Top 5 Biggest Data Breaches and Data Leaks
March 10th, 2021 | By Jscrambler | 9 min read
Explore the biggest data breaches and leaks in the 21st century, from CAM4 to Yahoo issues.
Every company is at risk of a data breach or leak. Stealing personal data or sensitive information can be a highly profitable business for cybercriminals and a costly problem for the companies that lose it.
Over the years, data breaches and leaks have grown sharply. The number of records exposed in Q1 2020 was 273% higher than in the same period of 2019.
People seem to have become desensitized when faced with the news of millions or billions of pieces of stolen data. There is a general data breach fatigue for cybersecurity failures.
Why have we become so unbothered by it?
How do data breaches and leaks happen, and how extensive can their impact be?
Let’s find that out by exploring our list of the top 5 data breaches and leaks over the last few years.
How do data breaches and leaks happen?
You may be used to seeing news about data breaches and leaks, but it is worth understanding how they actually happen. The starting point is that data is one of the most valuable assets a company holds.
Data is often called the new oil: it is equivalent to knowledge, and knowledge is crucial to informed decision-making, which is exactly what makes it worth stealing.
Sometimes the terms data breach and data leak are used interchangeably, but they refer to different things.
Data Breach
A data breach occurs when an unauthorized actor gains access to restricted information, for example through social engineering or by exploiting a vulnerability. It is a deliberate attack whose goal is to steal data.
Data Leak
Data leakage occurs when a company or organization fails to implement adequate security practices and leaves data exposed, for instance in a database or storage bucket reachable without authentication. The exposure can be accidental or intentional.
Example: the Facebook and Cambridge Analytica scandal, in which Facebook's platform let a third-party app harvest the profile data of tens of millions of users, and of their friends, who had never consented to it. The affair came to public attention through a former Cambridge Analytica employee who acted as a whistleblower.
What are the consequences of data breaches and leaks?
The outcomes of a data breach or leak can include:
Leaking of confidential information
Destruction of databases
Intellectual property theft
Breach of compliance with regulations
Heavy legal requirements, depending on the jurisdiction and type of data involved.
The consequences for businesses that suffer a data breach are becoming more severe as regulation develops.
Companies are no longer merely required to announce that their systems have been breached.
Under the General Data Protection Regulation (GDPR), Art. 83(2), the supervisory authority deciding whether to impose an administrative fine, and how large it should be, must take into account, among other things:
“The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them.”
“The intentional or negligent character of the infringement.”
“Any action taken by the controller or processor to mitigate the damage suffered by data subjects.”
According to GDPR Art. 83(5), for the more serious categories of violation:
“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher”.
Penalties of this size underline that companies must prevent these incidents from happening and, when they do happen, must take adequate measures to limit further losses.
One of the most common burdens for companies, especially those operating internationally, is working out where their affected customers reside in order to determine which regulatory authorities have jurisdiction, and then notifying those customers in line with each jurisdiction's requirements.
The regulations define the type of data for which notification is required after a breach, who must be notified, how it is carried out, and whether specific authorities are notified.
The cost of the notification process, together with legal penalties, possible compensation for damages and any resulting lawsuits, can be enough to push a company into bankruptcy, if the attack itself hasn't already done so, as happened with Code Spaces, whose infrastructure and backups were deleted by an attacker in 2014.
A data breach or leak can expose your business model and strategies to competitors who might be able to steal any unique advantage you have. Also, consider the impact of data scandals on the company’s reputation, which can affect deals like the purchase of Yahoo by Verizon.
Even though end users aren't usually the direct target of cybercriminals looking for sensitive information (ransomware being an obvious exception), they are affected whenever their records are caught up in a breach or leak.
There isn't much end users can do to avoid being caught in someone else's data incident, but they can still take some precautions once one is announced:
With financial data involved, notify their bank, verify account details, and change any PIN codes or passwords.
Be extra careful with incoming emails since cybercriminals can pose as real entities. Plus, they should not click on anything coming from unknown sources.
Check if the company has assistance programs for fraud or identity theft victims.
Be attentive to any class-action lawsuits against the breached company and check whether they are qualified for compensation.
Now that we have gone over the key concepts regarding a data breach, it’s time to look at our list of the top 5 data breaches and data leaks over the years.
Top 5 data breaches and leaks
1. CAM4: Data leak
In March 2020, the adult video streaming website CAM4 was found to be exposing 10.88 billion records through a misconfigured Elasticsearch server that was reachable without authentication. The exposed records contained sensitive information: full names, email addresses, sexual orientation, chat transcripts, email correspondence transcripts, IP addresses, password hashes and payment logs.
Plus, since many of the exposed email addresses were linked to cloud storage services, if attackers were able to access the exposed data and successfully execute phishing attacks on those users, they could gain further access to personal photos and business information.
Overall, due to its nature, this data leak could cause compromised users to be caught up in blackmail attempts in the future.
