With an increasing number of products and services depending on the internet, consumers entrust more and more of their personal information to businesses online. However, businesses often fail to see the vulnerabilities in their own security systems, and those vulnerabilities lead to devastating data breaches.
Data breaches are costly for companies, and many are realizing the need to ramp up their investments in the field of cybersecurity. The last decade has seen a lot of notable data breaches that businesses these days can learn from. In this article, we’ll look at cybersecurity lessons from the biggest data breaches of the decade. To train on the leading security tools and learn best practices to prevent destructive data compromises, check out Cloud Academy’s Security Training Library.
Impact: 3 billion user accounts
In 2016, two years after the breach, Yahoo announced that it had been the victim of the biggest data breach in history. The cyber-attack was said to have compromised 500 million users' personal information, including real names, e-mail addresses, birthdates, and telephone numbers. A couple of months later, Yahoo issued another statement describing a separate breach in 2013 by a different group of hackers that compromised 1 billion accounts. Aside from personal information, passwords, security questions and security answers were also compromised. Fast-forward to 2017, and the former internet giant revised its estimate, saying that all 3 billion user accounts had been compromised as a result of the data breaches. Yahoo, which had once been valued at $100 billion, was bought by Verizon for $4.48 billion in the aftermath of the scandal.
One of the most notable lessons to be learned from how Yahoo approached the situation is not to downplay the risk of breaches. Inc. noted how Yahoo stated in its press release that the stolen passwords were "hashed passwords (the vast majority in bcrypt)" without explaining in layman's terms what that means and how people can protect their passwords from being stolen. Furthermore, the Yahoo team seemed to be releasing the information slowly, perhaps as a way to soften the blow. However, that strategy just made them seem like they were hiding something, which further eroded people's trust in the brand. What would have helped instead is if they had been honest with their customers from the start, owning up to the situation and communicating what they were doing to fix the problem.
Date: July 29, 2017
Impact: Personal information of 143 million consumers and credit card information of 209,000 consumers
On September 7, 2017, Equifax, one of the largest credit bureaus in the U.S., announced that an application vulnerability on its website had led to a data breach that exposed the data of almost 143 million consumers. While the data breach was discovered in July, the company admitted that it likely started as early as mid-May. The personal information that was stolen included names, birthdates, addresses, Social Security numbers, driver's license numbers, and credit card information. Its former CEO Richard Smith also admitted that the entire data breach was caused by the neglect of just one employee. To make matters worse, it was revealed that Equifax had hired a music major as its Chief of Security.
In the case of Equifax, one lesson we can learn is to hire the right people when it comes to cybersecurity. It's important to look for candidates with the right track record and experience. Furthermore, businesses need to offer attractive salaries in order to attract the best people in the industry. Maryville University claims that the demand for cybersecurity professionals nearly doubled from 2013 to 2019. One report found that there are almost 3 million unfilled job openings across the world for cybersecurity experts. This means that skilled cybersecurity professionals are able to negotiate a higher salary given the increasing demand. If you're really invested in keeping your business afloat, don't be afraid to pay a premium. Hire the best and most skilled professionals to avoid catastrophic security breaches.
Impact: 500 million customers
In late 2018, Marriott International issued a press release saying that cybercriminals had stolen data on around 500 million customers. The breach had occurred as early as 2014, and the attackers had remained in the system until 2016. However, they weren't discovered until 2018. The hackers stole names and contact information as well as passport numbers and travel information. The breach was attributed to a Chinese intelligence group that was trying to gather data on U.S. citizens.
Discussing lessons learned from the Marriott breach, Nick Wyatt from data analytics company GlobalData said that "In the more immediate term, Marriott must show that it is employing post-breach consultants to help take all actions possible to protect digital assets." Employing post-breach consultants helps companies identify the characteristics of the attackers to ensure the same thing doesn't happen again. Aside from being a pre-emptive measure to ward off future attacks, it also shows customers that the company is taking measures to make up for its mistake.
Date: May 2014
Impact: 145 million users
In May 2014, the online auction giant eBay reported that a cyber attack had exposed the names, addresses, birthdates, and encrypted passwords of all of its 145 million users. eBay stated that the hackers breached the company network by using the credentials of three corporate employees. The hackers had complete access for more than 200 days, which allowed them to make their way into the user database. While the company asked its customers to change their passwords, it reassured them that financial information was stored separately and wasn't compromised.
An important lesson businesses should learn from the eBay data breach is to control employee access. Chester Avey notes that insider attacks account for 43% of all data breaches, so strong cybersecurity measures within the organization are necessary as well. Have multiple levels of authentication in place for employee access, especially for employees who have access to sensitive data. Multi-factor authentication through one-time passwords sent to phones or other mobile keys would be a good way to go about this. Another strategy is to restrict sensitive data within the company to only those who really need it. Access to data should correspond to an employee's specific role in the company and nothing more.
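The two controls recommended above, role-based least privilege and a second factor for sensitive data, can be combined in a single access check. The following is an added example, not code from the article or from eBay; the roles, resources, user names and the `authorize` function are constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not the article's code: roles, resources and users below are
# constructed sample data. Resources tagged sensitive need a second factor.
RESOURCES = {
    "wiki": {"sensitive": False},
    "ticketing": {"sensitive": False},
    "customer_db": {"sensitive": True},
    "payment_vault": {"sensitive": True},
}

# Minimum resource set per role (least privilege): nothing beyond the job.
ROLE_PERMISSIONS = {
    "support_agent": {"wiki", "ticketing"},
    "dba": {"wiki", "customer_db"},
    "finance": {"wiki", "payment_vault"},
}

@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool = False  # True only after a one-time code was checked

def authorize(session: Session, resource: str) -> tuple[bool, str]:
    """Return (allowed, reason). Checks run in order: unknown resource,
    role not granted the resource (least privilege), sensitive resource
    without MFA (step-up required), then allow."""
    meta = RESOURCES.get(resource)
    if meta is None:
        return False, f"unknown resource {resource!r}"
    if resource not in ROLE_PERMISSIONS.get(session.role, set()):
        return False, f"role {session.role!r} is not granted {resource!r}"
    if meta["sensitive"] and not session.mfa_verified:
        return False, "sensitive resource requires a second factor (step-up MFA)"
    return True, "granted"

if __name__ == "__main__":
    # A stolen support-agent password alone cannot reach the customer
    # database, and even a DBA needs MFA before touching it.
    stolen = Session("agent01", "support_agent")
    print(authorize(stolen, "customer_db"))
    dba = Session("dba02", "dba")
    print(authorize(dba, "customer_db"))
    dba.mfa_verified = True
    print(authorize(dba, "customer_db"))
```

With this ordering, a stolen password for a non-privileged role never reaches the user database at all, and a privileged role still needs its second factor, which is the combination the eBay case argues for.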