HOME

TheInfoList



OR:

A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak,
information leakage Information leakage happens whenever a system that is designed to be closed to an eavesdropper reveals some information to unauthorized parties nonetheless. In other words: Information leakage occurs when secret information correlates with, or can ...
and data spill. Incidents range from concerted attacks by individuals who hack for personal gain or malice ( black hats),
organized crime Organized crime (or organised crime) is a category of transnational, national, or local groupings of highly centralized enterprises run by criminals to engage in illegal activity, most commonly for profit. While organized crime is generally th ...
,
political activist A political movement is a collective attempt by a group of people to change government policy or social values. Political movements are usually in opposition to an element of the status quo, and are often associated with a certain ideology. Some t ...
s or national governments, to poorly configured system security or careless disposal of used
computer A computer is a machine that can be programmed to Execution (computing), carry out sequences of arithmetic or logical operations (computation) automatically. Modern digital electronic computers can perform generic sets of operations known as C ...
equipment or data storage media. Leaked information can range from matters compromising national security, to information on actions which a government or official considers embarrassing and wants to conceal. A deliberate data breach by a person privy to the information, typically for political purposes, is more often described as a "leak". Data breaches may involve financial information such as credit card and debit card details, bank details, personal health information (PHI),
Personally identifiable information Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person. The abbreviation PII is widely accepted in the United States, but the phrase it abbreviates ha ...
(PII),
trade secrets Trade secrets are a type of intellectual property that includes formulas, practices, processes, designs, instruments, patterns, or compilations of information that have inherent economic value because they are not generally known or readily as ...
of corporations or
intellectual property Intellectual property (IP) is a category of property that includes intangible creations of the human intellect. There are many types of intellectual property, and some countries recognize more than others. The best-known types are patents, cop ...
. Data breaches may involve overexposed and vulnerable
unstructured data Unstructured data (or unstructured information) is information that either does not have a pre-defined data model or is not organized in a pre-defined manner. Unstructured information is typically text-heavy, but may contain data such as dates, num ...
– files, documents, and sensitive information. Data breaches can be quite costly to organizations with direct costs (remediation, investigation, etc) and indirect costs ( reputational damages, providing cyber security to victims of compromised data, etc.). According to the
nonprofit A nonprofit organization (NPO) or non-profit organisation, also known as a non-business entity, not-for-profit organization, or nonprofit institution, is a legal entity organized and operated for a collective, public or social benefit, in co ...
consumer organization Consumer organizations are advocacy groups that seek to protect people from corporate abuse like unsafe products, predatory lending, false advertising, astroturfing and pollution. Consumer Organizations may operate via protests, litigation, Adver ...
Privacy Rights Clearinghouse, a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the
United States The United States of America (U.S.A. or USA), commonly known as the United States (U.S. or US) or America, is a country primarily located in North America. It consists of 50 states, a federal district, five major unincorporated territorie ...
between January 2005 and May 2008, excluding incidents where sensitive data was apparently not actually exposed. Many
jurisdiction Jurisdiction (from Latin 'law' + 'declaration') is the legal term for the legal authority granted to a legal entity to enact justice. In federations like the United States, areas of jurisdiction apply to local, state, and federal levels. Jur ...
s have passed
data breach notification laws Security breach notification laws or data breach notification laws are laws that require individuals or entities affected by a data breach, unauthorized access to data, to notify their customers and other parties about the breach, as well as take ...
, which requires a company that has been subject to a data breach to inform customers and take other steps to remediate possible injuries.


