The recent Equifax breach of 143 million accounts makes one wonder: Are data breaches getting worse as the years go by? It certainly feels like no matter how catastrophic one incident sounds, we’re served another headline months later that tops it.
Looking back at the retail-sector data breaches of 2013-14 — including Target, Sally Beauty and Neiman Marcus — many felt that cybersecurity was reaching a turning point in the face of unprecedented disaster. The industry believed employers and agencies would be snapped into reality and start to confront their risks.
Incidents after that — including the recent hack of Equifax, one of the three major American consumer credit reporting agencies — have proven otherwise.
Thus, year after year, the worst cyber attacks of all time continue to be the most recent debacles. As major employers and institutions become more dependent on network data, security programs at even the largest employers continue to lag behind — so when disaster strikes, it strikes harder and wider than ever before.
The sheer size of an attack is not the only criterion for ranking it among the worst, of course. It’s also important to consider the degree to which the attack could have been prevented, the way it was handled and, overall, what it represents for the state of cybersecurity.
With that in mind, here are five of the worst data breaches of all time.
- Yahoo (2013-14): Not only do the 2013-14 breaches at Yahoo weigh in as the largest of all time (more than 1 billion accounts compromised in total), they are also the result of the company failing to respond to warnings that its user data needed better protections. Yahoo suffered a financial toll for its failure, too, with Verizon ultimately paying $350 million less for the search company after the breaches were revealed.
- The Office of Personnel Management: A staggering lack of security protections foreshadowed the breach of 21.5 million records at the OPM — which oversees federal employees — giving just about everyone a reason to worry about identity theft. Following the event, the agency drew ire for its slow response in notifying affected parties that their data may have been compromised.
- Sony: In 2015, hackers launched a crippling attack on Sony Pictures, taking over workstations, stealing intellectual property and intercepting sensitive emails from top executives. Information about yet-to-be-released movies, as well as private information about Sony employees and other people, was released to the public. In the investigations that followed, a prominent takeaway was employees’ serious disregard for good privacy practices.
- Target: While 2013 and 2014 saw several high-profile retail cyber breaches, Target’s — which affected 41 million consumers, and required the company to pay out $18.5 million in a settlement — was the most prominent and widely discussed. Target’s case also provided a very important cybersecurity takeaway: Your third-party vendors can be the weak link in your security chain.
- Equifax: The breach of 143 million Equifax users may fall short of Yahoo, as well as MySpace (360 million, 2016) and eBay (145 million, 2014), but the fact that a credit monitoring group with especially sensitive information was breached is a far more alarming prospect. The incident was also handled with all the tact of a sledgehammer, including sending users to a buggy site separate from Equifax.com that requested six digits of their Social Security numbers, forcing some users to sign away some rights just to see if they had been affected by the breach, and tweeting a phishing link several times. The incident forced CEO Richard Smith into early retirement.
If you’re ready to learn from the mistakes of others and advance your organization’s cyber protections, Lunarline has your back. For information about the solutions and services we provide, contact us today.