We live in an environment where customer data is constantly at risk. A security incident occurs when intruders compromise data systems and information is at risk. Research on data breaches by Verizon defined an incident as one that “compromises the integrity, confidentiality, or availability” of data
On the scale of cybersecurity threats, a data breach is the most severe and affects reputation, revenue, and customer trust. In the recent Cost of Data Breach Study, the average cost per data breach is $3.62 million and per record is $158. For a small to mid-sized business, the impact can be crippling.
Today we look at five of the worst cybersecurity breaches of all time. There are many ways to rank the largest cybersecurity breaches. We chose to highlight those that affected the most records, triggered the highest dollar impact, was repeated, was an inside job, and the most egregious.
#1 Most Records Affected: Yahoo
When Yahoo admitted in 2014 that it was hacked the prior year, it didn’t come clean on the extent of the breach. In fact, the search engine company was infiltrated more than once. When Verizon dug into the search engine company’s records during due-diligence for their acquisition, they uncovered more than Yahoo cared to admit.
- Cost: At a minimum, Yahoo lost $350 million as that’s how much Verizon dropped its purchase price and more will come in settlements of the many lawsuits over this breach.
- Estimated records stolen: The first report stated 500 million accounts were affected, but further investigation found the breach impacted every existing Yahoo account.
- Impact: Yahoo lost customers, traffic, and ad revenue plus the lower sales price. Many long-time users walked away from the search engine and email provider for good.
- Methodology: The most successful of the two breaches began with a spear phishing email sent to one employee.
- Length of access: The Russian hackers that orchestrated the breach installed a back door and ransacked email accounts and user data for months.
- Motive: The DOJ charged four Russian spies and criminal hackers. The spies’ motive was to infiltrate and destabilize American financial firms while the hackers wanted cash.
- Compliance: Yahoo violated state and federal data breach notification laws by delaying notification and now faces multiple class-action lawsuits.
#2 Greatest Financial Impact: Epsilon
To date, the costliest cybersecurity breach occurred at a company that’s not a household name. Epsilon is an international email marketing company hit by a database hack back in 2011. Epsilon managed email campaigns to customers of Capital One, Barclays, and Citigroup, among others, and its breach was projected to enable innumerable successful phishing scams.
- Cost: Epsilon itself paid an estimated $225 million in costs and its 75 affected clients paid around $410 million. When you include forensic audits, monitoring, litigation and lost business, the estimated total damage was $3-$4 billion.
- Estimated records stolen: The breach compromised about 250 million records among 75 of Epsilon’s 2,500 clients.
- Impact: Epsilon lost an estimated $45 million worth of business as clients walked away in droves. The breach was so severe that the Secret Service got involved.
- Methodology: The details were not made public, but experts estimate that a single point of intrusion allowed the hackers to hijack the email system.
- Length of access: Again, details are murky, but Epsilon detected the breach rapidly and shut it down quickly, limiting what could have been a much worse breach.
- Motive: There were indictments against two Vietnamese and one Canadian national in the breach motivated by profit. The hackers raked in an estimated $2 million via spam emails.
- Compliance: Epsilon was warned about the increased potential for hacks and tightened security, so the breach was discovered quickly such that only 3% of their client base was affected. They also met regulatory compliance for notification.
#3 Most Repeated Breaches: Yahoo
Yahoo makes the top cybersecurity breaches list twice because it was hit multiple times to the extent that the breaches compromised every one of its three billion customer email accounts. That represents a stunning 100% failure. Also troubling is that Yahoo’s delayed notification put customers at ongoing risk.
There were at least two separate breaches, in August 2013 and another in late 2014. Yahoo delayed notification of the latter breach until 2016 when it became public knowledge that customer data was for sale on the dark web. In a 2016 SEC filing, the search engine giant claimed it had no knowledge about a breach or loss of data but then revised its filing and owned up to the hack.
#4 Biggest Inside Job: Court Ventures
It’s upsetting when criminals creep into a company and steal data through a back door. However, when they walk right through the front door and buy sensitive data, it’s nothing short of unsettling. Such is the case with Court Ventures, now owned by Experian, which sold personal data to a criminal that ran an identity theft business. All it took was a credible lie and some cash.
- Cost: The total cost of the Court Ventures breach is unknown. What is known is that almost 14,000 consumers fell victim to income tax fraud totaling more than $65 million.
- Estimated records stolen: Roughly 200 million consumer data records were sold and accessed, but Experian insisted there was no compromise of its data files.
- Impact: Experian and Court Ventures countersued one another over the fraud. Consumers filed a class action suit against Experian as the new owner of Court Ventures over violations of the Fair Credit Reporting Act.
- Methodology: Hieu Minh Ngo posed as a private investigator and purchased access to sensitive data including Social Security numbers which he sold to 1,300 perpetrators of identity theft.
- Length of access: Ngo bought information from US Info Search via Court Ventures for more than a year including a 10-month period after Experian acquired Court Services.
- Motive: The perpetrator’s motive was purely profit-based.
- Compliance: Neither Court Ventures nor Experian discovered the breach. The Secret Service notified Experian who then shut down access and cooperated with law enforcement. Because this was a front-door attack, the issue at hand was lack of due diligence in screening clients to whom Court Ventures sold data.
#5 Most Egregious: OPM
The breach at the Office of Personnel Management made this list because it so brazenly targeted the US government. The cleverly buried malware was discovered during routine decryption of SSL traffic to verify data integrity. The highly coordinated and heavily-funded breach began with a hack at a government contractor where credentials were stolen to facilitate the attack on OPM.
- Cost: So far, the costs resulted from forensic audit services along with detection and destruction of the malware. The court dismissed a class action suit filed on behalf of federal employees because the plaintiffs failed to prove legally actionable harm.
- Estimated records stolen: A team worked round the clock to ferret out and destroy the malware that nested on 10 machines including an admin server. Hackers had access to millions of background checks, employee files, and even digital fingerprint archives.
- Impact: What’s frightening about this breach is that investigators don’t know where the data went or who has it now. Agency head Katherine Archuleta resigned, as did OPM’s CIO.
- Methodology: Hackers used a faux McAfee security file to shuttle data to a site owned by “Steve Rogers.” A secretive hacker group that orchestrated many devastating cyber attacks often uses Avenger’s names, but the specific perpetrators are unknown.
- Length of access: By the time OPM’s cybersecurity found the back door, it had been open for almost a year.
- Motive: This attack was labeled an advanced persistent threat (APT) meaning it was likely state-sponsored and aimed at economic, military, or political objectives and Chinese in origin.
- Compliance: OPM repels roughly 10 million attempted hacks each month yet its Assistant Inspector General for Audits told Congress there’s a “long history of systemic failures” of managing IT infrastructure.
Preparing for a cyber attack is critical because it’s not a matter of if a company will be attacked, but when. It’s often more than 200 days between malware infection and discovery of the intrusion. These are some of the biggest hacks of all time, but even a minor cybersecurity breach can devastate a business’ reputation and future. If you're not prepared with a cybersecurity incident response plan, you're at risk.
Start a conversation with Alpine Security today to see how we can help protect your company’s data.