The Top Ten Data Breaches of All Time

Written by

While the data collection and retention concept has taken off as the online world has evolved, the cost has been major losses and breaches of that data suffered by those entrusted to securely store it.

Going back to the TK Maxx breach of 2005, to the HMRC CD loss of 2007, right up to those massive breaches of 2016, these instances are now a mainstay of IT security news. The difference is the industries affected – we’ve seen credit card processors, retailers, healthcare providers and social networks all reporting bad news, while legions of customers and members face the choice of whether to stick with the company or switch to a competitor in protest.

In 2018, European businesses will fall under the General Data Protection Regulation, which will mandate data breach reporting in the same manner as those in the United States, in particular Massachusetts and California. One thing is clear from the number of instances and figures involved; this problem is not getting any better.

1: Yahoo – 2014

The search and email giant announced in summer 2016 that 500 million account details had been breached back in 2014, with multiple protected and unencrypted details exposed.

2: FriendFinder Networks – 2016

The company behind 49,000 adult and specialist dating websites was hacked with data belonging to 412 million users made available, including historical data for the past 20 years on six FriendFinder Networks (FFN) properties.

3: Myspace – 2013

Myspace’s social media legend didn’t prevent it from losing 360 million user passwords in June 2013. The passwords were unsalted SHA-1 hashes, vulnerable to cracking tools.

4: Experian – 2012

Data firm Court Ventures saw a database of 200 million Social Security numbers accessed after Court Ventures obtained the information through a data-sharing agreement with U.S. Info Search. Experian acquired Court Ventures in 2012.

5: USA Voter Database – 2015
A database sat on the web that contained various pieces of personal information relating to 191 million American citizens registered to vote. A total of 300GB of voter data dating back to 2000 was collected and included names and addresses, party affiliations, and logs of whether or not they had voted in primary or general elections.

6: LinkedIn – 2012

LinkedIn initially disclosed a breach of 6.5 million user accounts in 2012, but in 2016 it was revealed that 165 million accounts were impacted, and 117 million passwords had been hashed but not ‘salted’.

7: NASDAQ stock exchange - 2012

Attackers stole more than 160 million credit and debit card numbers, targeting more than 800,000 bank accounts by exploiting SQL Injection vulnerabilities in the victim companies' websites to obtain login credentials and other sensitive data, then installing malware to get a backdoor into the networks. NASDAQ, along with Citibank, PNC Bank, Heartland Payment Systems, 7-Eleven, JCPenney and Hannaford Brothers were impacted.

8: ebay - 2014

Attackers gained access to an ebay database of 145 million user accounts, which included names, addresses, dates of birth and encrypted passwords.

9: Heartland Payment Systems – 2009

It was estimated that 100 million cards were impacted when data was stolen within its processing system, including the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards.

10: VK – 2016

A database of 100 million accounts on Russian social networking site were breached, and reportedly sold for 1 Bitcoin. The database contained information like full names, email addresses and plain-text passwords.

What’s hot on Infosecurity Magazine?