The global cumulative cost of cyber crime in 2018 alone is believed to have been $600 billion.

Thus far, Equifax has had the single most damaging and expensive cyber breach. Its breach-related costs are expected to cross $600 million. However, that does not include the fact that 143 million people are at risk of identity theft and credit fraud, which could result in wider economic costs.

In this article, we compiled a list of the 25 most significant and famous data breaches that occurred in the past decade. Based on open source information, we listed the causes, scope, costs, and potential preventative steps for each incident.

Be it government institutions, the financial services industry, retail and restaurants, or airlines, no industry is immune to cyber security breaches.

Government, Cities & Universities

1. Atlanta, GA – 2018

Summary

On March 22, 2018, the city of Atlanta, Georgia was struck by a ransomware attack known as SamSam. Like other cryptoworms, the attack prevented municipal workers from accessing their systems — the hackers demanded $51,000 in Bitcoin payments for restoring access.
The attack hampered the city’s court and utility services as well as its ability to receive bill payments. Some of these systems did not come back online until April.

The city was criticized for maintaining a “woefully disorganized and outdated” IT system.

Type: SamSam ransomware.
Date: March 22, 2018
Cost: Estimated recovery costs at $2.7 million.
Impact: Essential city systems were taken offline; some (such as the system managing traffic-ticket hearings) did not come back online until mid-April.

What Could Have Been Done

Atlanta could have replaced obsolete and non-secure software and established processes — including training, strong password protection, etc — to prevent and respond to cyber attacks.

2. Republican National Committee – 2017

Summary

In 2017 the personal information — including names and addresses — of 198 million American voters was exposed. Anyone could look up the Republican National Committee’s (RNC) information without the need for a password or other security measures.

The vulnerability originated in misconfigured servers owned by Deep Root Analytics, an outside contractor providing analytics services to the RNC.

Type: Data breach
Date: June 2017
Cost: Unknown
Impact: 198 million personal address records at risk.

What Could Have Been Done

Deep Root Analytics should have taken all necessary steps to keep its cloud servers secure. Not doing so could be a breach of various federal and state regulations.

3. Aadhaar – 2018

Summary

In January 2018, Aadhaar, which is both India’s and the world’s largest government database (containing information on more than 1 billion people), was exposed.

The exposure was exploited by a group that was charging money in return for the information of any person registered in Aadhaar. People could also buy print-outs of Aadhaar cards, the unique identification card people use to access fuel subsidies and other benefits.

The exposure came as a result of multiple cyber threats (including weaknesses in Aadhaar’s main application), social engineering attempts involving fake Aadhaar portals, and mistakes on the part of Aadhaar staff.

Type: Data exposure, insider threats, and exploits against weak applications.
Date: January 2018
Cost: Unknown
Impact: The personal information of 1 billion-plus Indian citizens was exposed.

What Could Have Been Done

A system of this scale requires a prompt and fully defined response mechanism to deal with potential data exposure and other potential cyber security breaches.

In addition, as social engineering was one of the methods used to instigate the breach, Aadhaar staff should have been trained to recognize and stop such attempts.

4. Cyber Attacks on US & Global Institutions – 2013-2018

Summary

On March 23, 2018, the US Department of Justice indicted nine Iranians for a spate of security breaches against US government institutions and major private entities, such as universities and research institutes since at least 2014.

According to the Justice Department, the attackers struck:
“144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.”

Type: Primarily spear-phishing
Date: 2013-2018
Cost: The hackers stole 31 terabytes of information, including intellectual property (IP) worth $3 billion (Wired).
Impact: Loss of billions of dollars worth of research IP and confidential private sector data (including those of law firms, investment firms, and a healthcare company).

What Could Have Been Done

With fraudulent emails being the major data breach method, the affected institutions should have invested in training all staff to identify and report spear-phishing emails.

In addition, these institutes could have also invested in geofencing to prevent out-of-country logins, analytics tools to alert cyber security staff of irregular behavior by potentially affected accounts, and multi-factor authentication.

Finance

5. Anthem Inc. – 2014-2015

Summary

In 2015, Anthem Inc. became the victim of one of the biggest hacks in the financial services industry in recent years. The major data breach affected a database containing the personal information — including social security numbers — of nearly 80 million people.

Type: An undisclosed type of cyber attack (CSO Online).
Date: December 10, 2014, to January 27, 2015.
Cost: Anthem settled to a $115 million class-action lawsuit (USA Today).
Impact: With 37.5 million records stolen, the attack put millions of Anthem’s clients at risk of identity theft and of having their private data sold on the black market.

What Could Have Been Done

Few public details are available, but given that the attack had gone on for over a year, it is clear that Anthem lacked a prompt threat identification, reporting, and response mechanism.
In addition, Anthem did not encrypt client data, which, while not a regulatory requirement under HIPAA at the time, was considered a best practice.

6. Equifax – 2017

Summary

Of more recent data breaches, Equifax is among the biggest in scope considering the attack compromised 143 million accounts in the US.

The attack exposed the names, birth dates, driver’s licenses, and social security numbers of millions of people. It also affected people residing in the UK and Canada.

By combining the cost of recovery, class action lawsuits, and regulatory penalties, this attack is on pace to becoming the costliest electronic breach thus far.

Type: A cyber attack resulting from a security flaw in Apache Struts (CNN).
Date: July 29, 2017.
Cost: $439 million by the end of 2018, potentially $600 million-plus (Reuters).
Impact: 143 million people at risk of identity theft and other fraudulent activity.

What Could Have Been Done

Equifax said it had patched the vulnerability, but the breach still happened. Thorough testing by a certified ethical hacker could have put Equifax’s fixes to the test and potentially uncovered the remaining gap so that the company could fix it properly.

Airlines & Hotels

7. Marriott – 2018

Summary

In November 2018, Marriott disclosed that the data of up to 383 million guests was exposed.
However, the seriousness of the breach varies. For example, most of the affected databases were still encrypted (Vox), despite potentially being in the hands of the attackers.

Though Marriott revealed that the cybersecurity breach was the result of an attack, it did not state how the attack occurred or which gaps the attacker exploited (Bloomberg).

Type: An undisclosed type of cyber attack.
Date: November 30, 2018.
Cost: Marriott could potentially spend $200 million in fines and legal costs (Bloomberg).
Impact: Of the 383 million exposed accounts, Marriott reported that 5.25 million unencrypted passport numbers, 20.3 million encrypted passport numbers, and 8.6 million encrypted credit and debit card numbers were exposed (Vox).

What Could Have Been Done

Marriott did not disclose the cause of the attack, but it appears that incomplete recovery work for past cyber breaches may have had a hand. An aggressive cyber security audit of those past efforts may have helped identify gaps sooner.

8. British Airways – 2018

Summary

This was a more recent cyber security breach. In October 2018, British Airways announced that as many as 380,000 credit cards, and possibly more, may have been compromised due to credit card skimming malware found in its system in August 2018 (TechCrunch).

Type: Malware code injection into British Airways’ global website and application.
Date: July or August 2018
Cost: Not disclosed.
Impact: 380,000 accounts at direct risk of theft and other fraudulent activity.

What Could Have Been Done

Critics have suggested that British Airways’ parent company, IAG, did not invest enough in modern cyber security technologies and was too focused on cutting costs (Financial Times).

Technology Companies

9. Facebook – 2018

Summary

With 50 million Facebook users potentially affected, the breach was a result of a vulnerability in Facebook’s code, specifically its “View As” function (Wired).

Type: Exploits aimed at gaps or weaknesses in Facebook’s code.
Date: 16 September 2018
Cost: Undisclosed.
Impact: Undisclosed, potentially 50 million users.

What Could Have Been Done

Facebook has a vast and complex system, so keeping tabs on potential exploits requires a significant investment in monitoring, stress testing, issue reporting, and issue response capabilities.

10. T-Mobile – 2018

Summary

In August 2018, T-Mobile announced that it had shut down a data breach affecting customer data.

The breach reportedly affected 2.3 million T-Mobile customers (Vice), but T-Mobile stated that no financial or social security information was exposed. Rather, only account numbers, email addresses, and phone numbers were at risk (USA Today).

Type: Undisclosed.
Date: August 20, 2018.
Cost: Undisclosed.
Impact: 2.3 million customers affected.

What Could Have Been Done

T-Mobile did not disclose how long the attackers had access to its customer data, but in this case, prevention and a rapid response mechanism were essential requirements.

11. Sony (PlayStation Network) – 2011

Summary

In 2011, Sony’s PlayStation Network (PSN) suffered a major breach that resulted in the theft of personal information of up to 77 million gamers.
Sony said that its gamers’ “names, addresses, email address (sic), birth dates, usernames, passwords, logins, and security questions” were compromised (Reuters).

The Sony data breach also resulted in a network outage of PSN’s online gaming for 23 days.

Type: Undisclosed type of hack plus a distributed denial of service (DDoS) attack.
Date: April 20, 2011 to May 14, 2011.
Cost: $171 million in recovery costs (PC Magazine).
Impact: 77 million user accounts affected.

What Could Have Been Done

One of the most famous data breaches up until that point, the attack was well-planned and well-executed. The technology to make prevention easier is available today, but at that time, quicker response timing and a fully defined recovery strategy were critical.

12. Uber – 2016

Summary

In November 2017, the CEO of Uber, Dara Khosrowshahi, disclosed that the company suffered a data breach in late 2016.

The breach exposed the names and license plate numbers of 600,000 drivers in the United States as well as the names, phone numbers, and email addresses of 57 million Uber users worldwide. Uber maintains that no financial or social security information was affected.

Type: Undisclosed type of hack on an outside cloud service.
Date: Uber says in “late 2016.”
Cost: $148 million in regulatory fines (CNBC) plus undisclosed recovery costs.
Impact: 57 million user accounts affected.

What Could Have Been Done

In its incident response efforts, Uber paid $100,000 to the hacker in exchange for not disclosing the issue. This is against cybersecurity best practices (and dubious).

Also, Uber should have reported the breach to regulators and affected persons sooner.

13. RSA Security – 2011

Summary

In 2011, the multi-factor authentication (MFA) company RSA disclosed that it was struck by two successful spear-phishing attacks.
These attacks carried a zero-day exploit of Adobe Flash and compromised RSA’s SecurID tokens. At this point, Lockheed Martin was using SecurID and had reported at the time that it was on the receiving end of a hacking attempt. This was one of many major security breaches of direct concern to the US Government.

Type: Spear-phishing (The Register)
Date: Disclosed in March and April 2011.
Cost: $66 million (The Register)
Impact: Not only did the attack compromise a trusted security vendor, but as a result, it also potentially compromised its clients, which included marquee firms such as Lockheed Martin. This was a national security issue.

What Could Have Been Done

Training all employees to recognize and properly escalate phishing/spear-phishing attempts.

14. Timehop – 2018

Summary

On July 4, 2018, Timehop disclosed that it had identified an unauthorized user who initiated an attack on the company’s database, affecting 4.7 million users (TechCrunch). The company said that it is now taking steps, such as hiring a security consultant, to prevent future breaches.

Type: The attacker compromised an authorized admin’s login credentials to gain access.
Date: The attacker began probing in December 2017 and started the attack in July 2018.
Cost: Undisclosed.
Impact: 4.7 million user accounts affected.

What Could Have Been Done

Besides training to prevent users from sharing login details, security tools such as multi-factor authentication (MFA), geofencing admin logins, and monitoring admin accounts for suspicious behavior could have helped prevent the attack from occurring by spotting the probing earlier.
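Two of the controls recommended above, both here and in the entry on the attacks against US and global institutions (geofencing logins and alerting on irregular account behaviour), can be expressed as simple detection rules. The following is an added example, not code from the article or from any of the organisations it describes; the log format, the `admin.` account-naming convention, the country codes and the thresholds are all assumptions made for the example.

```python
"""Flag suspicious privileged logins in constructed authentication log lines.

Rule 1 (geofence): any login attempt by a privileged account from a country
outside the allow-list raises an alert.
Rule 2 (irregular behaviour): a successful login preceded by several failures
within a short window raises an alert, the pattern of an attacker probing a
password before getting in.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Field layout is an assumption.
SAMPLE_LOG = """\
2018-07-01T02:10:11Z user=admin.jane result=FAIL src=203.0.113.7 country=RO
2018-07-01T02:10:40Z user=admin.jane result=FAIL src=203.0.113.7 country=RO
2018-07-01T02:11:02Z user=admin.jane result=FAIL src=203.0.113.7 country=RO
2018-07-01T02:11:30Z user=admin.jane result=OK src=203.0.113.7 country=RO
2018-07-01T09:00:05Z user=bob result=OK src=198.51.100.4 country=US
2018-07-01T09:30:00Z user=admin.jane result=OK src=198.51.100.9 country=US
"""

ALLOWED_COUNTRIES = {"US"}   # geofence: where admins are expected to log in from (assumed)
ADMIN_PREFIX = "admin."      # assumed naming convention for privileged accounts
FAIL_THRESHOLD = 3           # failures inside WINDOW before a success is suspicious
WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) "
    r"src=(?P<src>\S+) country=(?P<country>[A-Z]{2})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyse(log_text):
    """Return a list of (rule_name, user, timestamp) alerts for the log text."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures not yet followed by a success
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip rather than crash the pipeline
        user, ts = ev["user"], ev["ts"]
        is_admin = user.startswith(ADMIN_PREFIX)

        # Rule 1: geofence applies to every privileged attempt, successful or not.
        if is_admin and ev["country"] not in ALLOWED_COUNTRIES:
            alerts.append(("admin_login_outside_geofence", user, ts))

        # Rule 2: success after repeated failures inside the window.
        if ev["result"] == "FAIL":
            recent_failures[user].append(ts)
        else:
            window_start = ts - WINDOW
            fails_in_window = [t for t in recent_failures[user] if t >= window_start]
            if len(fails_in_window) >= FAIL_THRESHOLD:
                alerts.append(("success_after_repeated_failures", user, ts))
            recent_failures[user] = []  # a success closes the sequence
    return alerts


if __name__ == "__main__":
    for rule, user, ts in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} user={user}")
```

On the constructed log, the four `admin.jane` attempts from RO each trip the geofence rule, and the fourth (a success after three failures within two minutes) also trips the irregular-behaviour rule; the later US logins raise nothing. In practice the allow-list would come from where the organisation actually operates, and the thresholds would be tuned against a baseline of normal admin activity.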

15. Yahoo – 2013-2014

Summary

In September 2016, Yahoo announced that it had a data breach (at that point the biggest in the history of major data breaches) affecting 3 billion user accounts.

Type: Undisclosed type of cyber attack.
Date: 2013 to 2014.
Cost: Undisclosed, but it forced Yahoo to discount its purchase price to Verizon (which was in the process of buying Yahoo) by $350 million.
Impact: According to Yahoo, the attack exposed the names, email addresses, birth dates, and phone numbers of each of those 3 billion users (CSO Online).

What Could Have Been Done

Since neither Yahoo nor Verizon (the new owner of Yahoo’s internet business) disclosed the exact cause of the attack, it is unclear what steps could have been taken.

However, Yahoo should have notified regulators as soon as those breaches occurred, not 2 to 3 years after the fact.

16. Under Armour – 2018

Summary

In February 2018, Under Armour announced that 150 million of its MyFitnessPal users were affected by a cybersecurity breach.

Under Armour confirmed that the breach did not affect its users’ social security numbers and driving license numbers as it does not request that information.

Type: Undisclosed.
Date: February 2018
Cost: Undisclosed.
Impact: 150 million user accounts affected.

What Could Have Been Done

Given that Under Armour has not disclosed specifics about the attack, it is difficult to define best practices in its specific case. However, it has been criticized for not reporting the issue to regulators and affected users soon enough.

Food, Shopping & Retail

17. eBay – 2014

Summary

In 2014, eBay disclosed that a cyber security breach compromised the names, birth dates, addresses, and encrypted passwords of each of its 145 million users. The attackers had full access to the user database for 229 days.

Type: Undisclosed, but experts believe the eBay data breach to have been a result of a spear-phishing attack.
Date: 2014
Cost: Undisclosed, but eBay lowered its annual sales target for that year by $200 million.
Impact: 145 million user accounts affected.

What Could Have Been Done

With the attacker active for over half a year, it is evident that eBay needed a better threat detection and incident response mechanism. It also should have reported the issue earlier.

18. Panera Bread – 2018

Summary

In April 2018, Panera Bread disclosed that it was affected by — and subsequently resolved — a cyber breach affecting “thousands” of customer records.

However, the company was made aware of the breach 8 months prior to its official statement (The Verge). Experts also found that Panera Bread’s website leak had included millions of customer records. The actual fix itself took less than two hours (CSO Online).

Type: Panera Bread’s website exposed an unauthenticated API endpoint.
Date: The vulnerability had existed since August 2017.
Cost: Undisclosed.
Impact: 37 million customer records at risk (CSO Online).

What Could Have Been Done

Panera Bread should have had a process to investigate the initial report about its website.

Besides that, Panera Bread could have also instituted regular audits of its cyber security system so that such leaks are internally identified earlier.
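The root cause listed for this entry, an API endpoint that hands customer records to any caller, is easiest to understand when the vulnerable shape sits next to the hardened one. The following is an added example and is not Panera Bread’s code; the customer records, the session store and the handler names are constructed for illustration.

```python
"""An unauthenticated record lookup beside an authenticated, ownership-checked one.

The first handler has the flaw the article describes: whoever knows (or guesses)
a customer id gets the record. The second requires a valid session and only
returns the record the session owner is entitled to.
"""
import secrets

# Constructed customer records (not real data).
CUSTOMERS = {
    1001: {"name": "A. Customer", "email": "a@example.com", "phone": "555-0100"},
    1002: {"name": "B. Customer", "email": "b@example.com", "phone": "555-0101"},
}

# Assumed session store: token -> customer id the token was issued to.
SESSIONS = {}


def issue_session(customer_id):
    """Create an unguessable session token bound to one customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def lookup_unauthenticated(customer_id):
    """Vulnerable shape: no caller identity is checked, so ids can be enumerated."""
    return CUSTOMERS.get(customer_id)


def lookup_authenticated(customer_id, token):
    """Hardened shape. Returns an (http_status, body) pair.

    401: no valid session presented.
    403: session is valid but belongs to a different customer (no hint is
         given about whether the requested record exists).
    404: caller owns the id but no record is stored under it.
    200: the caller's own record.
    """
    owner = SESSIONS.get(token) if token else None
    if owner is None:
        return 401, {"error": "authentication required"}
    if owner != customer_id:
        return 403, {"error": "forbidden"}
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    tok = issue_session(1001)
    print("unauthenticated:", lookup_unauthenticated(1002))      # leaks another customer's record
    print("own record:     ", lookup_authenticated(1001, tok))    # (200, {...})
    print("other record:   ", lookup_authenticated(1002, tok))    # (403, ...)
    print("no token:       ", lookup_authenticated(1001, None))   # (401, ...)
```

The ownership check is the important part: authenticating the caller alone is not enough if any logged-in user can still request any id. Returning 403 rather than 404 for records the caller does not own also avoids confirming which ids exist, which is what makes enumeration attractive in the first place.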

19. Heartland – 2008

Summary

In March 2008 Heartland was struck by one of the largest cyber security breaches up until that point. However, the company did not learn of the breach until January 2009 when Visa and MasterCard notified it of dubious activities from accounts that it processed (Comodo).

Type: The attacker installed spyware on Heartland’s systems via SQL injection.
Date: March 2008
Cost: $148 million as compensation for those affected by fraudulent activities.
Impact: Undisclosed.

What Could Have Been Done

Heartland should have better monitored its data systems to detect suspicious activities, such as the SQL injection, and audited its systems (via system scans) to identify the spyware.
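The entry point for this breach was SQL injection, so it is worth seeing the defect and its standard fix side by side. The following is an added example and not Heartland’s code; the table, rows and the `looks_like_injection` heuristic are constructed for illustration, and the heuristic is only a monitoring signal of the kind the text recommends, not a substitute for the parameterized query.

```python
"""A query built by string formatting beside a parameterized query, plus a
simple input-monitoring check. Uses only the standard library (sqlite3)."""
import re
import sqlite3


def build_db():
    """Constructed in-memory table of merchants (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO merchants (name, api_key) VALUES (?, ?)",
        [("Corner Store", "KEY-AAAA"), ("Diner", "KEY-BBBB")],
    )
    return conn


def find_merchant_unsafe(conn, name):
    """Vulnerable: untrusted input becomes part of the SQL text itself, so a
    value containing a quote can change the meaning of the WHERE clause."""
    sql = "SELECT name, api_key FROM merchants WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_merchant_safe(conn, name):
    """Hardened: the driver binds the value as data; whatever it contains, the
    query structure is fixed and only an exact name match is returned."""
    return conn.execute(
        "SELECT name, api_key FROM merchants WHERE name = ?", (name,)
    ).fetchall()


# Characters that have no business in a merchant name field; a hit is worth
# logging and alerting on, which is the monitoring the article calls for.
_SUSPICIOUS = re.compile(r"['\";]|--|/\*")


def looks_like_injection(value):
    """Return True if a free-text field contains SQL metacharacters."""
    return bool(_SUSPICIOUS.search(value))


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"
    print("safe  :", find_merchant_safe(db, probe))     # []
    print("unsafe:", find_merchant_unsafe(db, probe))   # every row, including API keys
    print("flag  :", looks_like_injection(probe))       # True
```

The safe version returns nothing for the crafted value because there is no merchant literally named that; the unsafe version returns every row. Alerting on `looks_like_injection` hits in request logs gives the early warning the article says Heartland lacked, but the fix is parameterization, since an attacker can often phrase a payload that a character blocklist misses.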

20. Target Stores – 2013

Summary

In late 2013, 70 million customer credit and debit card accounts were thought to have been compromised as a result of a major electronic breach at Target (Forbes).

Type: Undisclosed, but the attackers exploited a gap in one of Target’s vendors.
Date: November 27 to December 18, 2013.
Cost: $162 million as of 2015 (TechCrunch)
Impact: 70 million customer accounts affected.

What Could Have Been Done

The information the attackers needed to plan for the attack was freely available on the web (ZDNet). Target should have guarded this information and should have also held its outside vendors more accountable for their cyber security practices.

21. Sonic Drive-In – 2017

Summary

In 2017 Sonic Drive-In disclosed that it found a data breach affecting 325 of its locations. The company warned that “credit and debit card numbers may have been acquired without authorization as part of a malware attack experienced in certain Sonic Drive-In locations.”

Type: Undisclosed type of malware attack.
Date: Announced in September 2017
Cost: Undisclosed.
Impact: Up to 5 million customer credit cards may have been compromised, causing Sonic’s customers to closely monitor their purchases and request replacement cards.

What Could Have Been Done

Experts believe the issue was largely out of Sonic’s hands, considering the attackers’ methods exploited gaps in the payment technology itself, not in Sonic specifically.

For example, the United States was the last G20 member to adopt chip-based card technology, which is much more secure than the magnetic stripe, but only 44% of stores in the US were accepting it for payments as of March 2017.

Health

22. Catawba Valley – 2018

Summary


Type: Undisclosed.
Date: Undisclosed.
Cost: Undisclosed.
Impact: Undisclosed.

What Could Have Been Done

The spear-phishing attacks could have been thwarted if Catawba Valley employees were trained on recognizing and stopping such attacks.

23. HealthEquity – 2018

Summary

In 2018, HealthEquity suffered two data breaches, one in June and the other in October.

The first attack compromised the accounts of 16,000 customers, while the second breached the accounts of 190,000 customers.

Though the hackers breached the system by accessing employee email accounts, they were able to bypass HealthEquity’s multi-factor authentication (MFA) system by exploiting an email configuration error.

Type: A combination of spear-phishing and exploiting an email configuration error.
Date: June and October 2018.
Cost: Undisclosed.
Impact: 206,000 patient accounts affected.

What Could Have Been Done

HealthEquity could have trained its employees to recognize and stop phishing attempts, as well as audited its systems to ensure endpoints, such as email, were properly configured.

24. MedEvolve & Premier – 2018

Summary

In July 2018, MedEvolve, a healthcare software provider, disclosed that it suffered a data breach that compromised the records of 200,000 patients at Premier Immediate Medical Care (renamed Tower Urgent Health Care).

The breach was pinpointed to an unsecured file on an FTP server in which Premier’s patient data was freely available. Of those records, 11,000 contain social security numbers.

MedEvolve removed the file when it was notified about the issue by a researcher at Premier.

Type: Data exposure due to a server misconfiguration.
Date: March 29 to May 4, 2019. MedEvolve discovered the issue on May 11, 2019.
Cost: Undisclosed.
Impact: 200,000 patient accounts affected.

What Could Have Been Done

First, MedEvolve should have ensured that its servers were properly secured and that its clients’ data was not exposed.

Second, Premier should have required MedEvolve to prove that all of its data was secure; this may have prompted MedEvolve to conduct an audit and discover the vulnerability earlier.

25. Augusta University Health – 2016-2017

Summary

In August 2018, Augusta University Health disclosed that it suffered from a potential data breach in July and August 2017. The breach affected 417,000 individuals and had put their personal and health data at risk of exposure.

The hospital announced that it will remedy the issue by:

  • Installing new leaders to manage “critical areas”;
  • Implementing multi-factor authentication for off-campus email access;
  • Employing new software to scan emails for confidential health and private information;
  • Training staff;
  • Enhancing compliance efforts.

Type: Spear-phishing.
Date: July-August 2017.
Cost: Undisclosed.
Impact: 417,000 patient accounts affected.

What Could Have Been Done

Based on Augusta University Health’s planned remediation steps, it appears that the hospital required a thorough review of its cyber security practices from training to systems.

Conclusion

In most of these major security breaches, the cause of the breach can be traced to a gap in the affected party’s training and in cyber security processes, especially in identifying, reporting, and addressing threats.

However, even with the right preparation and alignment with cyber security best practices and regulations, cyber criminals are showing (e.g., credit card skimming) a propensity for deploying increasingly sophisticated cyber attacks.

The lesson from these cases is that one’s cyber security infrastructure and practices cannot remain static; they must continually evolve and, at times, exceed regulatory requirements to keep up with evolving cyber threats.

Author: CSTadmin