Biggest data breaches of all time

 

In recent years, data security breaches have become rampant. Not just the bigwigs, but small and medium-scale companies are also being exposed to cyber threats at an alarming rate. Hackers are targeting banks, business organizations, and financial institutions, stealing valuable information from millions of people around the globe. The following statistics speak for themselves.

  • According to the Breach Level Index, there have been 9 billion data breaches since 2013.
  • Every second, 59 data records are stolen or lost, amounting to 5,130,273 breaches per day.
  • Unfortunately, just 4% of the breaches were “secure breaches” in which encryption rendered the stolen data useless.

 

Data breach statistics

 

In 2017, 918 breach incidents occurred globally. However, the number of compromised records was unknown in almost 59.3% of the breaches.

Data breaches in 2017

 

In March 2017 alone, more than 1.4 billion data records were stolen or lost.

 

10 Biggest Personal Data Breaches of all Time

The increasing number of cyber attacks has also caused people to recognize this grave problem and take the necessary steps to avert it. However, before learning how to prevent this threat, let’s take a look at the following list of security breaches that shook the world.    

1. Pizza Hut

The Data Breach: Hackers may have accessed credit card details along with other personal information of consumers.

Date: October 2017

Number of People Affected: Approximately 60,000

Details

The early October data breach is said to have occurred over a 28-hour period. Pizza Hut informed selected customers of the incident two weeks later via email. However, this alert came too late for a few customers whose credit card information was already being misused by hackers.

Though Pizza Hut offered affected customers a free credit monitoring service for a year with Kroll Information Assurance LLC, it didn’t help mellow the situation, as angry customers took to social media.

Consumers who placed orders on the company’s mobile app or website from the morning of October 1 to midday of October 2 were affected by the breach. Hackers may have laid their hands on sensitive personal information including customer names, ZIP codes, delivery addresses, email addresses, and credit card information.

The official email stated, “The security intrusion at issue impacted a small percentage of our customers, and we estimate that less than one percent of the visits to our website over the course of the relevant week were affected.” Nearly 60,000 people from all over the U.S. are said to have been affected by the attack.

2. JP Morgan Chase  

The Data Breach: Hackers gained access to the names, addresses, phone numbers and emails of JPMorgan account holders.

Date: June 2014

Number of People Affected: 76 million households and 7 million small businesses in the US.

Details:

In 2014, the United States banking industry went into shock as the cyber attack on JPMorgan Chase compromised the accounts of 76 million households and 7 million small businesses. It became one of the largest thefts of customer data in the history of the U.S. banking industry.

Though the breach was discovered in late July 2014, the bank officials couldn’t stop it until the middle of August. It was declared that the hackers gained access to the names, addresses, phone numbers and emails of JPMorgan account holders. However, account-associated information such as social security numbers (SSN) or passwords wasn’t compromised.

During the initial investigation, it came to light that a neglected network server provided the entry path for the hackers. At first, hackers stole the login credentials of a JPMorgan employee and used those to access the sensitive data. Although the bank used two-factor authentication, hackers managed to steal the data because the bank officials had neglected to upgrade one of its network servers with the dual password scheme.

3. eBay

The Data Breach: It compromised encrypted log-in passwords and other personal information.

Date: February-March 2014

Number of People Affected: 145 million

Details:

In 2014, eBay also joined the list of high profile data breach victims when hackers managed to steal encrypted passwords and other personal information of its users. The cyber attack occurred between late February and early March. Hackers used a small number of compromised employee log-in credentials to gain unauthorized access to eBay’s corporate network.

They stole personal information such as names, e-mail addresses, physical addresses, phone numbers and dates of birth. Financial information such as PayPal account details and credit card information wasn’t compromised because it was stored separately in encrypted formats. However, eBay asked its 145 million active users at the time to change their passwords as a precaution.

4. Yahoo

The Data Breach: The hackers stole account names, email addresses, telephone numbers, dates of birth, and passwords from Yahoo users.

Date: August 2013

Number of People Affected: 1 billion later increased to 3 billion

Details:

Though this data security breach occurred in August 2014, Yahoo didn’t report the breach till December 2016. On December 14, 2016, when the cyber attack was reported for the first time, the company had declared that more than 1 billion accounts had been hit. However, further investigations led to the discovery that all Yahoo user accounts at the time (3 billion) were affected by the breach.

According to Yahoo, now a subsidiary of U.S. telecom giant Verizon, stolen user information did not include passwords in clear text, payment card data, or bank account information. However, personal information such as account names, email addresses, telephone numbers, security questions, backup email addresses, and dates of birth was stolen because of outdated encryption.

