Top 5 Biggest Data Breaches and Data Leaks

Over the years, we have seen more and more data breaches and leaks. In fact, the number of exposed records in Q1 2020 was 273% higher than the same period in 2019. What used to be something unusual is now becoming far too common.

Nowadays, people seem to have become desensitized when faced with the news of millions or even billions of stolen personal data. There seems to be a general “data breach fatigue”. Why have we become so unbothered by it? How do data breaches and leaks happen, and how extensive can their impact be? Let’s find that out and explore our list of the top 5 biggest data breaches and data leaks over the years.

Maybe you are used to seeing the news about data breaches and data leaks but are still not sure about how they happen in the first place. So, first, it’s important to understand that data is one of the most valuable assets companies can have, experts even say that “data is the new oil”. This is because data is equivalent to knowledge, and knowledge is crucial to informed decision-making.

Another important thing to note is that although sometimes the terms data breach and data leak are used interchangeably, they refer to different things. So, a data breach happens when an external actor becomes successful in gaining access to restricted information, for example through social engineering attempts. Simply put, it is considered a deliberate attack to steal data.

However, when there is no actual attack from an external actor, such an incident is called a data leak. A data leak happens when the company or organization fails to implement adequate security practices and leaves data exposed. This exposure can be either accidental or intentional. Here we have the example of Facebook and Cambridge Analytica’s data scandal, where the company’s employees intentionally leaked the information because they wanted to bring outside attention to the subject in question.

The outcomes of a data breach or data leak can include leaking of confidential information, destruction of databases, intellectual property theft, breach of compliance with regulations, and heavy legal requirements depending on the jurisdiction and type of data involved.

The consequences for businesses that go through a data breach are increasing and becoming more severe as regulations are developed. Companies are no longer just required to announce that their systems have been breached. In order to decide if there will be an administrative fine imposed and the amount of said fine according to the General Data Protection Regulation (GDPR) art.83 (2) the following aspects must be considered: “the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them”; “the intentional or negligent character of the infringement”; “any action taken by the controller or processor to mitigate the damage suffered by data subjects”.

According to the GDPR art. 83 (5), for more severe violations, “Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”. Such heavy penalties only exacerbate the fact that companies must prevent these incidents from happening—and when they do happen, they have to take swift adequate measures to stop further losses.

One of the most common burdens for companies, specifically for those that operate internationally, is having to determine where their customers reside to determine which regulatory authority has jurisdiction. Then, they are required to notify their customers, likely having to comply with a variety of requirements according to the specific jurisdictions. It is also important to note that the regulations define the type of data for which notification is required after a breach, as well as who must be notified, how the notification must be carried out, and whether specific authorities must be notified as well.

The resulting costs of the notification process along with legal penalties, possible compensation for damages, and even any resulting lawsuits can be enough to lead companies to bankruptcy if it hadn’t already happened due to the nature of the attack, as was the case with Code Spaces. Another fact to consider is that a data breach or leak can expose your business model and strategies to competitors who might be able to steal any unique advantage you have. Not to mention the impact any data scandal can have on the company’s reputation, which can in turn also affect deals—like in the case of Verizon purchasing Yahoo (which we’ll explore on our list).

Even though individual end-users aren’t typically the direct target of cybercriminals who want to steal sensitive information (given some exceptions like ransomware), they can be severely affected when their data records are caught in a breach/leak.

So, even though there isn’t much that end-users can do to avoid getting caught in a data incident, they can still take some cautionary steps:

• In case financial data is involved: notify their bank, verify account details, and change any PIN codes or passwords.

• Be extra careful with any incoming emails, since cybercriminals can pose as real entities. Plus, they should not click anything coming from unknown sources.

• Check if the company has any assistance program for fraud or identity theft victims.

• Be attentive to any class-action lawsuits against the breached company and check whether they are qualified for compensation.
  
  

Now that we have gone over the key concepts regarding a data breach, it’s time to take a look at our list of the top 5 biggest data breaches and data leaks over the years.

1. CAM4 — Data leak

In March 2020, the adult video streaming website CAM4 leaked 10.88 billion records. Yes, you read that right—billions of records were exposed. Amongst the leaked records, there was sensitive information containing full names, email addresses, sexual orientation, chat transcripts, email correspondence transcripts, IP addresses, password hashes, and payment logs.

Plus, since many of the exposed email addresses were linked to cloud storage services, if attackers were able to access the exposed data and successfully execute phishing attacks on those users, they could gain further access to personal photos and business information. Overall, due to its nature, this data leak could cause compromised users to be caught up in blackmailing attempts in the future.

