Major website security breaches are, sadly, more common than most users might imagine. Here are a few of them that you might not have heard about!
Data breaches are a common concern in this day and age. Depending on how prominent your business is on the Internet, odds are good that some malicious elements would love to breach your security and extract as much sensitive data as possible! Particularly so if you host customer data for millions of users - which isn't nearly as uncommon as it used to be.
Some of the largest data breaches in history have become massively publicized, too. The ones that manage to enter the general zeitgeist, however, aren't always also the worst. Indeed, there's a whole slew of major data breaches that the average layperson would never have heard about. That, in fact, is precisely what we'll be discussing in this here article.
If you, too, are concerned about sensitive data breach instances, and if you'd like to learn about some of the biggest data breaches that weren't publicized by the wider Internet community, this is the article to read.
The Basics: What Constitutes a Data Breach?
The notion of a "data breach" is rather self-explanatory. Consider it a security violation of some sort wherein sensitive data (e.g. user passwords, batches of email addresses, credit card information...) is viewed, extracted, and/or outright used by a malicious third party. The world's biggest data breaches oftentimes include over a million user accounts affected, making them incredibly dangerous for a huge number of people all at once.
Depending on the target of a given data breach, the malicious element may be seeking out encrypted passwords to access other personal data on entirely different platforms. Login data alone is a ridiculously important quantity, as an average data breach will typically go after this type of personal data, in particular.
Having gained unauthorized access to the affected customers' login credentials, the cyber attack perpetrators can then proceed to compromise a huge variety of other security systems the users may have signed up for. After all - most Internet denizens use the same password across the board. This makes each and every data breach a potentially catastrophic occurrence: doubly so if it leads to leaking bank account numbers and other related information.
Aren't most data breaches well-covered by now, then?
Indeed, almost every relevant data breach will, inevitably, be covered by the industry media, which may lead to said data breach getting featured in the mainstream media in due time, too. This, however, only really happens with the biggest data breaches, such as the legendarily problematic Yahoo data breach of 2016.
It goes without saying, however, that it doesn't take an unprecedentedly big data breach for affected and/or stolen data to be problematic. The contemporary Internet has grown massively over the past decade, and many, many services number over a million users at this point. From email addresses to encrypted passwords, these users' key information could very well end up being affected by a future data breach, if it hasn't already been caught up in one of the previous famous data breaches.
Could the biggest data breaches have been prevented?
Virtually any contemporary data breach could technically have been prevented. The issue, however, lies in hindsight: knowing how to prevent a data breach is easy after said data breach has already taken place.
It's important to understand that data security is an incredibly complex and layered issue. Almost every massive data breach has had a different avenue of attack. In some cases, it might be an actual feature implementation problem, where a company's IT team couldn't prevent the malicious elements from accessing user accounts. Sometimes, it might be that exposed data allows a data breach to take place. Further still, a data breach can also take place on the basis of social engineering alone.
Covering all of the security bases on a given domain is no small feat, yet, keeping a million users safe from a security breach is a given: something that's commonplace and normal. Down below, we've singled out some of the biggest data breaches that you may not have heard about up until now, and it's worth keeping an eye out for just how varied and flexible the malicious third parties can get.
The Largest Data Breaches The Average Person Needs to Know About
The three biggest data breaches in history are common knowledge by now, so we'll go over these in short order to set the stage.
By far the largest of all data breaches is, without competition, the 2013 Yahoo data breach. With roughly 3 billion affected users, the malicious elements engaging in this particular data breach got the data from just under half of the world's entire population, which is downright comical. It included user names, email addresses, phone numbers, hashed passwords, and security questions, though thankfully no banking data got compromised.
The second most substantial data breach was 2017's Equifax data breach, affecting just over 146 million users in total. The vast majority of affected users were situated in the US, and the malicious elements got away with social security numbers, phone numbers, email addresses, tax IDs, and other assorted data. The Equifax data breach was, it's worth pointing out, nowhere near as substantial as that of the earlier Yahoo breach.
The third largest data breach was the 2014 eBay hack, wherein roughly the same number of users got affected as would end up being the case with Equifax, just a few years down the line. eBay recommended that all customers change their passwords immediately, though it doesn't seem that the malicious third party got away with any unencrypted data in the end.
10 Major Data Breaches You May Have Missed Hearing About
To illustrate our point, we've singled out 10 massively substantial data breaches from recent history. Most of them took place in the 2010s, in fact, and included tens, if not hundreds of millions of user accounts and data instances. None of them can match the mind-bogglingly massive Yahoo data breach, to be sure, but one can only hope that the Yahoo data breach can never be matched in the first place.
Keeping that in mind, these cyber security breaches are just some examples of how easily exposed data can be reached in some cases. They also illustrate the need for webmasters to protect their user accounts in any way they can, though it's worth pointing out that sensitive information can get leaked out via social engineering and the like, which obviously cannot be properly accounted for.
Heartland Payment Systems Data Breach
Date of occurrence: March 2008
Affected users: 134 million
While the Heartland Payment Systems data breach may have only gone public in early 2009, it had actually taken place over the course of several months in Q1 - Q2 2008. Aside from the big three, it's likely the biggest data breach that's happened yet, with many a million user accounts affected in the end.
The attackers succeeded in breaching HPS' firewall using an SQL injection attack, which modified the code of a specific web script. This, in turn, provided the malicious elements with access to a web login page, which side-stepped the company's web protections.
What's particularly noteworthy here is that HPS is a company specializing in payment systems and features, payroll options, and point-of-sale instances. This means that the leaked data was all but completely critical, to the point where the attackers could create entirely new credit cards with a working mag-stripe.
The persons responsible were Albert Gonzalez and two partners of his, with Gonzalez eventually being sentenced to 20 years in prison. Still, Heartland Payment Systems ended up losing its PCI DSS compliance for a little while, and the incident led to the company losing hundreds, if not thousands of customers at a time.
Target Data Breach
Date of occurrence: December 2013
Affected users: 110 million
For Target, this data breach was a particularly noteworthy problem. By 2017, not only had hackers made away with 40 million debit and credit records and about 70 million additional customer records from well over a million users, but the company was also required to pay an additional $18.5 million settlement to the affected customers.
The stolen data was, therefore, immensely valuable across the board, and lost the company more than $200 million, when all was said and done. Target's earnings fell an estimated 46%, too, underlining just how costly such a huge and widespread data breach can truly get. To say nothing of the trustworthiness that was lost.
Curiously, this particular data breach wasn't necessarily Target's fault. Or, not purely Target's fault. The company had a dedicated domain for third-party vendors to log into and do business with. One of these third parties got compromised, and the weakest link principle led to Target taking the brunt of the attack.
Subsequently, Target re-established its security baseline, bolstered its login credentials, and began issuing special chip-and-pin cards that reduced the possibility of future attacks. Still, malicious elements had already made away with the information, and customer data was permanently affected.
TJX Companies Data Breach
Date of occurrence: December 2006
Affected users: 94 million
Touted as one of the examples of how not to handle a data breach and a huge problem with data security, the case of TJX Companies' failure to protect its users' personal details and other assorted information is a curious one. Not the largest data breach by any measure, it is an exceedingly problematic one, as TJX consistently underestimated just how huge a problem it had on its hands.
Namely, the company first reported that "only" 46 million users had been affected by the hack. In truth, more than twice the number ended up with leaked data. TJX, however, kept its customers and the authorities in the dark for as long as it could under the guise of it being in the best interest of everyone to do so.
Furthermore, TJX also seems not to have been PCI-compliant, and it has been suggested that the company was in no real rush to comply.
What's particularly noteworthy here, though, is that the same person was responsible for the TJX data breach as was the case with the HPS data breach: Albert Gonzalez. The hacker made good use of TJX's apparent lack of serious data security measures and had the opportunity to gather data for months at a time.
Reference: Edwin Covert (via Medium)
JP Morgan & Chase Data Breach
Date of occurrence: July 2014
Affected users: 83 million (households and businesses)
One of the more recent data breaches on this list, the hacking of the investment banking enterprise JP Morgan & Chase made waves due to its exceedingly widespread effect on individuals and households across the USA. Estimations claim that sensitive information was leaked for roughly 76 million households and an additional 7 million small businesses, which is a staggering number.
This is one of the biggest data breaches of all time, and the leaked data included email addresses, user names and real-world names, residential addresses, phone numbers, and more. Thankfully, hashed passwords and financial information seem to have been kept safe through the ordeal, which is quite the silver lining for JPM&C.
Over 90 domain instances and servers got infiltrated by unknown malicious actors as part of this breach. While it is still unclear what, exactly, led to the breach, JP Morgan & Chase has massively increased its security spending as a result, and the working theory is that hackers used some of the more commonly available web apps to breach the firewall.
Specifically, it would seem that there had been a zero-day vulnerability present in one of these web apps, which in turn allowed hackers to run rampant for a non-insignificant amount of time. A data breach of this kind, therefore, cannot reliably be predicted.
Uber Data Breach
Date of occurrence: November 2017
Affected users: 57 million
One of the more publicized data breaches on this list is certainly that of Uber. This mishap seems to have been architected by two hackers who gained access to both driver and customer data. A huge issue all on its own, it was exacerbated further when Uber failed to notify the legal authorities in due time.
According to what is known about this case, Uber seems to have uploaded code to GitHub which, as it turned out, included login credentials and other sensitive information that should've been purged beforehand. This compromised data allowed the hackers to get Uber records exposed in short order, which then allowed them to gain access to the site's AWS servers.
The curious part is that Uber subsequently paid $100,000 for hackers to delete the data and keep the breach on the down low. NDAs may have been signed, according to sources, which prevented the hackers from getting Uber's records exposed as happened with most other data breaches on this list.
This wasn't necessarily a case of a proper security breach, then. Instead, it seems to have been Uber's own fault that the data breach happened in the first place, as the company failed to properly vet the code it uploaded and remove login credentials from it.
Reference: Corporate Compliance Insights
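The failure described for Uber above, credentials left in code that was pushed to GitHub, is what a secret scan run before every commit or push is meant to catch. The following Python scanner is an added example, not code from Uber or from this article; the rule set, the `scan_text` and `redact` helpers, and the sample file contents are assumptions constructed for illustration.

```python
import re
import sys

# Assumed rule set (not from the article): credential shapes that should
# never appear in code headed for a public repository.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    # <name containing password/secret/token/api_key> = "literal"; group 1 = literal
    ("hardcoded-secret", re.compile(
        r"\b[\w.-]*(?:password|passwd|secret|token|api_?key)[\w.-]*\s*[:=]\s*"
        r"[\"']([^\"'\s]{8,})[\"']", re.IGNORECASE)),
]

# Template values that mark a placeholder rather than a live credential.
PLACEHOLDERS = ("changeme", "example", "placeholder", "xxxx", "${", "<")

# Constructed sample file contents; every value here is fake.
SAMPLE = '''\
# config/settings.py
AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
aws_secret_access_key = "q9Zx2LmP0sT7vB4nK8dR1fG6hJ3wY5cUeAiOoXyZ"
db_password = "changeme"
api_token = os.environ["API_TOKEN"]
'''


def redact(value):
    """Keep four characters so the finding can be located without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text, path="<stdin>"):
    """Return (path, line_no, rule, redacted_match) for each suspected credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                value = m.group(1) if pattern.groups else m.group(0)
                if rule == "hardcoded-secret" and any(
                        p in value.lower() for p in PLACEHOLDERS):
                    continue  # template value, not a real secret
                findings.append((path, line_no, rule, redact(value)))
    return findings


if __name__ == "__main__":
    # Scan the files named on the command line, or the sample if none are given.
    hits = []
    for name in sys.argv[1:]:
        with open(name, encoding="utf-8", errors="replace") as fh:
            hits += scan_text(fh.read(), name)
    if len(sys.argv) == 1:
        hits = scan_text(SAMPLE, "config/settings.py")
    for path, line_no, rule, shown in hits:
        print(f"{path}:{line_no}: {rule}: {shown}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit or CI job
```

A pattern scan like this only catches known credential shapes, so any credential that has ever been committed still needs to be rotated rather than merely deleted from the file.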
Ashley Madison Data Breach
Date of occurrence: July 2015
Affected users: 32 million
This one would've been hard to miss, even from a layperson's perspective. Of course, the thing that put the Ashley Madison data breach into the limelight was the topical nature of the service it offers. Since the owner of Ashley Madison, Avid Life Media, specializes in adult hookup services, it has an overabundance of personal details on each and every one of its users, and it's plainly obvious why this is a bad time for everyone involved.
When hackers - the so-called Impact Team - got into Ashley Madison, specifically, they seemingly weren't all too interested in monetary gain, espionage, or anything of the sort. Instead, they stole and dumped about 10 GB worth of personally identifiable information of 32 million users in total.
What's more, Avid Life Media's own "full delete" account feature doesn't seem to have actually deleted all the information in every case. Instead, this data breach gained access to some of that information, too, with information such as credit card transactions still retained.
The discussions surrounding the Ashley Madison data breach kickstarted a wealth of theorycrafting on the nature of modern data breaches. After all, what are the odds that Avid Life Media is the only company that retains user information even after it's been instructed to delete it?
Reference: Mathew Ingram (via Fortune)
US Office of Personnel Management Data Breach
Date of occurrence: 2012 - 2014
Affected users: 22 million
This is, without a doubt, one of the most dangerous and biggest data breaches ever to take place in the US. The gravity of this particular instance compared to other data breaches lies in the nature of stolen data: it included a plethora of personally identifiable information as well as a huge array of data about government employees, and it's been suggested that it was carried out by the Chinese government.
Curiously, the US OPM data breach consisted of two disparate, yet related attacks executed over the course of several weeks. X1 is the official name of the initial data exfiltration from OPM's networking setup, while X2 is the second and bigger of the two data breaches. Here, the hackers targeted the government's Central Personnel Data File, likely knowing precisely what they were looking for.
The extent of these two data breaches is not fully known, granted, but it is all but certain that the hackers got away with military records, combat veteran data, dates of birth and addresses, job and payment history, health and life insurance, pension data, and more.
Of all the recent data breaches, this one may have been one of the most serious, and it led to the resignation of several higher-ups in charge of the OPM.
Timehop Data Breach
Date of occurrence: April - June 2018
Affected users: 21 million
The Timehop data breaches were carried out over the course of several months in 2018, where Macy's, Bloomingdale's, and Domain Factory's web servers stealthily got breached, giving hackers ready access to all manner of personally identifiable information.
What makes this more interesting than many other comparable data breaches is that malicious elements initially gained access to the service backend by using a valid, baseline user account. This allowed them to eventually gain access to users' real-world names, home addresses, phone numbers, email addresses, dates of birth, and - most problematically - some credit card info.
The silver lining, however, was in the fact that credit card CVVs remained inaccessible. This proves that, even if a data breach occurs, it pays off immensely to have multiple layers of additional security in place. That way, even if non-critical data is accessed, the more important information is still safe.
Granted, the reason why more data breaches aren't far more disruptive and damaging is that information is often sequestered with double or triple-layer protection. The more compartmentalization and layering there is in a security firewall, the lesser the odds of future data breaches permanently damaging a brand or a service.
Reference: MIT Sloan
Hong Kong Department of Health Data Breach
Date of occurrence: July 2018
Affected users: 1.5 million (est.)
According to official sources, one of China's biggest data breaches of the medical system took place over the course of two weeks in July of 2018, and it consisted of a ransomware attack. Such data breaches are particularly problematic because their primary goal isn't necessarily to stealthily extract information and be done with it, but to extort financial gain, instead.
To that end, the Hong Kong Department of Health had some of its key files encrypted and held for ransom. Strangely, whereas the hackers did leave behind an email address for the DOH officials to contact, no ransom was actually requested, suggesting that the hackers' plans may have fallen through at some point.
Ransomware attacks are one of the more popular choices for healthcare system data breaches, as these are often positively crucial files that the service cannot do without. Hackers are, therefore, emboldened in requesting ransom from hospitals and the like, making them a particularly enticing target for those who are only interested in financial gain - morality be damned.
Reference: Straits Times
Reddit Data Breach
Date of occurrence: June 2018
Affected users: undisclosed
It shouldn't be awfully surprising to hear that Reddit, too, has made its way onto this list of some of the most recent data breaches. A website that hosts millions upon millions of users on a daily basis, Reddit is the go-to choice for web denizens from all walks of life, and its data harvesting capabilities are incredibly powerful, though not on the same level as, say, Facebook, Twitter, and the like.
Malicious elements have long since recognized this fact, and a particularly noteworthy security breach took place over the course of several days in June of 2018. At that time, Reddit was attacked by an unknown entity that compromised several employee accounts and managed to get through SMS-based two-factor authentication, to boot.
According to the official announcement, the attacker was purged before getting to the point of doing serious, permanent damage. However, all Reddit data from 2007 and beforehand had been accessed and potentially backed up elsewhere. The attacker gained access to Reddit's storage systems and had the ability to view virtually all of Reddit's older internal data.
Following this breach of security, Reddit reported the issue to law enforcement and reached out to affected users with ways to secure their older user accounts. An improved 2FA system was implemented as well, effectively securing the site against future attacks of a similar sort.
What Can You Do To Stay Safe?
Having gone through all of the above, it may be all too easy to believe that data security is just a fool's errand. After all, when the biggest data breaches affect platforms with over a million users like it's no big deal, what could a smaller, more specialized and less prominent business hope to accomplish? The sheer statistics of how many data breaches take place may look damning at a glance.
The goal, however, isn't necessarily to make your website outright impregnable. Instead, it's to cover all of your bases and make your domain a target that's not worth the effort. The harder it is for malicious third parties to execute a major data breach on your domain, the lower the odds are that they're going to try accessing your sensitive information in the first place.
It is of utmost importance that any given domain establishes a baseline of security to reduce the odds of being susceptible to a potential data breach. SSL certificates are this baseline, and in many cases, they come packaged with stellar quality-of-life features that may make keeping up your proverbial firewall that much easier. On top of that, the examples featured above illustrate just how important transparency is, should push come to shove.
SSLTrust, specifically, has a substantial list of article-based resources you could peruse to greatly reduce the odds of a future security breach on your domain. You can also reach out to our support team if you're interested in investing in a fully fledged SSL/TLS solution right away. With these tools at your disposal combined with exposure to previous data breaches, you're already well on your way to preventing a security breach in the long run. So, why not take the plunge?