5. Equifax

The Data Breach: The attack compromised sensitive information such as names, social security numbers, birth dates, addresses, and a few drivers’ license details.

Date: May 2017

Number of People Affected: 143 million

Details:

Just like the JP Morgan Chase breach, this attack also paints a picture of negligence from one of the three largest credit reporting agencies in the U.S. The breach occurred from mid-May to July, but Equifax took almost six weeks to disclose it.

The data breach not only exposed personal information of 143 million Equifax users but also compromised credit card numbers of about 209,000 people and credit dispute documents with personal identification information of nearly 182,000 people. Hackers entered Equifax servers through a web-application vulnerability that had a patch (security update) available in March 2017, but wasn’t installed.

To compensate the victims, the company has offered its credit monitoring service free of cost for a year. However, is it wise to enroll in the services of a company that was just hacked? “The fact that the breached entity (Equifax) is offering to sign consumers up for its own identity protection services strikes me as pretty rich,” said security expert Brian Krebs in his article.

6. Zomato

The Data Breach: It compromised personal information including names, emails, numeric user IDs, usernames, and password hashes.

Date: May 2017

Number of People Affected: 17 million

Details:

Zomato, India’s popular food tech company, also joined the list of corporate security breach victims in May 2017. The cyber attack compromised 17 million user records including names, emails, numeric user IDs, usernames, and password hashes.

According to hackread.com, the hacker was willing to sell the stolen data on the dark web. As a precautionary measure, Zomato reset the passwords for all affected users and logged them out of the app and website. The breach, however, didn’t compromise credit card information of the affected users.

The company website, however, claimed that they are in touch with the hacker, who stole the data only to point out the vulnerabilities in Zomato’s system. “We were lucky we could get in touch with the person (hacker) in good time. As it turned out, the hacker was a security researcher (ethical hacker) who had put up the data for sale to get our attention (and/or to teach us a lesson)” said the company blog.

7. Target Stores

The Data Breach: Hackers stole credit and debit card data from the POS devices using memory-scanning malware.

Date: Between Nov. 27 and Dec. 15, 2013

Number of People Affected: 40 million credit and debit cards

Details:

The hackers, believed to be a 22-year-old Ukrainian and his team members, gained access to Target’s network using stolen credentials of a third-party vendor called Fazio Mechanical Services. After the initial test phase, they installed and uploaded as many as five versions of the malware on several different POS devices.

Apart from the 41 million customer payment card accounts, the breach also compromised contact information of more than 60 million Target customers. In May 2017, Target agreed to pay $18.5 million to settle various claims arising from the cyber attack.

8. Home Depot

The Data Breach: Home Depot’s Point of Sale systems were compromised resulting in the theft of payment card information.

Date: September 2014

Number of People Affected: 56 million credit/debit cards

Details:

This cyber attack was similar to the Target Stores personal data breach that occurred in 2013. Hackers used a third-party vendor’s login credentials to gain illegal access to the Home Depot network and installed memory-scraping malware on more than 7,500 self-checkout POS terminals. The malware successfully stole 56 million credit and debit cards and 53 million email addresses.

Apparently, an important feature called “Network Threat Protection” in Symantec Endpoint Protection (SEP) antivirus software wasn’t turned on. The company offered identity protection services to the affected customers. Later, a settlement was also proposed providing payments to those who documented losses caused by the breach.

9. Deloitte

The Data Breach: Attackers stole confidential emails and plans of some of its blue-chip clients.

Date: October or November 2016

Number of People Affected: Unknown

Details:

Deloitte, one of the largest accountancy and consulting firms in America, fell victim to a cyber attack last year. According to the company, hackers stole plans from its blue-chip clients, including 6 private companies and a few government agencies, as well as the company emails. The internal investigation is still ongoing.

The hackers gained access to an administrator account of the internal email service hosted in Microsoft’s Azure cloud. This allowed cyber criminals to gain unrestricted access to the client data. The attack, however, was a huge embarrassment to Deloitte, particularly its cyber-security consulting business.

10. Adobe

The Data Breach: The attackers stole customer data and its source code.

Date: October 2013

Number of People Affected: 38 million user accounts

Details:

The massive data breach compromised a total of 38 million user accounts, including 2.9 million accounts with credit card information, as well as the source code for Photoshop, Acrobat, Reader, and ColdFusion. The company offered free credit monitoring service for a year to customers whose credit card data was compromised. In 2016, Adobe was fined $1 million for this cyber attack.

How to Secure Your Data from Personal Data Breach

Gone are the days when you could rely on the sophisticated technologies used by renowned banks, financial institutions, and businesses to protect your sensitive personal data. In fact, security breaches continue to paralyze the nation’s high-profile private and public databases, making it more necessary than ever to understand how to protect your personal information.

