This past decade has arguably been the biggest for digital advancements of all kinds, particularly cybersecurity. So why is it that we saw some of the biggest cybersecurity fails and data breaches? Let’s go to the source.
Data is the new oil
Data’s value is rocketing. So much so that in 2017 some experts believed it surpassed oil as one of the most valuable commodities across the world. It’s no surprise then to know that in the first half of 2019, according to a survey by Kaspersky, nearly one million users’ devices were attacked by malware designed to harvest data, in comparison to just under 600,000 users over the same time period the year before.
But why is data so valuable? Because it can be sold in almost every form. For example, passport details can be sold to make fake passports, credit card numbers fetch upwards of $100, and if a hacker wants to make more from stolen information, they can sell full data sets. Referred to as ‘fullz’ (slang for full information), they typically contain an individual’s name, birthdate, credit card number and social security number. The rounder, more plump the fullz, the more it’s worth.
You’d think that businesses would go over and above to protect their customers’ data. Well yes, in the most part. But, there were times when professionals took their eye of the ball and things went a bit wrong. Let’s take a look at 10 of the biggest data breaches this decade and what situation led up to this epic #FAIL in data security. Some resulted from lazy practices by the business, others from more sinister outside forces. (Disclaimer: they’re in no particular order.)
1. Tesco Bank – many mistakes in store
Date: 2016
Fail level: $3 million stolen from 9,000 Tesco Bank customer accounts
Country: UK
What was the cyber-fail?
According to the UK’s Financial Conduct Authority, Brazilian cyberattackers generated their own Tesco Bank debit card numbers and, using those virtual cards, made thousands of unauthorized transactions from current customers. But when the bank’s systems identified the threat, the team responsible sent an email to the wrong address instead of picking up the phone and explaining. So they only responded a cool 24 hours after the breach. But, instead of blocking the transactions in Brazilian real currency, they blocked the euro. As a result, the number of attacks rose even further.
What were the consequences?
Customers lost hard-earned cash and Tesco got fined nearly $20 million.
2. Yahoo! – the largest data breach of personal data. Ever.
Date: 2013
Breach level: Personal data of three billion accounts breached
Country: USA
What was the cyber-fail?
After digital thieves hacked Yahoo!’s servers, they cleaned up with a big bounty of personal data. Originally Yahoo! reported that the breach had affected one billion users, but after further investigations it later revised the estimate to say all three billion users were probably affected.
What were the consequences?
At the time, Verizon were locked in for the acquisition of Yahoo! for nearly $5 billion… this ‘little’ data breach knocked $350 million of its sale price.
3. Marriot Group and Starwood – housing hackers for years
Date: 2014-8
Breach level: Personal data of 500 million guests leaked
Country: USA
What was the cyber-fail?
The cause of this one isn’t so clear, although the New York Times have mused that it may have been a Chinese state cyberattack designed to gather intelligence. The fail is a little clearer: the breach actually occurred in 2014…but was only detected in 2018. Scary, really, considering their systems had alerted them to a potential breach when it first happened. Maybe their acquisition of Starwood around that time consumed most of their attention? What we do know is that leaving hackers to play in your system for four years is more than a little unfortunate.
What were the consequences?
Marriot Group was fined over $120 million.
4. Ashley Maddison – the wrong kind of indiscretion
Date: 2016
Breach level: Personal data of 32 million cheating spouses leaked
Country: USA
What was the cyber fail?
Some say that wherever there’s sex, there’s technology innovation. These next two examples show innovation – in cybercrime. For those not familiar, Ashley Maddison – owned by Avid Life Media (ALM) – was a dating website for married men and women looking to play away. That was until hackers, who go by the name of The Impact Team, gave them an ultimatum: take down the website or we’ll expose every one of your users – personal details, log-ins and more. This wasn’t an empty threat, as a statement of intent The Impact Team published a teaser: employee salaries and confidential internal business documents. Fair warning. Unfortunately, ALM ignored the threats and assured millions of users that their identities were secure. They were, in fact, not. Shortly afterwards, the inevitable happened.
What were the consequences?
Account details, log-ins and seven years’ worth of credit card and other payment details leaked. Reported suicides from around the world as cheating spouses were exposed. As for Ashley Maddison, they agreed to pay a $1.6m fine for “lax security.”
5. Adult Friend Finder Networks – a not-so-sexy data breach
Date: 2016
Breach level: Personal data of 412 million accounts leaked
Country: USA
What was the cyber fail?
