One of the first hacks to get widespread public attention in the United States and Canada occurred on the night of April 27, 1986.
Millions of HBO subscribers in the Eastern time zone were watching the film The Falcon and the Snowman when their screens suddenly displayed this message instead of the movie:
"Captain Midnight" hacked the HBO signal and beamed his gripes about pricing to the world for four and half minutes. How could someone do that, the world asked?
[Related: Original HBO Hack]
To some, the ability to hack a satellite broadcast was unsettling. To others, it was amusing. But beyond blocking a few minutes of a movie that was probably playing again the next day anyway, there was no real damage done.
How times have changed.
Now, headlines about ransomware, cyberattacks, and data breaches pour into social media feeds at a steady drumbeat. And the annual global damage from these attacks is estimated to be in the trillions of dollars each year. Cybersecurity Ventures predicts that cybercrime will cost the world $6 trillion annually by the end of 2021.
SecureWorld News takes a look at some of the largest data breaches to ever occur.
Top 10 most significant data breaches
Yahoo data breach (2013)
- Records affected: 3 billion
- What was compromised: real names, email addresses, dates of birth, telephone numbers, and security questions
- Damages: $350 million estimated loss in value of company
- Who attacked: unknown
- Summary: Yahoo believes that "state-sponsored actors" compromised all of their users accounts between 2013 and 2014. It was difficult timing for Yahoo, as they were in the process of being purchased by Verizon, decreasing the value of the company by $350 million.
First American Financial Corporation data breach (2019)
- Records affected: 885 million
- What was compromised: bank account numbers, bank statements, mortgage and tax records, social security numbers, wire transaction receipts, and driver license images
- Damages: charges from the New York State Department Financial Services (NYDFS)
- Who attacked: no attacker
- Summary: This data breach was unique in the sense that there was not a breach in the company's servers, but an authentication error, meaning no authentication was required to view documents. There was a common web design error called Insecure Direct Object Reference (IDOR), which basically means that anyone who searches the direct link will have access to it. Once a single link is found, cyber criminals can use Advanced Persistent Bots (APBs) to collect and index the remaining documents. This error went undiscovered for years. The New York DFS alleges that First American failed to follow its own policies, neglecting to conduct a security review or a risk assessment of the flawed computer program.
Equifax data breach (2017)
- Records affected: 148 million
- What was compromised: Social Security numbers, birth dates, addresses, and in some cases driver license numbers and credit card information
- Damages: $700 million to help people affected by the data breach; reputational damage; congressional inquiries
[Related: Day by Day Breach Timeline from Former Equifax CEO]
- Who attacked: unknown hackers
- Summary: In 2017, an application vulnerability in one of their websites lead to the breach. The breach went undiscovered for months. The company has been faulted for a number of security and response lapses, the application vulnerability being prime among them. Inadequate system segmentation made lateral movement easy for the attackers. The sensitivity of the compromised information of this data breach makes it particularly unique.
Marriott International data breach (2018)
- Records affected: 500 million
- What was compromised: some combination of contact information, passport number, Starwood Preferred Guest numbers, travel information, credit card numbers and expiration dates, other personal information
- Damages: U.K. fine of approximately $24 million and class-action lawsuits filed
- Who attacked: Chinese intelligence group seeking to gather data on U.S. citizens using a Remote Access Trojan (RAT) and MimiKatz
- Summary: Marriott purchased Starwood in 2016, but did not integrate the Starwood platform to the Marriott reservation system. In 2018, it was discovered they were still using the old IT infrastructure and it had been compromised in 2014. It is unknown if the stolen credit card information was ever decrypted and used.
[Related: 2018 Data Breach Announcements: via Livestream, Law Firms, Twitter]
Adult FriendFinder Networks data breach (2016)
- Records affected: 412.2 million
- What was compromised: names, email addresses, and passwords
- Damages: sensitive leaked account information
- Who attacked: unknown
- Summary: The stolen data came from six databases with 20 years of information. A majority of the passwords were protected by the weak SHA-1 hashing algorithm, which resulted in 99% of the credentials being posted by LeakSource.com in 2016. This data breach was particularly painful for users due to the nature of the website, which offered casual hookups and adult content.