Definition

A data breach may include incidents such as theft or loss of
digital media Digital media is any communication media that operate in conjunction with various encoded machine-readable data formats. Digital media can be created, viewed, distributed, modified, listened to, and preserved on a digital electronics device. ' ...
such as computer tapes,
hard drive A hard disk drive (HDD), hard disk, hard drive, or fixed disk is an electro-mechanical data storage device that stores and retrieves digital data using magnetic storage with one or more rigid rapidly rotating platters coated with magnet ...
s, or
laptop computer A laptop, laptop computer, or notebook computer is a small, portable personal computer (PC) with a screen and alphanumeric keyboard. Laptops typically have a clam shell form factor with the screen mounted on the inside of the upper li ...
s with
unencrypted In cryptography, plaintext usually means unencrypted information pending input into cryptographic algorithms, usually encryption algorithms. This usually refers to data that is transmitted or stored unencrypted. Overview With the advent of comp ...
information, posting such information on the
World Wide Web The World Wide Web (WWW), commonly known as the Web, is an information system enabling documents and other web resources to be accessed over the Internet. Documents and downloadable media are made available to the network through web se ...
without proper
information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
precautions, transfer of such information to a system which is not completely open but is not appropriately or formally
accredited Accreditation is the independent, third-party evaluation of a conformity assessment body (such as certification body, inspection body or laboratory) against recognised standards, conveying formal demonstration of its impartiality and competence to ...
for security, such as unencrypted
e-mail Electronic mail (email or e-mail) is a method of exchanging messages ("mail") between people using electronic devices. Email was thus conceived as the electronic ( digital) version of, or counterpart to, mail, at a time when "mail" meant ...
, or transfer of such information to the
information system An information system (IS) is a formal, sociotechnical, organizational system designed to collect, process, store, and distribute information. From a sociotechnical perspective, information systems are composed by four components: task, people ...
s of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.
ISO/IEC 27040 ISO/IEC 27040 is part of a growing family of International Standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in the area of security techniques; the standard is be ...
defines a data breach as: ''compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed''.


Trust and privacy

The notion of a trusted environment is somewhat fluid. The departure of a trusted staff member with access to sensitive information can become a data breach if the staff member retains access to the data after termination of the trust relationship. In distributed systems, this can also occur with a breakdown in a
web of trust In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner. Its decentralized trust model is an alternative to the centr ...
.
Data quality Data quality refers to the state of qualitative or quantitative pieces of information. There are many definitions of data quality, but data is generally considered high quality if it is "fit for tsintended uses in operations, decision making and ...
is one way of reducing the risk of a data breach, partly because it allows the owner of the data to rate data according to importance and give better protection to more important data. Most such incidents publicized in the media involve
private Private or privates may refer to: Music * " In Private", by Dusty Springfield from the 1990 album ''Reputation'' * Private (band), a Denmark-based band * "Private" (Ryōko Hirosue song), from the 1999 album ''Private'', written and also recorde ...
information on individuals, e.g.
social security number In the United States, a Social Security number (SSN) is a nine-digit number issued to U.S. citizens, permanent residents, and temporary (working) residents under section 205(c)(2) of the Social Security Act, codified as . The number is issued to ...
s. Loss of corporate information such as
trade secret Trade secrets are a type of intellectual property that includes formulas, practices, processes, designs, instruments, patterns, or compilations of information that have inherent economic value because they are not generally known or readily asc ...
s, sensitive corporate information, and details of
contract A contract is a legally enforceable agreement between two or more parties that creates, defines, and governs mutual rights and obligations between them. A contract typically involves the transfer of goods, services, money, or a promise to tran ...
s, or of government information is frequently unreported, as there is no compelling reason to do so in the absence of potential damage to private citizens, and the publicity around such an event may be more damaging than the loss of the data itself.


Insider versus external threats

Those working inside an organization are a significant cause of data breaches. Estimates of breaches caused by accidental "human factor" errors is around 20% by the Verizon 2021 Data Breach Investigations Report. The external threat category includes hackers, cybercriminal organizations and state-sponsored actors. Professional associations for IT asset managers work aggressively with IT professionals to educate them o
best risk-reduction practices
for both internal and external threats to IT assets, software and information. While security prevention may deflect a high percentage of attempts, ultimately a motivated attacker will likely find a way into any given network. One of the top 10 quotes from
Cisco Cisco Systems, Inc., commonly known as Cisco, is an American-based multinational digital communications technology conglomerate corporation headquartered in San Jose, California. Cisco develops, manufactures, and sells networking hardware, ...
CEO John Chambers is, "There are two types of companies: those that have been hacked, and those that don't know they have been hacked." FBI Special Agent for Cyber Special Operations Leo Taddeo warned on Bloomberg television, "The notion that you can protect your perimeter is falling by the wayside & detection is now critical."


