How To Measure the Biggest Data Breaches of All Time?
It’s hard to come up with a definitive list of the biggest data breaches. Do we rank them by the size of the breach? Direct financial impact? Indirect social impact? Average cost per victim? Political impact? Notoriety? It is an exercise in futility to rank them all – the variety, nature and impacts of major attacks and breaches are all too different.
Instead, in no particular order, here are what we think are the biggest, most important, and noteworthy data breaches in history or at least since the dawn of the Age of Networks.
The DNC Emails
By: Fancy Bear (Russia, State Sponsored, Wikileaks…Others?)
When: 2016
Data Impact: Over 200,000 emails made public
Financial Impact: Undetermined
Claim to Fame: Influenced the American elections
It was only a single email reset request that was clicked on by John Podesta, but the repercussions likely altered the entire global geo-political landscape for years and decades to come. The emails, numbering over 200,000, gave the public unlimited access to the DNC inner workings, a PR nightmare that reframed the election (and buried Trump’s “Locker Room Talk” video). Would Clinton have won the election if not for the malicious email Podesta clicked? It’s hearsay, but in all likelihood we wouldn’t be discussing Mueller, blackmail, border walls, World War 3, and all the other headlines that have graced us for nearly two years now
More: AP investigation details how Russia hacked the DNC’s emails
Yahoo Data Breach
By: FBI Charged 2 Russians. Some suspected China.
When: 2013 (reported 2016 and 2017)
Data Impact: 3 Billion records
Financial Impact: $350 million
Claim to Fame: Biggest known data breach
The biggest data breach on record, it was initially believed the breach exposed a mere 1 billion records. 10 months later, that number jumped to all of Yahoo!’s records or 3 billion. That is a record that is unlikely to ever be breached again. So few single organizations’ databases can come close to that in size. It also cost Yahoo! a reported $350 million in its sale to Verizon, making it one of the most expensive on record as well (that also doesn’t include other costs – stock price declining, damages, etc.)
More: After data breaches, Verizon knocks $350M off Yahoo sale
Sony Playstation Network
By: Unclear
When: 2011 (2014)
Data Impact: 77 million records affected
Financial Impact: $171 million (+ $15M Settlement in 2014)
Claim to Fame: One of the biggest in records and financial impact to an individual company. And then they got hacked again a few years later.
Not to be confused with the more recent North Korea response to The Interview, in 2011 the Playstation network was affected, with 77 million records being hacked. This included names, addresses and many credit card numbers (though encrypted and no verified reports of identity theft have been recorded). Sony shutdown the network for a week, without informing users of what happened. While it seems most users were merely inconvenienced, for Sony it was a nightmare that was to be repeated in 2014 when the North Koreans stole records and unreleased materials in retaliation for The Interview. That makes the 2011 attack more notable. Fool me once…
JPMorgan Chase
By: Gery Shalon, Joshua Samuel Aaron, and Ziv Orenstein
When: 2014
Data Impact: 76 million households and 7 million small businesses
Financial Impact: Unclear, post fact investment of $250 million in security
Claim to Fame: Biggest Bank Data Breach on record
Banking institutions hold a special place in the security world. Financial institutions should be the fortresses – after all, they have our money. So when the likes of a JP Morgan Chase reports that 90% of it’s records have been compromised, our confidence in the institutions should be shattered. It appeared post fact that the records had not been used directly to malicious ends. But as is the case with many breaches, the data is often used to launch massive targeted phishing campaigns, for which the source of the data is hard to track. It appears that the criminals hoped to use the stolen data to launch their own brokerage. It also seems that using the stolen data, they launched a stock manipulation scheme to net millions.
Read: The SEC 8-K filed by JPM disclosing the breach.
Equifax Data Breach
By: Unknown/Possibly State-Sponsored
When: 2017
Data Impact: 148 Million user records
Financial Impact: Over $600 Million
Claim to Fame: Likely most expensive on record, also the largest breach of data that includes Social Security.
