The Biggest Data Breaches in History & What We Can Learn From Them

Emma Dockerill Headshot
Written by Emma Dockerill  Marketing Executive

19/02/2021

History repeats itself

Data breaches are frightening because of our supposed inability to do anything about it - when we hear a large corporation's data has been breached, there is nothing for us to do other than wait for more news and to see if we're in the pool of people affected.

We don't have a choice when it comes to sharing our data - some of our most sensitive information is held under digital lock and key by a variety of corporations and groups - from banks and hospitals to our employers and insurance firms. Sometimes, we might not fully realize that a company has our data until a breach happens.

When our data is exploited, it can take years for us to get back to normal. Social security numbers, personal details, health records, and other sensitive data - this is just the tip of the iceberg. This type of online crime is lucrative because an average record can bring in about $148 on the black market. And if you manage to get your hands on millions of records, then it's like breaking into a bank and taking everything without even leaving your house. It's a risk many people are willing to take.

Here are some of the biggest data breaches in history - the ones that affected millions of user accounts, lives and cost companies billions of dollars. Like any other type of disaster, we can learn from them if we study them. What went wrong? Often, it's human error - systems that weren't as secure as people thought, poorly managed passwords, and not enough attention paid. Things that lead to a cyber-Titanic type of situation: remember that no system is "unhackable". Let's see what led to sensitive data being accessed and breached in these famous instances.

When we hear a large corporation's data has been breached, there is nothing for us to do other than wait for more news.
First American Logo

Data Breach: First American Financial Corp.

Reason - Poor security, ignoring failed security tests, continued unresponsiveness after the data breach was discovered

Year - 2019

Records Affected - 885 Million

Cost - The cost may be up to $1,000 per violation, setting the tab at $885 billion

Error - Insecure Direct Object Reference (IDOR)


What happened?

The First American Financial Corp. leaked digitised records of bank account numbers, tax records, Social Security numbers, images of drivers' licenses and IDs, and mortgage records. A truly vast amount of data was affected, going as far back as 2003.

This could not have been a surprise, given that this particular vulnerability was discovered as early as 2018, during security testing. So, what went wrong and why was it allowed to continue until the breach became public, published in industry journals? The case is so recent, that a lot of it is still in courts and responsibility is still to be determined. First American is likely to fight any court decision, as any acceptance of responsibility will cost them dearly.

What happened is the Insecure Direct Object Reference (IDOR) error - it's a common error, showing up regularly on penetration test reports, and it means that a link created to be seen by specifically authorised persons is able to be seen by anyone who has it. There is no password and the person trying to access the data has to figure out the pattern for all other sensitive files stored in the system. In the case of First American, there is no way of knowing who saw the data and how many files were compromised. It might take years to learn.


Lessons learned

Insecure Direct Object Reference (IDOR) errors are not uncommon, and has to be fixed when found. Otherwise, stockpiles of sensitive data might just be sitting out in the open, waiting to be harvested by bots, hackers, and just about anyone who's loose morals and technical know-how make them take interest in the profit that stolen data might bring.


Adult Friend Finder Logo

Data Breach: Adult Friend Finder

Reason - Poorly kept passwords, old safety protocols, and algorithms, poor data protection policy

Year - 2016

Records Affected - 412.2 Million

Cost - Unknown

Error - Weak SHA-1 hashtag algorithm password protection (or no protection at all)


What happened?

FriendFinder Networks Inc. had 6 databases that were breached - to the horror of the adult conglomerate's users who hoped to remain anonymous. As usual, the leak was first publicised not in a private email to users, but by a researcher on Twitter - with screenshots to prove a data breach.

The surprising thing was that a large portion of the data collected from FriendFinder Networks was clearly marked for deletion, with the records having an "rm_" next to them (removal marker) or email addresses clearly meant for deletion, like email.address@address.com@deleted1.com. This means that there was no "clean up" done in these servers, and some files that should have been long gone (and most importantly, users thought long gone) were still sitting in dusty corners of the servers, like overflowing wastebaskets left by a careless housekeeper. Overall, this particular wastebasket had over 15 million deleted accounts as well as logins for sites long sold to other people (Penthouse.com).

The news of this breach was probably extra worrisome for people whose email addresses ended with .gov (5,650) and .mil (78,301).

What sealed their fate was weak password protection. Some user passwords weren't protected at all and stored in plaintext, or hashed using SHA1 which was already known to be very weak.


