With so much of our lives now being moved to the digital space we share a great deal of our personal information over the internet; whether that’s online banking, setting up phone contracts, using social media platforms or doing our shopping. But with all this data being stored by businesses and big-name brands, the security of our personal information becomes extremely important. This means that cybersecurity is a key issue for all businesses who wish to keep their customers and company safe from a data breach.
But with the amount of data increasing, so are the risks of a security breach and in the last decade some of the world’s biggest and best-known brands have fallen victim. In fact, data breaches have increased from 656 breaches in 2008, to 1579 in 2017. This equates to a 401% increase in breaches over this nine-year period. These data hacks can be hugely detrimental to businesses and their customers. Evalian.co.uk have taken a look at five of the biggest data breaches of the last decade and the lessons that can be learned from their mistakes.
- Yahoo
The details:
First on our list is Yahoo. This internet giant was victim to the biggest data breach in history back in 2013 and then again in 2014. The breach in 2014 compromised the personal data of over 500 million users, revealing their full names, emails, phone numbers, passwords and dates of birth. It was later revealed that the earlier breach in 2013 resulted in the data of all three billion of its users being affected. However, neither of these incidents were reported until 2016 and the company have been facing a number of lawsuits ever since.
These breaches were said to have been a result of hackers using manufactured web cookies to be able to falsify logins and gain access to all accounts and the personal information they held. Yahoo faced backlash for their weak security measures and for not reporting the breach sooner.
Lessons to be learned:
- Ensure you have effective and tested security measures in place
- Report breaches as soon as possible
- Uber
The details:
In recent years Uber has found itself in the middle of many big news stories, one of the biggest and most embarrassing being the 2016 data breach. This breach is worthy of number two on our list, not just because of the sheer amount of data that was accessed, but because of the extremely poor way in which the situation was handled by the company.
After two hackers were able to break into Uber’s GitHub account, they accessed the personal information of over 57 million people. What’s more, the license numbers of over 600,000 Uber drivers were also exposed. This terrible breach in security was made worse by the fact that this information shouldn’t have been on the GitHub account in the first place and instead of reporting the situation senior members of the company decided to pay the hackers $100,000 to destroy the data. It was never confirmed whether the cybercriminals really did destroy the data they stole.
Lessons to be learned:
- Make sure all data is secure
- Don’t store data anywhere it shouldn’t be – make sure all appropriate systems are safeguarded
- Report any data breaches as soon as possible
- Don’t negotiate with hackers or take their word that the data has been destroyed
- eBay
The details:
Next on the list is online auction site, eBay. This is an interesting story as hackers were able to access the company network and consequently the information of 145 million of its users, by obtaining the login credentials of three corporate employees. Worryingly, the hackers had complete access to the network for 229 days; this meant they had plenty of time to scan through the database and take the information they wanted. Luckily for users, financial information such as credit card numbers are stored separately and were therefore safe.
Once eBay was aware of the breach, it asked users to change their passwords. However, user activity had already declined and people began criticising the site for lack of communication and also for not effectively implementing a password renewal process.
Lessons to be learned:
- Ensure the credentials of all staff are safe and secure
- If a breach does happen ensure good communication with users or customers
- Encourage and implement password renewal processes for users on a regular basis
- Marriott International
The details:
In 2016 Marriott International acquired Starwood hotels unaware that cyber attackers had been in the Starwood systems for two years already, starting in 2014. Unfortunately for Marriott, these hackers remained in the system for another two years and weren’t discovered until 2018, allowing them to steal the data of over 500 million customers. While some of the more fortunate customers only had their names, emails and phone numbers stolen, roughly 100 million customers had their credit card information stolen as well.
Having worked out that the original breach came from the Starwood system, the breach was later attributed to a Chinese intelligence group, but there was no solid evidence that this was the case. That said, if the Chinese group were to blame and were collecting data on US citizens, this could be the largest known data breach from a single nation state.
Lessons to be learned:
- Be sure to check all systems, especially when acquiring or partnering with another brand
- Conduct regular security checks to spot breaches as early as possible
The details:
In 2016, Russian cyber criminals took just 72 hours to crack 90% of LinkedIn users passwords. With this information they began stealing and selling personal data on the dark web, compromising the data of 117 million users. They even posted 6.5 million encrypted passwords on Russian hacking forums. As soon as the chief security office of LinkedIn was aware of the breach, they began encouraging users to change their passwords. The site claimed it was ‘salting’ passwords to make these less susceptible to hacking. However, those who had obtained the data said this ‘salting’ wasn’t safeguarding all passwords as they had only begun putting this measure in place in 2012.
Lessons to be learned:
- Ensure effective solutions such as ‘salting’ are in place
- Put these security measures in place right from the start
- In the event of a data breach communicate with users and encourage them to change passwords
Author Information
This article was written by Stuart Cooke of Evalian.co.uk, data protection and cyber security consultants and training providers. They know how important it is to take lessons from notable data breaches even if your business is relatively small in comparison.