Cybersecurity, Emerging Issues in Security, Policies and Training

The Largest Cyberbreaches of All Time: What Can They Teach Us Today?

In 2021, the number of cyberattacks and data breaches in the U.S. increased by 15.1% from the previous year. And the cost of being victimized by cybercrime rose, as well. According to a study by IBM, on average, a single data breach in the U.S. costs a business $9.44 million.

In the first half of 2022 alone, some 53 million Americans had their personal data compromised in a breach. If you shop or manage your financial affairs online, chances are, you’re one of them. You’re probably not aware of every cybersecurity incident that has touched you. Businesses that have been victimized are often lax in notifying individuals when their data have been exposed. That leaves it up to you to stay informed, protect yourself, and take care of your digital life.

Let’s take a look back in time at some of the largest breaches to hit the online community—which, nowadays, includes pretty much everyone—and examine the effect they had on ordinary people. We’ll also recommend ways to find out whether you’ve been affected by a cyber breach, what to do if you’ve been compromised, and how to protect yourself from further exposure in the future.

Yahoo! (2013 through 2016)

Founded in 1994, Yahoo! grew into one of the largest web service providers in the world, offering a web portal, a search engine, email services, financial information, and more to internet users. The company no longer occupies the dominant position it assumed as one of the pioneers of consumer web services, but is still a formidable competitor in its business arena. The bigger they are, the harder they fall, though: Over a three-year period, Yahoo! was victimized by a series of cyberattacks.

The first attack was massive and perpetrated by a team of Russian hackers. The company reported that about 1 billion users were affected by it. Later, however, when Yahoo! was purchased by Verizon, we learned that some 3 billion users had actually had their data compromised. Users had their names, email addresses, phone numbers, birthdates, passwords, and security questions stolen, which, in turn, put them at risk for all kinds of fraud, including bogus credit card charges and identity theft. 

In the end, the breach cost Yahoo! $500 million by some estimates. Most significantly, the company was forced to slash its selling price when it was acquired by Verizon by a whopping $350 million. Its reputation was severely damaged as customers lost faith in the brand and Yahoo! simply couldn’t command a premium price in the market.

In addition to the loss Yahoo! suffered during its sale to Verizon, the company was also socked with a $35 million fine for its lack of transparency after a 2014 attack. More than 40 class action lawsuits against the company also ensued. 

Microsoft (2021)

In January of last year, Microsoft experienced a data breach of its email servers. Outlook, the company’s signature email app, which is the cornerstone of the company’s Office 365 suite of tools, is the most widely used globally, with more than a million enterprise users. The breach affected 60,000 companies worldwide. In total, some 250,000 servers were compromised over four days.

Hackers gained access to the data held by a wide variety of organizations, from small businesses to government entities. Any company that had an internet connection and locally managed servers was vulnerable to attack. Microsoft was able to provide a patch to fix the flaw in its system, but businesses were on their own when it came to implementing the correction. Those who didn’t act remained vulnerable to repeated attacks. Moreover, since these systems were not housed in the cloud, Microsoft couldn’t seal the leaks immediately. Reparation was slow and businesses remained at risk for an extended period.

The 2021 Microsoft data breach was notable because its perpetrators began ransoming businesses’ data. Hackers were able to encrypt data held on the victimized servers, rendering systems inoperable and crippling the affected businesses. They then demanded money from the businesses that attacked to return servers to normal. 

Equifax (2017)

Equifax is one of the “big three” among credit monitoring bureaus. As such, the company collects a tremendous amount of information about consumers. When you apply for a credit card, mortgage, or even a job, there’s an excellent chance that the person or company evaluating your eligibility will “pull” your credit report and look at how well you handle your debt.

In 2017, the company experienced a data breach that exposed the records of some 147 million citizens. Their names, Social Security numbers, birth dates, addresses, and, in some cases, drivers license numbers and credit card information were exposed. Cyberthieves were able to access records due to a vulnerability in an application attached to one of the company’s websites.

After the breach was investigated, Equifax was forced to reach a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories. According to the company, it suffered losses of $1.4 billion. The settlement included up to $425 million to help victims of the breach recover from such damages as fraudulent credit card charges and identity theft. Consumers who were affected by the breach are eligible to apply for relief until January 2024. Like many companies who experience data breaches, Equifax was not entirely transparent about the extent of the danger posed by the breach and was faulted for its slow response in addressing the security risks posed by the breach.

