Is this in any way unusual? Hardly. Here’s “a list (from Wikipedia) of data breaches, using data compiled from various sources, including press reports, government news releases, and mainstream news articles. The list includes those involving the theft or compromise of 30,000 or more records, although many smaller breaches occur continually. Breaches of large organizations where the number of records is still unknown are also listed. The various methods used in the breaches are also listed, with hacking being the most common. Most breaches occur in North America. It is estimated that the average cost of a data breach will be over $150 million by 2020, with the global annual cost forecast to be $2.1 trillion. It is estimated that in the first half of 2018 alone, about 4.5 billion records were exposed as a result of data breaches. In 2019, a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords, was posted on the web for sale.”
- "21st Century Oncology
- Accendo Insurance Co.
- Adobe Systems
- Advocate Medical Group
- AerServ (subsidiary of InMobi)
- Affinity Health Plan, Inc.
- Ameritrade
- com
- Ankle & Foot Center of Tampa Bay, Inc.
- Anthem Inc.
- AOL
- AOL
- AOL
- Apple, Inc./BlueToad
- Apple
- Apple Health Medicaid
- Ashley Madison
- AT&T
- AT&T
- co.kr
- Australian Immigration Department
- Automatic Data Processing
- AvMed, Inc.
- Bailey's Inc.
- The Bank of New York Mellon
- Bank of America
- Barnes & Noble
- Bedford/St. Martin's
- Bell Canada
- Bell Canada
- Betfair
- Bethesda Game Studios
- Bethesda Game Studios
- Blank Media Games
- Blizzard Entertainment
- BlueCross BlueShield of Tennessee
- BMO and Simplii
- British Airways
- British Airways
- 2019 Bulgarian revenue agency hack
- California Department of Child Support Services
- Canva
- Capital One
- CardSystems Solutions (MasterCard, Visa, Discover Financial Services and American Express)
- Cathay Pacific Airways
- CareFirst BlueCross Blue Shield - Maryland
- Central Coast Credit Union
- Central Hudson Gas & Electric
- CheckFree Corporation
- China Software Developer Network
- Chinese gaming websites (three: Duowan, 7K7K, 178.com)
- Citigroup
- Citigroup
- Citigroup
- City and Hackney Teaching Primary Care Trust
- Colorado government
- Community Health Systems
- Philippines Commission on Elections
- Compass Bank
- Countrywide Financial Corp
- Countrywide Financial Corp
- Centers for Medicare & Medicaid Services
- Cox Communications
- Crescent Health Inc., Walgreens
- CVS
- Dai Nippon Printing
- Data Processors International (MasterCard, Visa, Discover Financial Services and American Express)
- Defense Integrated Data Center (South Korea)
- Deloitte
- Democratic National Committee
- US Department of Homeland Security
- Desjardins
- Domino's Pizza (France)
- UK Driving Standards Agency
- Dropbox
- Drupal
- DSW Inc.
- Dun & Bradstreet
- eBay
- Earl Enterprises (Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy, Mixology, Tequila Taqueria)
- Educational Credit Management Corporation
- Eisenhower Medical Center
- Embassy Cables
- Emergency Healthcare Physicians, Ltd.
- Emory Healthcare
- Erie County Medical Center
- Equifax
- European Central Bank
- Evernote
- Excellus BlueCross BlueShield
- Experian / T-Mobile US
- EyeWire
- Federal Reserve Bank of Cleveland
- Fidelity National Information Services
- First American Corporation
- Florida Department of Juvenile Justice
- Friend Finder Networks
- Formspring
- Gamigo
- Gap Inc.
