A data breach is a security incident where sensitive, protected confidential information is copied, transmitted, viewed, stolen or used by a person or persons with unauthorized access.
Data breaches can involve financial information like credit card numbers or bank account details, personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property. Other terms for data breaches include unintentional information disclosure, data leak, cloud leak, information leakage or a data spill.
Most data breaches involve overexposed and vulnerable unstructured data such as files, documents and sensitive information or personal information.
While the first thing you may think of when you hear data breach is a situation where a cyber attack is performed by cybercriminals associated with organized crime, political activism or a national government, careless disposal of computer equipment or a poorly configured S3 bucket are just as common causes, if not more so.
Table of contents
- Why do data breaches occur?
- What are the consequences of a data breach?
- Does it matter if my encrypted data is stolen?
- What do cybercriminals do with data they gain access to?
- What are the biggest data breaches?
- Yahoo - 3 billion
- Aadhaar - 1.1 billion
- Yahoo - 500 million
- Marriott/Starwood - 500 million
- Adult Friend Finder - 412.2 million
- MySpace - 360 million
- Exactis - 340 million
- Twitter - 330 million
- LinkedIn - 165 million
- MyFitnessPal - 150 million
- Equifax - 148 million
- eBay - 145 million
- Quora - 100 million
- MyHeritage - 92 million
- Facebook - 87 million
- Notable data breaches
- What are data breach laws?
- What should I do if my organization's data is stolen?
- What should I do if my data is stolen in a data breach?
- How to prevent data breaches
- How UpGuard can prevent data breaches and find leaked credentials
Cybercrime is a profitable industry that continues to grow. Part of this is due to the distributed nature of the Internet and the ability for cybercriminals to attack targets outside of their jurisdiction, making policing it extremely difficult. Cybercriminals seek out personally identifiable information (PII) to steal money, identities, or sell over the dark web.
Common ways for data breaches to occur:
- Exploiting system vulnerabilities: An exploit is a type of cyber attack that takes advantage of software bugs or vulnerabilities to gain unauthorized access to a system or its data. Vulnerabilities are found by criminals and cybersecurity researchers alike and it's often a race to see who can find them first. Cybercriminals want to find vulnerabilities to exploit and install malware or ransomware. Researchers want to find and report vulnerabilities to hardware and software manufacturers to have them patched. Operating systems, internet browsers and applications like Microsoft Office are all targets for potential exploits. Cybercriminals may even package up multiple exploits into automated exploit kits to make it simple for criminals with no technical knowledge to take advantage of common vulnerabilities.
- SQL injection (SQLI): An SQL injection is a form of cyber attack that exploits a weakness in an SQL database of an insecure website to get the website to give access to information in its database without authorized access. SQLI attacks are unsophisticated and require minimal technical knowledge. Like automated exploit kits, cybercriminals often automate SQL injections.
- Spyware: Spyware is malware that infects your computer or network to steal personal information, Internet usage or any other sensitive data it can acquire. You might install spyware by downloading an email attachment or by what seems to a benign application (bundleware). Alternatively, spyware can be installed on your computer as a secondary infection from a Trojan horse. Once spyware is installed, all your data is send back to the command and control servers run by the cybercriminals.
- Phishing: Phishing attacks are a form of social engineering that aim to manipulate emotions or trick you into revealing sensitive information like usernames or passwords. A typical phishing attack is a spoofed (fake) email that looks like it's coming from the CEO of the company you work for. The email will contain aggressive or demanding language and require an action like logging into a web page, verifying a payment or making a purchase. Clicking any links in the email or downloading any attachments could result in your login credentials being stolen or installation of spyware in a malware attack as mentioned above. SMS and social media attacks are becoming increasingly common too. Another example is offering a free credit check to try gain access to personally identifiable information (PII).
- Insecure passwords: Passwords that are easy to guess, such as dictionary words or common passwords, make it easy for cybercriminals to gain access to sensitive information. Your organization should enforce secure passwords and multifactor authentication for any systems that contain sensitive information. To learn more about what makes a password secure, see our password security checklist.
- Broken or misconfigured access controls: Even the best passwords and cybersecurity can be undone by poor configuration. For example, your organization may enforce secure passwords and two-factor authentication but have a poorly configure S3 bucket that is open to anyone on the Internet without a password. Check your S3 permissions or someone else will. If you're not secure by design, a cybercriminal using a few Google searches could find misconfigured folders and steal data. Think of it as having a house with the best security system and an open window. You're asking for a cyber attack.
- Physical theft: Criminals may steal your computer, smartphone or hard drive to gain access to your sensitive data that is stored unencrypted.
- Third-party vendor breaches: Criminals can target third-party business partners or service providers to gain access to large organizations who may have sophisticated cybersecurity standards internally but a poor third-party risk management framework.