The notoriously vulnerable SHA-1 hashing algorithm… not the most secure on the block. Adult Friend Finder (a sex and swingers website that also owned other sex cam websites) were, unwisely, using it to protect their entire user base until hackers broke through. According to LeakedSource, hackers were able to crack 99 percent of all passwords. Apart from their out-dated security measures, Adult Friend Finder assured users that if they deleted their account, their personal information would be deleted. That wasn’t the case, which led to an additional 15 million ‘deleted’ accounts being purged.
What were the consequences?
With such a sensitive subject, if malicious hackers got their hands on the data it could’ve been used for blackmail or spam campaigns.
6.eBay – shopped for a cyber-fail
Date: 2014
Breach level: Personal data of 145 million users leaked
Country: USA
What was the cyber-fail?
It doesn’t get much better than this: according to eBay, hackers jumped into their system using the credentials of three employees. The best bit? They had access for 229 days, as well as unprecedented access to complete data sets of eBay customers… ouch.
What were the consequences?
A decline in user activity and a somewhat miniscule drop in profits. Not a fine in sight.
7. Sony PlayStation – a (big) glitch in the mainframe
Date: 2011
Breach level: Personal data of 77 million users leaked
Country: UK
What was the cyber-fail?
It’s not rocket science or the last level of Donkey Kong: well-known network vulnerabilities can wreak havoc. When Sony PlayStation had one in their ranks, hackers exploited it and made sure they paid the price.
What were the consequences?
Sony paid out $15 million in compensation – plus a few million dollars of legal fees.
8. Facebook – rigging all over the world
Date: 2018
Breach level: Personal data of 50 million users leaked
Country: USA
What was the cyber-fail?
Chances are you’re already familiar with this one. Facebook changed their third-party rules in 2014, limiting developers to user data only. But Cambridge Analytica took it a bit further. They used quizzes to ‘scrape’ (or harvest, to you and me) data from users’ entire friends lists. They managed to get 50 million complete data sets, which they allegedly used to influence the Clinton v Trump USA election and the Leave or Remain EU ‘Brexit’ vote in the UK. Evidence shows it could’ve started are early as 2015 but was only detected in 2018. Facebook’s role? Well, they didn’t ever ask Cambridge Analytica where they got the data from… so who knows how deep the mismanagement went.
What were the consequences?
Facebook shares plummeted 40 percent in three months after the event, but it gets worse – they’re now staring down the barrel of a $5 billion fine. As for Cambridge Analytica, they’re understandably not trading anymore.
9. British Airways – flying the flag for outdated cybersecurity
Date: 2018
Breach level: Personal data of 500,000 thousand users leaked
Country: UK
What was the cyber-fail?
This one, allegedly, lands on the Magecart cybercrime syndicate – specialists in planting malicious scripts onto websites to steal financial data and sell it on. In this instance, they made light work of British Airways’ outdated cybersecurity defences, setting up a fake site and diverting the airline’s website visitors into their trap.
What were the consequences?
BA were fined a record-breaking $221m (£183m) for not having the right data security measures in place.
10. ExPetr (AKA NotPetya) – the cyberattack that’s bad for business
Date: 2017
Breach level: Estimated $10 billion in damages.
Country: Global
What was the cyber-fail?
Although the previous examples are all about data breaches that affected businesses and their customers, this cyberattack affected the businesses themselves. And it’s arguably the costliest in history.
ExPetr took its name from the resemblance to ransomware Petya, a piece of criminal code that encrypted files and extorted victims to pay for a key to unlock them. Unlike its predecessor, ExPetr irreversibly encrypted computers’ master boot record, which essentially controls the operating system. The twist? Victims couldn’t make payments to free themselves. There wasn’t even a key to unscramble their computers. This attack had one goal: devastation.
After being released into the wild, ExPetr originally targeted Linkos Group (a Ukranian software company) then quickly spread. From hospitals in Pennsylvania to a chocolate factory in Tasmania, the devastating effects were felt globally.
What were the consequences?
More than $10b in total damages (estimated by the White House.) But, aside from the financial blow, a few other things raised eyebrows. Reportedly, the Chernobyl nuclear plant’s radiation-monitoring system went down temporarily.
Protect your innovations from cyber-breaches
In a nutshell: cyber-breaches are costly to businesses. How costly, you ask? Kaspersky have found that the average enterprise cyber-attack costs around $1.41m. The good news: some attacks are preventable.
From money to marital status, your customer’s data is at risk when cybersecurity measures aren’t in place. The solution? Safeguard systems with top notch endpoint products and, perhaps more importantly, train colleagues to spot and know how to react when they see the first signs of a breach.
This article represents the personal opinion of the author.
Article published in 2019.
