Famous Data Breaches and What Your Business Could Learn From Them
A data breach can be a costly incident for any company. As security executive Stephane Nappo once put it, “It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.” Years of hard work can be washed away by a single breach.
Protecting your clients’ information therefore also protects your company’s name. This article analyzes ten famous data breaches, focusing on how each company handled the incident and its disclosure, and draws out the lessons so your business can both prevent such events and respond well if one happens.
Data Breach #10: NetEase
In October 2015, NetEase, a Chinese email provider, suffered a breach in which 235 million user accounts, including usernames and passwords, were offered for sale on the dark web. The seller was a dark web vendor known as DoubleFlag.
To this day, the firm denies the breach ever happened and describes the data as “unverified.” DoubleFlag was selling user data from other companies at the same time, which earned the episode the moniker “The Big Asian Leak.”
Stonewalling a data breach is a dangerous approach. Of course, no company wants to admit a data breach occurred. Nevertheless, denying it only magnifies the problem.
Companies should acknowledge the possibility of an attack. Then, firms must reassure their users by outlining the steps they are taking to solve the matter.
Please keep in mind that trust can evaporate instantly.
Data Breach #9: MySpace
Before Facebook, MySpace was the go-to social media site worldwide. Its popularity slowly dwindled as other social networks rose, and by 2016 MySpace was a shell of its once-dominant self.
The stolen data dated from a 2013 compromise, but it only surfaced in 2016, when information on roughly 360 million accounts appeared on the website LeakedSource.com and went on sale on the dark web. The reported asking price was six Bitcoin (approximately $3,000 at the time).
MySpace later acknowledged the breach, stating that the affected accounts had been created before June 2013 on an earlier version of the platform that lacked the security protections of the current one.
The company invalidated the passwords of all affected accounts, so those users had to re-authenticate and set new credentials before signing in again.
MySpace was upfront: it explained what happened and how it happened, and it took immediate action to remedy the situation.
It is always good practice to be transparent about a data breach. Most importantly, companies should explain what happened and how it affects their users. Remedial measures of this kind help restore confidence in the company.
Data Breach #8: Adult Friend Finder
Adult Friend Finder is a well-known casual hookup site. It quickly gained popularity, adding millions of users monthly, thanks to advertising across various adult-content sites and platforms.
In October 2016, hackers stole more than 20 years of user records from six FriendFinder Networks databases, some 412 million accounts in all.
The exposed data included usernames, email addresses and passwords, compromising users’ real identities. The data found its way to LeakedSource.com, which reported that passwords had been stored either in plaintext or as unsalted SHA-1 hashes, a scheme that is trivial to crack with off-the-shelf tools. Weak password storage did not cause the intrusion, but it turned a stolen database into hundreds of millions of usable credentials and exposed how poorly the site had protected its users.
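To make the password-storage point concrete, here is an added example (not code from Adult Friend Finder or from this article) that contrasts unsalted SHA-1 with a salted, deliberately slow key derivation. The user names, passwords and wordlist are constructed for the demonstration; the hardened form uses Python’s standard-library scrypt, and the `scrypt$n,r,p$salt$hash` storage string is a format chosen for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample: a tiny "leaked" table of unsalted SHA-1 password hashes, the
# scheme Adult Friend Finder was reported to use. Users and passwords are made up.
LEAKED_SHA1 = {
    "alice@example.com": hashlib.sha1(b"password1").hexdigest(),
    "bob@example.com": hashlib.sha1(b"letmein").hexdigest(),
    "carol@example.com": hashlib.sha1(b"Tr0ub4dor&3").hexdigest(),
}

# A constructed wordlist standing in for the multi-gigabyte lists attackers use.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "iloveyou"]


def crack_unsalted_sha1(leaked: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Reverse unsalted hashes with one precomputed table.

    Without a salt, every user who chose the same password has the same hash, so the
    attacker hashes each wordlist entry once and looks up every account at O(1) cost.
    """
    table = {hashlib.sha1(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


# Hardened form: per-user random salt plus a memory-hard, tunable-cost KDF.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # n: CPU/memory cost, r: block size, p: parallelism


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return 'scrypt$n,r,p$<salt hex>$<digest hex>' using a fresh 16-byte random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    params = "{n},{r},{p}".format(**SCRYPT_PARAMS)
    return "scrypt${}${}${}".format(params, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters, compare in constant time."""
    try:
        scheme, params, salt_hex, digest_hex = stored.split("$")
        n, r, p = (int(x) for x in params.split(","))
    except ValueError:
        return False  # malformed or foreign record: never "verify" it
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=n, r=r, p=p, dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def store_users(credentials: dict[str, str]) -> dict[str, str]:
    """Hash a {user: password} mapping the hardened way; identical passwords get distinct records."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


if __name__ == "__main__":
    print("cracked from the SHA-1 dump:", crack_unsalted_sha1(LEAKED_SHA1, WORDLIST))
    records = store_users({"bob": "letmein", "dave": "letmein"})
    print("same password, different records:", records["bob"] != records["dave"])
    print("login check:", verify_password("letmein", records["bob"]))
```

The first function shows why unsalted fast hashes are effectively plaintext: a single pass over a wordlist reverses every account that chose a common password, and identical passwords produce identical hashes across users, so one hit is a hit for everyone. The salted, memory-hard version forces the attacker to repeat the expensive derivation per user and per guess, and the constant-time comparison avoids leaking how many bytes of the digest matched.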
In November 2016, Adult Friend Finder’s vice-president Diana Lynn Ballou told the media that the company was investigating the breach and would notify affected users.
The company never did.
Users found out through the third-party site LeakedSource.com about the breach’s confirmation.
Adult Friend Finder failed to disclose the possible breach to its users. As such, users found out about the breach through third-party sites. As a result, all trust in the company evaporated. The generic response offered did little to reassure users.
Companies should communicate with users as soon as there is reasonable suspicion of a breach. Better to raise an alarm that turns out to be false than to fall asleep at the wheel. Sites that collect user data must reassure their users before word gets out.
Ultimately, taking a proactive approach is the best way to maintain users’ trust despite a data breach.
Data Breach #7: Equifax
Credit reporting agency Equifax handles millions of consumers’ records daily, which makes it a prime target for cybercriminals. In 2017, attackers breached Equifax in what became one of the most famous data breach cases.
In September 2017, Equifax announced that it had suffered a data breach. The personal information of about 147 million consumers, including names, Social Security numbers, birth dates and addresses, was exposed.
Following the breach, Equifax pledged to make things right. Then-CEO Rick Smith publicly apologized in a video message and vowed to “build a stronger company.” What concrete actions stood behind that promise was never made clear.
Equifax’s critics have blasted the company. Senator Elizabeth Warren stated, “Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information.”
In the end, Equifax settled with the Federal Trade Commission, the Consumer Financial Protection Bureau and state attorneys general. The settlement included up to $425 million for a fund to compensate affected consumers in the United States.
Equifax paid dearly for its lack of data security. The attackers got in through a web application vulnerability for which a patch had been available for months, and the company waited more than a month after discovering the intrusion before telling the public. The apology did little to rectify the situation, and Equifax ultimately paid a sizeable settlement.
Companies must make amends for any damage resulting from a data breach, and those actions should aim to protect users. Firms must also present their customers with clear measures following the breach. In doing so, businesses can avoid extremely costly mistakes.
Data Breach #6: Marriott International
In November 2018, the hotel chain Marriott International announced a breach of its Starwood guest reservation database, affecting the records of up to 500 million guests.
The chain stated, “On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to determine what occurred.”
Marriott later disclosed that unauthorized access to the Starwood network had begun in 2014, four years before the company detected it during the investigation. The New York Times reported that investigators attributed the attack to Chinese state intelligence hackers gathering information on US citizens.
Marriott got it right by being forthcoming with the public. The chain also announced it was retiring the Starwood reservation system and moving guests onto its own. Most importantly, Marriott admitted its mistakes and laid out a plan to remedy the situation.
In the business world, there is nothing wrong with admitting a mistake. The problem lies in trying to cover it up or standing idly by. Marriott instead was transparent and publicly took the steps necessary to avoid another breach.
Data Breach #5: Facebook
Even corporate giants are susceptible to data breaches. In April 2019, researchers reported that two datasets of Facebook user data, collected by third-party app developers, had been left publicly accessible on Amazon cloud storage; they included personal information such as names and Facebook IDs.
Separately, in April 2021 a dataset covering roughly 533 million accounts, with names and phone numbers, was posted for free on a hacking forum. That data had been scraped in 2019 by abusing the contact-import feature.
Initially, Facebook did not disclose any information on the leaked data. The company only responded once reports gained momentum across news sites and social media, and it became evident that Facebook was slow to react.
Facebook has since said that the scraping exploited a contact-importer feature it had changed in 2019, and the exposed third-party datasets were taken down. Nevertheless, the company first tried its best to ignore the problem, hoping it would go away.
Large corporations often react slowly. Usually, their size makes it difficult to implement a quick response. Other times, massive firms believe they have the right systems in place. As a result, a data breach is the last thing they suspect.
It is crucial for all companies, big and small, to take data security seriously. Anyone can be vulnerable to a data leak. The Facebook incidents show that cybercriminals will use any means available, including abusing legitimate features, to get at data. Routine monitoring is therefore necessary to ensure appropriate data security.
Data Breach #4: Sina Weibo
Sina Weibo, with more than 600 million users, is one of China’s biggest social media companies, which makes it a prime target for hackers.
In March 2020, reports emerged that hackers had obtained a large chunk of Weibo’s user database and were selling it on the dark web for around $250. The listing reportedly covered some 538 million users, with usernames, real names, gender, location and phone numbers; reports differed on whether passwords were included.
The firm acknowledged the incident in a statement, saying its engineers had noticed accounts uploading large batches of contacts in an attempt to match phone numbers to user accounts through the address-book matching feature.
Weibo later added that it does not store user passwords in plaintext, so users need not worry about their accounts. That second statement, however, did not explain how the attackers had obtained other personal data such as gender, location or real names.
Security experts criticized the company’s response as sending mixed messages, particularly after users confirmed that the leaked data was accurate.
Admitting the data breach is a great first step. Nevertheless, the message must be consistent throughout the process. Conflicting messages may quickly lead experts and the public to lose confidence in the company.
In this case, Sina Weibo failed to keep a consistent narrative, and as a result security experts doubted the firm had a clear picture of what had actually happened.
Confidence relies on consistent communication, so firms must tell the truth as fully as they can.
Each update should add detail rather than contradict the previous statement; that is how the public comes to perceive the firm as professional.
Data Breach #3: LinkedIn
One of the most recent high-profile incidents hit LinkedIn in June 2021, when records on a reported 700 million users, roughly 90% of its user base, were offered on a dark web forum.
Reportedly, a hacker using the alias “God User” obtained the data by scraping public profile information at scale (through LinkedIn’s own API, according to the seller) rather than by breaking into LinkedIn’s systems. An earlier batch covering 500 million users had appeared in April 2021; the June listing brought the total to 700 million.
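Weibo’s account of bulk contact uploads (above) and the LinkedIn scraping describe the same abuse pattern: a legitimate feature (address-book matching, public profile lookups) driven at a volume no real user produces. The following is an added example, not code from Weibo, LinkedIn or this article, of the kind of detection logic a platform can run over its own request logs. The log format, the `/api/contacts/match` endpoint name, the thresholds and the sample lines are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not real Weibo or LinkedIn telemetry). Each line is one
# call to a hypothetical address-book matching endpoint: who called it, how many phone
# numbers the request tried to resolve, and how many resolved to an account.
SAMPLE_LOG = """\
2020-03-19T10:00:01Z ip=203.0.113.7 user=u1001 endpoint=/api/contacts/match submitted=48 matched=12
2020-03-19T10:00:03Z ip=198.51.100.23 user=u2002 endpoint=/api/contacts/match submitted=1000 matched=611
2020-03-19T10:00:04Z ip=198.51.100.23 user=u2002 endpoint=/api/contacts/match submitted=1000 matched=598
2020-03-19T10:00:05Z ip=198.51.100.23 user=u2003 endpoint=/api/contacts/match submitted=1000 matched=587
2020-03-19T10:00:06Z ip=198.51.100.23 user=u2004 endpoint=/api/contacts/match submitted=1000 matched=605
2020-03-19T10:00:40Z ip=203.0.113.9 user=u1005 endpoint=/api/contacts/match submitted=120 matched=33
2020-03-19T10:01:10Z ip=203.0.113.7 user=u1001 endpoint=/api/profile/view submitted=1 matched=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) endpoint=(?P<endpoint>\S+) "
    r"submitted=(?P<submitted>\d+) matched=(?P<matched>\d+)$"
)

MATCH_ENDPOINT = "/api/contacts/match"  # hypothetical endpoint name for this example

# Policy assumptions for the example: a real address book is a few hundred entries and is
# synced occasionally, so these limits catch bulk enumeration without hurting normal users.
WINDOW_SECONDS = 60
MAX_IDENTIFIERS_PER_WINDOW = 500    # phone numbers one source may try to resolve per window
MAX_ACCOUNTS_PER_IP_PER_WINDOW = 2  # one IP driving many accounts suggests an account farm


def parse_line(line):
    """Parse one log line into a dict, or return None for a line in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["submitted"] = int(rec["submitted"])
    rec["matched"] = int(rec["matched"])
    return rec


def detect_enumeration(log_text, window=WINDOW_SECONDS,
                       max_ids=MAX_IDENTIFIERS_PER_WINDOW,
                       max_accounts=MAX_ACCOUNTS_PER_IP_PER_WINDOW):
    """Return {ip: {signal: peak value}} for sources whose matching traffic looks like enumeration.

    Per source IP, keep the match-endpoint events of the last `window` seconds and check two
    things bulk scraping cannot avoid: the total number of identifiers it asked the platform to
    resolve, and the number of distinct accounts it used. Other endpoints are ignored.
    """
    recent = defaultdict(list)    # ip -> [(timestamp, user, submitted)] inside the window
    findings = defaultdict(dict)  # ip -> {"identifiers_in_window": n, "accounts_in_window": n}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["endpoint"] != MATCH_ENDPOINT:
            continue
        bucket = recent[rec["ip"]]
        bucket.append((rec["ts"], rec["user"], rec["submitted"]))
        cutoff = rec["ts"].timestamp() - window
        bucket[:] = [ev for ev in bucket if ev[0].timestamp() > cutoff]  # expire old events
        total_ids = sum(ev[2] for ev in bucket)
        accounts = {ev[1] for ev in bucket}
        hit = findings[rec["ip"]]
        if total_ids > max_ids:
            hit["identifiers_in_window"] = max(hit.get("identifiers_in_window", 0), total_ids)
        if len(accounts) > max_accounts:
            hit["accounts_in_window"] = max(hit.get("accounts_in_window", 0), len(accounts))
    return {ip: hit for ip, hit in findings.items() if hit}


if __name__ == "__main__":
    for ip, signals in detect_enumeration(SAMPLE_LOG).items():
        print(ip, signals)
```

The check is a sliding window per source IP on two signals that bulk enumeration cannot avoid: how many identifiers the source asks the platform to resolve, and how many distinct accounts it drives. A real deployment would key on more than the IP (account age, API key, device fingerprint), add the match rate as a third signal, and feed the findings into rate limiting and account review rather than only reporting them.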
In response, LinkedIn stated that no sensitive information had leaked. However, the data in the forum listing included personal details such as gender, location and links to other social media accounts, aggregated from profiles and other sources.
An official statement from LinkedIn read, “this was not a LinkedIn data breach, and our investigation has determined that no private LinkedIn member data was exposed.” The incident has nonetheless drawn government scrutiny.
LinkedIn did not openly admit a data breach. Instead, the company attributed the leak to a malicious user who violated its terms of service by scraping. Technically, no LinkedIn system was compromised, but flatly denying a breach while data on hundreds of millions of members circulates is never a good look.
Companies should go as far as they can to expose the true cause of a data leak. LinkedIn did little publicly to hold the scraper accountable, which only makes the company look sloppy.
LinkedIn has also done little to address the leak publicly. Legal action is not enough to restore confidence in a company; it is important to address the matter openly whenever appropriate.
Data Breach #2: Alibaba (Taobao)
Chinese e-commerce giant Alibaba faced a serious data leak on its Taobao shopping site. Starting in November 2019, a scraper collected more than 1.1 billion pieces of user data over the following months.
Like LinkedIn, Taobao was hit by a scraping attack, in this case by a developer working for an affiliate marketer. The scraper did not sell the data or post it publicly, but still received a three-year prison sentence.
Taobao released the following statement, “Taobao devotes substantial resources to combat unauthorized scraping on our platform, as data privacy and security is of utmost importance. We have proactively discovered and addressed this unauthorized scraping. We will continue to work with law enforcement to defend and protect the interests of our users and partners.”
Taobao got it right by bringing the responsible party to justice. It was swift in identifying the source of the leak and those responsible, made the case public, and was forthright about its investigation.
Ultimately, having a conviction in connection to the case provides public closure. While the sentence does not remedy the site’s vulnerabilities, it shows the company takes data security seriously.
Data Breach #1: Yahoo
Yahoo earns the top spot for not one but two breaches. The larger, from August 2013, exposed the account information of all three billion Yahoo accounts.
As with its separate 2014 hack, Yahoo did not make the details public until 2016. At the time, Yahoo was negotiating its sale to Verizon, and the company kept news of the hacks quiet for as long as it could.
The sale went through, and Verizon was aware of the situation. Verizon’s CISO Chandra McMahon stated, “Verizon is committed to the highest standards of accountability and transparency.” She went on to say, “Our investment in Yahoo is allowing that team to continue to take a significant step to enhance their security, as well as benefit from Verizon’s experience and resources.”
Ultimately, the investigation showed that the stolen data did not include plaintext passwords, payment card data or bank account information; the passwords taken were stored in hashed form.
While Yahoo failed gloriously, Verizon got it right. Verizon publicly acknowledged the situation and announced steps to remedy the situation. Moreover, Verizon stepped in to take control of the problem.
Often, companies need to bring in third-party consultants and experts to help quell public concerns. Naturally, external experts provide security and reassurance. After all, if the company itself made a mistake, enlisting competent third-party support makes sense.
Data breaches can easily destroy a company’s reputation, and attempting to hide one makes matters worse. As this article shows, companies get it wrong when they dismiss or deny a data breach.
In contrast, companies have gotten it right by addressing the issue directly. Moreover, admitting a data breach and announcing steps to remedy the situation can help restore confidence.
Additionally, firms that take legal action to prosecute cybercriminals show they take data security seriously. Nevertheless, some companies may need to hire third-party experts to investigate the breach. In the end, external experts allow companies to begin rebuilding their public data security image.
- Companies must be transparent about data breaches. Attempting to deny or dismiss a data breach can lead customers and the public to lose confidence in the company. As a result, the firm’s reputation may suffer irreparable damage.
- Admitting a data breach is necessary to ensure transparency. Additionally, companies must publicly disclose the remedial measures taken to rectify vulnerabilities. These corrective measures may include hiring external experts to help secure faulty systems.
- Affected companies should try their best to expose cybercriminals. Often, this approach implies prosecuting hackers. Taking legal action is an important step in reassuring customers and investors.
- Companies must strive to be as forthcoming as possible. This approach often calls for notifying users of a potential data breach. Ultimately, it’s better to call a suspicious event a false alarm than to execute damage control after disregarding or ignoring a data breach.
Zach Richter has been writing professionally for just shy of 20 years. Typing that sentence made him feel old. He lives in Arizona with his wife and too many dogs and cats.