Facebook data breach (2019)
- Records affected: 540 million
- What was compromised: phone numbers, user names, genders, and locations
- Damages: leaked account information
- Who attacked: no attacker
- Summary: Multiple Facebook databases were found to be unprotected by passwords or encryption, meaning anyone who searched the internet could find them. The databases cover multiple locations, including the U.S., the U.K., and Vietnam. Facebook announced in 2018 that it would make changes to "better protect people's information," yet this incident occurred in 2019, showing there were still flaws in their security systems.
Target data breach (2013)
- Records affected: 60 million
- What was compromised: names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other sensitive data
- Damages: $18.5 million multistate settlement, $10 million class-action lawsuit settlement, and $10,000 payments to customers with evidence they suffered losses
- Who attacked: unknown third party
- Summary: The attackers gained access to Target's networks in 2013 through stolen credentials of a third party vendor—the company that serviced HVAC systems. They then gained access to a customer service database and uploaded malware to capture sensitive information. A resulting lawsuit came from 47 states and the District of Columbia, where a settlement was reached and new standards set for Target to improve its security systems.
Definitive attribution for the attack has never been reported, however, a Latvian computer programmer is doing 14 years in prison for developing malware that someone used in this data breach.
U.S. Office of Personnel Management data breach (2015)
- Records affected: 21.5 million
- What was compromised: Social Security numbers, fingerprints, and highly sensitive information used for background checks
- Damages: extremely personal information stolen (see below)
- Who attacked: state-sponsored attackers working for the Chinese government, according to U.S. officials
- Summary: The OPM was the victim of two cyberattacks in 2015. The first attack led to stolen government employees' information, including names, birth dates, home addresses, and social security numbers. The second led to stolen sensitive information of current, former, and prospective federal employees who had background checks. Information in background checks includes interview findings, mental health records, financial history, and other information, but there is no evidence that shows this data was impacted.
MySpace data breach (2013)
- Records affected: 360 million
- What was compromised: email addresses, usernames, and passwords for some but not all affected accounts
- Damages: leaked accounts could be hacked
- Who attacked: Russian hacker
- Summary: MySpace was attacked in 2013, though the attack was not made public knowledge until 2016. The stolen accounts were leaked to LeakedSources and also available to purchase on the Dark Web market The Real Deal for 6 Bitcoin (roughly $3,000 in 2013). The passwords were stored as SHA-1 hashes of the first 10 characters of the password, converted to lowercase.
LinkedIn data breach (2012)
- Records affected: 165 million
- What was compromised: usernames and passwords
- Damages: paid $1.25 million to breached victims in the U.S. who paid for premium services
- Who attacked: Russian hacker
- Summary: The company was attacked in 2012, when usernames and passwords were posted to a Russian hacker forum. The same hacker selling MySpace's data was found to be selling individual user information for 5 Bitcoin (roughly $5,000 in 2012). It was not until 2016 that LinkedIn revealed the full extent of the attack.
Adobe data breach (2013)
- Records affected: 153 million
- What was compromised: debit and credit card information, usernames, and passwords
- Damages: $1.1 million in legal fees and $1 million to affected customers
- Who attacked: unknown
- Summary: In 2013, Adobe reported that nearly three million customers had their encrypted information stolen by hackers. Later in the same month, they raised their estimate to 38 million customers. A report that same week showed that more than 150 million accounts had been accessed. In 2015, a settlement was reached for violating the U.S. Customer Records Act and unfair business practices.
SolarWinds supply chain data breach (2020)
- Records affected: unknown
- What was compromised: more than 18,000 organizations and governments at risk; attacks activated against approximately 50 organizations including U.S. government agencies
- Who attacked: The U.S. Attorney General says it appears to be Russia-backed hackers, however, Microsoft reported it had detected two different sets of attacks which were compromising SolarWinds software updates.
- What happened: For 18,000 companies and governments around the world, software updates arrive from an IT management company called SolarWinds; and specifically, from its Orion product.
Nation-state backed hackers (think of them as digital soldiers) somehow got inside the SolarWinds update process and secretly placed malware into a few months of updates. They also managed to digitally "sign" the updates, which made them look legitimate.
The end result is that when SolarWinds sent out the software updates, receiving networks saw the legitimate information but not the hidden malware, and organizations unknowingly accepted both. This is a supply chain attack which acts like a Trojan horse.
The malware in these updates gave the nation-state backed attackers a foothold in computer networks around the globe, including within a number of U.S. government agencies. U.S. agencies say the data breach likely will have a "grave impact." Read our original story here.