziv Orenstein, and Joshua Samuel Aaron faced 23 counts of identity theft, unauthorized access of computers, wire fraud, and money laundering, netting an estimated $100 million. The fourth hacker was not identified. Shalon and Orenstein both pleaded not guilty (insert eye roll here).

11. U.S. Office of Personnel Management (OPM) Data Breach

A report entitled “The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation” might catch your attention. Hackers from China gained access to the U.S. Office of Personnel Management (OPM) system and were inside undetected from 2012 to 2014.

Yet another hacker gained access via a third-party contractor and went unnoticed for almost a year. They acquired personal information on government employees, including fingerprint data and detailed security clearance information.

Former FBI director James Comey expressed his frustration with the situation and the information contained in his SF86 form by bringing to light the fact that it contained information on his siblings, his children, their addresses, every place he has lived since he was eighteen, and so much more. It wasn’t just the lives of the 22 million current and former federal employees affected – it was also the lives of everyone they knew.

12. Sony’s PlayStation Data Breach

PlayStation earns the award for the worst gaming community data breach of all-time. In April of 2011, 77 million PlayStation accounts were affected, and of those, 12 million had credit cards stored in the system. The hackers got access to names, emails, passwords, addresses, credit card numbers, purchase history, and PSN/Qriocity login information.

If it could happen at Sony, it could happen with any gaming community, and the incident made gamers stop and rethink where they share their information and which online gaming communities they want to be a part of in the first place. In a 2014 settlement, Sony paid $15 million in a class action lawsuit regarding the breach.

13. Anthem Health Insurance Data Breach

Anthem, formerly WellPoint, is the second largest provider of health insurance in the U.S. In February of 2015, a cyber attack claimed the names, Social Security numbers, dates of birth, addresses, and employment records of 78.8 million former and current customers, although they didn’t take medical information or credit card numbers.

The hacking began one year before it was announced when a user at a subsidiary of Anthem followed a link in a phishing email. A nationwide investigation found in January of the following year that a foreign government was responsible for recruiting hackers who carried out the largest data breach in healthcare history.

The breach cost over $100 million, although Anthem Health Insurance reported that the data of their members was never sold, used fraudulently, or shared. So, that’s something. We guess.

14. RSA Security Data Breach

No one quite knows the impact of the cyber attack that saw 40 million employee records stolen from the RSA Security authentication token, SecurID. It didn’t help that in the beginning, RSA was very vague about the information that was stolen and about the attack itself. The security giant claimed that two different groups of hackers worked together with a foreign government in 2011 to pose as people whom the employees trusted in order to penetrate RSA’s network.

RSA’s parent company, EMC, reported that they spent more than $66 million on remediation after the attacks, but that no customer networks were ever breached. The vice president and chief of security and compliance officer of eIQnetworks, Inc. said he doesn’t believe it. Based on RSA’s secretive nature and reluctance to provide information, the attack had to have been much bigger than we think.

Once the RSA Security icon fell, it wasn’t long before other attacks on other large companies in the industry started to happen. Lockheed-Martin, L3, and some others could have been enabled or encouraged by the breach on RSA. If you can hack RSA, one of the biggest, you can surely hack into the others. The whole thing proved that not even the best security companies are immune.

While there wasn’t a lot of publicity surrounding this event outside of the security world and it didn’t seem like the impact was as widespread as some of the others on this list, it was a massive blow to the industry. RSA’s vulnerability shocked everyone.

15. Stuxnet Data Breach

The Stuxnet computer worm was a malicious virus meant to attack Iran’s nuclear power program. It was discovered in 2010, but it had been infesting the system since its origin date, which was sometime in 2005. An American/Israeli team is suspected to have developed it, and it gives us a real-world idea of just how vulnerable our physical assets like power grids, water supplies, and public transportation systems are.

While the attackers didn’t steal personal records and the effect in the United States was minimal, they did damage Iran’s nuclear program. Stuxnet destroyed 984 uranium enrichment centrifuges on the Siemens SCADA system.

The impact of this is enormous because Siemens develops SCADA systems for many organizations worldwide. Stuxnet initially spread via the Windows operating system, but its programming allowed it to multiply quickly once inside. In simple terms, this all means that the potential for it to impact other systems powering the first-world amenities we enjoy in other parts of the world is very real.

16. VeriSign Data Breach

Throughout 2010, hackers gained access to undisclosed VeriSign systems and information through a single breach. Or perhaps multiple breaches. Actually, we’re not really sure. VeriSign decided to bury the disclosure of the event in another quarterly Securities and Exchange Commission (SEC) update.