Facebook (2019)

Love it or hate it, Facebook is a social media powerhouse, attracting nearly 3 billion users at present. In 2019, the company suffered a data breach that exposed 540 million records. Information compromised in the breach included phone numbers, user names, genders, and locations. The crime was never attributed to a specific perpetrator. The FTC assessed Facebook a $5 billion penalty for its failure to protect its users’ privacy. The government says it is the largest fine it has ever assessed: 20 times higher than any previously imposed in a data breach worldwide.

In addition to the penalty assessed, the government order required that Facebook entirely restructure its privacy practices. It also included provisions to make Facebook’s corporate leaders personally accountable for protecting the privacy of its users. It instituted greater oversight of the social media giant’s affairs. Facebook must now submit quarterly reports to demonstrate that it is complying with the rules set out by government order.

Target (2013)

According to the National Retail Federation, Target rates seventh among the largest retail brands. The company is fortunate to have maintained its customers’ trust and affection, despite a 2013  data breach that affected some 60 million customers whose names, email addresses, phone numbers, payment card numbers and verification codes, and more were compromised.

Target escaped its breach relatively unscathed. The company reached a multi-state settlement of $10.5 million, a class action lawsuit settlement of $10 million, and was forced to make $10,000 payments to customers who could demonstrate they’d suffered losses due to the breach. Target estimated that it lost about $300 million due to the breach. The perpetrator of the data theft was never identified. The case was notable for how cybercriminals gained access to customer data. Credentials were stolen from one of Target’s third-party vendors—an HVAC contracting company—when malware was uploaded to its systems.

Key Takeaways: What We’ve Learned from History’s Largest Data Breaches

Let’s start with a startling statistic: A whopping 80% of data breaches are caused by human error. Weak or compromised passwords account for many of these losses. Whether you’re a consumer or a business owner, practicing excellent password hygiene is essential. It’s incumbent on business owners to make sure employees are complying with established password protection protocols and limit permissions. Employees should have access to information strictly on a need-to-know basis.

As a consumer, it’s tough to keep track of all of our passwords: Most of us have about a hundred of them. It’s too time-consuming to change them all monthly as suggested by cybersecurity experts, and it’s very tempting to reuse passwords across accounts. Password managers, which are available for a nominal cost or even for free, can alleviate the burden of practicing good password hygiene.

We’ve also learned that large companies that invest millions of dollars in cybersecurity are hardly immune from cyberattacks. And the larger the company, the more user information is exposed in the breach.

Businesses understand that customers will lose faith in them if they allow customer data to be compromised. As a result, they are not always quick to report breaches. They want to have their public relations strategies in order and their executives trained to deliver approved messages before telling the unfortunate truth. That means that users remain unaware and unprotected for longer than necessary.

How to Protect Yourself from Data Breach Damage

  • Consumers can start by following best practices for password protection. Never share your passwords with anyone, even your best friend. You can’t trust anyone to be as careful as you are. Don’t store passwords where they can easily be stolen—for example, on your cellphone or desk drawer.
  • Read your bank and credit card statements thoroughly each month. If you recognize any fraudulent withdrawals or charges, report them immediately and change your password on any affected accounts.
  • You can’t fix a problem if you don’t know it exists. Follow the press for news of new data breaches. Some people decide to purchase identity theft protection services, which routinely monitor new data breaches and will alert subscribers whose data is compromised. They also monitor customers’ credit scores and reports for any evidence of fraud or identity theft. There are free credit monitoring services you can employ, as well, including Credit Karma and Credit Sesame.
  • If you discover your data has been compromised in a breach, don’t just change one password. Daunting as it sounds, change them all, beginning with any passwords that you have reused across accounts.
  • When shopping, make use of third-party payment apps like Paypal and Venmo whenever possible. You can often use these apps when paying for purchases online and in-store. That way you can limit the number of accounts you have open. The fewer places your personal data appears, the safer you’ll be.

Nothing and no one can keep you entirely safe from data breaches. Recent legislation, including the Data Breach Notification Act, is incentivizing businesses to protect consumer privacy more diligently, lest they suffer expensive penalties and other financial losses. But as a consumer, you play a part in your own cyber safety. Learn more by consulting trusted resources, including the federal government, for tips on how you can protect yourself from the consequences of data breaches. Their number continues to break records and will likely increase as we become more dependent on digital services.

Susan Doktor is a widely published author who writes primarily on personal finance topics, including cybersecurity and credit markets. Her contribution comes to us courtesy of Money.com.