2. Aadhaar — Data Breach and Data leak

According to World Economic Forum's (WEF's) Global Risks Report 2019, Aadhaar suffered multiple breaches that potentially compromised the data of 1.1 billion people—more specifically, of 1.1 billion Indian citizens. The personal information of the affected citizens stored on the world’s largest biometric database was even up for sale online. Cybercriminals were selling access to the database for 10 minutes at a price of 500 rupees. Furthermore, in March of 2018 there was a leak on a system run by a state-owned utility company involving more data. Overall, the incidents exposed information such as Aadhaar holders’ names, unique 12-digit identity numbers, bank details, photographs, thumbprints, retina scans, and other identifying details.

Aadhaar was developed with the goal of reducing bureaucracy and fraud—but due to its security faults, it ended up threatening the individual privacy of its users. It is the perfect example to show that you don’t just need a new solution for a problem, you need to adequately develop a threat model for that solution and adopt the required security controls to prevent data breaches and keep users’ data secure.

3. Yahoo — Data Breach

This incident is still one of the biggest ones we have seen. It happened between 2013 and 2014, although it was only in 2016 that Yahoo made the announcement. First, it was believed that the attackers had gotten data from 500 million users; then, that number grew to 1 billion users, and eventually, in 2017, Yahoo revised the estimate and changed it to 3 billion users. Amongst the stolen data there were real names, email addresses, dates of birth, and telephone numbers.

Although no plain text passwords or financial information were stolen, this is still one of the most significant breaches to date. The announcement of the breach also happened during a time that Yahoo was in the process of being acquired by Verizon, which ended up benefiting from the $350 million drop in the value of the company.

4. First American Financial Corporation — Data leak

In May 2019, First American Financial Corporation reported that there was a leak compromising 885 million users. This leak included user’s sensitive data like banking account records, social security numbers, transactions, mortgage paperwork, and others. Plus, all the information dated back to over 16 years and there was no authentication required to read the documents. This goes to show that even old records can be compromised if companies do not take preventative measures to secure data.

The company has stated that the data leak originated from a "design defect" on its website. However, the problem with these types of situations is that it’s hard to pinpoint their exact effects because there is no evidence of an actual external attacker accessing the files, which doesn’t mean it did not happen. Due to the nature of exposed data, since the disclosure of the incident, the company has found itself drawn into a variety of lawsuits including a class action lawsuit.

5. Marriott International — Data Breach

The incident was reported by Marriott International in 2018 and it was stated that hackers had stolen data of around 500 million Starwood hotel customers. Marriott International acquired Starwood in 2016 but apparently the attackers had gained access to the then Starwood’s system back in 2014.

The compromised data included names, contact information, passport numbers, travel information, and other personal data. Marriott also believes that the credit card numbers and expiration dates of more than 1000 million customers were stolen. However, they are uncertain as to whether the attackers were able to decrypt the information or not. Eventually, this breach was attributed to a Chinese intelligence group looking to gather information on US citizens. Since the breach happened before the UK left the EU, the ICO investigated on behalf of all EU authorities as the lead supervisory authority under the GDPR requirements. The ICO ended up fining Marriot £18.4 million for failing to keep their customers’ data safe.

Honorable mention — British Airways (Data Breach)

Lastly, we couldn’t finish this list without having an honorable mention of the British Airways Magecart data breach. This attack happened in 2018 and was undetected for more than two months allowing the attacker to have potentially accessed the personal data of around 429,612 customers and staff. Amongst this data, there were names, addresses, payment card numbers, and CVV numbers.

The execution of this attack was led by the web skimming cybercriminal collective known as Magecart. Their activities typically involve covertly injecting the web skimmer into the target website through a third-party service such as a chatbot—a strategy known as a web supply chain attack. ICO ended up fining British Airways £20m in October 2020 for this event and the process is still ongoing as of 2021.

Magecart web skimming attacks are still mostly unaddressed, as companies are still only now beginning to understand how to address them. To make this process a lot simpler, and because timing is key when it comes to stopping web skimming, Jscrambler is offering 3 months of free Magecart Detection.

There were many other data breaches that could have made our list but nonetheless, we hope this provided a useful overview of what is a growing global problem. The rapid digital transformation in business will only continue to magnify these incidents, and without a robust approach to cybersecurity, businesses will continue to fall victim to cyber-attacks.

With regulations advancing and becoming stricter when it comes to user protection, companies need to act now. Gaining visibility and control is crucial when it comes to being compliant and keeping their users safe. One key step to consider if your company develops or distributes web and mobile applications is protecting the source code of these apps. Start protecting your code with a Jscrambler free trial.