Every day, billions upon billions of pieces of personal data fly across the Internet. We trust the companies we do business with, our governments, our utility companies, our employers, and our health care providers to govern our data religiously, keeping it safe from prying eyes and would-be cybercriminals. We like to believe it’s safe because the organizations we trust are masters of security. They spend enormous sums of money to protect our data as securely as possible.
Except when they don’t.
Trusting the wrong third-party vendor, being oblivious to hacks, and a laundry list of other reasons make your data exceptionally vulnerable. The power of data is off the charts, so when that power falls into the wrong hands, it takes millions of dollars and years upon years to sort out.
What stagecoach robbery was to the Wild West, data hacking is to the 21st century. Companies operating digitally face the daily threat of data breaches, stolen passwords, inside jobs, and more that can ruin their profit margins, expose their data, and destroy their branding. Without top-flight security systems that evolve at the same rate as, or faster than, the hackers they are seeking to keep out, companies run the risk of losing everything.
About the only silver lining for the hacked is the realization that there are flaws in the system that need to be fixed so it doesn’t happen again. For everyone else, it’s a bit like watching a train wreck. You know it’s going to be terrible but you just can’t look away. What have been the consequences of the worst data breaches in history? Here’s a look at five of the all-time worst and what we can learn from them for the future of data security.
The Facts: The company people trust with their credit reports came off looking like the ultimate sleazeball. In May 2017, hackers broke into Equifax’s database and exposed the names and dates of birth of 146.6 million people. Of those, 145.5 million also had their Social Security numbers exposed.
Those three pieces of data are easily enough for a cybercriminal to begin making fake IDs and applying for credit cards in someone else’s name. The hack was not discovered until July 29th, and the company decided not to mention it to the public until September 7th.
In between the hack being discovered and the public announcement, three Equifax executives (John Gamble, Rodolfo Ploder, and Joseph Loughran) combined to sell $1.8 million of their personal shares of the company.
Lesson Learned: Update your security! The Apache Foundation made Equifax aware of a security vulnerability in a web app in March 2017, two months before the hack occurred. Equifax ignored the patch, even when the fix was shared with it. Equifax’s stock was trading at $141/share the day before the announcement was made, and the price dropped 35% over the next 12 days. Even nine months later, it has not returned to the original mark.
JP Morgan Chase (2014)
The Facts: Incredibly, 83 million individuals and businesses had their information compromised because of one JP Morgan employee having their login credentials stolen by a hacker. Normally that wouldn’t have been a big deal because JP Morgan was using two-step authentication, but it had not made that update to all of its servers.
Despite spending $250 million a year on digital security, the company was oblivious as hackers logged in and set up malware that devoured gigabytes of information. It was only discovered by a routine security check months later.
Lesson Learned: Throwing money at a problem isn’t going to solve it if you don’t know what you’re doing. Spending one-quarter of a billion dollars a year didn’t help JP Morgan realize that it was lacking updates on one of its servers.
Also, change your passwords! Three months passed between theft and detection, during which time the same username and password got the hackers into the system day after day.
The Facts: Once king of the Internet, Yahoo fell on hard times once Google entered the fray. Things got even worse in 2016 when the Yahoo passwords of 200 million people appeared for sale on the Dark Net. Yahoo did not make an announcement about the hack until two media outlets questioned it.
That September, Yahoo announced it believed the hack to be state-sponsored and that 500 million accounts had been compromised. A few months later, it admitted another hack had occurred three years earlier. Verizon was in the process of buying Yahoo for $4.8 billion, but shaved $350 million off its offer after the reveal.
In 2017, Verizon had the tough job of revealing that in fact all 3 billion Yahoo accounts had been compromised during the 2013 hack. Four Russian hackers were eventually charged with the crime.
Lesson Learned: Just like Enron’s “too big to fail” mantra of the early 2000s, Yahoo thought itself too big to get hacked. Yahoo was so out of the loop that it took media requests for comments on the hack for the company to even realize there was a hack. No matter what size your company, hackers can and will find you if your security is lacking.
The Facts: Allowing a third-party vendor to access its enormous database was Target’s death knell during the 2013 holiday shopping season. In just 19 days, hackers stole the credit card data of 40 million Target customers who had used credit or debit cards at the store’s physical locations.
The breach cost the CEO and CIO their jobs and the company lost $202 million. A lengthy investigation saw the company pay out an additional $18.5 million in claims, then spend millions more developing a completely new security system to protect customer information.
Lesson Learned: Be careful who you let in the door. Target had great security set up to keep out hackers, but it gave its third-party vendors a complete run of the place, and that cost it dearly. Two top-level executives lost lucrative jobs and Target, one of the more popular American retailers, saw its brand recognition plummet.
Heartland Payment Systems (2008)
The Facts: Heartland Payment Systems was processing about 100 million payment card transactions a month as late as March 2008, but nine months later both Visa and Mastercard warned the company of suspicious transactions being recorded on accounts the company was running.
The truth came out shortly thereafter that hackers had been in Heartland’s system since 2006. The criminals in question had used an SQL injection to access information from back-end databases using destructive code. From there, the hackers installed spyware to steal credit card and Social Security numbers.
The lack of security protocol meant Heartland was out of compliance with the Payment Card Industry Data Security Standard (PCI DSS). It was ruled ineligible to process major credit card transactions for an entire year and paid an estimated $145 million in compensation.
Lesson Learned: Listen to the experts. Up until Heartland’s nightmare scenario, SQL injection was an old wives’ tale for corporations. It was a theory of how hackers could break into companies, but nobody had ever seen it done on such a large scale.
Security experts had warned about it, but most firms didn’t see the point in investing the budget in it. Heartland was the wake-up call that data security and cybercriminals were not just something that made for good movie and TV show plots, but a real danger that needed a real solution.