If your data was stolen and you were concerned about monitoring the impact, where would you turn? Credit reporting agencies. Now, what if they were hacked? That was the crazy scenario 2017 presented to us. In the largest breach of personal information on record, Equifax experienced a data breach exposing the records of 148 million users. The data names, address, birthdays, and social security numbers, along with 209,000 credit card numbers and dispute documents containing personal information of 182,000 more people. This isn’t Yahoo! email addresses and passwords, but the keys to commit large scale identity fraud. The full impact of this breach will never be known and will likely reverberate for decades to come.
Read: Was Equifax hack state-sponsored?
Adult Friend Finder Doesn’t Learn
By: Unclear
When: 2016
Data Impact: 412 millions records
Financial Impact: Not Reported
Claim to Fame: The second hack in a year, blackmail treasure trove, second only to Yahoo in scale
In 2015 Ashley Madison was rocked by a massive data breach of all of it’s 37 million users. It was devastating for all these users who were intent on committing adultery (2 possible suicides have been linked to this hack). So, it is all the more shocking that in 2016 the same thing happened to Adult Friend Finder, except 10 times the size. Worse yet, they had been breached already in 2015 though on a smaller scale (a mere 4 million users’ sexual preferences, sigh). In 2016, 412 million records, user names, passwords and email address, including .gov & .mil domains. While sexual preferences do not appear to be in the data – an email address could be enough to use as blackmail. Worse, the records included 16 million previously deleted accounts!
Read: Timeline of the Ashley Madison Breach
Office Of Personnel Management
By: Chinese Nationals (suspected, though not proven to be state-sponsored)
When: 2014-2015
Data Impact: 22.1 million records
Financial Impact: Undetermined
Claim to Fame: Richest data set for attack of this scale
We’ve been using big numbers – 400 million, 3 billion – so 22 million might seem small. With some of these data breaches the amount of quality varies. In Yahoo’s case, of the 3 billion addresses, how many are active or unique users? For Adult Friend Finder, what percent used primary email addresses? Equifax is much graver for that reason.
Though OPM was smaller than Equifax, the data that was breached was highly sensitive and valuable to hackers. J. David Cox, president of the American Federation of Government Employees, said this “…The hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.” It was important enough to introduce a much stronger cyber security focus in the federal government. If this was state sponsored as is suspected, this was a major coup for the Chinese.
Read: Inside the OPM Data Breach
Honorable Mentions:
Ebay – one of the biggest in it’s day, with 145 million records breached, though no cards or Social security ID was involved.
Experian – 200 Million records were accessed by Hieu Minh Ngo who ran an ID theft ring.
Heartland – The data of an estimated 100 million cards were stolen from the payment processor
Home Depot – 56 million credit card records were stolen.
Target – 41 million customer card accounts were impacted, with millions more contact information as well.
When Will the Next Big Data Breach Happen?
This is a sampling of the data breaches we’ve seen, most pretty recent, all in the past decade. Often the most dangerous ones are the ones we don’t hear about. When the breach makes headlines, you can take action, and the data might be too hot for many criminals to do anything with. As well, the bigger the attack the more attention law enforcement puts on the case, and thus increasing the likelihood of catching the criminal and disrupting the data flow. When a breach goes unreported, it can be very different. Even more frightening is how those we trust with our most sensitive data as well as those who monitor it, such as credit agencies and the government, are liable to be victims of breaches- and we haven’t even touched on healthcare data breaches here.
It would be nice to say things are improving, but from the look of breaches as they come out, it’s hard to say that there is an end in sight. Equifax is still very fresh. All of the largest breaches listed above happened in the last decade. Several on this list, as we are seeing, are getting repeatedly hacked and compromising their customers with near-impunity. We hope things are getting better, but if the past decade is any indication we have a long way to go.
Leave a Comment