A data breach is defined as the unauthorized access to sensitive information about a person – whether it's their personal, financial information, passwords, credit card numbers, social security number, and other sensitive information. It is one of the most costly and damaging issues that can plague any person and company. Unfortunately, it has become a far too common occurrence these days as hackers constantly find ways to break even the most complicated security measures.
Though data breaches happen regularly, those aren't as damaging as what we'll be discussing below. Without further ado, here are the top 10 data breaches in the 21st century listed according to the number of users that were affected by the blow:
1. Yahoo (2013-2014) – 1 to 3 Billion Accounts
In September 2016, during their negotiation with Verizon, Yahoo disclosed that “state-sponsored actors” had hacked into their system and stole billions-worth of data from their database. This act compromised the names, email addresses, passwords, phone numbers, and dates of birth of more than 500 million users. Furthermore, Yahoo believed that the hackers hashed the passwords using a bycrypt algorithm.
A couple of months later, Yahoo disclosed another breach that happened in 2013, burying the previous record. The hackers compromised more than 1 billion user accounts (which was later revised to 3 billion user accounts), exposing the email addresses, date of birth, and passwords, and the users’ security questions and answers.
The timing of Yahoo's disclosure wasn’t the most ideal as all of it happened while they were negotiating their sale to Verizon. Yahoo was originally worth $100 billion, but its net worth plummeted to $4.8 billion because of the data breaches.
2. Adult Friend Finder (2016) – 412.2 Million Users
Adult Friend Finder is part of the FriendFinder Network. In mid-October 2017, hackers got into their system and stole 20 years' worth of data from their users from 6 databases. This included email addresses, names, and passwords.
According to the expert's analyses, the FriendFinder Network used an SHA-1 hashing algorithm to secure their users' information. It was too weak of protection that by the time LeakSource.com analyzed and identified what went wrong, more than 99% of the Adult Friend Finder users' passwords were already cracked.
3. eBay (2014) – 145 Million Accounts
In May 2014, one of the biggest online shopping platforms, eBay, reported a cyberattack. The cybercriminals used three corporate employee accounts to gain access to the network. They had complete access to the company for 229 days, which was enough time for them to get into the company's database.
The breach compromised the names, addresses, dates of birth, and passwords of all its 145 million users. Fortunately, no credit card numbers or other financial information were compromised, as eBay stored this information separately. The company then communicated with its users and asked them to change their passwords immediately to avoid further damage.
Users criticized the company for its poor handling and lack of communication during the new password implementation process. They also experienced a decline in user activity after disclosing the breach.
4. Equifax (2017) – 143 Million Customers
One of the major credit bureaus in the United States, Equifax, also experienced a data breach that impacted 40% of the country's population. Though they announced the breach in September, the company suspected that it had started earlier, around mid-March of the same year.
The breach compromised the personal information of more than 143 million consumers. Personal and financial data such as social security numbers, names, date of birth, and even driver's license numbers were stolen.
The public criticized Equifax for its weak and vulnerable security system. Once the hackers were inside the system, it was easy for them to get into the other elements.
Two years after the breach, Equifax disclosed that they had spent $1.4 billion on the clean-up costs alone. It included the "incremental costs to transform our technology infrastructure and improve the application, network, and data security." They also spent $1.38 billion to resolve consumer claims.
5. Target Stores (2013) – 110 Million People
The 2013 Target Store breach started on Thanksgiving, but it wasn't until several weeks later that the management detected the hack. It compromised the credit and debit card information of more than 110 million people. Aside from card information, the hackers also accessed the personal identifiable information (PII) of Target's customers, including their names, addresses, email addresses, and telephone numbers.
Upon investigation, Target suspected that the hackers obtained access into the company's database through its third-party HVAC vendor's point-of-sale (POS) system. The initial report stated that the hackers were able to steal 40 million credit and debit card numbers. A month after, the company revised the extent of the impact and announced that the breach affected more than 110 million customers.
