The 11 biggest hacks and breaches of the past decade that are still causing reverberating damage


April 5, 2021
  • The past decade has marked a steady rise in mega-hacks affecting tens of millions of people’s data.
  • Researchers have logged more than 7,000 breaches including 4 billion stolen records since 2011.
  • The hacks are still doing damage as cybercriminals circulate stolen data online and use it for fraud.

Year after year, the number of records stored online grows — and hackers are getting better and better at stealing them.

The frequency of “mega-breaches” — in which the data of tens of millions of people is vulnerable — is steadily rising. More than 7,000 data breaches have occurred since 2011, according to data collected by Privacy Rights Clearinghouse, with over 4 billion total records stolen.

In the past year alone, sophisticated hackers have deployed new tactics to capitalize on the rise of cloud computing and target vulnerabilities in software supply chains in order to maximize the number of victims they can target. Each hack can have lasting consequences: Stolen records may be circulated online by cybercriminals and used for fraud, while hackers can use their access to companies’ systems to deploy ransomware or cause even more damage.

For example, the phone numbers and personal data of over half a billion Facebook users were leaked online this week, Insider reported. A Facebook spokesperson said the data was stolen years prior due to a vulnerability that let people scrape users’ data en masse in violation of Facebook’s terms of service. While that vulnerability was patched in 2019, the data’s sudden resurfacing shows how massive breaches can have lasting consequences.

Most of the biggest hacks in history stem from a handful of common issues. In their book “Big Breaches” published this month, cybersecurity experts Neil Daswani and Moudy Elbayadi note that all of the largest mega-hacks on record were caused by one of six recurring factors: phishing, malware, third-party compromise, unencrypted data, software vulnerabilities, and inadvertent employee mistakes.

“This is becoming more urgent than ever,” Daswani said during a press briefing Thursday. “Things seem to only be getting worse.”

Meanwhile, the cybersecurity industry is struggling to fill more than 500,000 open roles in the US alone. While lawmakers have been relatively slow to adapt to the need for more national cybersecurity, Congress is currently weighing several bills that would direct more federal cash towards cybersecurity.

Here are 11 of the most serious hacks in the US over the past decade that are still causing reverberating damage, ranked by the scale of the attacks and the severity of the data theft.

11. Hackers breached the insurance giant Anthem in 2015, stealing at least 78 million people's personal information.

The US’ second biggest health insurer disclosed in 2015 that hackers broke into its networks and stole personally identifying information of millions of current and former employees and customers.

Investigators suspected at the time that a hacking group backed by China could be responsible for the breach, Bloomberg reported.

10. JPMorgan Chase discovered a breach in 2014 that affected 83 million customers' personal information.

In one of the largest bank breaches in US history, hackers gained unauthorized access to JPMorgan Chase’s networks in 2014 after compromising Simmco, a separate web services firm that hosted one of the bank’s charity websites. 

Hackers didn’t steal any social security numbers or financial information, the bank said, but did make off with names, email addresses, home addresses, and phone numbers, raising concerns that the information could be abused for subsequent phishing scams or identity fraud.

Federal prosecutors later charged four people in connection to the breach — including two Israeli nationals and one American — and they are awaiting trial.

9. Throughout early 2021, hackers have exploited flaws in Microsoft Exchange Server to attack tens of thousands of companies — and we likely won't know the full scope of the attack for months.

Microsoft announced in March that hackers linked to the Chinese government were exploiting previously-undiscovered flaws in its Exchange Server email software to target thousands of companies across the US. Since then, security researchers say other cybercriminal groups with no connection to China have been exploiting the same flaws in a free-for-all of data theft.

While the full scope of the attack remains unknown, experts estimate that millions of people could be affected. There’s already evidence of second-order damage, like hackers deploying ransomware on victims who were already compromised and stealing information to use in phishing schemes.

8. Russian hackers infiltrated the networks of dozens of US agencies and major corporations in 2020 after compromising SolarWinds' Orion software.

Hundreds of organizations including major companies and the highest levels of the US government were breached in 2020 after hackers compromised software from IT firm SolarWinds and shipped malware to its clients through a software update.

The SolarWinds hack was carried out by a single sophisticated group with no profit motive other than spying on its victims, according to FireEye researchers who first uncovered the hack.