Medical data breach

Some celebrities have found themselves to be the victims of inappropriate medical record access breaches, albeit more so on an individual basis, not part of a typically much larger breach. Given the series of medical data breaches and the lack of public trust, some countries have enacted laws requiring safeguards to be put in place to protect the security and confidentiality of medical information as it is shared electronically and to give patients some important rights to monitor their medical records and receive notification for loss and unauthorized acquisition of health information. The United States and the EU have imposed mandatory medical data breach notifications. Reportable breaches of medical information are increasingly common in the United States.


Consequences

Although such incidents pose the risk of
identity theft Identity theft occurs when someone uses another person's personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term ''identity theft'' was co ...
or other serious consequences, in most cases there is no lasting damage; either the breach in security is remedied before the information is accessed by unscrupulous people, or the thief is only interested in the hardware stolen, not the data it contains. Nevertheless, when such incidents become publicly known, it is customary for the offending party to attempt to mitigate
damages At common law, damages are a remedy in the form of a monetary award to be paid to a claimant as compensation for loss or injury. To warrant the award, the claimant must show that a breach of duty has caused foreseeable loss. To be recognised at ...
by providing to the victim's subscription to a
credit reporting agency A credit bureau is a data collection agency that gathers account information from various creditors and provides that information to a consumer reporting agency in the United States, a credit reference agency in the United Kingdom, a credit report ...
, for instance, new credit cards, or other instruments. In the case of
Target Target may refer to: Physical items * Shooting target, used in marksmanship training and various shooting sports ** Bullseye (target), the goal one for which one aims in many of these sports ** Aiming point, in field artillery, fi ...
, the 2013 breach cost Target a significant drop in profit, which dove an estimated 40 percent in the 4th quarter of the year. At the end of 2015,
Target Target may refer to: Physical items * Shooting target, used in marksmanship training and various shooting sports ** Bullseye (target), the goal one for which one aims in many of these sports ** Aiming point, in field artillery, fi ...
published a report claiming a total loss of $290 million to data breach related fees. The
Yahoo Yahoo! (, styled yahoo''!'' in its logo) is an American web services provider. It is headquartered in Sunnyvale, California and operated by the namesake company Yahoo! Inc. (2017–present), Yahoo Inc., which is 90% owned by investment funds ma ...
breach disclosed in 2016 may be one of the most expensive today. It may lower the price of its acquisition by Verizon by $1 billion. Verizon later released their renegotiation to Yahoo agreeing to lower the final price from $4.8 to $4.48 billion. Cybercrime cost energy and utilities companies an average of $12.8 million each year in lost business and damaged equipment according to DNV GL, an international certification body and classification society based in Norway. Data breaches cost healthcare organizations $6.2 billion in the last two years (presumably 2014 and 2015), according to a Ponemon study. In health care, more than 25 million people have had their health care stolen, resulting in the identity theft of more than 6 million people, and the out-of-pocket cost of victims is close to $56 billion. Privacy Rights Clearinghouse (PRC) has shown records from January 2005 to December 2018 that there has been more than 9000 breaches events. Also, what causes lead to each breach such as, insider attack, payment card fraud, lost or stolen portable device, infected malware and sending an email to the wrong person (DISC). This shows that many common mistake that leads to a data breach is humans who make mistakes allowing hackers to exploit it and perform an attack. It is notoriously difficult to obtain information on direct and indirect value loss resulting from a data breach. A common approach to assess the impact of data breaches is to study the market reaction to such an incident as a proxy for the economic consequences. This is typically conducted through the use of event studies, where a measure of the event's economic impact can be constructed by using the security prices observed over a relatively short period of time. Several studies such studies have been published with varying findings, including works by Kannan, Rees, and Sridhar (2007), Cavusoglu, Mishra, and Raghunathan (2004), Campbell, Gordon, Loeb, and Lei (2003) as well as Schatz and Bashroush (2017). Since data volume is growing exponentially in the digital era and data leaks happen more frequently than ever before, preventing sensitive information from being leaked to unauthorized parties becomes one of the most pressing security concerns for enterprises. To safeguard data and finances, businesses and companies often have to put in additional costs to take preventive measure on potential data breaches.Ryle PM, Goodman L, Soled JA. Tax consequences of data breaches and identity theft. ''Journal of Accountancy''. October 2020:1-6. From 2017 to 2021, the predicted global spending on internet security is to be over $1 trillion.