Many countries have passed data breach notification laws, requiring companies to inform customers and remediate breaches when they occur.
Data breaches can result in identity theft (such as full names, Social Security numbers and dates of birth), loss of sensitive information (credit reports or other credit monitoring) or other sensitive data (phone numbers, social media credentials).
It is difficult to obtain information on the direct and indirect cost of poor data security that results in a data breach. And it may seem that stories of massive data breaches pop up in the news frequently, likely due to new data breach notification requirements.
This doesn't mean that the reputational damage of even a small data breach containing sensitive user data is decreasing. If anything, the reputational impact of data breaches is increasing.
This, paired with increased outsourcing of core business functions in and outside of financial services, has increased every organization's need to manage cybersecurity risk and their need for third-party risk management frameworks, cybersecurity risk assessments and a better organizational understanding of information security.
Planning for potential data breaches is now part of any good organization's information risk management strategy and leaders must educate their employees about the differences between cybersecurity and information security.
As the trend toward outsourcing continues and more information moves to the digital world, cyberattacks will become more and more common.
Yes. After a data breach, you may want to assure your customers that it doesn't matter, the data was encrypted. This isn't necessarily true and here's why. Many companies use a basic form of password encryption: unsalted SHA1 hashing.
A password encrypted with SHA1 will always hash into the same string of characters, making them easy to guess. For example, password1 will always hash to "E38AD214943DAAD1D64C102FAEC29DE4AFE9DA3D".
This is another reason why using a weak password is a bad idea. Cyber criminals can check a list of stolen, hashed passwords against a list of known hashed passwords and decrypt the password easily.
Depending on the type of data and its value, stolen data can end up in a variety of places and uses. Personally identifiable information (PII) typically ends up on the dark web for sale. The dark web is not indexed by search engines and is used to by criminals to traffic illegal goods like drugs, guns, pornography and personal data. There are marketplaces that specialize in selling large batches of personal information gathered from various data breaches that are both known and unknown.
Even if you change your password after a data breach, cybercriminals often use old login credentials to trick you into thinking the account has been hack and use social engineering methods like phishing to gain access to the new login credentials.
If you reuse your password across sites, you are exposing yourself to danger because a data breach on any of the sites you use could result in other accounts being compromised. Cybercriminals use your stolen login from one site to hack into your account on another site, this is a cyber attack known as credential stuffing. The usernames and passwords obtained from one data breach will automatically be used to send login requests to other popular sites.
Here are the 15 biggest data breaches in history by number of accounts affected.
Yahoo disclosed that a breach in August 2013 by a group of hackers had compromised 1 billion accounts. In this instance, security questions and answers were also compromised, increasing the risk of identity theft. The breach was first reported by Yahoo on December 14, 2016, and forced all affected users to change passwords, and to reenter any unencrypted security questions and answers to make them encrypted in the future.
In March of 2018, it became public that the personal information of more than a billion Indian citizens stored in the world’s largest biometric database could be bought online.
Yahoo believed that a "state-sponsored actor" was behind this initial cyberattack in 2014. The stolen data included personal information such as names, email addresses, phone numbers, hashed passwords, birth dates, and security questions and answers, some of which were unencrypted.
In November 2018, Marriott International announced that hackers had stolen data about approximately 500 million Starwood hotel customers. The attackers had gained unauthorized access to the Starwood system back in 2014 and remained in the system after Marriott acquired Starwood in 2016. However, the discovery was not made until 2018.
In October 2016, hackers collected 20 years of data on six databases that included names, email addresses and passwords for The FriendFinder Network. The FriendFinder Network includes websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com.
In June 2013 around 360 million accounts were compromised by a Russian hacker, but the incident was not disclosed publicly 2016. The information that was leaked included account information such as the owner’s listed name, username, and birthdate.
In June of 2018, Florida-based marketing and data aggregation firm Exactis exposed a database containing nearly 340 million records on a publicly accessible server. The breach exposed highly personal information such as people's phone numbers, home and email addresses, interests and the number, age and gender of their children.
In May of 2018, social media giant Twitter notified users of a glitch that stored passwords unmasked in an internal log, making all user passwords accessible to the internal network. Twitter told its 330 million users to change their passwords but the company said it fixed the bug and that there was no indication of a breach or misuse, but encouraged the password update as a precaution.
In June 2012, Linkedin disclosed a data breach had occurred, but password-reset notifications at the time indicated that only 6.5 million user accounts had been affected. LinkedIn never confirmed the actual number, and in 2016, we learned why: a whopping 165 million user accounts had been compromised, including 117 million passwords that had been hashed but not "salted" with random data to make them harder to reverse.