You must assume that your personal information, too, is at risk, as cyber attacks happen all the time. Fortunately, there are a few tried and tested ways to protect your data from cybercriminals.

Encrypt Your Data

One of the easiest ways to keep your personal information safe is to encrypt your emails and other data. Data encryption is no longer the domain of computer geeks. In fact, there are several different encryption tools such as Kruptos 2, Secure IT, Crypto Forge, and Folder Lock available out there that can encrypt data locally.

 

Data encryption is particularly useful for safeguarding private online communication. Some of this software can also back up your data in case a cyber attack compromises your device, which brings us to our next point.

 

 

Backup Your Data

It may seem obvious, but backing up your data on a secure external hard drive is also a critical factor in data theft prevention. Despite having strict security measures, cybercriminals, sometimes, may hack into your device. If you back up your data, you don’t need to worry about losing your valuable information. You can also back up the data in the cloud. However, cloud storage is relatively more vulnerable to cyber attacks.

Update Your Antivirus and Firewall

From the above list of security breaches, you must have understood the importance of keeping your software updated. Not just the antivirus, antimalware, and firewall, but the entire system must be kept up to date to avoid a data security breach.

Make sure to update every device from your mobile phones to your computers and laptops. Computer operating systems such as Mac OS and Windows OS also provide regular security updates. It is better to turn on automated updates to ensure the highest level of protection.

Shield Your IP Address

The IP address of your computer can reveal a lot about you such as your location, operating system, and even the activities on your device. That’s why you need to shield or hide your IP address whenever you go online. Just like data encryption software, there are several different IP shield tools out there. All you need to do is to sign up for a Trusted Proxy (TP) or Virtual Private Network (VPN) service provider.

 

 

Use Two-Factor Authentication

Two-factor authentication provides an additional layer of security in case hackers manage to crack your passwords. The system usually uses a security question or a Personal Identification Number (PIN) or a One-Time Password (OTP).

Most online service providers such as banks, e-commerce stores, email service providers, and social media channels use two-factor authentication. However, you can also use two-factor authentication apps such as Authy, Google Authenticator or HDE OTP to secure your mobiles and laptops.  

Don’t Sync Your Phone to Unknown Devices  

People often tend to sync their mobile phone with unknown devices such as a rental car or a friend’s laptop for a variety of reasons. As far as possible, try to avoid syncing any of your devices to unknown ones. If you sync your phone to a device, make sure to delete the connection from the device’s memory after use.

Destroy the Data You No Longer Need

You should either back up your old data safely or destroy it if you no longer need it. Make sure to clean your old hard disks or external hard drives before tossing them into the trash. Shred outdated personal documents such as passports, certificates, tax forms, bank and credit card statements, credit and debit cards, and personal identification, or use a burn bag.

Set Fraud Alert

When it comes to preventing a personal data breach, the simplest option is to set up a fraud alert, for free, by calling one of the three major credit bureaus: Experian, Equifax, and TransUnion. You only need to call one of the agencies, as it will automatically inform the other two.

After the Equifax data security breach fiasco, however, most people may not consider this a safe option. So, another option is to sign up with an identity theft protection service provider. Besides sending fraud alerts, a theft protection service provider will also help you through the recovery process if a data security breach occurs.

Check Your Social Media Privacy Settings

When it comes to social media, people often overshare personal details in a desperate attempt to feel connected. However, oversharing on social media can provide a potential path for cybercriminals to steal your personal information.

Almost all social media channels, such as Facebook, Twitter, and Instagram, are set to “public” mode by default. Thus, all your posts are visible to everyone. It is strongly recommended to change this default to “Friends Only” so only your friends can view the information you share. You should also avoid sharing sensitive details such as credit card numbers or bank account details through chatting apps or social media channels.

Check Website URL

While browsing the internet, you need to be wary of suspicious-looking web URLs. Hackers often use such websites for phishing attacks. Usually, the websites beginning with “https://” are deemed safe as they have Secure Sockets Layer (SSL), a website security protocol.

Alternatively, you can also use online services such as Google Safe Browsing to verify a link. Just type http://google.com/safebrowsing/diagnostic?site= followed by the site or the IP address you want to check. Google will tell you if the site has hosted malware in the last 90 days.

Usually your antivirus software also provides a safe browsing application that you can use while you are sharing sensitive information. Always type the full web address while opening a bank website instead of clicking on a link.

Share Personal Information on a Need to Know Basis

You should always refrain from sharing personal information whenever possible. You don’t have to share your SSN or other identification everywhere. Sometimes businesses may ask for information that is truly unnecessary. So, share personal information on a need-to-know basis. Make sure to educate your children in this regard as well.

