Data breaches can be quite costly to organizations, with direct costs (remediation, investigation, etc.) and indirect costs (reputational damage, providing cyber security to victims of compromised data, etc.).
According to the nonprofit consumer organization Privacy Rights Clearinghouse, a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the United States between January 2005 and May 2008, excluding incidents where sensitive data was apparently not actually exposed.
A data breach may include incidents such as the theft or loss of digital media (computer tapes, hard drives, or laptop computers containing such media) on which such information is stored unencrypted; posting such information on the World Wide Web or on a computer otherwise accessible from the Internet without proper information security precautions; transfer of such information to a system which is not completely open but is not appropriately or formally accredited for security at the approved level, such as unencrypted e-mail; or transfer of such information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.
ISO/IEC 27040 defines a data breach as: compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed.
Trust and privacy
The notion of a trusted environment is somewhat fluid. The departure of a trusted staff member with access to sensitive information can become a data breach if the staff member retains access to the data after termination of the trust relationship. In distributed systems, this can also occur with a breakdown in a web of trust. Data quality is one way of reducing the risk of a data breach, partly because it allows the owner of the data to rate data according to importance and give better protection to more important data.
Most such incidents publicized in the media involve private information on individuals, e.g. social security numbers. Loss of corporate information such as trade secrets, sensitive corporate information, and details of contracts, or of government information is frequently unreported, as there is no compelling reason to do so in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.
Insider versus external threats
Those working inside an organization are a major cause of data breaches. Estimates of breaches caused by accidental "human factor" errors range from 37% by Ponemon Institute to 14% by the Verizon 2013 Data Breach Investigations Report. The external threat category includes hackers, cybercriminal organizations and state-sponsored actors. Professional associations for IT asset managers work aggressively with IT professionals to educate them on best risk-reduction practices for both internal and external threats to IT assets, software and information. While security prevention may deflect a high percentage of attempts, ultimately a motivated attacker will likely find a way into any given network. One of the top 10 quotes from Cisco CEO John Chambers is, "There are two types of companies: those that have been hacked, and those that don't know they have been hacked." FBI Special Agent for Cyber Special Operations Leo Taddeo warned on Bloomberg television, "The notion that you can protect your perimeter is falling by the wayside & detection is now critical."
Some celebrities have found themselves to be the victims of inappropriate medical record access breaches, albeit more so on an individual basis, not part of a typically much larger breach. Given the series of medical data breaches and the lack of public trust, some countries have enacted laws requiring safeguards to be put in place to protect the security and confidentiality of medical information as it is shared electronically and to give patients some important rights to monitor their medical records and receive notification for loss and unauthorized acquisition of health information. The United States and the EU have imposed mandatory medical data breach notifications. Reportable breaches of medical information are increasingly common in the United States.
Although such incidents pose the risk of identity theft or other serious consequences, in most cases there is no lasting damage; either the breach in security is remedied before the information is accessed by unscrupulous people, or the thief is only interested in the hardware stolen, not the data it contains. Nevertheless, when such incidents become publicly known, it is customary for the offending party to attempt to mitigate damages by providing the victims with, for instance, a subscription to a credit reporting agency, new credit cards, or other instruments. In the case of Target, the 2013 breach cost Target a significant drop in profit, which fell an estimated 40 percent in the 4th quarter of the year. At the end of 2015, Target published a report claiming a total loss of $290 million to data breach related fees.
The Yahoo breach disclosed in 2016 may be one of the most expensive to date. It may lower the price of its acquisition by Verizon by $1 billion. Verizon later renegotiated the deal with Yahoo, agreeing to lower the final price from $4.8 billion to $4.48 billion. Cybercrime costs energy and utilities companies an average of $12.8 million each year in lost business and damaged equipment, according to DNV GL, an international certification body and classification society based in Norway. Data breaches cost healthcare organizations $6.2 billion in the last two years (presumably 2014 and 2015), according to a Ponemon study.
In health care, more than 25 million people have had their health care data stolen, resulting in the identity theft of more than 6 million people, and the out-of-pocket cost to victims is close to $56 billion. Privacy Rights Clearinghouse (PRC) records from January 2005 to December 2018 show more than 9,000 breach events, together with the cause of each breach, such as insider attack, payment card fraud, lost or stolen portable device, malware infection, and sending an e-mail to the wrong person (DISC). This shows that many data breaches stem from common human mistakes that allow hackers to exploit them and carry out an attack.
It is notoriously difficult to obtain information on direct and indirect value loss resulting from a data breach. A common approach to assessing the impact of data breaches is to study the market reaction to such an incident as a proxy for the economic consequences. This is typically conducted through event studies, where a measure of the event's economic impact can be constructed from the security prices observed over a relatively short period of time. Several such studies have been published with varying findings, including works by Kannan, Rees, and Sridhar (2007), Cavusoglu, Mishra, and Raghunathan (2004), Campbell, Gordon, Loeb, and Lei (2003) as well as Schatz and Bashroush (2017).
Since data volume is growing exponentially in the digital era and data leaks happen more frequently than ever before, preventing sensitive information from being leaked to unauthorized parties has become one of the most pressing security concerns for enterprises. To safeguard data and finances, businesses often have to incur additional costs to take preventive measures against potential data breaches. From 2017 to 2021, global spending on internet security is predicted to exceed $1 trillion.
In early 2008, Countrywide Financial (since acquired by Bank of America) allegedly fell victim to a data breach when, according to news reports and court documents, employee Rene L. Rebollo Jr. stole and sold up to 2.5 million customers' personal information including social security numbers. According to the legal complaint: "Beginning in 2008 – coincidentally after they sold their mortgage portfolios under wrongful and fraudulent 'securitization pools,' and coincidentally after their mortgage portfolio went into massive default as a result thereof – Countrywide learned that the financial information of potentially millions of customers had been stolen by certain Countrywide agents, employees or other individuals." In July 2010, Bank of America settled more than 30 related class-action lawsuits by offering free credit monitoring, identity theft insurance and reimbursement for losses to as many as 17 million consumers impacted by the alleged data breach. The settlement was estimated at $56.5 million not including court costs.
In December 2009 a RockYou! password database was breached containing 32 million usernames and plaintext passwords, further compromising the use of weak passwords for any purpose.
In May 2009 the United Kingdom parliamentary expenses scandal was revealed by The Daily Telegraph. A hard disk containing scanned receipts of UK Members of Parliament and Peers in the House of Lords was offered to various UK newspapers in late April, with The Daily Telegraph finally acquiring it. They published details in instalments from 8 May onwards. Although it was intended by Parliament that the data was to be published, this was to be in redacted form, with details the individual members considered "sensitive" blanked out. The newspaper published unredacted scans which showed details of the claims, many of which appeared to be in breach of the rules and suggested widespread abuse of the generous expenses system. The resulting media storm led to the resignation of the Speaker of the House of Commons and the prosecution and imprisonment of several MPs and Lords for fraud. The expenses system was overhauled and tightened up, being put more on a par with private industry schemes. The Metropolitan Police Service continues to investigate possible frauds, and the Crown Prosecution Service is considering further prosecutions. Several MPs and Lords apologised and made whole, partial or no restitution, and retained their seats. Others who had been shamed in the media did not offer themselves for re-election at the 2010 United Kingdom general election. Although numbering less than 1,500 individuals, the affair received the largest global media coverage of any data breach (as at February 2012).
In January 2009 Heartland Payment Systems announced that it had been "the victim of a security breach within its processing system", possibly part of a "global cyber fraud operation". The intrusion has been called the largest criminal breach of card data ever, with estimates of up to 100 million cards from more than 650 financial services companies compromised.
Throughout the year, Chelsea Manning released large volumes of secret military data to the public.
In March 2011, RSA SecurID suffered a breach of their SecurID token system seed-key warehouse, where the seed keys for their 2 Factor Authentication system were stolen, allowing the attackers to replicate the hardware tokens used for secure access in corporate and government environments.
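The SecurID incident above turns on one fact: a one-time-password token contains nothing but a seed key, so whoever holds a copy of the seed computes exactly the same codes as the hardware token. The following added example (not from the original article, and not RSA's proprietary algorithm) shows this with the open HOTP/TOTP standards from RFC 4226 and RFC 6238, using the RFC test-vector secret as a constructed demo seed, together with a server-side verifier that refuses to accept a code for a time step that has already been used.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226/6238 test-vector secret. It is a hypothetical
# seed for illustration, not an RSA SecurID seed, and the algorithm below is the
# open HOTP/TOTP standard rather than RSA's proprietary one.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step.
    Every holder of the seed, legitimate or not, gets the same answer."""
    return hotp(seed, unix_time // step, digits)


class TotpVerifier:
    """Server-side check that tolerates a little clock skew but never accepts the
    same time step twice, so a captured code cannot be replayed within its step."""

    def __init__(self, seed: bytes, step: int = 30, window: int = 1):
        self.seed = seed
        self.step = step
        self.window = window        # accept codes from +/- this many steps
        self.last_accepted = -1     # highest counter already used for a login

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted:
                continue            # already consumed: reject replay
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 vector for T=59 is 94287082; with six digits that is 287082.
    print(totp(DEMO_SEED, 59))  # prints 287082
```

The verifier is the defensive half of the picture: it limits what a stolen code is worth, but it cannot help once the seed itself has been copied, which is why the seed store, not the token, was the target in the RSA case and why affected tokens had to be replaced.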
In June 2011, Citigroup disclosed a data breach within their credit card operation, affecting approximately 210,000 or 1% of their customers' accounts.
In the Summer of 2012, Wired.com Senior Writer Mat Honan claims that "hackers destroyed my entire digital life in the span of an hour" by hacking his Apple, Twitter, and Gmail passwords in order to gain access to his Twitter handle and in the process, claims the hackers wiped out every one of his devices, deleting all of his messages and documents, including every picture he had ever taken of his 18-month-old daughter. The exploit was achieved with a combination of information provided to the hackers by Amazon's tech support through social engineering, and the password recovery system of Apple which used this information. Related to his experience, Mat Honan wrote a piece outlining why passwords cannot keep users safe.
In October 2012, a law enforcement agency contacted the South Carolina Department of Revenue (DoR) with evidence that Personally Identifiable Information (PII) of three individuals had been stolen. It was later reported that an estimated 3.6 million Social Security numbers were compromised along with 387,000 credit card records.
In October 2013, Adobe Systems revealed that their corporate database was hacked and some 130 million user records were stolen. According to Adobe, "For more than a year, Adobe’s authentication system has cryptographically hashed customer passwords using the SHA-256 algorithm, including salting the passwords and iterating the hash more than 1,000 times. This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored."
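Adobe's statement contrasts two ways of storing passwords: the live system's salted, iterated SHA-256 and the backup system's Triple DES encryption. The added example below (constructed for this article, not Adobe's code) implements a salted, iterated hash of the kind described, with a fresh random salt per user; the iteration count of 1,000 is an assumed value, since the page only says "more than 1,000 times". It shows the two properties that matter when a password table is stolen: the digest cannot be reversed to the password, and two users with the same password do not end up with the same stored value.

```python
import hashlib
import hmac
import os

# Assumed iteration count; the article only says "more than 1,000 times".
ITERATIONS = 1000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated SHA-256 in the style the article describes (a constructed
    scheme, not Adobe's implementation). The salt is mixed into every round so the
    whole chain is bound to this particular user's salt."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(salt + digest).digest()
    return digest


def register(password: str) -> dict:
    """What the server stores: a random 16-byte salt per user plus the derived digest.
    The password itself is never kept, so it cannot be recovered from the record."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": ITERATIONS, "digest": hash_password(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def same_stored_value(record_a: dict, record_b: dict) -> bool:
    """With per-user salts this is False even when both users chose the same
    password, so a stolen table does not reveal which accounts share a password."""
    return record_a["digest"] == record_b["digest"]
```

The contrast with the backup system is the point of the example: a hash like this has to be attacked one guess at a time per salt, whereas encryption, however strong the cipher, can be undone by anyone who obtains the key, and a password store that can be decrypted is only as safe as the key that protects it.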
In August 2014, nearly 200 photographs of celebrities were stolen from Apple iCloud accounts and posted to the image board website 4chan. An investigation by Apple found that the images were obtained "by a very targeted attack on user names, passwords and security questions". Apple subsequently toughened iCloud security by offering opt-in two-factor authentication after the celebrity breach.
In September 2014, Home Depot suffered a data breach of 56 million credit card numbers.
In October 2014, Staples suffered a data breach of 1.16 million customer payment cards.
In November 2014 and for weeks after, Sony Pictures Entertainment suffered a data breach involving personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of (previously) unreleased Sony films, and other information. The hackers involved claim to have taken over 100 terabytes of data from Sony.
In October 2015, the British telecommunications provider TalkTalk suffered a data breach when a group of 15-year-old hackers stole information on its 4 million customers. The stock price of the company fell substantially due to the issue – around 12% – owing largely to the bad publicity surrounding the leak.
In July 2015, adult website Ashley Madison suffered a data breach when a hacker group stole information on its 37 million users. The hackers threatened to reveal usernames and specifics if Ashley Madison and a fellow site, EstablishedMen.com, did not shut down permanently.
In February 2015, Anthem suffered a data breach of nearly 80 million records, including personal information such as names, Social Security numbers, dates of birth, and other sensitive details.
In June 2015, The Office of Personnel Management of the U.S. government suffered a data breach in which the records of 22.1 million current and former federal employees of the United States were hacked and stolen.
In February 2016, the 15-year-old British hacker Kane Gamble leaked the personal details of over 20,000 FBI employees, including employees' names, job titles, phone numbers and email addresses. The judge said Gamble engaged in "politically motivated cyber-terrorism."
In April 2016, news media carried information stolen from a successful network attack of the Central American law firm, Mossack Fonseca, and the resulting “Panama Papers” sent reverberations throughout the world. Perhaps a justified vindication of illegal or unethical activity, this nonetheless illustrates the impact of secrets coming to light. The Prime Minister of Iceland was forced to resign and a major reshuffling of political offices occurred in countries as far-flung as Malta. Multiple investigations were immediately initiated in countries around the world, including a hard look at international or offshore banking rules in the U.S. Obviously the implications are enormous to the ability of an organization—whether a law firm or a governmental department—to keep secrets.
In September 2016 Yahoo reported that up to 500 million accounts in 2014 had been breached in an apparent "state-sponsored" data breach. It was later reported in October 2017 that 3 billion accounts had been breached, accounting for every Yahoo account at the time.
Vault 7: CIA hacking techniques revealed in a data breach. Leaked documents, codenamed Vault 7 and dated from 2013–2016, detail the capabilities of the CIA to perform electronic surveillance and cyber warfare, such as the ability to compromise the operating systems of most smartphones (including Apple's iOS and Google's Android), as well as other operating systems such as Microsoft Windows, macOS, and Linux. Joshua Adam Schulte, a former CIA employee, has been accused of leaking CIA hacking secrets to WikiLeaks.
Equifax, July 2017: 145,500,000 consumer records, the largest known data breach in history at the time, leading to the potential for the largest class action lawsuit in history. As of early October 2017, the cities of Chicago and San Francisco and the Commonwealth of Massachusetts had filed enforcement actions against Equifax following the July 2017 data breach, in which hackers allegedly exploited a vulnerability in the open-source software used to create Equifax's online consumer dispute portal. The hackers obtained information not only on U.S. residents but on U.K. and Canadian residents as well.
United States-South Korea classified military documents, October 2017. A South Korean lawmaker claimed that North Korean hackers stole over 235 gigabytes of military documents from the Defense Integrated Data Center in September 2016. Leaked documents included South Korea-U.S. wartime operational plans.
In March, Google identified a vulnerability exposing the personal information of nearly half a million users. While they patched the vulnerability, they did not disclose the exposure to users until the issue was reported on by The Wall Street Journal 6 months after the fact.
On 1 August, Reddit disclosed that it had been hacked. The hacker was able to compromise employees' accounts even though they used SMS-based two-factor authentication. Reddit refused to disclose the number of affected users.
On 29 March, Under Armour disclosed a data breach of 150 million accounts at MyFitnessPal, with compromised data consisting of user names, the users' e-mail addresses and hashed passwords. Under Armour was notified of the breach in the week of 19–25 March; the leak itself happened sometime in February.
It was reported on 1 April that a data breach occurred at Saks Fifth Avenue / Lord & Taylor. About 5 million credit card holders may have had their data compromised in stores in North America.
It was reported on 20 July that a data breach at SingHealth, one of Singapore's largest health organisations, had happened on 4 July, with the personal data of about 1.5 million people (including some ministers, among them Singapore's Prime Minister Lee Hsien Loong) being compromised. At a press conference, ministers dubbed the data breach the "most serious breach of personal data".
On September 7 it was reported that British Airways experienced a data theft of about 380,000 customer records including full bank details.
On December 3, Quora reported a data breach that affected its 100 million users data.
In May, personal data of roughly 139 million users of the graphic design service Canva were exposed, including real names of users, usernames, addresses and geographical information, and password hashes.
On July 16 Bulgaria’s National Revenue Agency, a branch of the country’s Ministry of Finance.
In September, personal data of Ecuador's entire population of 17 million, along with that of deceased people, was breached after an unsecured server managed by the marketing analytics firm Novestrat leaked full names, dates and places of birth, education, phone numbers and national identity numbers.
On July 7, the writing site Wattpad suffered a major data breach by ShinyHunters, involving over 270 million users; users' data were sold on a forum in the darknet, including password hashes.
Computer security, cybersecurity or information technology security is the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.
RSA SecurID, formerly referred to as SecurID, is a mechanism developed by RSA for performing two-factor authentication for a user to a network resource.
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Equifax Inc. is an American multinational consumer credit reporting agency and is one of the three largest consumer credit reporting agencies, along with Experian and TransUnion. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide. In addition to credit and demographic data and services to business, Equifax sells credit monitoring and fraud prevention services directly to consumers.
The 2011 PlayStation Network outage was the result of an "external intrusion" on Sony's PlayStation Network and Qriocity services, in which personal details from approximately 77 million accounts were compromised and prevented users of PlayStation 3 and PlayStation Portable consoles from accessing the service. The attack occurred between April 17 and April 19, 2011, forcing Sony to turn off the PlayStation Network on April 20. On May 4, Sony confirmed that personally identifiable information from each of the 77 million accounts had been exposed. The outage lasted 23 days.
The 2012 LinkedIn hack refers to the computer hacking of LinkedIn on June 5, 2012. Passwords for nearly 6.5 million user accounts were stolen. Yevgeniy Nikulin was convicted of the crime and sentenced to 88 months in prison.
Identity theft involves obtaining somebody else's identifying information and using it for a criminal purpose. Most often that purpose is to commit financial fraud, such as by obtaining loans or credits in the name of the person whose identity has been stolen. Stolen identifying information might also be used for other reasons, such as to obtain identification cards or for purposes of employment by somebody not legally authorized to work in the United States.
The 2014 Russian hacker password theft is an alleged hacking incident resulting in the possible theft of over 1.2 billion internet credentials, including usernames and passwords, with hundreds of millions of corresponding e-mail addresses. The data breach was first reported by the New York Times after being allegedly discovered and reported by Milwaukee-based information security company, Hold Security.
Have I Been Pwned? is a website that allows Internet users to check whether their personal data has been compromised by data breaches. The service collects and analyzes hundreds of database dumps and pastes containing information about billions of leaked accounts, and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future dumps. The site has been widely touted as a valuable resource for Internet users wishing to protect their own security and privacy. Have I Been Pwned? was created by security expert Troy Hunt on 4 December 2013.
Alex Holden is the owner of Hold Security, a computer security firm. As of 2015, the firm employs 16 people.
Credential stuffing is a type of cyberattack in which stolen account credentials, typically consisting of lists of usernames and/or email addresses and the corresponding passwords, are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. Unlike credential cracking, credential stuffing attacks do not attempt to use brute force or guess any passwords – the attacker simply automates the logins for a large number of previously discovered credential pairs using standard web automation tools such as Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks, such as Sentry MBA, SNIPR, STORM, Blackbullet and Openbullet.
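Because credential stuffing tries each stolen pair once, its signature in an authentication log is one source address failing against many different accounts in a short time, which is the opposite of a legitimate user repeatedly mistyping one password. The added example below (constructed for this article, not taken from any product) runs that detection over a constructed sample log using RFC 5737 documentation addresses, with a sliding time window and a threshold on distinct usernames, and reports any successful logins from a flagged address since those are the accounts whose passwords were in the stolen list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LOG = """
2024-05-01T10:00:01Z ip=203.0.113.9 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.9 user=bob result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.9 user=carol result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.9 user=dave result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.9 user=erin result=SUCCESS
2024-05-01T10:00:06Z ip=203.0.113.9 user=frank result=FAIL
2024-05-01T10:00:07Z ip=203.0.113.9 user=grace result=FAIL
2024-05-01T10:00:10Z ip=198.51.100.4 user=heidi result=FAIL
2024-05-01T10:00:20Z ip=198.51.100.4 user=heidi result=FAIL
2024-05-01T10:00:40Z ip=198.51.100.4 user=heidi result=SUCCESS
2024-05-01T10:05:00Z ip=192.0.2.7 user=ivan result=FAIL
2024-05-01T10:07:00Z ip=192.0.2.7 user=judy result=FAIL
2024-05-01T10:09:00Z ip=192.0.2.7 user=mallory result=FAIL
2024-05-01T10:11:00Z ip=192.0.2.7 user=niaj result=FAIL
2024-05-01T10:13:00Z ip=192.0.2.7 user=olivia result=FAIL
""".strip().splitlines()


def parse_line(line: str):
    """'<ISO timestamp> key=value ...' -> (datetime, {key: value})."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_text.replace("Z", "+00:00")), fields


def detect_credential_stuffing(lines, window_seconds: int = 60, min_distinct_users: int = 5) -> dict:
    """Flag source IPs whose failed logins touch at least min_distinct_users distinct
    accounts inside any sliding window of window_seconds. One user retrying one
    account is never flagged; a stuffing run touches many accounts once each."""
    failures = defaultdict(list)   # ip -> [(timestamp, username)]
    successes = defaultdict(list)  # ip -> [username]
    for line in lines:
        ts, f = parse_line(line)
        if f["result"] == "FAIL":
            failures[f["ip"]].append((ts, f["user"]))
        else:
            successes[f["ip"]].append(f["user"])

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({user for _, user in events[start:end + 1]}))
        if best >= min_distinct_users:
            flagged[ip] = {
                "distinct_failed_users": best,
                "successes": successes.get(ip, []),  # accounts to force-reset
            }
    return flagged


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG))
```

In the sample, 203.0.113.9 is flagged with six distinct failed accounts and one success (erin), 198.51.100.4 is a single user retrying and is not flagged, and 192.0.2.7 spreads five failures over eight minutes and slips under a 60-second window; widening the window to ten minutes catches it too, which is the usual trade-off between window length and false positives. In production the same logic would also key on user agent and on rate, and would feed the flagged successes into a forced password reset and a check of those accounts against known breach dumps.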
The Internet service company Yahoo! was subject to the largest data breach on record. Two major data breaches of user account data to hackers were revealed during the second half of 2016. The first announced breach, reported in September 2016, had occurred sometime in late 2014, and affected over 500 million Yahoo! user accounts. A separate data breach, occurring earlier around August 2013, was reported in December 2016. Initially believed to have affected over 1 billion user accounts, Yahoo! later affirmed in October 2017 that all 3 billion of its user accounts were impacted. Both breaches are considered the largest discovered in the history of the Internet. Specific details of material taken include names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords. Further, Yahoo! reported that the late 2014 breach likely used manufactured web cookies to falsify login credentials, allowing hackers to gain access to any account without a password.
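The "manufactured web cookies" mentioned above could only falsify logins because the server accepted a session cookie it could not tell apart from one it had issued itself. The added example below (constructed for this article, not Yahoo's code) shows the standard defence: each cookie carries an HMAC over its payload under a server-side key, and the verifier rejects anything whose signature does not match, whether the payload was edited or the cookie was signed under some other key. The key here is a hypothetical constructed value.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical server-side signing key, constructed for this demo only.
SERVER_KEY = b"demo-signing-key-not-for-real-use"


def _b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_cookie(user_id: str, now: int, key: bytes = SERVER_KEY, ttl: int = 3600) -> str:
    """Cookie = base64(payload) '.' base64(HMAC-SHA256(key, payload)).
    Only a holder of the key can produce a signature the verifier will accept."""
    payload = json.dumps({"uid": user_id, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(sig)


def verify_cookie(cookie: str, now: int, key: bytes = SERVER_KEY):
    """Return the user id if signature and expiry check out, otherwise None.
    The signature is checked before the payload is trusted for anything."""
    try:
        payload_b64, sig_b64 = cookie.split(".")
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
    except ValueError:           # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)
    if data.get("exp", 0) <= now:
        return None
    return data.get("uid")


def tamper_payload(cookie: str, new_user_id: str) -> str:
    """Edit the user id inside an otherwise valid cookie, keeping its old signature.
    Used only to show that the verifier rejects the result."""
    payload_b64, sig_b64 = cookie.split(".")
    data = json.loads(_b64d(payload_b64))
    data["uid"] = new_user_id
    return _b64e(json.dumps(data, separators=(",", ":")).encode()) + "." + sig_b64


if __name__ == "__main__":
    now = 1_700_000_000
    c = issue_cookie("alice", now)
    print(verify_cookie(c, now + 10))                        # alice
    print(verify_cookie(tamper_payload(c, "admin"), now))    # None
```

The check is only as good as the secrecy of the key: if the signing key itself is taken from a compromised server, every cookie an attacker mints will pass, so the response to a breach of this kind is to rotate the key, which invalidates every outstanding session at once, and to keep cookie lifetimes short so that rotation is cheap.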
The Equifax data breach occurred between May and July 2017 at the American credit bureau Equifax. Private records of 147.9 million Americans, along with 15.2 million British citizens and about 19,000 Canadian citizens were compromised in the breach, making it one of the largest cybercrimes related to identity theft. In a settlement with the United States Federal Trade Commission, Equifax offered affected users settlement funds and free credit monitoring.
The 2018 SingHealth data breach was a data breach incident initiated by unidentified state actors, which happened between 27 June and 4 July 2018. During that period, personal particulars of 1.5 million SingHealth patients and records of outpatient dispensed medicines belonging to 160,000 patients were stolen. Names, National Registration Identity Card (NRIC) numbers, addresses, dates of birth, race, and gender of patients who visited specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 were maliciously accessed and copied. Information relating to patient diagnosis, test results and doctors' notes was unaffected. Information on Prime Minister Lee Hsien Loong was specifically targeted.
Data breach incidences in India were the second highest globally in 2018, according to a report by digital security firm Gemalto. With over 690 million internet subscribers and growing, India has increasingly seen a rise in data breaches both in the private and public sector. This is a list of some of the biggest data breaches in the country.
ShinyHunters is a criminal black-hat hacker group that is said to have been involved in numerous data breaches. The stolen information is often sold on the dark web.
The 2021 Air India cyberattack was a cyberattack that affected more than 4.5 million customers of Air India airlines.
Cavusoglu, Huseyin; Mishra, Birendra; Raghunathan, Srinivasan (2004). "The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers". International Journal of Electronic Commerce. 9 (1): 69–104. doi:10.1080/10864415.2004.11044320. JSTOR 27751132. S2CID 10753015.