Data breach stories have become the norm in present-day news headlines. However, we also remember a time when this wasn’t the case.
And just like other phenomena in our daily lives, it is constructive to examine the history of data breaches. Although they first started as something spontaneous and rare, they soon turned into carefully organized, mass-scale operations.
Starting from their emergence, the history of data breaches can be separated into three different periods:
- ‘infancy’ phase
- ‘blooming’ phase
- ‘mass production’ phase
Numbers show the growing value of personal data and online privacy. To attain personal information, cybercriminals target small and large companies alike. Still, the biggest data breaches inevitably happen when the most famous online brands fall victim to such offenders. Marriott International, Facebook, Equifax, and other popular companies have all suffered the consequences of these attacks.
The following statistics show how far-reaching this issue has become:
- Almost 15 billion records have been lost or stolen since 2013 because of data breaches.
- In 2017, 85% of all data breaches around the globe happened in North America.
- Over 5 billion records have been compromised in the first half of 2018 alone.
What is a data breach?
A data breach occurs when a hacker steals or uses sensitive information from a system without the authorization or knowledge of the system’s owner.
Since we are currently in the ‘mass production’ phase of data breaches, it stands to reason that at least some of your personal data could have been exposed in at least one breach. Such exposure ultimately leads to identity theft.
This is, perhaps, the most important reason why breaches should concern you, especially if you’ve shared your data with a company that suffered a data breach. When your identity gets exposed due to a data breach, you have every right to feel angry.
The origins of data breaches
When did data breaches become pandemic? The fact of the matter is, data doesn’t need to be and hasn’t always been stored in a digital form. However, digitalization has certainly made breaches a lot more damaging. Prior to digitalization, thieves and spies stole or photographed paper documents to obtain information.
But throughout history, valuable information often couldn’t be found in written form. For instance, did you know there were no written documents about catapults? Since catapults were like nuclear weapons in medieval times, all knowledge about their construction was communicated verbally.
However, once businesses and governments moved to storing and recording information digitally, things changed enormously. As a result, the ‘blooming’ phase of data breaches started sometime in 2005. That was the year Privacy Rights Clearinghouse started its chronology of data breaches, but it was significant for other reasons as well.
Namely, 1.5 million records containing credit card names and numbers were stolen in 2005 from customer accounts of the online retailer DSW.
Additionally, the same year, the first ever college data breach occurred. In January 2005, pictures, names, and Social Security numbers of over 30,000 students and staff were hijacked from George Mason University.
Biggest data breach in history
The biggest data breach in history involved Experian, one of the top three credit reporting agencies in the US. In March 2012, Experian acquired a company called Court Ventures, which collects and aggregates data from public records.
At the time of the acquisition, Court Ventures was a client of an enterprise called U.S. Info Search. The contract allowed Court Ventures to access U.S. Info Search’s data and discover personal addresses that would help find which court records to review.
As a result, Court Ventures sold such data to multiple third-party companies, including a Vietnamese fraudster service. The service let its own customers look up personal data of various American citizens, including personal financial data and SSNs, which were then used for identity theft.
Experian stated that after its acquisition of Court Ventures, the U.S. Secret Service informed them that Court Ventures had been reselling data from the U.S. Info Search database to different third parties, some of which were likely engaged in illegal activities.
The suspects posed as legitimate business owners and obtained access to U.S. Info Search data via Court Ventures even prior to the time Experian bought the company. Experian also added that none of its own databases were breached. In fact, U.S. Info Search databases were the actual source of the stolen consumer data.
News headlines cited that a staggering 200 million records were breached in this incident, which continued for more than 10 months after Experian bought Court Ventures. Although databreaches.net claimed 200 million was the total number of records stolen, the true number of records exposed is yet to be determined.
Other notable data breaches
Apart from the infamous Experian data breach, there have been quite a few breaches in history that compromised the personal information of millions of people.
The list of breaches continues with the case of Marriott International. In November 2018, the company stated that cybercriminals stole data from approximately 500 million of their clients. The breach actually happened on systems supporting Starwood hotel brands in 2014. The hackers crawled into the system after Marriott bought Starwood in 2016 and remained undiscovered until September 2018.
While some victims only lost contact information and names, the attackers also took passport numbers, travel information, Starwood Preferred Guest numbers, and other personal data.
Marriott International confessed that credit card numbers and expiration dates of more than 100 million individuals were taken, although the enterprise isn’t sure whether the criminals were able to decrypt the data. The most interesting thing about the incident is that some attribute it to a Chinese intelligence group looking to gather data on U.S. citizens.
Heartland Payment Systems
During 2008 and 2009, Heartland Payment Systems experienced a data breach that consequently compromised over 130 million records. This New Jersey payment processor had its data exploited via malware planted in its network, which recorded credit card data as it came in from retailers.
Data from more than 250,000 companies was then acquired by illegal third parties. The breach itself is considered the biggest credit card scam in history.
In 2013 and 2014, 3 billion Yahoo user accounts were compromised as a result of data breaches. What’s more, the incident wasn’t discovered until 2016.
During their negotiations to merge with Verizon in September of 2016, the internet giant announced it had suffered the biggest data breach in history, likely by “a state-sponsored party”.
The breach exposed email addresses, real names, dates of birth, and phone numbers of over half a billion users. The organization stated the “vast majority” of the passwords involved were hashed using the robust bcrypt algorithm.
However, three months later, an earlier record of a breach from 2013 by a different group of cyber-criminals was discovered. This breach compromised 1 billion accounts. Besides names, email addresses, and passwords, the security questions and answers were also exposed.
Then, a year later, Yahoo revised its estimate and admitted that, in fact, all 3 billion accounts were compromised.
Along with TransUnion and Experian, Equifax is one of the largest credit agencies in the US. In late July 2017, Equifax stated it had suffered a data breach which caused a leak involving the data of over 140 million Americans.
Although most of the exposed information was limited to dates of birth, names, and addresses, almost 210,000 credit card numbers were stolen as well. The hackers gained access by targeting one of the business’s US-based servers.
Surprisingly, it turned out that web application vulnerabilities from ten years ago are still some of the primary entry points for cybercriminals in modern data breaches. The breach was a major scandal, and the company’s CEO had to testify before Congress four times.
Facebook came under media fire in 2018 over a scandal involving Cambridge Analytica and what the company does with its users’ data. Then, Facebook technicians found a data breach in September 2018 and patched it two days later. Apparently, criminals managed to take access tokens – a type of digital security key.
The security keys enabled the attackers to take full control of 50 million user accounts. Moreover, they also logged in to third-party apps that use Facebook Login. According to the company, the breach exploited three bugs that were present in the platform’s “View As” feature.
Additional notable data breaches include:
- JP Morgan Chase, 2014 – Over 75 million households and over 7 million small companies were exposed, including their addresses, customer names, phone numbers, and email addresses
- Anthem, 2015 – Approximately 80 million customers were exposed, with names, Social Security numbers, and employment information
- Friend Finder Networks, 2016 – Over 410 million accounts, including passwords and email addresses
- eBay, 2014 – At the time of the breach, the company stated that the number of exposed accounts was unknown but asked all of its 145 million active users to change their passwords
- U.S. Office of Personnel Management, 2015 – Over 21 million federal employees’ personal data was compromised, along with sensitive information, including fingerprints and Social Security numbers