While major technological advances have had widespread positive effects for individuals and organizations, they’ve also increased vulnerability to data breaches: incidents in which information is stolen or accessed by hackers without the system owner’s permission.
Cyberattacks resulting in the exposure of data have become increasingly common over the last two decades. The annual number of data breaches in the United States more than tripled in just 10 years, from 446 million in 2007 to 1.6 billion in 2017 (Statista, 2021). These breaches are likely to become more prevalent as attackers exploit emerging attack surfaces such as the Internet of Things (IoT). Over 1.5 billion IoT device breaches were reported in the first half of 2021 alone—more than twice as many as in all of 2020 (Cyrus, 2021).
The potential size of a cyberattack is no longer just a theoretical question—in today’s information-driven world, data breaches have the potential to affect millions of people at once (Sobers, 2021). Cyberattacks are becoming both more common and more impactful (Embroker, 2022), meaning that data protection and cybersecurity strategies are in turn becoming increasingly important. In this article, we’ll take a look at some of the most significant data breaches in recent memory.
According to SEC filings, domain registration and web hosting company GoDaddy experienced a data breach in September 2021 that affected over 1 million customers (Comes, 2021). The breach went unnoticed for 2 months and reportedly resulted from a compromised password—a vulnerability caused, according to security experts, by the company’s inadequate security measures and lack of preventive practices (Carroll, 2021).
In 2020, security researcher Bob Diachenko discovered a database of data breaches reported between 2012 and 2019. Keepnet Labs, a security firm based in the United Kingdom, built the database with Elasticsearch, a data search and analytics engine based on the Lucene Java library. More than 5 billion records were exposed after they were indexed when the security firm temporarily disabled its firewall, leaving the database publicly available (Keepnet Labs, 2020).
In 2013, web service provider Yahoo experienced the largest data breach in history when hackers obtained security questions, backup emails, and other sensitive data for all 3 billion Yahoo accounts—although the full extent of the breach wasn’t revealed until 2017 (Stempel & Finkel, 2017). In late 2014, a separate, state-sponsored attack exposed the names, phone numbers, and other details associated with 500 million accounts (Perez, 2016). Cybersecurity firm InfoArmor’s investigation found that Yahoo user data was being sold on cybercriminal forums (Allstate Identity Protection, n.d.). In the wake of the highly publicized hacks, Verizon purchased Yahoo for USD 350 million less than originally planned (Lunden, 2017), and the company faced massive class action lawsuits (Stempel & Finkel, 2017).
First American Financial Corporation
In 2019, First American Financial Corporation was targeted in a massive data breach that exposed 885 million of the financial service provider’s records (Brook, 2020). The hack, first reported by independent journalist Brian Krebs, revealed information including bank statements, Social Security numbers, wire transaction receipts, mortgage and tax records, and driver’s license images that had been digitized in 2013. The breach originated from an authentication error called Insecure Direct Object Reference (IDOR)—put simply, no authentication was required to access the documents, making them available to anyone with the URL and a web browser (Mathews, 2019).
Facebook has reported several security breaches, including the famous Cambridge Analytica scandal (Sarkar, 2018). But in 2019, the company faced its biggest data breach to date when a leak exposed the cell phone numbers of more than 400 million Facebook users, along with their geographic locations (Whittaker, 2019). The information was stored in an unprotected database that could be accessed by anyone with an internet connection.
While the Marriott data breach took place in 2014, it wasn’t discovered until 2018, when an internal security tool recorded a suspicious attempt to access the guest reservation database for Marriott’s Starwood Hotels (“Marriott data breach”, 2022). The attack—which occurred prior to Starwood’s acquisition by Marriott in 2016—compromised the travel records, passport numbers, and other personal information of 500 million Marriott guests, including some customers’ payment details.
Interested in Learning How to Prevent Data Breaches?
Many of the data breaches covered in this article targeted big names, demonstrating that no one is immune to cybercrime. These recent attacks on tech giants and multinational corporations highlight malicious hackers’ advanced and sophisticated capabilities, but they also underscore the failure of many organizations to adopt a comprehensive cybersecurity strategy and strong data protections.
As the number of cyberattacks grows, so will the demand for trained cybersecurity professionals. If you think you’d enjoy the thrill of outsmarting cybercriminals and have a knack for understanding the latest technological innovations, consider enrolling in a cybersecurity program at EC-Council University (ECCU). ECCU offers several courses of study in cybersecurity, including accredited bachelor’s and master’s degrees, to equip you with the skills and competencies you need to mitigate threats and thwart cyberattacks.
Allstate Identity Protection. (n.d.). InfoArmor: Yahoo data breach investigation.
Brook, C. (2020, September 25). SEC looking into First American breach. Digital Guardian.
Carroll, T. (2021, November 23). Expert comment on GoDaddy security breach. Global Security Mag.
Comes, D. (2021). GoDaddy announces security incident affecting managed WordPress service. Securities and Exchange Commission.
Cyrus, C. (2021, September 17). IoT cyberattacks escalate in 2021, according to Kaspersky. IoT World Today.
Diachenko, B. (2020, March 19). A UK-based security company seemed to have inadvertently exposed its ‘leaks database’ with 5b+ records. Security Discovery.
Embroker. (2022, January 31). 2022 must-know cyber attack statistics and trends.
Keepnet Labs. (2021). Public statement in relation to data briefly exposed on an Elasticsearch database.
Lunden, I. (2017, February 21). After data breaches, Verizon knocks $350M off Yahoo sale, now valued at $4.48B. TechCrunch.
Marriott data breach FAQ: What really happened? (2022, January 26). Hotel Tech Report.
Mathews, L. (2019, May 24). First American Financial leaked 800-plus million sensitive mortgage documents. Forbes.
Perez, S. (2016, September 22). Yahoo confirms state-sponsored attacker stole personal data of “at least” 500 million users. TechCrunch.
Sarkar, S. (2018). Repercussions of Facebook’s data-breach scandal. Analytics Insight.
Sobers, R. (2021, April 16). 98 must-know data breach statistics for 2021. Inside Out Security.
Statista. (2021, March 3). Annual number of data breaches and exposed records in the United States from 2005 to 2020.
Stempel, J., & Finkle, J. (2017, October 3). Yahoo says all three billion accounts hacked in 2013 data theft. Reuters.
Whittaker, Z. (2019, September 4). A huge database of Facebook users’ phone numbers found online. TechCrunch.