In February 2018, the diet and exercise app MyFitnessPal (owned by Under Armour) suffered a data breach, exposing 144 million unique email addresses, IP addresses and login credentials such as usernames and passwords stored as SHA-1 and bcrypt hashes (the former for earlier accounts, the latter for newer accounts).
In September 2017, Equifax, one of the three largest consumer credit reporting agencies in the United States, announced that its systems had been breached and the sensitive personal data of 148 million Americans had been compromised.
Between February and March 2014, eBay was the victim of a breach of encrypted passwords, which resulted in asking all of its 145 million users to reset their password.
Quora, a popular site for Q&A suffered a data breach in 2018 exposed the personal data of up to 100 million users.
MyHeritage, a genealogical service website was compromised, affecting more than 92 million user accounts. The breach occurred in October 2017, but wasn't disclosed until June 2018.
Though a slightly different type of data breach as the information was not stolen from Facebook, the incident that affected 87 million Facebook accounts represented the use of personal information for purposes that the affected users did not appreciate. Cambridge Analytica was a data analytics company that was commissioned by political stakeholders including officials in the Trump election and pro-Brexit campaigns. Cambridge Analytica acquired data from Aleksandr Kogan, a data scientist at Cambridge University, who harvested it using an app called "This Is Your Digital Life".
- Medical Procedure: How a Misconfigured Storage Bucket Exposed Medical Data
- Data Warehouse: How a Vendor for Half the Fortune 100 Exposed a Terabyte of Backups
- Open Enrollment: How HCL Exposed Employee Passwords and Project Data
- Losing Face: Two More Cases of Third-Party Facebook App Data Exposure
- The Aggregate IQ Files, Part One: How a Political Engineering Firm Exposed Their Code Base
- The AggregateIQ Files, Part Two: The Brexit Connection
- The AggregateIQ Files, Part Three: A Monarch, A Peasant, and a Saga
- The AggregateIQ Files, Part Four: Northwest Passage
- Out of Commission: How the Oklahoma Department of Securities Leaked Millions of Files
- Out of Pocket: How an ISP Exposed Administrative System Credentials
- Overboard: How Tea Party Campaign Assets Were Exposed Online
- Public Option: How Medical Records and Patient-Doctor Recordings Were Exposed
- HR Violation: How a Corporate Data Exposure Can Affect Employees
- Public Domain: How Configuration Information For the World's Largest Domain Name Registrar Was Exposed Online
- Short Circuit: How a Robotics Vendor Exposed Confidential Data for Major Manufacturing Companies
- LA Confidential: How Leaked Emergency Call Records Exposed LA County's Abuse & Crisis Victims
- Block Buster: How A Private Intelligence Platform Leaked 48 Million Personal Data Records
- Learning Curve: How Personal Data for One Million Individuals Was Exposed
- Health Risk: How a Medical Practice Exposed Details for 40,000 Patients
- Cloud Burst: Software Delivery via Public Cloud Storage
- Double Indemnity: How An Insurer Exposed Its Customers
- Bad Influence: How A Marketing Startup Exposed Thousands of Social Media Stars
- Home Economics: How Life in 123 Million American Households Was Exposed Online
- Credit Crunch: Detailed Financial Histories Exposed for Thousands
- Black Box, Red Disk: How Top Secret NSA and Army Data Leaked Online
- Dark Cloud: Inside The Pentagon's Leaked Internet Surveillance Archive
- System Shock: How A Cloud Leak Exposed Accenture's Business
- Cut Cord: How Viacom's Master Controls Were Left Exposed
- Insecure: How A Private Military Contractor's Hiring Files Leaked
- The Chicago Way: An Electronic Voting Firm Exposes 1.8M Chicagoans
- Blackout: Engineering Firm Exposes Critical Infrastructure Data
- Cloud Leak: WSJ Parent Company Dow Jones Exposed Customer Data
- Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts
- The RNC Files: Inside the Largest US Voter Data Leak
- Spy Games: How Booz Allen Hamilton Exposed Pentagon Access Keys
- Political History: How A Democratic Organization Leaked Six Million Email Addresses
- Clinical Trials: How Personal Information for Thousands of Australians was Exposed
- Capital One Breach Casts Shadow Over Cloud Security
It feels like every news cycle has more data breaches. Are data breaches occurring more? Or are we just hearing about them more?
It's likely that the increasing appearance of data breaches in the news is being driven by growing regulation around the world about how data breaches are communicated.
There are also a number of industry guidelines and government compliance regulations that mandate strict control of sensitive and personal data to avoid data breaches. For corporations, the Payment Card Industry Data Security Standard (PCI DSS) dictates who can handle and use personally identifiable information (PII), such as credit card numbers or names and addresses.