Lessons learned

While some data breaches may come as a surprise, keeping your records clean might prepare for the unexpected. If you're in charge of millions of people's sensitive data, it's also a good idea to use the newest and most secure technology to prevent data breaches. Good record-keeping (including deleting data) is also a core component of GDPR compliance. Organisations should treat users and their data with the respect they deserve - after all, they trust you to keep their information secure, especially in a sensitive niche like dating and adult webcam access!


Facebook Logo

Data Breach: Facebook

Reason - User data was too easily accessible on public profiles, leading to the possibility of being collected by bots

Year - 2019

Records Affected - 267 million

Cost - Unknown

Error - Security hole in Facebook's API


What happened?

This is another example of data sitting out for weeks before the data breach is discovered. Meanwhile, the user IDs, phone numbers, and names of hundreds of millions of users were left out in the open. It meant anyone could use it for further attacks, and scams. What's worse, this data was posted on a hacker forum free for the taking. Facebook looked into the matter, and decided that this breach isn't in fact a breach at all - but a mass scraping action of data that was publicly available before security measures were put into place.


Lessons learned

While we trust in large companies like Facebook to guard our personal data, we must also remember that data breaches might come as an organised mass attack on data that we make public on such social platforms. Always read the privacy notice and what you're agreeing to share when you sign up for a platform like Facebook, Linked In, or Twitter. Who is going to have access to your data? Who is going to be authorised to use it? While your phone number, name, or email might not be of significance to your uncle Jerry when he's looking at your profile, and you may post it so people can contact you - it can do a whole lot of harm when it falls into the hands of those who know how to use personal information against you.

Let's remember that the election-swaying Cambridge Analytica scandal wasn't caused by a data breach - if it were, it would have been the greatest data breach in history. Instead, it was caused by millions of people unknowingly yet legally giving their personal information to people with malicious intent.


Marriott International Logo

Data Breach: Marriott International

Reason - Marriott International failed to check basic cyber safety after purchasing another hotel brand - and failed to discover an ongoing problem

Year - 2019

Records Affected - 339 million

Cost - Fined $23.98 million in the UK

Error - Security hole in Facebook's API


What happened?

Hotel guest names, contact information, and even passport details might have gotten out - and what's worse - have been out over a period of four years. The first cyber attacks on Marriott happened in 2014 and were only discovered in 2018. The first target was the Starwood Hotels Group, and you can say that Marriott acquired the problem when they acquired Starwood in 2016. That being said, they had plenty of time to do a deep safety audit - and by not doing enough to protect their guests.

The biggest problem was that the cyber attacks were a known problem - but Marriott never checked it out enough. The breach of customer data at Marriott International is one of the largest in the hotel industry. Hotels are especially sensitive businesses to run when it comes to data protection because they often gather large amounts of very personal details about their clients.


Lessons learned

These days, when becoming a partner or an owner of an existing business, you have to check out every part of it - and cyber security due diligence is just as important as checking the physical assets, bank accounts, and tax records of your new venture.

When our data is exploited, it can take years for us to get back to normal.

Final Thoughts

In the end, when you look at the biggest data breaches that happened in the last decade, the reasons always seem to revolve around preparedness, ignoring the newest technology, and human error. There are several ways to prevent breaches like this, and lessons we can learn from the past. Some precautions we can take personally are:

  • Protect your credit card information - don't send them to anyone or post them anywhere. Auto-fills are only as safe as the safety protocol that guards them.
  • Read user agreements - make sure no third party has access to your sensitive data unless necessary.
  • Use good passwords - generated passwords for email addresses and other logins are so much safer than "Dognamedateofbirth" - those are easy to guess by someone with no hacking experience - just look at Guccifer.
  • Be responsible about data protection - especially when it comes to others' data. If you are in a position of assuming control over a database, make sure it is fully protected and do a thorough audit before you start.

We hope that we gave you enough insight into the causes of the biggest breaches in history - and hopefully, you can rest easier knowing that they can be prevented or at least deterred.


Our experts are the ones to trust when it comes to your cyber security

  • Bulletproof are CREST approved

    CREST approved

  • Bulletproof are ISO 27001 and 9001 certified

    ISO 27001 and 9001 certified

  • Bulletproof are Tigerscheme qualified testers

    Tigerscheme qualified testers

  • Bulletproof are a PCI DSS v3.2 Level 1 service provider

    PCI DSS v3.2 Level 1
    service provider

  • Bulletproof have 24/7 on-site Security Operations Centre

    24/7 on-site Security
    Operations Centre

Get a quote today

If you’re interested in our services, get a free, no obligation quote today by filling out the form below.

By submitting this form, I agree to the Bulletproof privacy policy.