Why and How Data Breaches Happen

As it turns out, the majority of data breaches happen due to hacking – like Equifax, Uber, Target, Yahoo, Myspace (do you remember it?), LinkedIn, and many other massive breaches.  

But a significant amount of sensitive data was accidentally published or lost as a result of weak security measures, as in the River City Media, Grindr or Spambot leaks.

There are many methods hackers can use to access and compromise users’ personal information. Advanced attackers research possible vulnerabilities in the company’s security system. Then they use either a network or a social attack.

A network attack means that a hacker uses infrastructure, system or other weaknesses to infiltrate a network. Social attacks occur when hackers trick employees of the company into giving access to the network. The attack is successful after the attackers extract the data they need.

13 443 149 623 data records have been lost or stolen since 2013. Only 4% of the total breaches were secure. This means that encryption was used and the stolen data was rendered useless.

Although the situation was already worrying when we originally published this article at the end of November 2018, it has since got worse. Since then, there have already been two massive data breaches which added billions to the total of compromised accounts.

7 Biggest Breaches

Here are some of the largest data breaches (as of February 2019).

#7 Target – 110 million accounts

Initial reports stated that around 40 million customers were affected, but later the number nearly tripled. Finally, it was estimated that over 110 million customers had their names, addresses, phone numbers and emails hacked in the breach.

While this was not as sensitive as credit card information, the stolen data has a significant value to the wrong people.

#6 Heartland Payment Systems – 134 million accounts

When Heartland Payment Systems suffered one of the most significant data breaches in history in 2008, it reminded us all about the fundamentals of security.

A skilled and malicious hacker obtained names and card numbers of over 134 million cardholders. Later Heartland paid more than $110 million to Visa, MasterCard, American Express and other card associations to settle claims.

#5 eBay – 145 million accounts

In 2014 eBay urged 145 million users to change their passwords following a cyber attack which compromised encrypted passwords and other sensitive information like names, email addresses, mailing addresses, phone numbers and dates of birth.

Hackers compromised a small number of employee login credentials and thus were able to access eBay’s corporate network.

#4 Equifax – 146.6 million accounts

Equifax reported that sensitive personal information of over 146.6 million Americans was exposed during one of the most massive data breaches ever.

Hackers exploited ‘a security hole’ and accessed customers’ passports, driver’s licenses and social security numbers. It took Equifax a month and a half to report the breach.

#3 Marriott – 500 Million Affected Customers

According to the reports, 500 million customers were compromised. For about 327 million of the guests, the breached information included some combination of a name, mailing address, phone number, even encrypted payment card information, etc.

#2 Collection #1 – 2 billion unique combinations of email addresses and passwords (and the number is growing)

This ongoing breach is known as the “mother of all breaches”. It has been getting more and more massive every week. Cybersecurity expert Brian Krebs said Collection #1 is only a fraction of what’s being sold online.

As of February 2019, around 2 billion accounts are compromised, but the situation is likely to get worse.

#1 Yahoo – 3 billion accounts

Billions of accounts were compromised during breaches in 2013 and 2014. Hackers stole users’ names, email addresses, phone numbers, dates of birth, hashed passwords and answers to their security questions.

On top of that, Yahoo failed to report the breaches – it took 3 years to disclose details, and the exact scope has not been revealed until now. Earlier this month it was announced that Yahoo agreed to pay $85 million to the data breach victims.

Other significant breaches:

  • TJX Companies – 94 million accounts
  • JP Morgan & Chase – 83 million (76 million households and 7 million small businesses)
  • Uber – 57 million
  • U.S. Office of Personnel Management (OPM) – 22 million
  • Timehop – 21 million

If My Data Was Compromised, Will I Know?

Although data breaches affect personal information, companies are not quick to report them to the victims. Often it takes months or even years until you get a notification that your account was compromised in any way.

For example, Uber tried to hide a data breach in 2016 which affected over 57 million users and 600 000 drivers. Moreover, the company paid hackers $100 000 to keep the breach a secret. Now, Uber may have to pay $148 million for failing to inform their customers on time.

How many companies have done the same? Is Uber a rule or an exception? It’s tough to tell. But knowing this really doesn’t give a sense of security.

On the other hand, things can change in Europe. Under the EU’s GDPR, if customers’ sensitive data was affected during a cyber-attack, firms must notify them directly no later than 72 hours after having become aware of it. Failing to do that will result in serious fines.

Our Overview – Data Breach Fatigue

It may seem data breaches occur every day. And this is not very far from the truth. On the one hand, it’s good that people are notified about what’s happening in the digital world and thus urged to pay more attention to online security.

On the other hand, there’s a phenomenon called ‘data breach fatigue’. This is when people feel overwhelmed by the massive number of data breaches and stop paying attention to them. I wrote recently that only 55% of users would update their password if that account had been hacked.

While we get ‘fatigued,’ hackers get more active. Therefore, hacks don’t stop, the number of attacks grows, and methods improve.

The worst part of this is that even if you secure your personal information, it doesn’t mean companies or institutions that handle your data in any way are capable of proper protection. Thus, we have to be cautious and take extra steps to protect our digital lives and think twice before giving our information to anyone.

This article was originally published: November 2018