- Gawker
- Global Payments
- Gmail
- Google Plus
- Greek government
- Grozio Chirurgija
- GS Caltex
- Gyft
- Hannaford Brothers Supermarket Chain
- HauteLook
- Health Net
- Health Net / IBM
- Health Sciences Authority (Singapore)
- Heartland
- Heathrow Airport
- Hewlett Packard
- Hilton Hotels
- Home Depot
- Honda Canada
- Hyatt Hotels
- Internal Revenue Service
- Inuvik hospital
- Iranian banks (three: Saderat, Eghtesad Novin, and Saman)
- Jefferson County, West Virginia
- JP Morgan Chase
- JP Morgan Chase
- Justdial
- KDDI
- Kirkwood Community College
- RU
- Korea Credit Bureau
- Kroll Background America
- KT Corporation
- LexisNexis
- Landry's, Inc.
- Lincoln Medical & Mental Health Center
- LinkedIn, eHarmony, fm
- Living Social
- com
- Mandarin Oriental Hotels
- Marriott International
- Massachusetts Government
- Massive American business hack including 7-Eleven and Nasdaq
- US Medicaid
- Medical Informatics Engineering
- Memorial Healthcare System
- Michaels
- com
- Ministry of Education (Chile)
- Ministry of Health (Singapore)
- com
- Morgan Stanley Smith Barney
- Mozilla
- MyHeritage
- NASDAQ
- Natural Grocers
- Neiman Marcus
- Nemours Foundation
- Network Solutions
- New York City Health & Hospitals Corp.
- New York State Electric & Gas
- New York Taxis
- Nexon Korea Corp
- NHS
- Nintendo
- Nival Networks
- Norwegian Tax Administration
- Ofcom
- US Office of Personnel Management
- Office of the Texas Attorney General
- Ohio State University
- Orbitz
- Oregon Department of Transportation
- OVH
- Patreon
- Popsugar
- Premera
- Puerto Rico Department of Health
- Quest Diagnostics
- Quora
- ru
- RBS Worldpay
- Restaurant Depot
- RockYou!
- Rosen Hotels
- San Francisco Public Utilities Commission
- Scottrade
- Scribd
- Seacoast Radiology, PA
- Sega
- Service Personnel and Veterans Agency (UK)
- SingHealth
- Slack
- SnapChat
- Sony Online Entertainment
- Sony Pictures
- Sony Pictures
- Sony PlayStation Network
- South Africa police
- South Carolina Government
- South Shore Hospital, Massachusetts
- Southern California Medical-Legal Consultants
- Spartanburg Regional Healthcare System
- Stanford University
- Starbucks
- Starwood Hotels (including Westin Hotels and Sheraton Hotels)
- State of Texas
- Steam
- Stratfor
- Supervalu
- Sutter Medical Center
- Syrian government (Syria Files)
- Taobao
- Taringa!
- Target Corporation
- com
- TD Ameritrade
- TD Bank
- TerraCom & YourTel
- Texas Lottery
- Ticketfly (subsidiary of Eventbrite)
- Tianya Club
- TK/TJ Maxx
- T-Mobile, Deutsche Telekom
- Tricare
- Triple-S Salud, Inc.
- Truecaller
- Trump Hotels
- Tumblr
- tv
- Typeform
- Uber
- Uber
- Ubisoft
- Ubuntu
- UCLA Medical Center, Santa Monica
- UK Home Office
- UK Ministry of Defence
- UK Revenue & Customs
- Under Armour
- University of California, Berkeley
- University of California, Berkeley
- University of Maryland, College Park
- University of Central Florida
- University of Miami
- University of Utah Hospital & Clinics
- University of Wisconsin–Milwaukee
- United States Postal Service
- UPS
- U.S. Army
- U.S. Army (classified Iraq War documents)
- U.S. Department of Defense
- U.S. Department of Veteran Affairs
- U.S. law enforcement (70 different agencies)
- National Archives and Records Administration (U.S. military veterans records)
- U.S. government (United States diplomatic cables leak)
- National Guard of the United States
- Verizon Communications
- Virginia Department of Health
- Virginia Prescription Monitoring Program
- Vodafone
- VTech
- Walmart
- Washington Post
- Washington State court system
- Weebly
- Wendy's
- Woodruff Arts Center
- WordPress
- com
- com
- Yahoo
- Yahoo
- Yahoo Japan
- Yahoo! Voices
- Yale University
- Zappos
- Westpac
- Australian National University"
How many of these breaches do you even remember?