2. Aadhaar: Data breach and leak
According to the World Economic Forum's (WEF's) Global Risks Report 2019, Aadhaar suffered multiple breaches that potentially compromised the data of 1.1 billion people.
The personal information of the affected citizens stored on the world’s largest biometric database was even up for sale online.
Cybercriminals were selling 10 minutes of access to the database for 500 rupees. Then, in March 2018, the website of a state-owned utility company was found to be exposing Aadhaar data belonging to its customers.
The incidents exposed information such as the unique 12-digit identity numbers, bank details, photographs, fingerprints, iris scans and other identifying details.
Aadhaar was developed with the goal of reducing bureaucracy and fraud, but due to its security faults, it ended up threatening the individual privacy of its users. It is the perfect example to show that you don’t just need a new solution for a problem; you also need to adequately develop a threat model for that solution and adopt the required security controls to prevent data breaches and keep users’ data secure.
3. Yahoo: Data breach
This incident is still one of the biggest we have seen. The intrusions happened in 2013 and 2014, but Yahoo only announced them in 2016.
At first, the attackers were believed to have taken data on 500 million users; the estimate then grew to 1 billion, and in 2017 Yahoo revised it again to 3 billion accounts, essentially every account it had. The stolen data included names, email addresses, dates of birth, telephone numbers, hashed passwords and, in some cases, security questions and answers.
Although no plaintext passwords or financial information were taken, this remains one of the most significant breaches to date.
The breach was announced while Yahoo was in the process of being acquired by Verizon, and Verizon ended up cutting the purchase price by $350 million.
4. First American Financial Corporation: Data leak
In May 2019, it was reported that First American Financial Corporation had been exposing roughly 885 million records.
The exposed files included bank account records, social security numbers, transaction details, mortgage paperwork and more, with documents dating back to 2003. No authentication was required to read them: anyone who had, or could guess, a document's link could open it. This shows that old records are just as much at risk as new ones if a company does not take preventive measures to secure its data.
The company stated that the exposure originated from a "design defect" on its website, which is a textbook access-control failure. The problem with situations like this is that their exact impact is hard to establish: there was no evidence of an external attacker actually retrieving the files, but the absence of evidence doesn't mean it didn't happen, especially when access was never logged against an authenticated user.
Due to the nature of the exposed data, since the disclosure of the incident, the company has found itself drawn into a variety of lawsuits including a class action lawsuit.
5. Marriott International: Data breach
The incident was reported in 2018. The company stated that hackers had stolen the data of around 500 million Starwood hotel customers. Marriott International acquired Starwood in 2016, but the attackers had gained access to Starwood’s system back in 2014.
The compromised data included names, contact information, passport numbers, travel information, and other personal data.
Marriott also believes that payment card numbers and expiration dates were stolen for some of these customers. The card numbers were encrypted with AES-128, but the company could not rule out that the two components needed to decrypt them had been taken as well.
The breach was eventually attributed to a Chinese intelligence group looking to gather information on US citizens. Because the breach occurred before the UK left the EU, the ICO investigated as lead supervisory authority on behalf of all EU data protection authorities under the GDPR.
The ICO ended up fining Marriott £18.4 million for failing to keep its customers' data safe.
Honorable mention: British Airways (Data Breach)
We couldn’t finish this list without making an honorable mention of the British Airways Magecart data breach.
The attack took place in 2018 and went undetected for more than two months, giving the attacker potential access to the personal data of around 429,612 customers and staff.
The data included names, addresses, payment card numbers and CVV numbers, harvested from the payment form as customers typed them.
The attack was attributed to the web-skimming criminal ecosystem known as Magecart. Magecart groups typically get their skimmer onto the target site covertly through a third-party script the site already loads, such as a chatbot or analytics widget, a strategy known as a web supply chain attack. In British Airways' case, the skimmer was instead added to a JavaScript library served from the airline's own site, which is why pinning and monitoring every script on a payment page matters, not just the third-party ones.
In October 2020, the ICO fined British Airways £20 million for the breach, down from the £183 million it had originally proposed, and litigation by affected customers was still ongoing as of early 2021.
Magecart-style web skimming is still largely unaddressed: browsers execute whatever JavaScript a page loads, so companies are only now working out how to inventory, pin and monitor the scripts running on their payment pages.
Conclusion
There were many other data breaches that could have made our list, but nonetheless, we hope this provided a useful overview of what is a growing global problem.
The rapid digital transformation in business will only continue to magnify these incidents, and without a robust approach to cybersecurity, businesses will continue to fall victim to cyberattacks.
With regulations advancing and becoming stricter when it comes to user protection, companies need to act now.
Gaining visibility and control is crucial when it comes to being compliant and keeping their users safe.
One key step to consider if your company develops or distributes web and mobile applications is protecting the source code of these apps. Start protecting your code with a Jscrambler free trial.
Jscrambler
The leader in client-side Web security. With Jscrambler, JavaScript applications become self-defensive and capable of detecting and blocking client-side attacks like Magecart.