World's Biggest Data Breaches of the Decade


The world’s biggest data breaches reflect the ongoing need for highly skilled cybersecurity professionals. Software engineers help their employers avoid the consequences faced by companies that have had data breaches. Your cybersecurity skills contribute to a still-growing field in need of innovative minds. 

The Identity Theft Resource Center (ITRC) publishes an annual report detailing data breaches around the world. ITRC’s 2019 report showed the overall impacts of data breaches including: 

  • 1,473 breaches reported
  • 164,683,455 sensitive records exposed by hackers 
  • A 17% growth in data breaches from 2018 to 2019

IBM’s 2019 Cost of a Data Breach Study identified financial costs for companies that have had data breaches. The average cost of a data breach was $3.92 million in 16 surveyed countries. American data breaches proved the costliest with an $8.19 million average price tag. 

ITRC and CNBC published a list of the world’s biggest data breaches from the previous decade that impacted 6.4 billion records. This list reveals how cybersecurity weaknesses and gaps lead to the world’s biggest data breaches. You can keep these breaches in mind as your cybersecurity career progresses. 

Under Armour 

Fitness apparel company Under Armour ventured into mobile apps when it acquired MyFitnessPal in 2015. The app allows a user to track their exercise, meal, and sleep activities. In March 2018, the company reported a data breach that impacted 143.6 million records. 

Unauthorized access to the app created one of the world’s biggest data breaches of the 2010s. Under Armour reported that usernames, email addresses, and passwords were exposed to outside users. MyFitnessPal used a separate payment system for premium features, which was not hacked in this incident.

Under Armour took one week from identifying the data breach to reporting it. Potential harm from one of the world’s biggest data breaches came from the uneven application of password hashing. Most passwords were protected with bcrypt, a deliberately slow password-hashing function, but others were left exposed because they were hashed with the much weaker SHA-1.
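A defender can detect this kind of uneven password hashing in their own credential store before an attacker does. The audit below is an added example, not code from Under Armour or from the original article; the row layout, the `MIN_BCRYPT_COST` floor and the sample values are assumptions constructed for illustration.

```python
import re
from collections import Counter

# bcrypt modular-crypt string: $2a$/$2b$/$2y$, two-digit cost,
# then 22 salt characters and 31 digest characters.
BCRYPT_RE = re.compile(r"\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}")
# 40 hex characters: assumed here to be an unsalted SHA-1 digest.
SHA1_RE = re.compile(r"[0-9a-fA-F]{40}")
MIN_BCRYPT_COST = 10  # assumed policy floor, not a value from the article


def classify(stored):
    """Return (scheme, action) for one stored password value."""
    match = BCRYPT_RE.fullmatch(stored)
    if match:
        cost = int(match.group(1))
        if cost < MIN_BCRYPT_COST:
            return ("bcrypt", f"rehash at next login (cost {cost} is below floor)")
        return ("bcrypt", "ok")
    if SHA1_RE.fullmatch(stored):
        # A digest cannot be converted to bcrypt without the password, so the
        # fix is to rehash on the next successful login or force a reset.
        return ("sha1", "rehash at next login or force reset")
    return ("unknown", "investigate")


def audit(rows):
    """Summarise hashing schemes across (user_id, stored_hash) rows."""
    counts = Counter()
    findings = []
    for user_id, stored in rows:
        scheme, action = classify(stored)
        counts[scheme] += 1
        if action != "ok":
            findings.append((user_id, scheme, action))
    return {
        "counts": dict(counts),
        "uniform": len(counts) == 1 and not findings,
        "findings": findings,
    }


# Constructed sample rows; none of these values come from a real system.
SAMPLE_ROWS = [
    (1, "$2b$12$" + "A" * 22 + "B" * 31),   # bcrypt, cost 12
    (2, "0f" * 20),                          # 40 hex chars, SHA-1 shaped
    (3, "$2a$04$" + "c" * 22 + "d" * 31),   # bcrypt, cost too low
    (4, "not-a-recognised-format"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_ROWS)
    print(report["counts"], "uniform:", report["uniform"])
    for user_id, scheme, action in report["findings"]:
        print(f"user {user_id}: {scheme} -> {action}")
```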

Impacts of the Under Armour Breach

The short-term impact of this breach was a 3.8% drop in Under Armour’s shares. MyFitnessPal users filed a class-action lawsuit against the company that went to arbitration in 2019. Better backend security and uniform password hashing would have prevented one of the world’s biggest data breaches.

Equifax

Equifax is well-known among American consumers and businesses for its credit reporting services. An Equifax report with a good credit score is useful when applying for a car loan, mortgage, or credit card. The company tracks the lending histories of hundreds of millions of consumers. 

Four hackers soured the public’s view of Equifax with a series of data breaches in September 2017. The breach opened driver’s license numbers, Social Security numbers, and birthdates for 147 million consumers to the hackers. An estimated 56% of American consumers had their personal information exposed in one of the world’s biggest data breaches.

Negligence by Equifax at multiple points allowed hackers to gain access to sensitive files. The Apache Software Foundation published a patch to its Struts software in March 2017 that covered gaps in remote access. Equifax did not apply this patch to its dispute resolution system, leaving an access point for the hackers.

Resolution to the Equifax Data Breach

Equifax faced a class-action lawsuit by consumers along with investigations by the Federal Trade Commission and 48 state attorneys general. In July 2019, a settlement was reached that created a $425 million restitution fund to:

  • Cover credit monitoring by the three major bureaus to monitor hack impacts
  • Pay $125 per affected consumer who already uses credit monitoring
  • Pay up to $20,000 for those with demonstrable expenses related to the hack

The world’s biggest data breaches cause short-term harm to companies that act quickly. Equifax could have avoided reputational damage and expensive settlements by adhering to cybersecurity best practices.

Dubsmash

Dubsmash has encouraged millions of users to lip-sync to their favorite songs, movies, and TV shows since 2014. This video messaging app paved the way for TikTok and other competitors catering to the social media generation. Dubsmash hit 1 billion video views per month in early 2020 despite a large-scale data breach in December 2018. 

An unidentified hacker broke into the databases of Dubsmash and 15 other websites. Dubsmash discovered 161.5 million user records were placed for sale on the dark web in February 2019. Among the other victims of this 2018 incident, one of the world’s biggest data breaches, were:

  • MyHeritage (92 million)
  • ShareThis (41 million)
  • HauteLook (28 million)
  • Animoto (25 million)
  • EyeEm (22 million)

In total, the hacker stole 620 million records from the targeted websites. Entire member databases were placed for sale to spammers and others who needed access to personal records. Dubsmash reported that passwords and emails were stolen but not credit card numbers or addresses. 

Consequences of the Dubsmash Breach

Dubsmash users were encouraged to change their passwords and check their accounts for aberrations following the breach. There were no reports on the causes of the data breach or on remedies for one of the world’s biggest data breaches. The uptick in monthly viewers indicates that consumer trust in the app rebounded from the breach.

At least one of the impacted databases was purchased from the dark web by February 2019. Each database was available for $1,976 in bitcoin at the time. The buyer is likely a spammer or phisher looking for new targets. 

The low price tag for consumer data on the dark web undersells the impact of data breaches on consumers. Cybersecurity professionals should keep in mind the priceless value of privacy when protecting digital assets. 

Deep Root Analytics

Major political parties work with data contractors and consultants to better understand voters. These data streams create voter profiles based on multiple data points that are invaluable to mobilization at election time. An incomplete approach to cybersecurity leaves this data exposed to hackers sowing political chaos. 

The Republican National Committee works with Arlington, VA-based Deep Root Analytics to micro-target voters for outreach in each election cycle. Deep Root Analytics admitted to one of the world’s biggest data breaches in June 2017. Records on 198 million Americans — approximately 61% of all residents — were open for public use. 

Deep Root Analytics held 1.1 terabytes of data from organizations like Americans for Prosperity in its cloud server. The voter profiles included the following information: 

  • Phone numbers and addresses
  • Modeled ethnicity and religious affiliation
  • Sentiment analysis on political views
  • Records of past voting activity

In the wrong hands, the exposed data could be used for misinformation campaigns by domestic and foreign agents. The records also held the potential for social media efforts to drive down turnout or warp public perceptions about candidates. 

Deep Root Analytics Breach Causes

Cybersecurity firm UpGuard discovered that Deep Root failed to apply a password to its cloud server. An UpGuard expert came across the server in Amazon Web Services by identifying its six-character subdomain name. The world’s biggest data breaches are not always caused by clever hackers; they sometimes emerge from simple mistakes.

No files were stolen from the Deep Root server during the 12 days of open access. UpGuard found that a hacker would have required at least three days to download the entire database.

The Deep Root Analytics case provides basic lessons on how to avoid joining the world’s biggest data breaches. Cybersecurity experts know not only to use passwords but also to conduct white-hat testing that simulates efforts made by hackers.

Zynga

Millions of web users play mobile games with the Zynga brand. This app producer is best known for games like Words with Friends and Draw Something. These apps are designed to bring people around the world together to play games. 

Zynga joined the list of the world’s biggest data breaches following a September 2019 hack. A hacker named Gnosticplayers accessed a database of user information holding 218 million records. The company announced that the following records were impacted by the hack: 

  • Usernames
  • Email addresses
  • Facebook IDs
  • Encrypted passwords

The Aftermath of the Zynga Data Breach

Zynga worked with a cybersecurity firm to identify the potential damage caused by this hack. A review of the breach found that no credit card information was captured by the hacker. 

The company followed the typical playbook for companies that have had data breaches. Impacted app users were encouraged to change passwords with in-app notifications. Zynga also fortified its security procedures to prevent similar attacks in the future. 

The world’s biggest data breaches not only weaken consumer trust but also disrupt daily behaviors. Zynga responded quickly to this breach but needed more substantial security measures to avoid data losses. In an app-heavy world, cybersecurity procedures need to evolve to keep up with new tools and tricks for hackers.

Exactis

Businesses around the world rely on companies like Exactis to provide consumer data. Exactis maintains a database of 3.5 billion consumer records updated monthly based on publicly available information. Companies use Exactis records to create models and digital avatars that simulate consumer behavior. 

Exactis provided insufficient security for these records, according to research by security expert Vinny Troia. Troia conducted an audit of the database platform Elasticsearch to demonstrate security vulnerabilities. The security audit revealed that Exactis left its consumer records database unprotected by passwords.

Potential Impacts of Exactis Breach 

Troia contacted the company and law enforcement authorities after his discovery. A less honorable person may have turned this discovery into one of the world’s biggest data breaches. 

The scale of the Exactis security vulnerability is difficult to overstate. Troia told Wired, “I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.” He was able to access records on random names provided by the publication as proof of the database’s breadth.

Exactis did not provide follow-up information to consumers who may have had their files accessed by unauthorized personnel. Each record included the following information: 

  • Composition of the family including ages and genders
  • Religious denomination
  • Mailing addresses and phone numbers
  • Purchasing habits pulled from public posts on social media

We don’t know if Exactis records were ever accessed by people with malicious intent. If stolen, a consumer’s records could be used to access loans, send phishing emails, and impersonate family members. Keeping these impacts in mind could have helped keep Exactis off the list of the world’s biggest data breaches. 

Marriott

International companies face many considerations during mergers and acquisitions. A relatively new concern for the acquiring company is inherited data security. Acquired companies with weak or nonexistent security procedures contribute to the world’s biggest data breaches. 

Hotel chain Marriott faced this situation after its 2016 acquisition of Starwood Hotels. In September 2018, Marriott discovered multiple instances of unauthorized access to a Starwood guest database dating back to 2014. This data breach placed 383 million guest records at risk. 

Starwood Hotels previously faced scrutiny for a malware attack in 2015 that placed credit card information in jeopardy. Marriott determined that the 2018 data breach exposed guest names, addresses, and passport information. The saving grace for this breach is that Starwood encrypted payment information following the 2015 attack. 

Marriott Data Breach Aftermath

Marriott followed the well-publicized breach with multiple responses to ease customer concerns. The company responded to one of the world’s biggest data breaches by: 

  • Emailing notifications to all impacted guests 
  • Offering a free website monitoring service to track dark-web use of data
  • Creating a website detailing news and additional responses by the company

Comprehensive responses to the world’s biggest data breaches do not indefinitely protect against hackers. Marriott faced another data breach in 2020 that affected 5.2 million guest records. This breach occurred when hackers gained access to log-in details for two Marriott employees. 

Cybersecurity experts are trained to identify moving targets rather than static threats. Your software knowledge can help you design portable security systems that survive mergers. 

Veeam

Veeam provides data backup and recovery services to hundreds of clients around the world. The Swiss company helps customers navigate storage options in an ever-changing technical environment. A September 2018 incident placed Veeam among the world’s biggest data breaches in the past decade. 

Bob Diachenko discovered the breach during a test of MongoDB database vulnerabilities. The security expert found 445 million customer records were left open for 10 days. The 200-gigabyte database held names and email addresses gathered from 2013 to 2017.

Responses to Veeam’s Data Breach

Prospective hackers would have needed to know the exact location of the database to take advantage of this vulnerability. CEO Peter McKay noted that no sensitive information was included in the unprotected database. 

McKay said that Veeam was evaluating its security processes and alerted authorities to develop a more effective response. After the initial evaluation, the company found that the total records impacted included duplicates that inflated published figures. 

Diachenko pointed to MongoDB in his evaluation of the Veeam breach. He said: 

“Even taking into account the non-sensitivity of data, the public availability of such large, structured, and targeted dataset online could become a real treasure chest for spammers and phishers. It is also lucky that the database was not hit by a new wave of ransomware attacks which have been specifically targeting MongoDBs.”

Veeam responded quickly to the data breach but the incident revealed an important lesson to cybersecurity experts. The world’s biggest data breaches often involve multiple moving parts that need to be secured. A dynamic and evolving cybersecurity program anticipates program integrations. 

River City Media

River City Media is well-known in the business world for managing email marketing campaigns for major brands. The company has sent promotional emails for AT&T, Gillette, and Nike. At its peak, River City Media campaigns distributed one billion emails per day. 

River City Media joined the world’s biggest data breaches with a simple mistake made in March 2017. The company did not protect a database backup with a password, leaving email addresses open to anyone in the world. TechCrunch reported 1.37 billion names and emails were left out in the open for months. 

River City Media Breach Fallout

Cybersecurity researcher Chris Vickery discovered the River City Media breach along with the company’s email methods. Vickery spoke about how the company acquired emails in the first place: 

“The most likely scenario is a combination of techniques. One is called co-registration. That’s when you click on the ‘Submit’ or ‘I agree’ box next to all the small text on a website. Without knowing it, you have potentially agreed your personal details can be shared with affiliates of the site.”

River City Media denied these practices in a statement following the breach. The company also discussed the breach’s impact on their business: 

“River City Media has always had a stellar reputation within the affiliate marketing industry and was able to obtain this by upholding the highest business standards. River City Media’s business has suffered catastrophic damages from an unwarranted and malicious security breach, which has negatively impacted the company’s employees, vendors, business associates, and families.”

The world’s biggest data breaches often point to the need for constant vigilance and responsive systems. Cybersecurity experts also need to maintain high ethical standards to earn employer and client trust. 

Yahoo!

Yahoo! was a revolutionary web directory in the late 1990s and early 2000s. The website combined news and localized information with its search interface before its competitors. Yahoo! also provided billions of email addresses to global users.

The king of the world’s biggest data breaches was the Yahoo! breach in 2013. The company originally estimated 1 billion email addresses were stolen by hackers. Yahoo! suffered another breach in 2014 that impacted names, phone numbers, and encrypted passwords for 500 million accounts.

Consequences of the Yahoo! Data Breach

Verizon’s 2017 purchase of Yahoo! revealed that the entire database of 3 billion emails was likely exposed in the 2013 breach. The company did not reveal the extent of one of the world’s biggest data breaches during the sale. 

The post-acquisition audit of Yahoo! data breaches found user data on the dark web. Three buyers spent $300,000 apiece for copies of the hacked database in 2016.

Yahoo! faced a class-action lawsuit from users who were exposed during the 2013 and 2014 breaches. The settlement included a $117.5 million settlement fund that covered two years of credit monitoring for impacted users. 

The scope of the Yahoo! breaches shows what’s at stake for cybersecurity professionals. Experts like you can build software and systems that avoid the damage caused by the world’s biggest data breaches. 

Learning from the World’s Biggest Data Breaches

National and international organizations have been hit by the world’s biggest data breaches. We’ve seen faulty processes and outdated systems potentially exposed by malicious hackers. Cybersecurity professionals are needed in large numbers to protect sensitive information from prying hands. 

Burning Glass’s 2019 review of the cybersecurity job market shows a high demand for skilled practitioners like you. In particular, the review found: 

  • A 94% growth in cybersecurity jobs over a six-year period
  • An average salary of $93,540 for cybersecurity positions
  • Cybersecurity jobs took 20% longer to staff than general IT positions
  • An average hiring timeline of 50 days for open positions 

Government agencies and businesses around the world need cybersecurity help now. Your computer science background provides a strong foundation for a cybersecurity career. Baylor University’s Online Masters in Computer Science builds on this foundation with rigorous skill development from world-class faculty. 

Baylor University Prepares Graduates for Cybersecurity Careers

The program’s Software Engineering track teaches future experts to develop efficient and effective programs. Courses in software verification, object-oriented development, and distributed systems translate well into the cybersecurity field. Graduates of the program develop and adapt security software to avoid the world’s biggest data breaches. 

Your Baylor University degree also shows a commitment to academic excellence essential in this critical field. Niche’s 2020 university grades included an overall grade of A for Baylor. The university also placed well in the following categories: 

  • No. 11 of 358 in Best Christian Colleges in America
  • No. 105 of 958 in Top Private Universities in America
  • No. 120 of 1,579 in Colleges with the Best Academics in America

Baylor University graduates carry the school’s mission throughout their professional careers and personal lives. This segment of the mission statement highlights the lifelong value of a Baylor degree: 

“Aware of its responsibility as the largest Baptist educational institution in the world and as a member of the international community of higher learning, Baylor promotes exemplary teaching, encourages innovative and original research, and supports professional excellence in various specialized disciplines.”

Learn how you can prevent the world’s biggest data breaches by contacting an enrollment advisor.