Major incidents

Notable incidents include:


2005

*
Ameriprise Financial Ameriprise Financial, Inc. is a diversified financial services company and bank holding company incorporated in Delaware and headquartered in Minneapolis, Minnesota. It provides financial planning products and services, including wealth manage ...
, stolen
laptop A laptop, laptop computer, or notebook computer is a small, portable personal computer (PC) with a screen and alphanumeric keyboard. Laptops typically have a clam shell form factor with the screen mounted on the inside of the upper li ...
, December 24, 260,000 customer recordsChronology of Data Breaches
, Privacy Rights Clearinghouse
*
ChoicePoint LexisNexis Risk Solutions is a global data and analytics company that provides data and technology services, analytics, predictive insights and fraud prevention for a wide range of industries. It is headquartered in Alpharetta, Georgia (part of ...
, February, 163,000 consumer recordsChoicePoint to pay $15 million over data breach
,
NBC News NBC News is the news division of the American broadcast television network NBC. The division operates under NBCUniversal Television and Streaming, a division of NBCUniversal, which is, in turn, a subsidiary of Comcast. The news division's var ...


2006

* AOL search data scandal (sometimes referred to as a "Data '' Valdez''", due to its size) *
Department of Veterans Affairs The United States Department of Veterans Affairs (VA) is a Cabinet-level executive branch department of the federal government charged with providing life-long healthcare services to eligible military veterans at the 170 VA medical centers and ...
, May, 28,600,000 veterans, reserves, and active duty military personnel *
Ernst & Young Ernst & Young Global Limited, trade name EY, is a multinational professional services partnership headquartered in London, England. EY is one of the largest professional services networks in the world. Along with Deloitte, KPMG and Pricewaterh ...
, May, 234,000 customers of
Hotels.com Hotels.com is a website for booking hotel rooms online and by telephone. The company has 85 websites in 34 languages, and lists over 325,000 hotels in approximately 19,000 locations. Its inventory includes hotels and B&Bs, and some condos and oth ...
(after a similar loss of data on 38,000 employees of Ernst & Young clients in February) *
Boeing The Boeing Company () is an American multinational corporation that designs, manufactures, and sells airplanes, rotorcraft, rockets, satellites, telecommunications equipment, and missiles worldwide. The company also provides leasing and product ...
, December, 382,000 employees (after similar losses of data on 3,600 employees in April and 161,000 employees in November, 2005)


2007

*D. A. Davidson & Co. 192,000 clients' names, customer account and social security numbers, addresses and dates of birth * The 2007 loss of Ohio and Connecticut state data by Accenture *
TJ Maxx TJ Maxx (stylized as T•J•maxx) is an American department store chain, selling at prices generally lower than other major similar stores. It has more than 1,000 stores in the United States, making it one of the largest clothing retailers in ...
, data for 45 million credit and debit accounts *
2007 UK child benefit data scandal The loss of United Kingdom child benefit data was a data breach incident in October 2007, when two computer discs owned by HM Revenue and Customs containing data relating to child benefit went missing. The incident was announced by the Chancellor ...
*
CGI Group CGI Inc. is a Canadian multinational information technology consulting and systems integration company headquartered in Montreal, Quebec, Canada. CGI has a market value of $21.8 billion, making it one of the top 30 companies in Canada. The co ...
, August, 283,000 retirees from
New York City New York, often called New York City or NYC, is the List of United States cities by population, most populous city in the United States. With a 2020 population of 8,804,190 distributed over , New York City is also the L ...
*
The Gap The Gap may refer to: Places Australia * The Gap, New South Wales, a locality near Wagga Wagga, New South Wales * The Gap, Northern Territory, a suburb of Alice Springs, Northern Territory * The Gap, Queensland, a suburb of Brisbane, Queensland ...
, September, 800,000 job applicants *Memorial Blood Center, December, 268,000
blood donor A blood donation occurs when a person voluntarily has blood drawn and used for transfusions and/or made into biopharmaceutical medications by a process called fractionation (separation of whole blood components). Donation may be of whole bloo ...
s *Davidson County Election Commission, December, 337,000 voters