The incident prompted both the CIO and CEO to step down from their positions. The estimated cost of the breach was reported to be $162 million.
6. Capital One (2019) – 106 Million Users
In March 2019, Paige Thompson – former software engineer at Amazon Web Services) hacked into Capital One's customer databases. Thompson was able to gain access to nearly 106 million bank clients and applicants. She extracted the personal information of both customers and applicants from 2005 to the early months of 2019.
Capital One was able to take hold of the situation immediately. The bank offered free credit monitoring and identity protection to those who were affected by the breach.
The publicized breach can potentially cause the bank between $100 million to $500 million in fines. Aside from that, the bank's then-chief Information Security Officer, Michael Johnson, was demoted from his position four months following the incident.
7. JP Morgan Chase (2014) – 76 Million Households and 7 Million Small Businesses
JP Morgan Chase is the largest bank in the United States. Although they spend approximately $250 million a year on security, it didn't stop hackers from going into their system in the summer of 2014. During the data breach, the cybercriminals gained access to the personal information, email addresses, contact numbers, and home addresses of most users. The breach affected 76 million households and 7 million businesses.
No money was stolen during the breach. However, it did give the hackers "root" privileges in more than 90 servers of the bank. This gave them control over most of the bank accounts. They could control fund transfers and even close accounts.
Moreover, the information stolen was also used for money laundering and identity theft.
8. Uber (2016) – 57 Million Users and 600,000 Drivers
In late 2016, Uber fell victim to a data breach that compromised its 57 million users' personal and sensitive information, along with the driver's license number of more than 600,000 of its drivers. The breach was not the most noteworthy part of the issue. The way that the company handled the situation was what made the situation worse.
One of Uber's biggest mistakes was it waited a year before disclosing the information to the public. Secondly, they reportedly paid $100,000 to the hackers to destroy the data stolen and didn't even ask to verify that the information was indeed destroyed. Moreover, the company put the blame on the then CSO of the company, which eventually cost him the job.
Not only did the data breach destroy the company's reputation, but it also knocked Uber's net worth off from $68 billion to $48 billion. Not long after, the company decided to sell to Softbank.
9. Home Depot (2014) – 56 Million Customers
Home Depot had suspected a breach in their system from the beginning of April to May of 2014. However, they were only able to announce the breach in September 2014. According to the Home Depot management, the impact resulted in the theft of the credit and debit card details of more than 56 million Home Depot customers. The hackers were able to get into the system through custom-built malware, which posed as anti-virus software.
By March the following year, Home Depot agreed to pay for the damages caused by the breach. The settlement covered 40 million customers who incurred out-of-pocket losses and 52 million more whose credit and debit card was stolen from the breach.
10. Adobe (2013) – 38 Million Users
In early October 2013, Brian Krebs reported about a breach that happened to Adobe. It took weeks for the company to verify how much damage the hackers caused. According to Krebs' initial report, the cybercriminals hacked and stole more than 3 million encrypted credit card information along with the login information of an undetermined number of the platform's users.
As the company continued its investigation, they later increased the estimated number, including user IDs and passwords of more than 38 million active users. Krebs then reported that a file posted days before revealed that the hackers accessed usernames and hashed passwords of more than 150 million Adobe users. The hack exposed the users' names, passwords, credit card information, and IDs.
By 2015, Adobe paid $1.1 million in legal fees. They also paid a settlement claim to several customers for violating the Customer Records Act. Initially, the amount paid to the users was not disclosed to the public. However, in 2016, the amount was reported to be $1 million.
The Bottom Line
Although it happens daily, a data breach isn't something that you should take lightly if you're running a business. If left undetected, this could result in thousands of personal and financial information lost and could negatively impact your business's operation.
Businesses that handle sensitive information, such as those in the healthcare industry and financing and staffing agencies, should ideally be on the lookout for data breaches that could compromise both their customers and the company's sensitive information. Aside from focusing on the marketing or sales plan, they should prioritize the security plan for the company to prevent costly damages.