The major incidents that occurred since 2005 include:
"2005
- Ameriprise Financial, stolen laptop, December 24, 260,000 customer records.
- ChoicePoint, February, 163,000 consumer records.
2006
- AOL search data scandal (sometimes referred to as a "Data Valdez", due to its size).
- Department of Veterans Affairs, May, 28,600,000 veterans, reserves, and active duty military personnel.
- Ernst & Young, May, 234,000 customers of com (after a similar loss of data on 38,000 employees of Ernst & Young clients in February).
- Boeing, December, 382,000 employees (after similar losses of data on 3,600 employees in April and 161,000 employees in November, 2005).
2007
- A. Davidson & Co. 192,000 clients' names, customer account and social security numbers, addresses and dates of birth.
- The 2007 loss of Ohio and Connecticut state data by Accenture.
- TJ Maxx, data for 45 million credit and debit accounts.
- 2007 UK child benefit data scandal.
- CGI Group, August, 283,000 retirees from New York City.
- The Gap, September, 800,000 job applicants.
- Memorial Blood Center, December, 268,000 blood donors.
- Davidson County Election Commission, December, 337,000 voters.
2008
- In January 2008, GE Money, a division of General Electric, disclosed that a magnetic tape containing 150,000 social security numbers and in-store credit card information from 650,000 retail customers is known to be missing from an Iron Mountain Incorporated storage facility. C. Penney is among 230 retailers affected.
- Horizon Blue Cross and Blue Shield of New Jersey, January, 300,000 members.
- Lifeblood, February, 321,000 blood donors.
- British National Party membership list leak.
- In Early 2008, Countrywide Financial (since acquired by Bank of America) allegedly fell victim to a data breach when, according to news reports and court documents, employee Rene L. Rebollo Jr. stole and sold up to 2.5 million customers' personal information including social security numbers.
2009
- In December 2009 a RockYou! password database was breached containing 32 million usernames and plaintext passwords, further compromising the use of weak passwords for any purpose.
- In May 2009 the United Kingdom parliamentary expenses scandal was revealed by The Daily Telegraph. A hard disk containing scanned receipts of UK Members of Parliament and Peers in the House of Lords was offered to various UK newspapers in late April, with The Daily Telegraph finally acquiring it. They published details in instalments from 8 May onwards. Although it was intended by Parliament that the data was to be published, this was to be in redacted form, with details the individual members considered "sensitive" blanked out. The newspaper published unredacted scans which showed details of the claims, many of which appeared to be in breach of the rules and suggested widespread abuse of the generous expenses system. The resulting media storm led to the resignation of the Speaker of the House of Commons and the prosecution and imprisonment of several MPs and Lords for fraud. The expenses system was overhauled and tightened up, being put more on a par with private industry schemes. The Metropolitan Police Service continues to investigate possible frauds, and the Crown Prosecution Service is considering further prosecutions. Several MPs and Lords apologised and made whole, partial or no restitution, and retained their seats. Others who had been shamed in the media did not offer themselves for re-election at the 2010 United Kingdom general election. Although numbering less than 1,500 individuals, the affair received the largest global media coverage of any data breach (as at February 2012).
- In January 2009 Heartland Payment Systems announced that it had been "the victim of a security breach within its processing system", possibly part of a "global cyber fraud operation". The intrusion has been called the largest criminal breach of card data ever, with estimates of up to 100 million cards from more than 650 financial services companies compromised.
2010
- Throughout the year, Chelsea Manning (then known as Bradley Manning) released large volumes of secret military data to the public.
2011
- In April 2011, Sony experienced a data breach within their PlayStation Network. It is estimated that the information of 77 million users was compromised.
- In March 2011, RSA suffered a breach of their SecurID token system seed-key warehouse, where the seed keys for their 2 Factor Authentication system were stolen, allowing the attackers to replicate the hardware tokens used for secure access in corporate and government environments.
- In June 2011, Citigroup disclosed a data breach within their credit card operation, affecting approximately 210,000 or 1% of their customers' accounts.
