Data breaches have become the new normal. We’ve all heard about Equifax, but what about Sonic? Whole Foods? Pizza Hut? In a world where not even the fast food industry is immune, it’s hard to keep track of the victims, let alone predict who might be next.
But hey, it could always be worse, right? In light of these recent high-profile cases, let’s turn back the clock and remember some of the most devastating data breaches of all time.
5) Target
The trouble started just before Thanksgiving, in the middle of the holiday fraud rush. Hackers identified a third-party HVAC vendor that worked with Target. By breaching the vendor’s systems, the hackers were able to access Target’s point-of-sale card readers. When the seasonal fraud rush died down and the candy cane dust settled, Target discovered that the hackers had collected personal information belonging to around 40 million customers. That estimate later rose to 110 million.
Not long after Target discovered the breach, the company’s CIO and CEO resigned, facing a $162 million bill for the damage. But Target learned from its mistakes and immediately implemented top-of-the-line security measures, right? Not so fast. The CEO of Strategic Cyber Ventures says that Target’s post-data breach security improvements have not done much to resolve its key vulnerabilities, and “represent yesterday’s security paradigm.”
4) Heartland Payment Systems
When the Heartland data breach happened, the payment processing provider was processing about 100 million transactions a month for 175,000 merchants. Though the breach occurred in 2008, it wasn’t discovered until a year later, when analysts from Visa and MasterCard noticed suspicious transactions coming from accounts Heartland had processed. Ultimately, hackers stole data from about 134 million credit cards.
The hackers used a technique called SQL injection, one of the oldest and most prevalent web application vulnerabilities. SQL injection occurs when a site prompts for input, like a username or user ID, and the hacker instead supplies a malicious SQL statement that the application passes to its database as part of a query. The Heartland hackers’ nefarious SQL statements allowed them to access credit card information stored in Heartland’s databases. Researchers had warned companies like Heartland about SQL injection vulnerabilities for years, but reports say Heartland brushed off the concerns.
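To make the mechanism concrete, here is an added example (not code from the original post or from any Heartland system) showing the same lookup written with string concatenation and with a parameterized query. The table, the function names, the merchant ID format and the test card numbers are all constructed for illustration.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: made-up merchant IDs and well-known test card numbers.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (merchant_id TEXT, card_number TEXT)")
    db.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [
            ("m-1001", "4111111111111111"),
            ("m-1002", "5555555555554444"),
            ("m-1003", "4012888888881881"),
        ],
    )
    return db


def lookup_vulnerable(db, merchant_id):
    # Flawed on purpose: the input is pasted into the SQL text, so the
    # database parses whatever the user typed as part of the statement.
    query = "SELECT card_number FROM cards WHERE merchant_id = '" + merchant_id + "'"
    return [row[0] for row in db.execute(query)]


def lookup_parameterized(db, merchant_id):
    # Hardened: the ? placeholder sends the input as a bound value, so it is
    # only ever compared against the column, never parsed as SQL.
    query = "SELECT card_number FROM cards WHERE merchant_id = ?"
    return [row[0] for row in db.execute(query, (merchant_id,))]


def is_valid_merchant_id(value):
    # Defense in depth: allowlist the expected ID shape (assumed format)
    # before the value reaches the database layer at all.
    return re.fullmatch(r"m-\d{1,10}", value) is not None


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # classic textbook input, used to show the difference
    print("concatenated :", len(lookup_vulnerable(db, crafted)), "rows returned")
    print("parameterized:", len(lookup_parameterized(db, crafted)), "rows returned")
    print("passes allowlist:", is_valid_merchant_id(crafted))
```

The concatenated version returns every row in the table for the crafted input, while the parameterized version returns none because no merchant has that literal ID.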
3) eBay
Fraud analysts who were monitoring site activity on eBay in May 2014 would have seen what appeared to be three corporate employees logging on and off the site. But this activity wasn’t as innocent as it seemed. Unbeknownst to anyone, hackers had stolen these employees’ login credentials. For 229 days, the fraudsters had complete insider access to eBay.
By the time eBay officials realized what happened, the hackers had stolen data from 145 million users: nearly everyone who used the site. This data included names, addresses, dates of birth, and encrypted passwords. eBay later reported that the data breach did little to impact their bottom line, though the site did suffer a decline in user activity.
2) Adult Friend Finder
The FriendFinder Network, which is exactly what it sounds like, had a delicate responsibility. Those who used websites affiliated with the network – including Adult Friend Finder, Penthouse.com, and iCams.com – trusted these sites to keep their information secure from fraudsters and friends alike. But in October 2016, disaster struck. Hackers exploited a Local File Inclusion vulnerability to steal 20 years of data.
As the hackers discovered, sites on the FriendFinder network were severely misconfigured. A loophole allowed users to upload files to the server, regardless of the user’s admin privileges. By uploading malicious files, the hackers stole data from 412.2 million accounts. Though users’ passwords were encrypted, the algorithm was so weak that hackers cracked 99% of them in under a month.
1) Yahoo
We’ve only recently begun to understand the magnitude of the Yahoo breach. In September 2016, Yahoo announced that it had suffered a data breach at the hands of a “state-sponsored actor” two years prior. The company revealed that hackers had stolen names, email addresses, dates of birth, and phone numbers of 500 million users, but that their passwords were strongly encrypted.
In December, a more shocking story emerged. Yahoo disclosed that in 2013, yet another breach occurred – a more damaging breach that compromised a billion accounts. Unlike the other breach, this data breach had resulted in the theft of passwords and security questions.
But just this month, we experienced a third plot twist. Yahoo revised its estimate for the 2013 data breach, revealing that 3 billion accounts had been compromised: every user who’d ever had a Yahoo account. Researchers, fraud analysts, and ordinary users are still scrambling to make sense of the hack. Despite regulatory and legal liabilities from this unparalleled data breach, Yahoo was able to sell itself to Verizon. Shortly after the sale, part of the company changed its name – and who can blame them?
The bottom line: data breaches happen. Want to learn how you can protect your users from the downstream effect of breaches – ATO? Download our free ebook!