The Independent’s journalism is supported by our readers. When you purchase through links on our site, we may earn commission. Why trust us?
Data breaches have become a common occurrence, especially as many of our interactions are situated online, sprinkling our browsing habits across the web. In recent years, large companies and corporations have fallen victim to hacks or data leaks and, unfortunately, hackers have been able to adapt and evade security measures.
There have been a number of occasions where a company’s security precautions weren’t up to scratch and an attacker exploited the weakness, compromising customer data. This is what’s known as a data breach: it typically consists of a third party accessing confidential or sensitive information, such as names, addresses, payment information or data that reveals political or religious opinions.
We’ve rounded up the top 10 data breaches since 2000, covering vast quantities of stolen user data, potentially damning information and large settlements paid by companies to rectify the breaches.
| Top 10 data breaches | Affected |
|---|---|
| Yahoo! | 3 billion accounts |
| LinkedIn | 700 million records |
| Marriott International | 500 million customers |
| Adult FriendFinder | 412 million users |
| MySpace | 360 million accounts |
| Equifax | 163 million records |
| eBay | 145 million users |
| Heartland Payment Systems | 130 million records |
| Target | 110 million customers |
| TJX Companies | 94 million customers |
Yahoo!
Date: August 2013
Company type: Web service
Affected: 3 billion accounts
Yahoo announced in 2016 that it had suffered a breach in 2013, exposing personal information – including names, email addresses, phone numbers, birthdates and, in some cases, unencrypted security questions and answers – of 3 billion user accounts.
Initially, while Yahoo was in the process of being acquired by Verizon, the breach was estimated to have affected over one billion Yahoo accounts. After the acquisition by Verizon was completed in 2017, Yahoo declared in October that year that the 2013 breach had affected 3 billion users. Yahoo said the previous estimate had not taken into account a newly identified security issue, and emails were subsequently sent to the additional affected user accounts.
The deal with Verizon was completed, despite the breach, but this did negatively affect the price. Verizon’s CISO stated that: “Verizon is committed to a high standard of transparency and accountability and will work tirelessly to provide a safe and secure service.” Following the attack, it was discovered that no payment card or bank data was stolen.
Yahoo also suffered a data breach in 2014, affecting 500 million accounts, and cookie-based attacks through 2015 and 2016. In 2016, around 200 million further Yahoo! accounts were leaked, including names and passwords.
LinkedIn
Date: 2021
Company type: Professional networking platform
Affected: 700 million user accounts
Professional networking platform LinkedIn announced that a collection of data had been scraped – imported from the website into files – from its archives in June 2021. The scraped data covered approximately 700 million LinkedIn users, estimated to be around 90 per cent of the platform’s users. Included in the archive of stolen data were users’ IDs, email addresses, phone numbers, full names and workplace information.
LinkedIn’s Application Programming Interface (API) was exploited by a third party in order to gain access to the personal data of LinkedIn users. The hacker, using the username TomLiner, publicised the stolen data, which they confirmed had been scraped via the API, and put it up for sale on a darknet forum, where it’s believed to have been marketed for $5,000.
No passwords were included in the stolen data. LinkedIn has stated that it takes users’ privacy and security seriously and will continue to invest in the safety of its users.
Marriott International
Date: 2014 – 2018
Company type: Hospitality
Affected: 500 million
The Marriott International data breach was a cyberattack that affected approximately 500 million customers. The breach took place in 2014, but wasn’t discovered until 2018 when an internal security tool noticed a suspicious attempt to access the guest reservation database for Marriott’s Starwood brand.
Starwood Hotels was acquired by Marriott in 2016, but an internal investigation revealed the Starwood network had been compromised in 2014, before the acquisition. Starwood was still running its legacy IT infrastructure and had yet to be fully integrated with the Marriott systems, and this weakness was exploited. The breach involved hackers encrypting data from the Starwood systems, comprising 500 million guests’ records: guest names, mailing addresses, passport numbers, email addresses, phone numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates and communication preferences.
Following the internal investigation, assisted by security experts, Marriott announced plans to phase out the Starwood systems and tighten security measures within its network. Marriott was fined £18.4 million (reduced from £99 million) by the Information Commissioner’s Office (ICO), the UK’s data protection regulator, in 2020.
Adult FriendFinder
Date: 2016
Company type: Adult entertainment
Affected: 412 million users
The FriendFinder network owns six databases, including the adult entertainment site, Adult FriendFinder. The network suffered one of 2016’s worst data breaches, where cybercriminals stole data from more than 412 million users’ accounts – including historical data from 15 million accounts. The breach involved email addresses, passwords, names and sexual preferences from the 414 million user accounts.
Following the breach, FriendFinder notified users about the attack by email, but not until a week later. The company advised users to change their passwords, but the site’s passwords were not case-sensitive, which made them easier for attackers to crack.
The site had previously been hacked in 2015, exposing 3.5 million users’ information. If security protocols were not updated after that incident, the FriendFinder network would have remained an easy target for subsequent attacks.