Instead of owning up to the attacks, VeriSign chose not to admit they were hacked until almost a year later. And they only reported it because of a new SEC mandate requiring them to do so. Buried in the midst of the filing was information about VeriSign’s vulnerability as if it wasn’t a big deal. We still don’t even know what information was stolen.

VeriSign claims that no critical systems like DNS servers or certificate servers were accessed. However, they admit that the hackers did gain access to what they call “a small portion” of their computers and servers. This leaves the rest of us in the dark with no concept of the impact on the company itself or its customers.

17. Home Depot Data Breach

The good thing about the 2014 Home Depot data breach is that they found it relatively quickly. Finding the malware infecting Home Depot’s system only took a matter of months. However, that didn’t stop thieves from stealing the debit and credit card information of more than 56 million customers first.

Beginning in the spring of 2014, a unique piece of malware, custom-built for Home Depot’s point of sale system, began to infect the computers, posing as antivirus software. Home Depot discovered it in September of that year after a thorough investigation. They also owned up to the attack only weeks after they found it, assuaging customers’ concerns and handling it in a way that showed dignity and concern for its customers’ welfare.

The company also willingly paid more than $19.5 million in March of 2016 to compensate its U.S. customers. They established a $13 million fund to reimburse customers for any out-of-pocket losses they incurred as a result of the breach. On top of that, Home Depot provided $6.5 million in identity protection services to those affected.

This settlement covered the 52 million people who had their email addresses stolen and the 40 million people whose credit card data was compromised. Home Depot spent an estimated $161 million in their pre-tax expenses to pay out consumer settlements and insurance proceeds.

The impact on their business was short-lived, as evidenced by their large size to date, and we feel like this is primarily due to the way they handled the situation. They warrant a spot on our list, but they’re toward the bottom because it could have been much worse. Good job, Home Depot!

18. Adobe Data Breach

It was reported in early October of 2013 that software giant, Adobe, had been a victim of a security breach involving 38 million user records including credit cards and login details. How long it had been going on before that, we don’t know.

While it took weeks to determine how substantial the breach actually was, Adobe originally stated that only 3 million credit cards were affected along with an undisclosed number of user accounts. It wasn’t until later in the month that they admitted to the true scale of the event, involving 38 million active users.

However, a few days before Adobe’s statement, a file was leaked displaying more than 150 million usernames and hashed passwords. Eventually, Adobe discovered that not only were customer names, emails, passwords, IDs, and credit and debit cards stolen, but part of Adobe’s source code was also taken.

August of 2015 saw an agreement requiring Adobe to pay almost $1.1 million in legal fees. They paid even more to users, settling their violation of the Customer Records Act and in retribution for unfair business practices. In November of 2016, they paid $1 million to customers involved in the breach.

The Bottom Line on Data Breaches

So, what’s the moral of this story? Simply put, don’t get hacked! Set up your security right the first time, and make sure processes are in place to detect suspicious activity right away. You should also seriously consider signing up for a top-rated identity theft protection service to monitor the security of your personal information 24/7 and give yourself serious peace of mind.

Because we ranked our results in order of impact, we don’t like to see companies take cues from those at the top of the list. Yahoo is a perfect example of what not to do. Don’t ignore it, don’t bury it, don’t hide it, and definitely don’t do any of those things while in negotiations with a significant acquisition partner.

Even eBay was condemned for their poor communication. They implemented a very confusing password recovery process after they were hacked. And Heartland Payment Systems were to blame for violating payment processing codes that left them exposed.

Buried in the middle of our list are some unfortunate souls. Companies like Target Stores, TJX Companies, Inc., and JP Morgan Chase were simply victims of circumstance. Target handled their data breach well despite the scope of information compromised. TJX Companies, Inc. fell victim to a notorious ringleader in the cyber attack space, which was just bad luck. JP Morgan Chase already had the correct securities in place but fell victim despite their impressive efforts.

The ones at the bottom of the list, like Adobe and Home Depot, are the examples we like to see companies follow. They find the attack, dig in, report the impact accurately, and then fix it. They dole out millions of dollars in restitution fees to their customers and often go above and beyond to protect them from future attacks.

A data breach usually costs a company millions of dollars, but the impact doesn’t stop there. If they don’t handle the situation well, they could lose even more in the long run, including current customers and new business. Whether the company is at fault or not, the best course of action is to admit it and fix it right away.