A year can’t go by without adding to the list of biggest data breaches in history, and 2016 was no different. ZDNet is reporting an estimated 2.2 billion records were exposed in 2016, with almost 3,000 public data breaches occurring during 2016 alone. As we close out the year, we examine some of the biggest recent cyber security breaches that took place, how they happened and what companies can do to prevent them from occurring again.
Yahoo (500 million accounts compromised)
What Happened: The Yahoo breach actually occurred in 2014, but it reared its big ugly head in September 2016 when the company confirmed the largest data breach in history. At stake in this data breach were names, email addresses, phone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. Thankfully, no credit card information was leaked as a result of the security breach. According to CNN, U.S. Senator Richard Blumenthal called for tougher legislation regarding prompt notification of security breaches in the wake of the attack, as it is assumed Yahoo knew about the attack as early as August.
LinkedIn (167 million accounts compromised)
What Happened: This was another story that goes back a few years. Back in 2012, it was believed a Russian hacker stole 6.5 million encrypted passwords from the professional networking site. Unfortunately, that wasn’t the end of the story. Turns out, 167 million additional email and password combinations were leaked four years later. By this time, LinkedIn had already urged users to change their passwords and another prompt was given in 2012. Just to stay on the safe side, users were asked again to change their passwords in 2016.
Trump Hotels (70,000 Credit Cards compromised)
What Happened: Just months before being elected President of the United States, Donald Trump’s hotel chain agreed to pay a $50,000 settlement penalty and revamp data security policies following a massive breach which exposed 70,000 credit card numbers and other customer information. The breach, which actually occurred in May of 2014, went unnoticed for over a year until hundreds of fraudulent credit card transactions were uncovered by the banks of former Trump Hotel guests.
Wendy’s (Credit Cards at 1,025 Restaurants)
What Happened: Point-of-sale systems were infected with malware during a 5-month period. Unusual credit card activity began to occur in February, while the malware that caused the breach wasn’t disabled until May. In June, additional malicious activity was discovered and removed. The malware was used to steal cardholder names, card numbers, expiration dates and other data. CVV codes were not at risk.
Weebly (Over 43 million accounts compromised)
What Happened: Weebly, a web hosting and drag-and-drop website builder, had 43 million accounts compromised in February, with knowledge of the attack surfacing in October. Weebly does not believe that financial information was stolen because it does not store credit card data on its servers; however, hackers were able to obtain usernames, passwords, email addresses and IP information. Bcrypt password hashing, however, prevented the hackers from being able to log in directly to customer websites.
AdultFriendFinder (412 million accounts compromised)
What Happened: 412 million people have some explaining to do after the X-rated hookup site was targeted by hackers for a second time, making last year’s Ashley Madison breach (which only affected 32 million accounts) look as innocent as a kiss. AFF had stored user passwords in a plain visible format with a secure hash algorithm (SHA-1), which is ironically not very secure.
The hack not only revealed the website’s vulnerabilities and user names and emails but also just how dumb many people are about passwords, evidenced by the fact that “123456” was used as a password over 1 million times by site users.
The Internal Revenue Service (Information on 700,000 Tax Payers)
What Happened: In February, the IRS announced that the breach they uncovered in May 2015 was much larger than they anticipated. Originally estimated to affect 100,000 taxpayers, it was announced that information on 700,000 was compromised when the IRS “Get Transcript” system was hacked. The IRS believes a sophisticated Russian criminal operation was responsible for the breach which was conducted to file fraudulent tax returns.
Snapchat (700 Current & Former Employees Affected)
What Happened: While it was not a large attack by any means, the way it was carried out compels us to include Snapchat on this list. Employees had their personal information stolen through a phishing scam which tricked users into emailing private data. The hacker posed as a Snapchat executive, simply requesting SSN and wage/payroll data. It is unclear who is responsible for the attack or how they plan on using this information.
How Companies can be Smarter About Data Protection in 2017
Recent cyber security breaches can teach us a lot about what companies need to do to protect their own confidential data and the data of their customers. Trust is something that is hard to re-establish, and many consumers will opt to stay away following a breach even if necessary steps are taken to resolve the problem.
In the case of Snapchat – NEVER send confidential information like your social security number or credit card number to anyone via email, even if you know and trust the source. AdultFriendFinder can teach companies to use more secure password hashing, while better antivirus and monitoring on all connected network devices can prevent a situation like the one Wendy’s encountered. Also, end users need to realize that 123456 or qwerty is no longer an acceptable password.
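Added example (not from the original article): the difference between the unsalted SHA-1 password storage described for AdultFriendFinder and the salted, deliberately slow hashing credited with protecting Weebly accounts. It uses scrypt from Python's standard library as a stand-in for bcrypt; the user names, passwords and cost parameters are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users picked the same weak password.
USERS = {"alice": "123456", "bob": "123456", "carol": "T4ble-lamp-Orbit!"}

# scrypt cost parameters (assumed values for this example; tune per hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def sha1_record(password: str) -> str:
    """Weak storage: unsalted, fast SHA-1. Same password gives same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def scrypt_record(password: str) -> tuple:
    """Stronger storage: random per-user salt plus a slow, memory-hard KDF."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, key


def scrypt_verify(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(key, expected)


def shared_digest_groups(records: dict) -> list:
    """Audit a credential table: which accounts have identical stored values?
    Any group here means one recovered password exposes every member."""
    groups = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(members) for members in groups.values() if len(members) > 1]


if __name__ == "__main__":
    sha1_table = {u: sha1_record(p) for u, p in USERS.items()}
    scrypt_table = {u: scrypt_record(p) for u, p in USERS.items()}
    print("SHA-1 duplicates: ", shared_digest_groups(sha1_table))
    print("scrypt duplicates:", shared_digest_groups(scrypt_table))
    print("login check:", scrypt_verify("123456", scrypt_table["alice"]))
```

With unsalted SHA-1, every account that chose "123456" stores the same digest, so the whole group falls together; with a per-user salt the stored values differ even when the passwords do not.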
Hackers just have it too easy when you’re careless about data.
Together in 2017, we can do our part to help prevent data breaches from occurring. Learn more about our Managed Network services and the solutions we provide small and medium-sized businesses in St. Louis. Contact us today.