MySpace
Date: 2013
Company type: Social media site
Affected: 360 million accounts
Popular noughties social media site MySpace was the go-to place online before losing out to sites like Facebook and Instagram. Although its usage had dwindled, in 2016 it was reported that 360 million accounts were leaked onto LeakedSource.com, as well as being shared on the dark web market, The Real Deal. Accounts could be purchased for 6 bitcoin (around $3,000 at the time).
MySpace revealed the lost data, including passwords, email addresses and usernames for some accounts, was created before June 2013 on the old MySpace platform – a new version of MySpace went live in October 2013. To protect users, the social media platform invalidated passwords for the affected accounts. This meant these users would need to authenticate their accounts and reset passwords.
Equifax
Date: 2017
Company type: Credit reporting agency
Affected: 163 million people
One of the largest credit reporting agencies in the United States, Equifax, experienced a large-scale data breach involving 163 million people. In 2017, personally identifying data was stolen from Equifax, including names, social security numbers, birth dates and addresses.
An investigation into how the breach occurred highlighted a number of security issues that allowed hackers to enter secure systems and extract terabytes of data. The initial attack came through a consumer complaint web portal, using a widely known vulnerability that Equifax should have patched. From there, the hackers could move between servers to locate usernames and passwords that were stored in plain text. Data was stolen over a period of months without Equifax detecting it, because the company had failed to renew an encryption certificate on a crucial security tool.
It wasn’t until a month after the breach was identified that Equifax publicised it. Infosec experts began monitoring dark web sites, waiting for large quantities of data to be dumped but, fortunately, this never happened. This spurred a widely accepted theory that Equifax was breached by Chinese state-sponsored hackers whose purpose was not theft, but espionage.
eBay
Date: 2014
Company type: eCommerce
Affected: 145 million users
A cyberattack compromised the customer data of 145 million eBay users in 2014, which prompted the online commerce site to ask customers to change their passwords.
The breach occurred in February and March 2014; hackers compromised a small number of eBay employees’ log-in credentials, allowing unauthorised access to eBay’s network. The stolen data included names, addresses, dates of birth and encrypted passwords, but the company stated that no financial information, including credit card numbers, was stolen.
A hacking group named the Syrian Electronic Army claimed it had access to the names, telephone numbers and passwords of eBay’s 128 million users, making it one of the most significant data breaches at that time. It took eBay two months to discover the attack and a further two weeks to disclose it to its users.
Heartland Payment Systems
Date: 2008
Company type: Credit card processor
Affected: 134 million
Heartland Payment Systems, a payment processing company, suffered a cyberattack in 2008 that exposed the credit and debit card details of around 134 million individuals. It was one of the most significant data breaches of its time, with some of the most sensitive data being stolen and then misused, for example in identity theft.
The breach at the payment processing company, whose products include loyalty cards, mobile payments and payment processing, affected a number of merchants and resulted in Heartland paying out roughly $140 million in fines and other penalties. The breach also led to one person’s imprisonment: Albert Gonzalez was arrested, found guilty in connection with the cyberattack and sentenced to 20 years in federal prison.
Target
Date: 2013
Company type: Major retail corporation
Affected: 110 million customers
During one of the busiest times of the year in the United States, major retailer Target suffered a large-scale data breach. Between Thanksgiving and Christmas 2013, approximately 110 million customers’ credit and debit card information was compromised.
During the investigation, it was discovered that hackers had accessed Target’s gateway server using credentials stolen from a third-party vendor. Target began to notify its customers around 20 days after the breach and also issued new chip-and-PIN cards in a bid to ramp up security measures.
In total, it’s estimated the Target data breach cost $200 million. On top of the hefty cost of the breach, Target’s earnings took a beating too; it’s believed revenue fell by around 46 per cent, most likely because customers were unwilling to hand over confidential information in case the retailer suffered another breach.
TJX Companies
Date: 2005
Company type: Retail
Affected: 94 million customers
Multinational clothing and home goods retailer TJX Companies – the parent company of T.J. Maxx and Marshalls – was involved in one of the biggest hacks of its time. Although the hack took place in 2005, it was not discovered until 2007. Over an 18-month period, hackers were able to expose confidential and personal information, including the credit and debit card details of TJX customers.
Initially, the hackers accessed the TJX network in 2005 via a Wi-Fi connection at a physical store and, eventually, were able to install a sniffer program to capture cardholder data as it was transmitted over the network unencrypted.
The hacking group comprised 10 individuals based around the world and was led by Albert Gonzalez, who was working as a confidential informant for the US Secret Service at the time. Gonzalez went on to be involved in several other attacks, including the Heartland Payment Systems attack.
TJX paid $9.7 million to 41 US states in a settlement, and the attack prompted regulators to seek legislation requiring retail companies to be responsible for customer data compromised in their systems. TJX denies having been negligent, but in court the company was accused of being non-compliant with nine of the 12 Payment Card Industry Data Security Standard (PCI DSS) requirements.