Data breaches affect companies across every industry. In choosing the top cybersecurity incidents, we weighed the scope of each breach, the type of information accessed, and the overall damage done. Many of these breaches happened because of basic cybersecurity failures at several levels at once. Some of the largest companies in the world make these mistakes and leave themselves open to attackers, whether a lone hacker or a state-sponsored group. The following nine data breaches are among the most egregious cases.
Table of Contents
- Clearview AI
- First American Financial Corporation
- Facebook
- MongoDB Databases
- Equifax
- Capital One
- US Office of Personnel Management
- Uber
- Yahoo
1. Clearview AI
Clearview AI is a controversial startup that scrapes billions of publicly available photographs to power its facial recognition platform. In February 2020 an intruder exploited an unspecified flaw and gained access to the company’s client list. The list of roughly 2,200 clients is small compared to the other breaches here, but it included many organizations outside the company’s core user base of law enforcement agencies: BuzzFeed News found retailers such as Best Buy among Clearview AI’s clients, individuals could sign up, and clients were spread across 27 countries. The company patched its systems to address the flaw following the incident.
2. First American Financial Corporation
First American Financial Corporation is a large Fortune 500 real estate title insurance company. It suffered a long-running breach caused by publicly accessible documents on its website. Because of the nature of real estate transactions, First American Financial holds highly sensitive information in those documents, including driver’s licenses, wire transaction details, Social Security numbers, and bank account numbers.
Anyone who had a document URL could read other documents simply by changing the numbers in the link, a textbook insecure direct object reference (IDOR): the site did not require authentication to view the data and made no check that the requester was a party to the document, and the exposed records dated back to 2003. More than 885 million records were reachable this way. Ben Shoval, a real estate developer, discovered the problem but could not get a response from the company, so he turned to KrebsOnSecurity for help. First American Financial took the document website offline to address the design defect.
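The lookup flaw described above, as an added illustration that is not First American's code: a document handler keyed on a sequential number with no login and no ownership check, beside a hardened version that requires an authenticated caller, checks that the caller owns the record, and puts an unguessable handle in the link instead of the sequential id. The document store, owners and contents are constructed for the example.

```python
"""Insecure direct object reference (IDOR) on sequential document IDs, next to a
hardened lookup. Added illustration, not First American's code; all names and
the sample records are hypothetical."""
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample store: sequential document id -> (owner, contents).
DOCUMENTS: Dict[int, Tuple[str, str]] = {
    1001: ("alice", "wire instructions for 12 Oak St"),
    1002: ("bob", "title policy with SSN and bank account"),
    1003: ("carol", "driver's license scan"),
}


class Forbidden(Exception):
    """Raised by the hardened lookup for any request it refuses."""


def get_document_vulnerable(doc_id: int) -> str:
    """Mirrors the flaw: no login, no ownership check, and the id is a
    guessable sequential number taken straight from the URL."""
    return DOCUMENTS[doc_id][1]


def enumerate_documents(start: int, count: int) -> List[str]:
    """What 'changing the numbers in the link' amounts to: walk the id space
    and collect every document that exists."""
    found = []
    for doc_id in range(start, start + count):
        if doc_id in DOCUMENTS:
            found.append(get_document_vulnerable(doc_id))
    return found


# Hardened lookup: (1) the caller must be authenticated, (2) the record must be
# authorized for that caller, (3) the URL carries an unguessable handle instead of
# the sequential id. Authorization is the real fix; the random handle only stops
# enumeration and must never be treated as a substitute for the ownership check.
_HANDLES: Dict[str, int] = {}


def issue_handle(doc_id: int) -> str:
    """Mint a 256-bit random handle for a document (what a link would contain)."""
    handle = secrets.token_urlsafe(32)
    _HANDLES[handle] = doc_id
    return handle


def get_document_hardened(user: Optional[str], handle: str) -> str:
    """Return the document only to its authenticated owner."""
    if user is None:
        raise Forbidden("authentication required")
    doc_id = _HANDLES.get(handle)
    if doc_id is None:
        raise Forbidden("not found")
    owner, body = DOCUMENTS[doc_id]
    if owner != user:
        # Same response as an unknown handle, so the endpoint does not leak
        # whether a document exists.
        raise Forbidden("not found")
    return body
```

The vulnerable path needs nothing but a starting number; the hardened path refuses anonymous callers, refuses the raw sequential id, and refuses a valid handle presented by the wrong user, all with the same "not found" response.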
3. Facebook
Facebook has been through several data breaches, but here we focus on two incidents caused by third-party Facebook applications. Cultura Colectiva, a Mexico-based media company, left 540 million records (146 gigabytes) in a publicly accessible Amazon S3 bucket. The exposed data included Facebook IDs, account names, and social media activity such as comments and reactions. The sheer volume of records makes this a notable incident.
A second exposure leaked the user names, passwords, and other details of 22,000 people who had signed up for an app called “At the Pool.” That developer also relied on a publicly accessible Amazon S3 bucket for a database backup, with the data stored in plain text. Alongside the account details users provided when they registered, the backup included Facebook user IDs, likes, interests, groups, and other social media activity.
“At the Pool” secured its bucket before any security organization notified it. Cultura Colectiva did not respond, and months passed before that S3 bucket was locked down.
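Both Facebook exposures came down to the same thing: a bucket whose policy or ACL let anyone read it. The following added example (not UpGuard's tooling and not either developer's configuration) audits a bucket policy document and ACL grant list offline for anonymous read access; the bucket name, account id and role in the sample policies are hypothetical.

```python
"""Offline audit of an S3 bucket policy and ACL for anonymous read access, the
misconfiguration behind both Facebook app exposures. Added example with constructed
inputs; it is not UpGuard's tooling or either app developer's configuration."""
import json
from typing import Any, Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal: Any) -> bool:
    # Both "Principal": "*" and "Principal": {"AWS": "*"} mean anyone.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _is_read_action(action: str) -> bool:
    a = action.lower()
    return a in ("*", "s3:*") or a.startswith("s3:get") or a.startswith("s3:list")


def policy_public_findings(policy_json: str) -> List[str]:
    """One finding per Allow statement that grants a read action to everyone.
    Statements with a Condition block are still reported, flagged for review."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        exposed = [a for a in _as_list(stmt.get("Action")) if _is_read_action(a)]
        if not exposed:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        note = " (conditional, review the Condition block)" if stmt.get("Condition") else ""
        findings.append(f"statement {sid} grants {', '.join(exposed)} to everyone{note}")
    return findings


def acl_public_findings(grants: List[Dict[str, Any]]) -> List[str]:
    """Flag ACL grants to the AllUsers or AuthenticatedUsers groups. The latter is
    effectively public too: any AWS account in the world qualifies."""
    findings = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri == ALL_USERS:
            findings.append(f"ACL grants {grant.get('Permission')} to everyone")
        elif uri == AUTHENTICATED_USERS:
            findings.append(f"ACL grants {grant.get('Permission')} to any AWS account")
    return findings


def is_publicly_readable(policy_json: str, grants: List[Dict[str, Any]]) -> bool:
    return bool(policy_public_findings(policy_json) or acl_public_findings(grants))


# Constructed samples (hypothetical bucket, account id and role).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::app-backups", "arn:aws:s3:::app-backups/*"],
    }],
})
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::app-backups/*",
    }],
})
PUBLIC_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                "Permission": "FULL_CONTROL"}]
```

A bucket is exposed if either control opens it, which is why the check reports policy and ACL findings separately; enabling S3 Block Public Access at the account level prevents both kinds of grant from taking effect in the first place.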
4. MongoDB Databases
Several MongoDB databases with unknown owners exposed more than one billion records because they had no protection at all. Bob Diachenko, a Security Discovery researcher, first uncovered a database of more than 275 million records containing the names, email addresses, employment history, dates of birth, and professional details of Indian citizens. The database was hosted on Amazon AWS and sat exposed for over two weeks before the hacker group Unistellar attacked it and deleted the records.
Diachenko continued the investigation and found four more unsecured MongoDB databases leaking data at large scale: more than 808 million email records, 200 million resumes, and 77 million personal information records. None of these instances required a password, and none used the protective configuration options MongoDB provides (enabling authentication, binding to local interfaces only, restricting network access), so the failure lay with the database administrators rather than with the technology itself. Following database administration best practices is a critical component of data security.
5. Equifax
Equifax is one of the major consumer credit reporting agencies, holding sensitive information on millions of Americans and businesses. It suffered a data breach that compromised the data of roughly 147 million people, almost half the population of the United States, plus a portion of the agency’s Canadian and United Kingdom records. Social Security numbers, driver’s license numbers, credit card numbers, addresses, and other personal information were affected. Four members of China’s People’s Liberation Army were indicted for the attack, which became the subject of Congressional hearings, a Federal Trade Commission investigation, an SEC investigation, and multiple lawsuits by governments and individuals. The attackers had access to Equifax’s online credit dispute portal for roughly two and a half months, entering through the Apache Struts vulnerability CVE-2017-5638. A patch for that vulnerability had been available for about two months before the intrusion began, but Equifax failed to apply it to its systems before the breach.
The fallout from this data breach was widespread for consumers, as the accessed information could easily fuel identity theft efforts. Negative marks on credit reports have many consequences, from losing out on job opportunities to being unable to access loan products and credit cards. Consumers needed to freeze credit reports and proactively monitor their credit for any unknown activity.
6. Capital One
Capital One, one of the largest credit card issuers, had the records of about 106 million customers breached. Paige Thompson, a former Amazon Web Services engineer, exploited a misconfigured web application firewall in front of one of Capital One’s AWS-hosted servers. The misconfiguration let her relay requests through the firewall to the EC2 instance metadata service, which returned temporary credentials for an IAM role that could read Capital One’s storage buckets. Those buckets held records of United States and Canadian customers, including Social Security numbers, bank account numbers, credit scores, and other personal information, drawn from credit card applications spanning more than a decade.
The breach came to light, and Thompson was arrested, because she publicly admitted to holding Capital One data: she posted on GitHub, Twitter, and Slack describing how she had gained access to the server. She had talked about distributing the Social Security numbers and personal information, but her motive was never clear.
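The control that breaks this chain is a destination check on any request a server makes on a user's behalf, so that a relayed request can never reach the link-local metadata address. The check below is an added example, not Capital One's code; the resolver hook and the sample hostnames are hypothetical, and the function takes a resolver argument so it can be exercised offline.

```python
"""Destination check for server-side requests, the control that stops a request
relayed through a proxy or WAF from reaching the EC2 instance metadata service at
169.254.169.254. Added example, not Capital One's code; the resolver hook and the
sample hostnames are hypothetical."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

# Hostnames that are metadata endpoints regardless of what they resolve to.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _system_resolve(host: str) -> List[str]:
    """Default resolver: every address the OS returns, v4 and v6."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_internal(ip: Address) -> bool:
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped address is judged as the IPv4 it hides.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, link-local (the metadata range), RFC 1918,
    # unique-local IPv6, multicast, reserved and unspecified addresses.
    return not ip.is_global


def is_safe_destination(url: str,
                        resolve: Callable[[str], Iterable[str]] = _system_resolve) -> bool:
    """True only for http(s) URLs whose host is a public address. Every address a
    hostname resolves to must be public, and the address checked here must be the
    one actually connected to (pin it), or a DNS rebinding answer can slip past."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    if host in METADATA_HOSTS:
        return False
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        # Not an IP literal: resolve it. Decimal forms such as 2130706433 land here
        # too and come back as 127.0.0.1 from a real resolver.
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False
    return bool(addresses) and not any(_is_internal(ip) for ip in addresses)
```

On the instance side, requiring IMDSv2 (a session token obtained with a PUT request, with a hop limit) means a plain relayed GET to the metadata address yields nothing even if the application-layer check is missing; the two controls belong together.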
7. US Office of Personnel Management
The United States Office of Personnel Management (OPM) had the personal data of more than 21 million people stolen from its systems, an intrusion disclosed in 2015. While the record count is low compared to other large-scale breaches, the contents made it severe: the stolen files included SF-86 forms, the questionnaires used to obtain federal security clearances, which hold an extensive amount of sensitive information about applicants and their families, along with fingerprint records for about 5.6 million people.
OPM’s IT department first discovered signs of an intrusion in March 2014 but could not determine how the attackers had gotten in or who they were. The malware used to plant the backdoor pointed to state-sponsored attackers from China. No personnel files had been accessed at the time of that first discovery, so OPM officials decided to monitor the intruders to learn more about the incident. The approach backfired: while OPM watched the first intruder, a second set of attackers established a foothold that survived the eventual cleanup. Attacker access spanned from November 2013 to April 2015 and extended to systems at the Department of the Interior’s data center, which hosted OPM personnel records.
The fallout from this hack included a Congressional investigation, union lawsuits, and multiple resignations among OPM leadership. Some undercover CIA intelligence officers were recalled because their records had been compromised. The absence of two-factor authentication for access to OPM’s network is considered one of the biggest best-practice failures in this breach.
8. Uber
In 2016 Uber suffered a data breach that compromised 57 million customer and driver records, including about 600,000 driver’s license numbers. Two hackers carried out the attack and later targeted other technology companies. They gained access to a third-party cloud storage server that held Uber user data. What makes this case notable is that Uber’s then CSO chose to pay the hackers’ $100,000 extortion demand through the company’s bug bounty program and, following that payoff, allegedly obstructed an ongoing FTC investigation in an attempt to conceal the breach. The former CSO was criminally charged with obstruction, and the legal case is ongoing.
9. Yahoo
The Yahoo data breach took place in 2013 and remains the largest ever by number of records: the company’s entire user base of three billion accounts was affected. Yahoo did not disclose the breach until 2016, and the full scope of affected users was not announced until 2017. The stolen data included names, email addresses, dates of birth, security questions and answers, and hashed passwords, many of them hashed with the weak MD5 algorithm. Yahoo also believes that state-sponsored attackers used stolen proprietary code to forge web cookies, which let them into user accounts without needing the password. The company learned of the breach only years after it occurred, once a portion of the data was advertised for sale on the dark web.
Address Your Cybersecurity Gaps with Integrate.io
Even the largest companies fail to get cybersecurity best practices right. Many of these data breaches, and others like them, can be addressed through a comprehensive data security plan that offers proactive, multi-layered protection.
What is your organization doing now to minimize the damage of a future data breach? One way to get started is to protect your data integrations with a secure and robust platform. Demo Integrate.io for seven days to explore the ways we keep your data safe.