2012
- In the summer of 2012, Wired.com Senior Writer Mat Honan claims that "hackers destroyed my entire digital life in the span of an hour" by hacking his Apple, Twitter, and Gmail passwords in order to gain access to his Twitter handle and in the process, claims the hackers wiped out every one of his devices, deleting all of his messages and documents, including every picture he had ever taken of his 18-month-old daughter. The exploit was achieved with a combination of information provided to the hackers by Amazon's tech support through social engineering, and the password recovery system of Apple which used this information. Related to his experience, Mat Honan wrote a piece outlining why passwords cannot keep users safe.
- In October 2012, a law enforcement agency contacted the South Carolina Department of Revenue (DoR) with evidence that Personally Identifiable Information (PII) of three individuals had been stolen. It was later reported that an estimated 3.6 million Social Security numbers were compromised along with 387,000 credit card records.
2013
- In October 2013, Adobe Systems revealed that their corporate database was hacked and some 130 million user records were stolen. According to Adobe, "For more than a year, Adobe’s authentication system has cryptographically hashed customer passwords using the SHA-256 algorithm, including salting the passwords and iterating the hash more than 1,000 times. This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored."
- In late November to early December 2013, Target Corporation announced that data from around 70 million credit and debit cards was stolen. It is the second largest credit and debit card breach after the TJX Companies data breach where almost 46 million cards were affected.
- In 2013, Edward Snowden published a series of secret documents that revealed widespread spying by the United States National Security Agency and similar agencies in other countries.
2014
- In August 2014, nearly 200 photographs of celebrities were posted to the image board website 4chan. An investigation by Apple found that the images were obtained "by a very targeted attack on user names, passwords and security questions".
- In September 2014, Home Depot suffered a data breach of 56 million credit card numbers.
- In October 2014, Staples suffered a data breach of 1.16 million customer payment cards.
- In November 2014 and for weeks after, Sony Pictures Entertainment suffered a data breach involving personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of (previously) unreleased Sony films, and other information. The hackers involved claim to have taken over 100 terabytes of data from Sony.
2015
- In October 2015, the British telecommunications provider TalkTalk suffered a data breach when a group of 15-year-old hackers stole information on its 4 million customers. The stock price of the company fell substantially due to the issue – around 12% – owing largely to the bad publicity surrounding the leak.
- In July 2015, adult website Ashley Madison suffered a data breach when a hacker group stole information on its 37 million users. The hackers threatened to reveal usernames and specifics if Ashley Madison and a fellow site, EstablishedMen.com, did not shut down permanently.
- In February 2015 Anthem suffered a data breach of nearly 80 million records, including personal information such as names, Social Security numbers, dates of birth, and other sensitive details.
- In June 2015, The Office of Personnel Management of the U.S. government suffered a data breach in which the records of 22.1 million current and former federal employees of the United States were hacked and stolen.
2016
- In February 2016, the 15-year-old British hacker Kane Gamble leaked the personal details of over 20,000 FBI employees, including employees' names, job titles, phone numbers and email addresses. The judge said Gamble engaged in "politically motivated cyber-terrorism."
- In March 2016, the website of the Commission on Elections in the Philippines was defaced by the hacktivist group "Anonymous Philippines". A larger problem arose when a group called LulzSec Pilipinas uploaded COMELEC's entire database on Facebook the following day.
- In April 2016, news media carried information stolen from a successful network attack of the Central American law firm, Mossack Fonseca, and the resulting “Panama Papers” sent reverberations throughout the world. Perhaps a justified vindication of illegal or unethical activity, this nonetheless illustrates the impact of secrets coming to light. The Prime Minister of Iceland was forced to resign and a major reshuffling of political offices occurred in countries as far-flung as Malta. Multiple investigations were immediately initiated in countries around the world, including a hard look at international or offshore banking rules in the U.S. Obviously the implications are enormous to the ability of an organization — whether a law firm or a governmental department—to keep secrets.