Use Secure Passwords

None of the above precautions are worth the trouble if you are using weak passwords. Always try to create long and complex passwords consisting of absurd or random letters, symbols, and special characters.

Most websites and online applications allow passwords up to 16 characters in length. Do not reuse a password. If you have trouble memorizing long passwords, you can use password managers. A password manager securely stores all your passwords, which you can access with a master password.

How to Deal with a Personal Data Breach

Despite taking the above precautions, chances are you may encounter a personal data breach at some point in your life. The corporate organization or bank you do business with may fall prey to the next infamous data security breach. Regardless of what the organization will do to remedy the situation, you should also take steps to prevent further misuse of stolen data. Here is what you can do.

Assess the Damage

The first thing you need to do is to find out the extent of the personal data breach. A thorough assessment of stolen information will determine the steps you need to take to handle the situation. Usually, data breaches fall into the following 3 scales.

  1. Low: It includes loss of names and street addresses. It is relatively harmless.
  2. Medium: In this type of personal data breach, hackers often steal more sensitive information such as email addresses, dates of birth, and credit/debit card account numbers.
  3. High: It involves stealing highly sensitive information including social security numbers, bank account details, online-account passwords, and credit/debit card account numbers.

Change Every Password

Regardless of whether online accounts with the concerned organization were affected by the breach or not, change every single electronic password. It includes passwords for your email accounts, online bank accounts, credit card sites, insurance sites, and income tax sites. If you use the same password on other sites, change that too. While you are at it, don’t forget to update your security questions as well. To be on the safer side, make it a practice to change your passwords regularly.

Monitor Your Finances Closely

Though you should check your financial statements regularly, this is the time to be extra vigilant. Your liability may depend on how soon you identify and report relevant financial discrepancies. It includes checking your credit card statements, bank account statements, insurance statements, healthcare accounts, and tax returns.

Inform the Concerned Organizations

Upon receiving the news of fraud, inform the relevant bank or organization immediately. Don’t wait until the criminals misuse your credit or debit cards. Speak with the concerned authorities and tell them about the potential risk of fraud. Cybercriminals often try to exploit the stolen credit/debit cards as soon as possible. So, the sooner you inform the relevant financial institutions, the better.

In the United States, though federal rules limit the customer’s liability for fraud, you should check with your bank about the regulations in this regard. Debit cards have much less protection because criminals can practically drain your entire bank account. So, it is better to use your credit card for online and POS payments.

Enroll for Credit Monitoring Service

It may seem like locking the stable door after the horse has bolted, but you should enroll for credit monitoring services. Most probably the affected business organization will provide free credit monitoring and identity theft protection services for a year or so. Sign up for it. It may not be much, but it is better than nothing.

Sign up with Identity-Monitoring Service

Alternatively, you can also subscribe to identity theft protection and recovery services. The service provider may offer you emergency cash, identity theft insurance, and recovery assistance depending on your monthly plan.

Place a Fraud Alert and Credit Freeze

You should also inform the three major credit agencies, Equifax, Experian, and TransUnion, about the fraud directly. They will set a fraud alert that will remain active for at least 90 days. You can also ask for a credit freeze. It will make sure no alterations can occur in your finances without your consent, much like two-factor verification.

Report Identity Theft

When it comes to a personal data breach, identity theft is the worst case scenario. The above measures can prevent identity theft. Sometimes, however, they may not be enough to keep the cybercriminals at bay.

  • According to the 2017 Identity Fraud Study, in 2016, 6.15% of consumers became victims of identity fraud, an increase of more than 2 million victims from the previous year.
  • The study also found that $16 billion was stolen from 15.4 million U.S. consumers in 2016, compared to $15.3 billion from 13.1 million victims in 2015.

If ID theft occurs, you should file a formal report of identity theft with the Federal Trade Commission besides setting up a credit freeze. The FTC website www.identitytheft.gov will help you create your Identity Theft Report and a personal recovery plan based on your circumstances. You will also need to file a police report with the local precinct. Make sure to ask the concerned officer to attach your FTC ID Theft Complaint to it.

Remember, you should take the above steps (except for the last one) even if you are unsure of the extent of the compromised information.

Wrapping It Up

Every year, hundreds of cyber attacks take place, affecting millions of people around the globe. The increasing number of data breaches and the failure to stop these cybercriminals in their tracks have become a global concern. Hopefully, reading this article will not only help you understand the global scale of data breaches but protect your personal information as well. You will also learn to deal with the situation in case your data gets stolen. We would love to hear your feedback. Drop your remarks, suggestions, and questions in the comments section below.

 