2008

* In January 2008,
GE Money GE Capital is the financial services division of General Electric. The company currently only runs one division, GE Energy Financial Services. It had provided additional services in the past; however, those units were sold between 2013 and 2018. ...
, a division of
General Electric General Electric Company (GE) is an American multinational conglomerate founded in 1892, and incorporated in New York state and headquartered in Boston. The company operated in sectors including healthcare, aviation, power, renewable energ ...
, disclosed that a magnetic tape containing 150,000
social security number In the United States, a Social Security number (SSN) is a nine-digit number issued to U.S. citizens, permanent residents, and temporary (working) residents under section 205(c)(2) of the Social Security Act, codified as . The number is issued to ...
s and in-store
credit card A credit card is a payment card issued to users (cardholders) to enable the cardholder to pay a merchant for goods and services based on the cardholder's accrued debt (i.e., promise to the card issuer to pay them for the amounts plus the o ...
information from 650,000 retail customers is known to be missing from an
Iron Mountain Incorporated Iron Mountain Inc. () is an American enterprise information management services company founded in 1951 and headquartered in Boston, Massachusetts. Its records management, information destruction, and data backup and recovery services are suppl ...
storage facility. J.C. Penney is among 230 retailers affected. *
Horizon Blue Cross and Blue Shield of New Jersey Horizon Blue Cross Blue Shield of New Jersey, headquartered in Newark, New Jersey, Newark, New Jersey is the only licensed Blue Cross and Blue Shield Association plan in New Jersey, providing health insurance coverage to over 3.2 million people thr ...
, January, 300,000 members *Lifeblood, February, 321,000
blood donor A blood donation occurs when a person voluntarily has blood drawn and used for transfusions and/or made into biopharmaceutical medications by a process called fractionation (separation of whole blood components). Donation may be of whole bloo ...
s *
British National Party The British National Party (BNP) is a far-right, fascist political party in the United Kingdom. It is headquartered in Wigton, Cumbria, and its leader is Adam Walker. A minor party, it has no elected representatives at any level of UK gover ...
membership list leak *In early 2008,
Countrywide Financial Countrywide is one of the UK's largest integrated property services group including residential property surveying, a collaboration of estate agents, and corporate services. It employs circa 8,500 personnel nationwide, working across 650+ estate ...
(since acquired by
Bank of America The Bank of America Corporation (often abbreviated BofA or BoA) is an American multinational investment bank and financial services holding company headquartered at the Bank of America Corporate Center in Charlotte, North Carolina. The bank w ...
) allegedly fell victim to a data breach when, according to news reports and court documents, employee Rene L. Rebollo Jr. stole and sold up to 2.5 million customers' personal information including social security numbers. According to the legal complaint: "Beginning in 2008 – coincidentally after they sold their mortgage portfolios under wrongful and fraudulent 'securitization pools,' and coincidentally after their mortgage portfolio went into massive default as a result thereof – Countrywide learned that the financial information of potentially millions of customers had been stolen by certain Countrywide agents, employees or other individuals." In July 2010,
Bank of America The Bank of America Corporation (often abbreviated BofA or BoA) is an American multinational investment bank and financial services holding company headquartered at the Bank of America Corporate Center in Charlotte, North Carolina. The bank w ...
settled more than 30 related class-action lawsuits by offering free credit monitoring, identity theft insurance and reimbursement for losses to as many as 17 million consumers impacted by the alleged data breach. The settlement was estimated at $56.5 million not including court costs.