The full extent of organizations affected by the SolarWinds hack is still being determined. But the hack is notable for the high-profile organizations that fell victim – and researchers warn that the hackers are still active on victims’ networks, spying on their emails and developing new ways to evade detection.

7. Yahoo disclosed in 2016 that it had previously suffered two breaches that could have affected personal information of all of its 3 billion users.

Hackers compromised Yahoo’s networks in 2013 and 2014, stealing the names, birthdates, email addresses, and hashed passwords of all 3 billion of its users, the company first disclosed in 2016. It’s the largest data breach in history in terms of the number of people affected.

The hackers likely first gained access by sending an employee a phishing link, the FBI later concluded, but many details of the hack remain unclear because the attackers downloaded a “log cleaner” onto Yahoo’s networks that erased evidence of their activities.

The US Department of Justice later charged four Russians — two intelligence officials and two “freelance” hackers — with carrying out the attack. The Kremlin has denied that it had any involvement.

6. Target was hacked in 2013, exposing 40 million credit and debit card accounts.

Target was breached by cybercriminals who targeted a third-party heating and air conditioning contractor that the company had hired, according to independent cybersecurity journalist Brian Krebs.

After compromising that contractor’s systems, the attackers were able to push malware to Target’s point of sale systems, collecting the records of over 40 million credit and debit cards that customers swiped at checkout.

The breach occurred in 2013 and was disclosed in 2014, launching a Secret Service investigation.

5. Hackers breached Equifax in 2017, stealing highly sensitive information on 143 million customers.

Equifax disclosed in 2017 that it suffered a massive data breach impacting 143 million people.

Hackers stole their names, social security numbers, birth dates, addresses, drivers license numbers, and some people’s passport data. The company was forced to pay a $575 million settlement for failing to protect sensitive data.

Federal prosecutors later charged four Chinese military officers with carrying out the hack and stealing data, a claim that the Chinese government denied.

4. Marriott was hacked in 2018, with cybercriminals stealing over 500 million guests' personal information.

Half a billion former hotel guests’ names, addresses, credit card numbers, and phone numbers were stolen by hackers, as well as information on travel itineraries, like passport numbers and arrival and departure dates.

The FBI launched an investigation, with experts warning at the time that the hospitality industry was a top target for cyberattacks from state-backed hackers seeking travel information on high-profile guests. Details on the perpetrators of the hack remain scant, but unnamed security officials told The New York Times that they suspect China is behind it.

3. A hacker breached Capital One, stealing over 100 million people's personal info including social security numbers and bank account numbers

A hacker stole millions of credit card applications from Capital One after breaching its systems. 

The breach included highly sensitive data, including social security numbers and bank routing details. Federal prosecutors ultimately charged a Seattle software engineer who previously worked for Amazon Web Services in connection with the hack. 

2. A Facebook vulnerability made half a billion users' personal data up for grabs

Researchers revealed in April 2019 that a vulnerability in Facebook’s server configuration made it possible to scrape the personal data of users — like their phone numbers, names, Facebook IDs, likes, comments, and posts — in violation of Facebook’s terms of service.

Facebook patched the vulnerability in 2019, but the data has resurfaced in various forms since. In January, a cybercriminal created a bot that sold access to Facebook users’ phone numbers in exchange for a price, Motherboard reported.

Then, in April, the data of 533 million Facebook users was dumped en masse in a low-level hacking forum, making it free for anyone to access.

1. The real estate insurance giant First American accidentally leaked 885 million records from 2017 to 2019 including people's social security numbers and drivers license photos, resulting in criminal charges.

Real estate giant First American left social security numbers, tax documents, and more highly sensitive personal information exposed on publicly accessible web pages from 2017 until 2019, when Brian Krebs first reported the exposure, after which the company took the records down.

First American later determined that bots run by cybercriminals had scraped a large amount of the personal information before it was removed from the open internet. While the total number of customers impacted remains unclear, there were 885 million records exposed, all of which could have been accessed by cybercriminals.

The following year, New York Department of Financial Services regulators announced charges against First American for failing to protect the data, the agency’s first-ever cybersecurity enforcement action. First American has argued that the charges are “unfair” and that it will fight them in court.

 
