Data breaches can have devastating results, not just for those whose personal data has been compromised but also for the party at fault. In recent years, there has been an increase in regulation that seeks to minimise data breaches with new guidelines and new penalties for those that fail to comply. However, even with these new laws, such as the GDPR, data breaches are still very much a reality. But which have been the biggest data breaches discovered by cyber security researchers, and what can we learn from past mistakes? Let’s take a look.
Largest Data Breach in History
An 87GB package of 12,000 files comprising 772 million email addresses and 21 million passwords. This massive data breach was served on a plate to data hackers when the package was dumped on a popular hacking website – the perfect recipe for a cyber attack. The package was discovered by Troy Hunt, owner of Have I Been Pwned, in mid-December 2018. This data breach was actually a series of different breaches from nearly 3,000 websites. Dan Pitman from Alert Logic suggests that hackers use these kinds of lists for either login credential stuffing or identity theft, using all of the available user data to build up profiles of individuals.
Marriott Hotels Data Breach
A 2018 data breach at Marriott Hotels led to the compromise of over 300 million guests’ personal data. While the leak of payment card numbers and expiry dates posed the most immediate risks, passport numbers, dates of birth and email addresses were among the other sensitive information left open to cyber attackers. It was apparent that there had been unauthorised access to this account information since 2014, years before it came to light.
Marriott did respond quickly when the breach became public knowledge. It released a statement that outlined the action the company was taking and confirmed that security experts would help determine how the data breach might have occurred. It was soon revealed that it was the Starwood hotel network to which the hacker had access. While the hotel group did report the breach to the ICO itself, it still faces a fine of over £99 million for failure to comply with the General Data Protection Regulation (GDPR).
CV Leak by UK Recruitment Firm
UK recruitment agency Sonic Jobs made over 29,000 of its applicants’ CVs available for public viewing. This leak occurred when the firm made its Amazon Web Services (AWS) cloud storage public, meaning that anyone with the URL could view candidates’ CVs. Of course, by the very nature of these documents, this left personal data, such as phone numbers and email addresses, as well as detailed employment history, open to all.
Unfortunately, the argument that this was a mistake, albeit a serious one, doesn’t stand up here. According to Outpost24’s Cloud Security Director, “there is no excuse for such misconfiguration”. He says that the default settings for AWS are good enough and points out that there are tools that check for any misconfiguration, which the firm should have used.
The breach, discovered in October 2019, led to a review of AWS security, given that a number of organisations, including Verizon, GoDaddy and WWE, have also had misconfiguration issues.
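The misconfiguration check the Outpost24 director refers to can be as simple as inspecting a bucket’s policy and ACL for grants to everyone. The following is an added example, not code from the article, from Sonic Jobs or from any AWS tool; the bucket name, account id, policy and ACL are constructed, and in practice the inputs would come from the get_bucket_policy and get_bucket_acl API calls.

```python
"""Flag the two S3 settings that most often make bucket contents world-readable."""
import json

# Well-known AWS group URIs: granting to either makes objects public
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    # A policy Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Return the Sids of unconditional Allow statements that grant to everyone.

    Statements with a Condition block are not flagged here: a condition may
    narrow access (e.g. to a VPC) and needs a manual review rather than a rule.
    """
    policy = json.loads(policy_json)
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Allow"
        and _principal_is_public(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]

def public_acl_grants(acl):
    """Return (group, permission) pairs in an ACL that grant to a public group."""
    return [
        (g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS
    ]

# Constructed sample inputs (bucket name and account id are placeholders)
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicReadCVs", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cv-bucket/*"},
    {"Sid": "UploaderRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-cv-bucket/*"}]})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
```

Either finding on a bucket holding personal documents is the condition the article describes, and both are cheap to run as a scheduled check across every bucket in an account.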
Mumsnet Data Breach
As part of the company’s move to the cloud, there was a software change. However, this wasn’t as straightforward as it should have been and resulted in users logging in to strangers’ accounts when they went to use the platform. This wasn’t a short and isolated event, either – it happened to users that logged in between 2pm on 5th February 2019 and 9am on 7th February 2019. While a statement on the site said that 4,000 users were logged in during this time, it is unclear how many of these were affected by the breach. Those who were affected had access to a range of personal information, including the email address, account details and personal messages of the account they had been logged into. Passwords, however, were encrypted.
Mumsnet responded, once they had been informed by 14 affected users, by reversing the software change that had caused the mishap. The platform also forced logout for all user accounts to prevent any more users from being affected. It also took the appropriate action of reporting the event to the Information Commissioner within 72 hours of the discovery, and said that it would work quickly to understand how the breach happened and use these learnings to improve its processes.
Unfortunately, this wasn’t Mumsnet’s first experience of a data breach – it was affected by the “Heartbleed” bug in 2014, which required a reset of all 1.5 million user accounts on the platform.
Facebook’s Unprotected Server
Leaving a data server without a password, Facebook exposed 419 million of its users’ phone numbers, 18 million of whom were British. Having initially confirmed the breach in March 2019, the platform later admitted that the number of users affected was much higher than it first thought. This meant that anyone who came across the server would be able to access this information. These records also offered potential hackers other personal information, such as users’ names, gender and country location.
In this case, there was no evidence that any accounts were compromised as a result of these failures, but Facebook has now removed the data set.
While the GDPR has introduced tougher penalties for companies that do experience a security breach, many of the UK’s biggest data breaches happened after the introduction of tighter regulation. This means that, while organisations are likely to act faster to report a breach, regulation alone doesn’t reduce the likelihood of a breach. If these breaches teach organisations anything, it’s that they should pay even closer attention to their cyber security processes, ensuring that passwords are secure and files are encrypted to protect user data.
With over 23 years’ industry experience, EOL IT Services are proud to be the UK’s most accredited ITAD supplier. We possess the skills, accreditations and experience to handle our clients’ data with the care they deserve, and to dispose of it responsibly and legally.
Contact us today on 0845 600 4696 or visit https://www.eolitservices.co.uk/services/it-asset-disposal/ to find out how we can help you dispose of your data safely and reliably.