- In September 2016 Yahoo reported that up to 500 million accounts in 2014 had been breached in an apparent "state-sponsored" data breach. It was later reported in October 2017 that 3 billion accounts had been breached, accounting for every Yahoo account at the time.
2017
- Vault 7, CIA's hacking techniques revealed in data breach. Leaked documents, codenamed Vault 7 and dated from 2013–2016, detail the capabilities of the CIA to perform electronic surveillance and cyber warfare, such as the ability to compromise the operating systems of most smartphones (including Apple's iOS and Google's Android), as well as other operating systems such as Microsoft Windows, macOS, and Linux. Joshua Adam Schulte, a former CIA employee, has been accused of leaking CIA hacking secrets to WikiLeaks.
- Equifax, July 2017, 145,500,000 consumer records, the largest known data breach in history at the time, leading to the potential for the largest class action lawsuit in history. As of early October 2017, the cities of Chicago and San Francisco and the Commonwealth of Massachusetts have filed enforcement actions against Equifax following the July 2017 data breach, in which hackers allegedly exploited a vulnerability in the open-source software used to create Equifax's online consumer dispute portal. The hackers had not only information of U.S. residents but also of U.K. and Canadian residents as well.
- United States-South Korea classified military documents, October 2017. A South Korean lawmaker claimed that North Korean hackers stole over 235 gigabytes of military documents from the Defense Integrated Data Center in September 2016. Leaked documents included the South Korea-U.S. wartime operational plan.
- Paradise Papers, November 2017.
2018
- Facebook and Cambridge Analytica data breach in March.
- In March, Google identified a vulnerability exposing the personal information of nearly half a million users. While they patched the vulnerability, they did not disclose the exposure to users until the issue was reported on by The Wall Street Journal 6 months after the fact.
- On 1 August, Reddit disclosed they were hacked. The hacker was able to compromise employees' accounts even though they used SMS-based two-factor authentication. Reddit refused to disclose the number of affected users.
- On 29 March, Under Armour disclosed a data breach of 150 million accounts at MyFitnessPal, with compromised data consisting of user names, the users' e-mail addresses and hashed passwords. Under Armour was notified of the breach in the week of 19–25 March, and the leak happened sometime in February.
- It was reported on 1 April that a data breach occurred at Saks Fifth Avenue/Lord & Taylor. About 5 million credit card holders may have had their data compromised in stores in North America.
- It was reported on 20 July that a data breach at SingHealth, one of Singapore's largest health organisations, happened on 4 July, with about 1.5 million personal records (including data of some ministers, including Singapore's Prime Minister Lee Hsien Loong) being compromised. Ministers at a press conference dubbed the data breach the "most serious breach of personal data".
- On September 7 it was reported that British Airways experienced a data theft of about 380,000 customer records including full bank details.
- On October 19, the US Centres for Medicare & Medicaid Services (CMS) reported a data breach that exposed files of 75,000 individuals.
- On December 3, Quora reported a data breach that affected its 100 million users data.
2019
- On July 16 Bulgaria’s National Revenue Agency, a branch of the country’s Ministry of Finance.
- Capital One (pending)."
The long lists are presented to make a point: data security is incredibly weak – and getting weaker. According to the US Department of Homeland Security (DHS), threats are everywhere and growing. DHS believes that the US should “reduce threats from cyber criminals. In partnership with other law enforcement agencies, DHS must prevent cyber crime and disrupt criminals and criminal organizations who use cyberspace to carry out their illicit activities and leverage identified threat activity and trends to inform national risk management efforts.” The problem is enormous and growing faster than anyone can measure. No system is completely safe. Breaches are frequent – and frequently under-reported.
As more and more activities, processes and assets move to the cloud, it will become increasingly difficult to secure transactions, especially since general awareness of the breadth, depth and severity of threats is ill-defined and underappreciated, and because cybersecurity funding is incredibly inadequate. Expect more data breaches and the monetization of compromised data in ways that will make individuals and governments “uncomfortable,” liable and much more.
Open question: is this a solvable problem?