Posted by Lauren Sporck / November 22, 2017
There were 8,069 data breaches between January 2005 and November 2017 according to the Identity Theft Resource Center, and in recent years the number of data breaches and compromised records has skyrocketed.
Although there have been too many data breaches to count in recent years, whether large-scale or small, there are a few that stand out from the rest as some of the worst data breaches in history in terms of resulting costs and the number of records compromised. Below is a list of 11 of the worst breaches in history, highlighting the causes of the breaches and the effects on the public and business sectors.
1. Yahoo
3 billion is a large number. The 3 billion Yahoo accounts compromised by a 2013 hack make this easily the biggest data breach in the internet era. All Yahoo users were affected by the breach – although Yahoo did not determine that this was the case until 2017. Though the U.S. government indicted Russian hackers for a later breach that took place in 2014, it is not certain how the 2013 hack occurred.
2. eBay
Between February and March of 2014, eBay requested that 145 million users change their account passwords due to a breach that compromised encrypted passwords along with other personal information. Like many of the other breaches included in this post, hackers gained access to eBay accounts through stolen login credentials. The credentials did not come from customers themselves but instead from eBay employees. In this particular breach, user payment information via PayPal was safe since it was encrypted; users were only asked to change their passwords as a precautionary measure.
3. Equifax
In 2017, credit bureau Equifax was breached, putting the data of over 143 million Americans and many people in other countries at risk. At the very least, several hundred thousand identities were stolen. Although Equifax did not announce the breach until September 7, the breach took place several months prior, in May 2017. Hackers were able to breach Equifax by exploiting a vulnerability in open-source software Apache Struts – CVE-2017-5638, to be precise, for which a patch was issued in March 2017.
4. JP Morgan Chase
In 2014, a cyber attack aimed at JP Morgan Chase compromised 83 million household and business accounts that included personal information such as names, email addresses, and phone numbers. The attack was said to impact two-thirds of all American households, making this breach one of the largest in history. A little less than a year later, four men were indicted for the attack on JP Morgan Chase as well as several other financial institutions with charges including securities and wire fraud, money laundering, and identity theft. The men made over $100 million through the scheme. In some instances, login credentials were obtained through tricking users and then used to access customer information. Hackers also exploited the Heartbleed bug in this breach, a vulnerability in OpenSSL that allowed hackers to steal information that is normally encrypted.
5. Anthem
In February of 2015, hackers broke into Anthem's servers and stole up to 80 million records. The healthcare giant is the parent company of several well-known healthcare providers including Blue Cross and Blue Shield. The attack began with phishing emails sent to five employees who were tricked into downloading a Trojan with keylogger software that enabled the attackers to obtain passwords for accessing the unencrypted data. This breach was particularly devastating because it included the theft of millions of medical records thought to be worth 10 times the amount of credit card data.
6. Target
In order to gain access to customer credit and debit card numbers, hackers installed malicious software on POS systems in Target stores in self-checkout lanes. The card-skimming malware compromised the identities of 70 million customers and 40 million credit and debit cards. The same malware was later found in the Home Depot breach referenced below.
7. Uber
Although the names, email addresses, phone numbers, and license plate numbers for at least 57 million drivers and customers were accessed by hackers in October 2016, Uber concealed the data breach from both the public and from government regulators until November 2017. The company instead paid the hackers $100,000 to prevent them from using the data and keep the breach under wraps. Hackers accessed the data by stealing Uber engineers' credentials from a private GitHub account, and then using those credentials to break into an Uber AWS account.
8. Home Depot
A security breach that attacked Home Depot's payment terminals affected 56 million credit and debit card numbers. The Ponemon Institute estimated a loss of $194 per customer record compromised due to re-issuance costs and any resulting credit card fraud. For example, protection from identity theft through Experian is $14.95 per month. For this specific breach, that would amount to $837.2 million in costs related to fraud monitoring, which is often offered in the wake of a breach in order to protect victims from identity theft. Hackers first gained access to Home Depot's systems through stolen vendor login credentials. Once the credentials were compromised, they installed malware on Home Depot's payment systems that allowed them to collect consumer credit and debit card data.
9. TJX
A hacker managed to infiltrate TJX chains, including Marshalls and TJ Maxx, and stole 45.7 million customer credit card and debit card numbers. Although not thought to be responsible for the hack itself, a group of people in Florida were charged with buying customer credit card data from the hackers and then using that data to purchase $1 million worth of electronic goods and jewelry from Walmart. This breach is still considered one of the biggest retail data breaches of all time.
10. Hannaford Brothers
Hackers managed to steal 4.2 million credit and debit card numbers within 3 months from 300 Hannaford stores, a large supermarket retailer. Hackers collected customer data via malware uploaded to Hannaford servers. The malware could intercept customer data during transactions, which was then used in over 2,000 cases of international customer fraud.
11. Sony Pictures
Analysts believe that the Sony breach began with a series of phishing attacks targeted at Sony employees. These phishing attacks worked by convincing employees to download malicious email attachments or visit websites that would introduce malware to their systems. This type of attack used social engineering, where phishing emails appeared to be from someone the employees knew, thus tricking them into trusting the source. Hackers then used Sony employee login credentials to breach Sony's network. Over 100 terabytes of data were stolen, and monetary damages are estimated to be over $100 million.
To find out how to prevent large-scale data breaches, visit our page about Metadefender, the most powerful threat detection and prevention platform.