2009

* In December 2009 a
RockYou! RockYou was a company that developed widgets for MySpace and implemented applications for various social networks and Facebook. Since 2014, it has engaged primarily in the purchases of rights to classic video games; it incorporates in-game ads an ...
password database was breached containing 32 million usernames and plaintext passwords, further compromising the use of weak passwords for any purpose. * In May 2009 the
United Kingdom parliamentary expenses scandal The United Kingdom parliamentary expenses scandal was a major political scandal that emerged in 2009, concerning expenses claims made by members of the British Parliament in both the House of Commons and the House of Lords over the previous year ...
was revealed by ''
The Daily Telegraph ''The Daily Telegraph'', known online and elsewhere as ''The Telegraph'', is a national British daily broadsheet newspaper published in London by Telegraph Media Group and distributed across the United Kingdom and internationally. It was fo ...
''. A hard disk containing scanned receipts of UK Members of Parliament and Peers in the House of Lords was offered to various UK newspapers in late April, with ''The Daily Telegraph'' finally acquiring it. They published details in instalments from 8 May onwards. Although it was intended by Parliament that the data was to be published, this was to be in redacted form, with details the individual members considered "sensitive" blanked out. The newspaper published unredacted scans which showed details of the claims, many of which appeared to be in breach of the rules and suggested widespread abuse of the generous expenses system. The resulting media storm led to the resignation of the
Speaker of the House of Commons Speaker of the House of Commons is a political leadership position found in countries that have a House of Commons, where the membership of the body elects a speaker to lead its proceedings. Systems that have such a position include: * Speaker of ...
and the prosecution and imprisonment of several MPs and Lords for fraud. The expenses system was overhauled and tightened up, being put more on a par with private industry schemes. The
Metropolitan Police Service The Metropolitan Police Service (MPS), formerly and still commonly known as the Metropolitan Police (and informally as the Met Police, the Met, Scotland Yard, or the Yard), is the territorial police force responsible for law enforcement and ...
continues to investigate possible frauds, and the
Crown Prosecution Service The Crown Prosecution Service (CPS) is the principal public agency for conducting criminal prosecutions in England and Wales. It is headed by the Director of Public Prosecutions. The main responsibilities of the CPS are to provide legal adv ...
is considering further prosecutions. Several MPs and Lords apologised and made whole, partial or no restitution, and retained their seats. Others who had been shamed in the media did not offer themselves for re-election at the
2010 United Kingdom general election The 2010 United Kingdom general election was held on Thursday 6 May 2010, with 45,597,461 registered voters entitled to vote to elect members to the House of Commons. The election took place in 650 constituencies across the United Kingdom unde ...
. Although numbering less than 1,500 individuals, the affair received the largest global media coverage of any data breach (as at February 2012). * In January 2009
Heartland Payment Systems Heartland Payment Systems, Inc. is a U.S.-based payment processing and technology provider. Founded in 1997, Heartland Payment Systems' last headquarters were in Princeton, New Jersey. An acquisition by Global Payments, expected to be worth $3.8 b ...
announced that it had been "the victim of a security breach within its processing system", possibly part of a "global cyber fraud operation". The intrusion has been called the largest criminal breach of card data ever, with estimates of up to 100 million cards from more than 650 financial services companies compromised.


2010

*Throughout the year,
Chelsea Manning Chelsea Elizabeth Manning (born Bradley Edward Manning; December 17, 1987) is an American activist and whistleblower. She is a former United States Army soldier who was convicted by court-martial in July 2013 of violations of the Espionage A ...
released large volumes of secret military data to the public.


2011

*In April 2011,
Sony , commonly stylized as SONY, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan. As a major technology company, it operates as one of the world's largest manufacturers of consumer and professional ...
experienced a
data breach A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, info ...
within their
PlayStation Network PlayStation Network (PSN) is a digital media entertainment service provided by Sony Interactive Entertainment. Launched in November 2006, PSN was originally conceived for the PlayStation video game consoles, but soon extended to encompass smartp ...
. It is estimated that the information of 77 million users was compromised. *In March 2011,
RSA SecurID RSA SecurID, formerly referred to as SecurID, is a mechanism developed by RSA for performing two-factor authentication for a user to a network resource. Description The RSA SecurID authentication mechanism consists of a " token"—either ...
suffered a breach of their SecurID token system seed-key warehouse, where the seed keys for their 2 Factor Authentication system were stolen, allowing the attackers to replicate the hardware tokens used for secure access in corporate and government environments. *In June 2011,
Citigroup Citigroup Inc. or Citi (Style (visual arts), stylized as citi) is an American multinational investment banking, investment bank and financial services corporation headquartered in New York City. The company was formed by the merger of banking ...
disclosed a data breach within their credit card operation, affecting approximately 210,000 or 1% of their customers' accounts.


2012

*In the Summer of 2012,
Wired.com ''Wired'' (stylized as ''WIRED'') is a monthly American magazine, published in print and online editions, that focuses on how emerging technologies affect culture, the economy, and politics. Owned by Condé Nast, it is headquartered in San Fran ...
Senior Writer Mat Honan claims that "hackers destroyed my entire digital life in the span of an hour” by hacking his Apple, Twitter, and Gmail passwords in order to gain access to his Twitter handle and in the process, claims the hackers wiped out every one of his devices, deleting all of his messages and documents, including every picture he had ever taken of his 18-month-old daughter. The exploit was achieved with a combination of information provided to the hackers by Amazon's tech support through social engineering, and the password recovery system of Apple which used this information. Related to his experience, Mat Honan wrote a piece outlining why passwords cannot keep users safe. *In October 2012, a law enforcement agency contacted the South Carolina Department of Revenue (DoR) with evidence that Personally Identifiable Information (PII) of three individuals had been stolen. It was later reported that an estimated 3.6 million Social Security numbers were compromised along with 387,000 credit card records.


