10 Data Breaches of the Decade: How Famous Brands Let Us Down

Does remembering the year 2010 bring you a warm glow of nostalgia? Spain won the World Cup, Eminem rocked, and everybody played Angry Birds. You (and I) were ten years younger, so the grass was probably greener and the parties were more fun.

 

Instagram launched, the iPad went to market, and Mark Zuckerberg became Time’s Person of the Year. It truly was a new decade of huge digitalization and connection.

 

But at the start of the 2010s we never considered the potential pitfalls of our brave new digital world. We were quick to create online accounts and believed both banks and governments would keep our records safe. We didn’t ever consider anyone profiting from our data.

 

Now we know the realities. During the next 10 years, world headlines were dominated by the names of household companies next to the words “data breach”.

 

Let’s explore the most notorious data breaches of the 2010s and learn why so many big companies got it wrong when it came to protecting personal data.

1. Yahoo! - the largest data breach

Yahoo! tops our chart of data breaches. It was hacked twice, in 2013 and 2014, and later revealed the extent of the breaches: an astonishing 500 million and three billion accounts were compromised [3].

 

In 2017, at the time of the breach announcement, three billion people constituted about 40% of the global population. What did the hackers access? Names, email addresses, encrypted passwords, birthdays, phone numbers, and, in some cases, security questions and answers. While not the most sensitive information, the breach’s scale is jaw-dropping.

2. Facebook - multiple data failures

Facebook is a runner-up thanks to its long history of data incidents. In April 2019, it suffered an enormous data breach as the records of 540 million Facebook users were exposed in public storage.

 

Earlier in 2019, it emerged that Facebook had stored passwords in plain text, which affected 200 to 600 million users. In 2018, the social media platform was in trouble again for sharing user data with tech partners and phone manufacturers.

 

And surely we can’t forget the Facebook–Cambridge Analytica scandal. In early 2018, Facebook revealed that data from 87 million accounts was stealthily harvested and used for political advertising. Eventually, the FTC hit Facebook with a record-breaking $5 billion fine. But would that really make Zuckerberg’s company behave?

3. First American - huge exposure of financial records

This case is recent, huge, and devastating. In May 2019, it emerged that First American Financial Corporation, a real estate and insurance giant, exposed 885 million sensitive financial records of its clients. This included Social Security numbers, bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, and photos of driver's licenses dating back to 2003.

 

All of these files could have been collected from the company’s website by anyone who knew how to modify a page link. No password was required. Moreover, data harvesting could have been automated by bots. So far, it is unknown whether anyone actually collected the records before First American fixed the error, but the exposure of such sensitive financial information still involves an immense risk of mass identity theft.
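A flaw of this kind, where changing the document number in a link returns someone else's file without a login, is commonly called an insecure direct object reference. The sketch below is an added illustration in Python, not First American's code: the document store, user names and function names are hypothetical, and it contrasts the flawed lookup with one that requires a session, an untampered link and a server-side ownership check.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: IDs, owners and contents are hypothetical.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "alice mortgage record"},
    1002: {"owner": "bob", "body": "bob wire transfer receipt"},
}
SIGNING_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def fetch_vulnerable(doc_id):
    """Flawed pattern: the number in the link is the only input consulted."""
    doc = DOCUMENTS.get(doc_id)
    return doc["body"] if doc else None


def sign_link(doc_id, user):
    """Issue a token that binds a link to one document and one user."""
    msg = f"{doc_id}:{user}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def fetch_hardened(doc_id, session_user, token):
    """Return the document only to its authenticated owner via an unmodified link."""
    if session_user is None:
        return None  # anonymous requests are refused
    expected = sign_link(doc_id, session_user).encode()
    if not hmac.compare_digest(expected, (token or "").encode()):
        return None  # link was edited or issued to a different user
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        return None  # ownership is enforced on the server
    return doc["body"]


if __name__ == "__main__":
    alice_link = sign_link(1001, "alice")
    print(fetch_vulnerable(1002))                     # any visitor reads bob's file
    print(fetch_hardened(1001, "alice", alice_link))  # owner, intact link
    print(fetch_hardened(1002, "alice", alice_link))  # edited ID -> None
```
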

4. Uber - covering up the breach

No company can be 100% sure it won’t be hacked. But what matters is the steps it takes should a breach happen. Uber demonstrated a really bad example of post-attack behavior.

 

In 2016, personal data from 57 million Uber accounts, including 600,000 license numbers, was exposed. Instead of disclosing the incident and helping its clients, Uber paid the hackers $100,000 to conceal the details of the attack. The breach was announced only a year later.

 

The case didn’t go unnoticed. There was a lengthy investigation focused on Uber’s violation of data breach reporting laws and, eventually, the company was fined $148 million in the US. Later, separate investigations were held in the UK, the Netherlands, and France. These cost Uber an additional $1.6 million in fines.

5. Myspace - years of unawareness

Myspace was an extremely popular social network in the late 2000s. In May 2016, it announced that a hacker stole over 360 million email addresses and passwords to Myspace accounts [14].

 

Interestingly, Myspace couldn’t identify when the attack took place. Security researcher Troy Hunt analyzed the facts and concluded that the hack likely occurred between mid-2008 and early 2009. This means Myspace didn’t notice and failed to disclose the breach for seven or eight years. Naturally, users were also unaware that for all this time their passwords were being exploited and traded.

6. Equifax - financial breach affecting half of the US

Before First American, Equifax was probably the most widely-discussed financial data breach. Equifax is one of the largest credit reporting bureaus in the US. After a cyberattack in 2017, hackers stole the data of about 147 million Americans, nearly half of the country’s population. The information in question was extremely sensitive: it included Social Security numbers, home addresses, dates of birth, some driver's licenses, and credit card numbers.

 

After an investigation, a governmental report concluded that the Equifax breach “was entirely preventable”. It happened due to inefficient security practices and outdated systems at Equifax. The company has agreed to pay at least $575 million in fines, although the case is ongoing.

7. Marriott-Starwood - luxury hotels, poor cybersecurity

This story shows that even the world’s largest hotel chain was not immune to a cyberattack. Hackers hit Marriott in 2014 through its acquired company, Starwood Hotels and Resorts. The criminals stole passport details, email addresses, phone numbers, and some credit card records from guests. In total, 383 million people were affected by the breach.

 

What is worse, it took the company 4 years to discover and announce the breach. Then, Marriott needed a few more months to properly evaluate how many records were stolen. This is not to mention that the hotel giant neglected encryption basics, making it easy for hackers to use the stolen data.

8. Ashley Madison - the most delicate breach

In many cases, data breaches are hard to link to real-life troubles people experience. If one’s credit card is misused, it’s not that obvious when and where its number was stolen. However, the data breach of Ashley Madison, a website for extramarital affairs, directly led to multiple resignations, divorces, and even suicides.

 

In 2015, hackers exposed about 32 million users of the service. Names, passwords, addresses, phone numbers, and other details were exposed. While it’s not the largest data breach in history, it proved to be extremely painful for those involved.

9. Target - missing a breach alert

Around Black Friday 2013, Target, one of the largest US retailers, experienced a massive data breach. This time, it wasn’t actually Target that had a security flaw. Instead, the criminals hit the retailer’s vendor, a refrigeration contractor. This exposed Target’s systems and let hackers steal details of shoppers’ debit and credit cards. The gain was massive: up to 100 million people became victims of this hack.

 

Ironically, both Target and its refrigeration vendor had security software that could have prevented this trouble, but it wasn’t deployed properly. The contractor had a free version of an anti-malware product that only worked on demand and didn’t offer real-time protection. Target itself was notified about the breach by a specialized program, but the warning went unnoticed. This is yet more proof that software alone can’t protect you from cyber threats.

10. Twitter - a streak of flaws

Similarly to Facebook, Twitter faced security issues throughout the decade. The scale was not too big, although disturbing for such a popular social media platform. Here are a number of data exposures Twitter faced.

 

In 2013, the company announced that 250,000 user accounts were potentially hacked. Next, in 2018, it turned out that Twitter internally stored user passwords in plain text, and this put the platform’s 330 million users at risk. Eventually, the end of 2019 brought more sad news. In October, Twitter confirmed that it exploited the users’ private phone numbers and email addresses to serve targeted ads. In December, two bugs were revealed in Twitter’s Android app: the first one allowed hackers to take control of users’ accounts, while the second bug made it possible to match accounts with phone numbers. Hopefully, 2020 won’t bring similar revelations.

 

***

 

All of these cases prove that even the most successful companies, whose services we use daily, can be hacked. While there were 662 data breaches in 2010, by the end of 2018 this number nearly doubled to hit 1244 cases.  

 

In a world where our personal information is so easily exposed, we need to be prepared and know how to secure ourselves. Read our guides:

 

We’re working on more materials and tools to support best practice around data protection. Wishing you safety and privacy in the upcoming decade!
