With data breaches having increased in recent months, businesses are being advised to remain extra vigilant.
Telecom company BT revealed in 2023 that more than 46 million cyberattack signals are seen on average every day worldwide, which serves as a reminder that these threats are inevitable. What matters, therefore, is whether organisations have strong enough cybersecurity measures and disaster frameworks in place to mitigate the impact of malicious activity.
By implementing threat detection and response strategies, businesses have a much higher chance of protecting valuable data, or recovering more easily from a breach.
With this in mind, Cyber Magazine takes a look at some of the most prolific data breaches in recent times - to raise awareness of the often-devastating consequences.
10. Starwood (Marriott) Data Breach
Date: November 2018
Number of records compromised: 500m guests
Marriott International, a multinational hotel firm, informed customers in November 2018 of a data breach resulting in the possible disclosure of credit cards, passport numbers and other identifying information belonging to 500 million customers.
Upon investigating internally, Marriott found that hackers had encrypted data and removed it from the Starwood system. The investigation also found that the breach had first occurred in 2014 but went undetected for four years. As a result, Marriott was fined US$23.8m for failing to meet GDPR standards.
9. Facebook Data Breach
Date: April 2019
Number of records compromised: 533m users
It was revealed in 2021 that the personal information of millions of Facebook (now Meta) users from over 106 countries was leaked online. The data was reportedly obtained by exploiting Facebook's contact importer feature, which was fixed by the company in 2019 after it first discovered the vulnerability was being exploited.
As a result of the breach, roughly 20% of Facebook’s user base at the time was impacted. Exposed data included phone numbers, Facebook IDs, full names, locations, dates of birth and in some instances email addresses, employers, genders and relationship statuses.
8. Ticketmaster Data Breach
Date: May 2024
Number of records compromised: 560m
Ticketmaster owner Live Nation confirmed unauthorised activity on its database after a group of hackers admitted to stealing the personal details of 560 million customers. According to ShinyHunters, the name of the group claiming responsibility, the stolen data included names, addresses, phone numbers and partial credit card details from Ticketmaster users around the world.
Snowflake, Ticketmaster’s third-party cloud provider, identified the incident as the result of a cloud account hijacking attack, in which stolen credentials are used to access sensitive data.
7. LinkedIn Data Breach
Date: June 2021
Number of records compromised: 700m
In June 2021, a hacker known as “TomLiner” advertised the sale of information from around 700 million LinkedIn users on a darknet forum. At the time, this figure represented roughly 90% of the company’s total user base, which made it the largest LinkedIn data breach to date.
The same individual was also responsible for the leak of 500 million LinkedIn records in April 2021. The large-scale leak was caused by misuse of LinkedIn’s API, which enabled the unauthorised data collection. Speaking at the time, LinkedIn confirmed that the scraped data included email addresses, full names, phone numbers and physical addresses.
6. Verifications.io Data Breach
Date: February 2019
Number of records compromised: 763m users
Verifications.io was a data validation and verification service that helped businesses verify email addresses and other contact information.
The organisation’s data breach was first discovered by security researchers Vinny Troia and Bob Diachenko in 2019. It was revealed that 763 million unique records were exposed on the web, with the vast majority including marketing data on US citizens.
In response, the company shut down its website in March 2019 before closing entirely shortly afterwards.
5. First American Financial Corporation Data Breach
Date: May 2019
Number of records compromised: 885m users
Financial services company First American detected a cybersecurity breach in May 2019 as a result of a vulnerability within its proprietary EaglePro application, which it uses to store consumer data. As a result of the breach, hundreds of millions of customer records were exposed.
Files stored on the company’s website contained bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts and social security numbers. The information leaked dated back as far as 2003 and was available without any protection.
4. Alibaba Data Breach
Date: July 2022
Number of records compromised: 1.1bn users
The Chinese e-commerce giant Alibaba suffered a massive data breach in 2022 that compromised customer data. Sensitive information leaked included names, ID numbers, phone numbers, addresses and even criminal records. In total, 23 terabytes of data was exposed from Alibaba Cloud, China's most prominent public cloud service provider.
Dubbed one of the biggest data breaches in history, the incident left the data of one billion Chinese citizens exposed for more than a year, with an anonymous user on a hacker forum offering to sell the 23TB of data for 10 bitcoin.
3. Aadhaar Data Breach
Date: March 2018
Number of records compromised: 1.1bn people
Aadhaar is a government programme first launched in 2009, where all residents of India have a 12-digit unique identity number based on their biometric data.
In 2018, a faulty Aadhaar software patch was released that gave users elevated access levels and allowed them to bypass critical security features such as iris scan and GPS location verification. This vulnerability ultimately exposed the entire database, which at the time contained about 1.2 billion records.
Reports at the time suggested that the encryption mechanisms Aadhaar had in place were insufficient, access controls were too lax and security protocols were outdated. These weaknesses enabled malicious actors to compromise sensitive data.
2. Yahoo Data Breach
Date: 2017
Number of records compromised: 3bn accounts
Yahoo experienced a data breach in 2013 and did not disclose what happened until 2016, when it revealed that one billion accounts on its network had been impacted. After Verizon Communications acquired Yahoo, it was revealed that the attack had actually affected all three billion of Yahoo’s user accounts.
Threat actors were able to steal users’ names, birth dates, phone numbers and passwords, which were encrypted with security that was reportedly simple to crack. The hackers were also able to obtain the security questions and backup email addresses used to reset lost passwords.
The Department of Justice charged four men, including two Russian intelligence officers, for the breach in 2017.
1. CAM4 Data Breach
Date: March 2020
Number of records compromised: 10.88bn records
Highlighted as the largest reported data leak as of January 2024, the CAM4 data breach in March 2020 occurred as a result of someone at CAM4 misconfiguring Elasticsearch, an internal search engine used by employees to scan user and activity logs. The database was put online without any password protection, leaving the data exposed to anyone who had the server's IP address.
The nearly 11 billion records in the CAM4 data leak contained sensitive user information, including first and last names, email addresses, password hashes, gender and sexual orientation, usernames, chat logs and IP addresses, amongst other information.
A data leak on such a large scale highlights the growing need for strong cybersecurity measures within organisations around the world so that they can mitigate potential data leaks.
Cyber Magazine is a BizClik brand