In healthcare, the Health Insurance Portability and Accountability Act (HIPAA) regulates who can see and use personal health information (PHI) such as a patient names, dates of birth, Social Security Numbers (SSNs) and healthcare treatments. HIPAA also has specific requirements for reporting healthcare related data breaches in its Health Information Technology for Economic and Clinical Health (HITECH) Act.
With the introduction of the General Data Protection Regulation (GDPR) by the European Parliament and Council in 2016, the need to respond to information security breaches has become a regulatory requirement for any business operating within the EU. Companies are now required to:
- provide data breach notifications
- appoint a data-protection officer
- require user consent for data processing
- anonymize data for privacy
In the United States, there is no national law overseeing data breach disclosures. However, as of 2018, all 50 US states have data breach laws in some form. There are a few commonalities including:
- The requirement to notify those affect as soon as possible
- Let the government know as soon as possible
- Pay some sort of fine
California was the first state to regulate data breach disclosures in 2003, requiring persons or businesses to notify those affected "without reasonable delay" and "immediately following discovery". Victims can sue for up to $750 and companies can be fined up to $7,500 per victim.
New York's Office of Information Technology Services says that "State entities and persons or businesses conducting business in New York who own or license computerized data which includes private information must disclose any breach of the data to New York residents whose private information was exposed."
Large multinational enterprises and small businesses can suffer from data breaches whether from cybercriminals or from accidental data breaches that are caused my misconfigured cloud services or failing to implement proper access controls such as password requirements for public-facing web services or applications. Organizations should have an incident response plan that is implemented when a breach does occur to identify, contain and quantify the breach.
Responding to a breach well is the most important thing, here's what you need to do:
- Ensure the breach has stopped: Before you do anything, you need to make sure the breach has stopped by identifying the affected parts of your computer system and isolating them. You're going to need all the information on those servers to understand what data was compromised, you need to be logging everything.
- Determine scope of breach: You need to know what data has been exposed. This means an exhaustive audit of what data was accessed and when. To determine the scope of the breach simply read what data was accessed or modified. Ideally, you will have audit logs and backups to compare what has changed on your affected server. If you don't have logs or don't think you can trust them, look for an expert on the data in your organization and ask them to check the data to try determine if it is accurate.
- Inform customers: You need to communicate to those affected that their data was exposed. As you know from above, there are legal reasons to inform your customers but quick, quality communication can also help save your organization from potential reputational damage. Give your customers the steps required to secure their accounts (or personal details) where possible.
- Improve your security to make sure this type of breach cannot happen again: To regain the trust of your customers you need to ensure the breach won't happen again. The SANS Institute has security guidelines about how to prevent breaches and the National Institute of Standards and Technology (NIST) publishes a set of standards, guidelines and best practices to manage cybersecurity risk in their Cybersecurity Framework.
Additional measures like well-written and widely understood security policies for employees, third-party vendors and leadership can help to educate and reduce the chance of accidental data exposure. The principle of least privilege (POLP) gives employees the bare minimum permissions need to perform their duties (and no more).
To protect yourself when if your data is exposed or stolen, there are a few steps you can take to protect yourself, your money and your personal information including:
- Changing your password: If a site you use has been breached, change your password to a unique password for each online account. If you find keeping track of these passwords difficult, you can use a password manager like 1Password.
- Monitor your bank account and other financial accounts: Check your bank account on a regular basis for unfamiliar activity.
- Check your credit report: Do so regularly to ensure that no credit cards are being opened under your name.
- Take action: If you see suspicious activity, contact your financial institution or the website that has been affected immediately.
- Secure your phone: Your phone can hold a lot of valuable personal information, a simple passcode will prevent it from being accessed if it is ever stolen.
- Check URLs: Even if it looks legit, make sure that the site has a valid SSL certificate (https) that matches the site you're looking to log in to.
- Check have i been pwned?: It's a free service that will let you check if your email address has been included in any known data breaches.
There is no one security product or control that can prevent data breaches alone. At a minimum you need common sense security practices to make a reasonable attempt at reducing data breaches. This includes ongoing vulnerability and penetration testing, malware protection, enforcing strong passwords, multifactor authentication and consistently updating hardware and software to patch known vulnerabilities.
These steps will attempt to prevent intrusions into a protected environment and cybersecurity professionals should also encourage strong encryption of sensitive data regardless of if it is stored on-premise or in cloud services.
Organizations should also practice network segmentation, splitting computer networks into subnetworks reducing the impact of an attack if they do gain access to a network while boosting performance.
UpGuard BreachSight's typesquatting module can reduce the cyber risks related to typosquatting, along with preventing breaches, avoiding regulatory fines and protecting your customer's trust through cyber security ratings and continuous exposure detection.
We can also help you continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure.