5 of the largest data breaches in recent history — and 4 more you forgot
National Cybersecurity Awareness Month
As Friday the 13th rolls around, the digital community has a lot of recent bad luck to think about. Breaches of seemingly ever larger scale come on the heels of one another, and keeping track of them is a feat.
The breakdown of company data breaches from the last five years brings up many billions of painful memories:
In light of recent news and events, Equifax's position at No. 5 may come as a surprise, but the number of affected individuals or compromised records is not necessarily an indicator of the severity of a breach.
Around 360 million individuals still holding onto their Myspace account — a number which may have been more surprising than the incident itself — got a surprise in 2016 when the three-year old breach was discovered. They, however, were probably less concerned than the 145.5 million consumers who had PII compromised in the Equifax breach or the additional two billion Yahoo users who only recently found out their accounts were also breached in 2013.
More records were impacted in the Yahoo breach than in the 2013 Adobe incident, for example, but is Yahoo necessarily worse because it had a higher mathematical toll? Does the slightly scandalous nature of PII breached in the 2016 FriendFinder Networks hack afford it a spot near the top of the least coveted list of the digital age?
Naming any breach as "the worst in history" is difficult because of the nuance of each individual breach. As the country mulls the impact of an increasing number of breaches, here is a look at some particularly bad incidents people might have forgotten about (and companies may not have learned a lesson from):
They won't write an Anthem about this one
- Who: Anthem
- What: Phishing scam
- When: April 2014
- Discovered: Jan. 2015
- Disclosed: Feb. 2015
- Size: 80 million members and employees
The Anthem breach took place after an employee opened a phishing email and is believed to be the work of a foreign government. While investigations found the company carried out a "quick and effective" response, 80 million people were immediately affected.
The company failed to patch a known cybersecurity vulnerability and was criticized for not encrypting sensitive personal and health information as well as taking weeks to notify impacted individuals.
Anthem denied any wrongdoing and agreed to settle on a class-action lawsuit in June for $115 million, the highest data breach settlement to date. By comparison, one firm is seeking as much as $70 billlion in damages from Equifax.
Personal data [mis]management
- Who: U.S. Office of Personnel Management (OPM)
- What: Malware
- When: March 2015
- Discovered: April 2015
- Disclosed: June 2015
- Size: 21.5 million people
The OPM breach compromised SSNs and other sensitive information of 19.7 million security clearance applicants and 1.8 million spouses or cohabitants of these applicants. The Office of the Inspector General warned the department of lax data security policies and protocols in 2007, but OPM's data security saw no improvements.
OPM suffered another breach and revealed 5.6 million fingerprint records were accessed in September of the same year. Overlap between the two breaches affected 22.1 million individuals in total, according to The Washington Post.
The FBI says Chinese government hackers were responsible for the breach, and a Chinese national was arrested in August in connection to the creation of the malware used, CNN reports. In September, a federal judge dismissed a lawsuit filed by federal employees, citing an inability of the plaintiffs to demonstrate they were harmed by the breach, but the plaintiffs have appealed, according to Nextgov.
Internal is in the name, but external is in the game
- Who: IRS
- What: Impersonation
- When: Feb.-May 2015
- Discovered: May 2015
- Disclosed: May 2015
- Size: 724,000 taxpayers
It took the IRS many months to understand the scope of the breach, and initial estimates said just 114,000 taxpayers were impacted. Hackers used personal information acquired elsewhere to assume identities, infiltrate an online IRS portal and download tax histories, which were used to file $50 million in fraudulent tax returns.
A variety of federal audits and reports from 2007 to 2014 highlighted vulnerabilities in the IRS database to threats, according to USA Today, and the department's own inspector general recognized its longstanding security problems. Sound familiar?
In November, a U.S. district judge in D.C. threw out a lawsuit brought upon the IRS by taxpayers in response to the breach, saying speculative injury does not have legal standing, Law360 reports.
A date of infamy
- Who: Ashley Madison
- What: Hack
- When: July 2015
- Discovered: July 2015
- Disclosed: July 2015
- How many: 32 million site users
The Ashley Madison data breach is certainly one of the most memorable, compromising users more than just financially. A group of hackers called the Impact Team accessed personal details and log-ins of millions of account holders, threatened to expose them if the site was not shut down and then posted the information on the dark web when it wasn't.
The hackers targeted the information for moral reasons and as an objection to the company's demand of a fee for user's to delete their data — which, it turned out, the company did not actually delete.
The company settled an FTC case and agreed to pay $1.6 million and implement a comprehensive data-security program in Dec. 2016. The case alleged the company gave false assurances to users that their PII would be "100% secure and anonymous."
Follow Alex Hickey on Twitter