Unprecedented data breaches of the last ten years – and their aftermath

• NinjaOne study delves into significant data breaches in recent history.
• Yahoo experienced the most significant data breach, compromising three billion records in 2013.
• In 2019, First American Corporation and Facebook followed, with breaches of 885 million and 540 million records, respectively.

Imagine a scenario where your online activities, from casual email exchanges to confidential financial dealings, leave a digital footprint prone to cyberthreats. This situation is far from a mere speculative plot in a science fiction film; it’s a tangible challenge we confront in our current era of digital interconnectivity. In this environment, the security of our personal data, which is invaluable and deeply intertwined with our private lives, is under continuous threat.

Despite its role in connecting global communities and streamlining our lives, this digital era has also been the backdrop for some of the most significant data security breaches. These incidents, impacting billions of people worldwide, go beyond mere statistics. They represent personal stories, breaches of confidential information, and shattered trust, all having far-reaching consequences in our increasingly online existence.

What have been the most monumental data breaches of recent times? And how have even prominent corporations succumbed to cyber-incursions, despite the general awareness of the danger? From the astonishing Yahoo breach impacting billions to an unknown company’s unsecured database leak, each incident sheds light on the dynamic field of cybersecurity and the relentless effort to defend our digital selves.

Analyzing monumental data breaches

A recent analysis by NinjaOne, a patch management software company, unveils startling findings: Yahoo’s 2013 data breach is the most severe, with three billion records compromised. This study sifts through the most significant breaches to identify which organizations have faced the gravest data losses.

1. Yahoo with three billion records in 2013

In 2013, Yahoo endured the most significant recorded data breach in history, affecting every one of its three billion user accounts. Initially underestimated at one billion affected accounts, this figure was later corrected to a breathtaking three billion. The breach led to the theft of diverse data, including email addresses, passwords, birth dates, and phone numbers.

2. First American Corporation with 885 million records in 2019

First American, the nation’s second-largest title insurance company, processes vast amounts of personal and financial information annually. This data, sourced from numerous title-related documents, is stored in its proprietary software, EaglePro.

In May 2019, a security weakness was discovered in EaglePro. This vulnerability allowed unauthorized access to confidential documents, enabling anyone with a specific link to view their documents and those of unrelated transactions without needing authentication. A whopping 885 million records were compromised due to lax security on its servers, exposing critical data like bank accounts, social security numbers, wire transactions, and mortgage details.

The New York State Department of Financial Services (DFS) investigated and found that First American had violated cybersecurity regulations. The company had failed to establish adequate governance, access controls, identity management, and risk assessment procedures, leading to insufficient security measures in EaglePro against unauthorized data access.

DFS recently announced that First American would face a US$1 million penalty for breaching cybersecurity regulations. This fine is linked to the May 2019 cybersecurity incident, which unintentionally exposed sensitive consumer information.

3. Facebook with 540 million records in 2019

A leak of data from around 540 million Facebook users, including personal details like names and phone numbers, was recently made public. Initially, Facebook downplayed this as relating to a known 2019 breach, but later admitted the data came from a previously unreported exploit in their contact import feature. The breach was distinct from other Facebook security issues and involved the information of notable figures. Facebook’s response to the incident, including a failure to directly notify affected users, has drawn criticism for lack of transparency and clarity.

4a. Marriott International with 500 million records in 2018

Marriott International, a global hotel chain, tied for the fourth-largest breach in 2018, with half a billion records compromised. The data breach, allegedly orchestrated by hackers linked to the Chinese government, targeted Marriott’s reservation database, compromising sensitive data, including passport numbers and credit card details.

4b. Yahoo with 500 million records in 2014

Yahoo’s 2014 data breach, tied as the fourth-largest, affected 500 million records, including personal details like usernames and birth dates. The fallout from this breach, which became more apparent in 2018 with a US$35 million fine for Yahoo’s delayed disclosure, heightened public awareness of data security. Additionally, between 2015 and 2016, hackers breached 32 million more accounts. Yahoo’s subdued response to these incidents, mainly through security notices on its website, sparked concerns about its commitment to robust cyberdefenses.

6. FriendFinder Networks with 412 million records in 2016

In 2016, FriendFinder Networks suffered a major hack, exposing over 412 million accounts across sites like Adultfriendfinder.com. Steve Ragan initially reported security flaws, but the full scale of the breach, involving usernames, emails, and weakly encrypted passwords, was revealed by LeakedSource. Despite a previous breach in 2015, FriendFinder continued insecure password practices, leading to widespread concerns about its commitment to data security.

7. Exactis with 340 million records in 2018

Exactis, a marketing and data aggregation firm, suffered the seventh-largest breach in 2018, with 340 million records exposed. It inadvertently made detailed personal data of millions publicly accessible, including phone numbers, addresses, and email contacts.

8. Airtel with 320 million records in 2019

In 2019, Airtel, a major Indian telecom provider, faced a data breach exposing 320 million customer records due to a system vulnerability. This breach compromised personal details like names, phone numbers, email addresses, and Aadhaar card numbers.

The incident prompted data privacy concerns and investigations in India. In response, Airtel strengthened its security protocols and informed affected customers, highlighting the need for stringent data protection measures to handle sensitive information.

9. Truecaller with 299 million records in 2019

Truecaller, known for its caller ID and call-blocking features, encountered the ninth-largest breach in 2019, with 299 million records compromised. Leaked data encompassed phone numbers, email addresses, and other personal details.

10. Database leak with 275 million records in 2019

In 2019, an unknown company reportedly faced the tenth-largest breach when a misconfigured database with 275 million records was exposed.

The need for robust cybersecurity measures

NinjaOne remarked on the findings, highlighting the immense value of data in our interconnected world and the significant returns of investing in robust security measures.

It underscored the importance of updating software and limiting access to sensitive data as critical strategies to minimize data breach risks.

NinjaOne pointed to Yahoo’s 2013 and 2014 data breaches, which resulted in billions of compromised records, as stark examples of the significant costs of data breaches. These incidents, with the 2013 breach being one of the largest in history, led to severe financial consequences for Yahoo.

The company faced a monumental class action settlement of US$117,500,000. Additionally, Yahoo and its successors encountered legal implications for how they managed these breaches.

“One such example is the US$35,000,000 SEC fine Yahoo incurred for not disclosing the data breach when it first learned about it, thereby misleading investors,” NinjaOne said.

This commentary emphasizes the critical nature of transparency and proactive security measures in the digital domain. The cases of Yahoo and others serve as stark reminders of the vital importance of protecting digital data and the potential consequences of failing to do so in our increasingly connected world.

---

---

---