The Most Infamous Data Breaches of the Last Decade
This week (22nd November 2017) it was revealed that Uber failed to disclose a cyberattack that exposed data of 57 million drivers and passengers.
The attack, in October 2016, exposed personal information such as names and email addresses of customers worldwide and some 600,000 drivers.
While this example from Uber is one of many cyberattacks that happen every day, the last 10 years has seen a number of high profile attacks which have led to a significant amount of personal data being compromised.
To highlight these attacks, we have comprised a list of the most infamous and high profile data breaches over the last decade.
There have been a number of data breaches of the Yahoo’s 22 years existing. In September 2016 they reported that a 2013 breach, which they said was carried out by a ‘state sponsored actor’, had compromised the names, phone numbers, email addresses and dates of birth of 500 million users. 500 million was a ‘record’ at the time for the largest ever data breach.
Role on a few months to December where they disclosed that a different breach, in 2013, had compromised information of 1 billion other users. This later was revised to 3 billion in October 2017 – which was every single account that existed in August 2013.
In a statement, Yahoo said "Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected.
"It is important to note that, in connection with Yahoo's December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts.
"The company required all users who had not changed their passwords since the time of the theft to do so. Yahoo also invalidated unencrypted security questions and answers so they cannot be used to access an account."
One of the big four accountancy firms, Deloitte, was hit by an attack in September 2017. The attackers gained details of the firms ‘blue chip’ clients, including; usernames, passwords, confidential emails and personal info.
The attack – which went unnoticed for several months – was carried out by compromising an admin account and accessing restricted areas and information on six unnamed clients. Access was gained through the admin account because 2-factor authentication was not in place, just single password protection.
The Equifax attack mainly affected US consumers, 149 million to be exact. Revealing their social security numbers, dates of birth and addresses. This is data which could be used to open bank accounts and apply for loans in the owner’s name. 200,000 credit card numbers were also compromised in the attack.
UK consumers weren’t totally let off the hook though, the data of 694,000 individuals and financial information of 15,000 were stolen.
The attack was as a result of Equifax not patching a piece of software. As a result, it was relatively simple for the attacker in question to exploit the vulnerability and gain access to the system.
To rub a bit of salt in the wound, Equifax set up a dedicated website to assist victims which had a number of vulnerabilities and was compromised when someone set up a similar phishing site. This phishing site ended up being erroneously promoted by Equifax themselves.
In November 2016 Three revealed an attacker had accessed their upgrade database with an employee’s login details. At the time they announced no financial information was stolen, but names, phone numbers, date of births and home addresses of 133,827 people were. However, in October 2017 they announced that a further 76,373 accounts had been compromised in the attack.
The attackers entered through an employee’s login and triggered phone upgrades in an effort to steal the devices before they reached the customers.
It is worth mentioning that along with a few other attacks we have talked about here, the focus has been on whether financial information has been stolen. However, financial information is arguably the easiest to change if stolen. Names, dates of birth and home addresses are not, and it is this information that is stored, sold and used for financial gain and potential ID theft.
In late 2016 Tesco Bank froze their operations after 20,000 customers had money stolen from their accounts, with 40,000 compromised in total. Tesco didn’t provide details of the attack but did guarantee they would pay back all the money stolen from their customers.
This attack promoted Adrian Davis, Managing director for EMEA (ISC)2, the independent body for infosec professionals, to say "I believe we are at a point where, despite growing awareness of the issues, business leaders are losing control and visibility of core business risk," Davis said. "They have not realised just how much their organisations have changed in the digital age and how this is leaving them vulnerable. They have not treated cyber risk as anything more than an IT problem, and now they, and we, are paying the price."
Announced in Oct 2015, TalkTalk initially couldn’t put a number on the breach but did state the attack was a result of a weakness on the company’s website. Eventually, TalkTalk did reveal that a ‘mere’ 157,000 accounts had been compromised.
One could argue that it is this attack that led to the rising number of breaches reaching the mainstream and becoming a highly political issue, as this was the second (and possibly third) that TalkTalk had suffered within the previous twelve months.
Going down as the first big data breach that affected users all over the world and the largest at the time, 77 million customer records, including a handful of credit card numbers, were stolen in 2011.
According to a company, an intruder hacked into its network and gained access to just about every significant piece of data that subscribers store on the system, including passwords, logins, online IDs and even addresses, birth dates and purchase histories.
Furthermore, the attack took down the company’s PSN system for over 3 weeks, some customers had money stolen and Sony was fined £250,000 by the UK’s ICO.