4 of the Biggest Company Data Breaches — and The Lessons We Can Learn

20 August 2019

For all the positives it provides, the internet can be a breeding ground for some less-than-ethical practices – with the dreaded data breach chief among them. An alarming and increasingly common feature of today’s digital age, data breaches have the potential to do serious damage to a business’ finances and public reputation.

Whether the goal is impersonation, fraud, blackmail or even power cuts, system and network vulnerabilities can easily be exploited in all manner of ways, putting even the most globally renowned businesses at risk.

To illustrate how much a data breach can impact a business – and how frequently they occur – we’ve created a list of the biggest company data breaches from the past few years. While they’re not necessarily the biggest in terms of records, we’ve opted to go for the largest in terms of how much risk they posed or the damage caused. 

And IT professionals take heed: this collection of cautionary tales also features some lessons you can apply to prevent similar breaches from taking place.

Yahoo


What happened?

Over the course of 2014, the erstwhile internet mega power was the victim of the biggest data breach in history. The hack compromised the real names, email addresses, dates of birth and telephone numbers of 500 million users. As an added bonus, this was preceded by an earlier hack in 2013 by another group of hackers that compromised the passwords and security questions – among other things – of 1 billion accounts.

How did it impact them?

Coming in the midst of negotiations to sell itself to Verizon, the timing of Yahoo’s breach wasn’t ideal. Years later, Yahoo stated that, all told, 3 billion user accounts had been compromised, and further figures paint a stark image of the impact:

  • An estimated $350 million was knocked off Yahoo’s sale price
  • As a result, Verizon paid $4.48 billion for its core internet business
  • As part of a settlement, Yahoo was ordered to pay $117.5 million

Its slow-to-report heel-dragging was, to put it mildly, a bit of a blunder. According to an internal investigation, Yahoo developers knew about the breaches as they happened but failed to report them. So, not only did the company have a breach to contend with, but its shoddy handling of the response didn’t exactly show it in the best light going into a negotiation.

What lessons can we learn?

If your company has experienced a data breach, then it’s a good idea to have it investigated as soon as possible. It’s not worth the PR nightmare if you’re slow to react.

In Yahoo’s case, it would’ve paid to be transparent with Verizon, too. So, a culture of openness and honesty with regards to clients and/or partners is a good idea.

Marriott International 


What happened?

In what is the largest known breach of personal data attributed to a nation-state, Marriott International announced in 2018 that cyber thieves (later attributed to a Chinese intelligence group) had stolen the data of approximately 500 million customers.

How did it impact them?

The breach occurred on systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016, and were only discovered in September 2018.

  • Names, contact information, passport numbers and travel information were all stolen
  • Credit card numbers and expiration dates of more than 100 million customers were also compromised
  • Found in breach of GDPR, Marriott was faced with a nearly £100 million fine

What lessons can we learn? 

If anything, this underlines the importance of GDPR. Even huge businesses like Marriott aren’t exempt from adhering to its requirements. Additionally, when dealing with other businesses in the way that Marriott and Starwood worked together, it’s important to carry out the appropriate due diligence to ensure all IT systems are secure.

Uber 


What happened?

Uber was taken for a ride in late 2016 when hackers gained access to the company’s GitHub account, finding username and password credentials that should never have been there in the first place.

How did it impact them?

Although the worst was yet to come for Uber, the two hackers made out like bandits. As a result of the breach, the following was compromised:

  • Names, email addresses and mobile phone numbers of 57 million users of the app
  • The driver license numbers of over 600,000 Uber drivers

While the hack was bad enough, Uber’s response to the breach was about as poorly handled as it gets. Not content with only revealing the hack to the public a year later, they actually paid the hackers $100,000 to destroy the data. Risky enough on its own, but there was also no way to verify that the hackers would actually go ahead with the destruction – a foolish move on Uber’s part.

One fired Chief Security Officer later, and Uber’s reputation was no longer as squeaky clean as it once was. In another example of bad timing, they were in talks to sell a stake to Softbank. Once sitting pretty with a valuation of $68 billion, by the time the deal was closed in December 2017 its valuation had dropped by $20 billion. Throw in a £385,000 fine and things got about as bad as they could for the ride-sharing titans.


What lessons can we learn? 

The credentials were found in a place they really shouldn’t have been, so if anything, the hack shows the importance of keeping sensitive information in the right place and safeguarding it properly.

And once more, it shows how valuable clear, prompt communication can be for your public perception.
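The Uber lesson above – credentials should never sit in a source repository – is the kind of thing a pre-commit check can enforce. The following is an added example, not code from the original article or from Uber: a small scanner that looks at staged file contents for common credential patterns and refuses the commit if any are found. The pattern set and the sample files are constructed for illustration; the key and password values in them are made up.

```python
import re
from typing import Dict, List, Tuple

# Illustrative detectors for credentials that should never be committed.
# Real scanners (e.g. gitleaks, trufflehog) carry far more patterns than this.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A password/secret/token name assigned a quoted literal of 8+ characters.
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

def scan_text(text: str, path: str = "<stdin>") -> List[Tuple[str, int, str]]:
    """Return (path, line_no, pattern_name) for every line matching a secret pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "# allowlist-secret" in line:   # explicit, reviewable opt-out marker
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, name))
    return findings

def pre_commit_check(files: Dict[str, str]) -> int:
    """Return 0 if no secrets were found in the staged files, 1 otherwise (git hook semantics)."""
    all_findings = []
    for path, content in files.items():
        all_findings.extend(scan_text(content, path))
    for path, line_no, name in all_findings:
        print(f"{path}:{line_no}: possible {name}; remove it and load it from a secrets manager")
    return 1 if all_findings else 0

# Constructed sample "staged files" (hypothetical paths; the values are not real credentials).
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'correct-horse-battery'\n"       # flagged: hardcoded_credential
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE0000000AA'\n"   # flagged: aws_access_key_id
        "TEST_TOKEN = 'placeholder'  # allowlist-secret\n"   # skipped via marker
    ),
    "README.md": "Set DB_PASSWORD via the environment, never in this repo.\n",
}

if __name__ == "__main__":
    raise SystemExit(pre_commit_check(SAMPLE_FILES))
```

Wired into a git pre-commit hook, a non-zero exit code blocks the commit before the credential ever reaches a shared repository.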

Stuxnet 


What happened? 

A data breach with a difference, Stuxnet actually refers to a malicious computer worm that was first uncovered in 2010, though it’s thought to have been in development since at least 2005. Designed to target Siemens SCADA systems, it was used to cause massive damage to Iran’s nuclear programme.

Though neither country has admitted responsibility, the worm is believed to be a joint American-Israeli cyberweapon. 

How did it impact them?

The worm targeted programmable logic controllers, which allow the automation of electromechanical processes such as those used to control machinery, as well as the use of centrifuges to separate nuclear material. As a result, Stuxnet caused: 

  • The destruction of approximately 984 uranium enrichment centrifuges, almost a fifth of Iran’s total
  • The infection of over 200,000 computers
  • The physical degradation of 1000 machines

Because of this damage, Stuxnet is said to be one of the largest breaches ever to have yielded physical results.

What lessons can we learn?

Aside from not developing nuclear weapons, the lesson here applies to any kind of computer-controlled machinery and software: it is essential that the appropriate security measures are in place. Though most of us aren’t dealing with anything on the same scale, the need to safeguard our own property and assets is made deeply apparent by this particular occurrence.

Offering collection from anywhere in the UK, CDL specialise in the secure disposal and recycling of computers, laptops and other electronic equipment. Call us today on 01925 7330033 to speak to a member of our team or fill out our online quote tool to obtain a free quote for your recycling and disposal needs.