2013

*In October 2013,
Adobe Systems Adobe Inc. ( ), originally called Adobe Systems Incorporated, is an American multinational computer software company incorporated in Delaware and headquartered in San Jose, California. It has historically specialized in software for the crea ...
revealed that their corporate database was hacked and some 130 million user records were stolen. According to Adobe, "For more than a year, Adobe’s authentication system has cryptographically hashed customer passwords using the
SHA-256 SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the United States National Security Agency (NSA) and first published in 2001. They are built using the Merkle–Damgård construction, from a one-way compression ...
algorithm, including salting the passwords and iterating the hash more than 1,000 times. This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used
Triple DES In cryptography, Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The Data Encryption Standa ...
encryption to protect all password information stored." *In late November to early December 2013,
Target Corporation Target Corporation (doing business as Target and stylized in all lowercase since 2018) is an American big box department store chain headquartered in Minneapolis, Minnesota. It is the seventh largest retailer in the United States, and a compon ...
announced that data from around 70 million
credit Credit (from Latin verb ''credit'', meaning "one believes") is the trust which allows one party to provide money or resources to another party wherein the second party does not reimburse the first party immediately (thereby generating a debt), ...
and
debit Debits and credits in double-entry bookkeeping are entries made in account ledgers to record changes in value resulting from business transactions. A debit entry in an account represents a transfer of value ''to'' that account, and a credit en ...
cards was stolen. It is the second largest credit and debit card breach after the TJX Companies data breach where almost 46 million cards were affected. *In 2013,
Edward Snowden Edward Joseph Snowden (born June 21, 1983) is an American and naturalized Russian former computer intelligence consultant who leaked highly classified information from the National Security Agency (NSA) in 2013, when he was an employee and su ...
published a series of secret documents that revealed widespread spying by the United States
National Security Agency The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...
and similar agencies in other countries.


2014

*In August 2014, nearly 200 photographs of celebrities were stolen from
Apple An apple is an edible fruit produced by an apple tree (''Malus domestica''). Apple fruit tree, trees are agriculture, cultivated worldwide and are the most widely grown species in the genus ''Malus''. The tree originated in Central Asia, wh ...
iCloud iCloud is a Personal cloud, cloud service from Apple Inc. launched on October 12, 2011 as a successor to MobileMe. , the service had an estimated 850 million users, up from 782 million users in 2016. iCloud enables users to sync their data to t ...
accounts and posted to the image board website
4chan 4chan is an anonymous English-language imageboard website. Launched by Christopher "moot" Poole in October 2003, the site hosts boards dedicated to a wide variety of topics, from anime and manga to video games, cooking, weapons, television, ...
. An investigation by
Apple An apple is an edible fruit produced by an apple tree (''Malus domestica''). Apple fruit tree, trees are agriculture, cultivated worldwide and are the most widely grown species in the genus ''Malus''. The tree originated in Central Asia, wh ...
found that the images were obtained "by a very targeted attack on user names, passwords and security questions". However, Apple toughened iCloud security through an opt-in 2 factor authentication, after celebrity breac

*In September 2014,
Home Depot The Home Depot, Inc., is an American multinational corporation, multinational home improvement retail corporation that sells tools, construction products, appliances, and services, including fuel and transportation rentals. Home Depot is the l ...
suffered a data breach of 56 million credit card numbers. *In October 2014, Staples suffered a data breach of 1.16 million customer payment cards. *In November 2014 and for weeks after,
Sony Pictures Entertainment Sony Pictures Entertainment Inc. (commonly known as Sony Pictures or SPE, and formerly known as Columbia Pictures Entertainment, Inc.) is an American diversified multinational mass media and entertainment studio conglomerate that produces, ac ...
suffered a data breach involving personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of (previously) unreleased Sony films, and other information. The hackers involved claim to have taken over 100 terabytes of data from Sony.


2015

*In October 2015, the British telecommunications provider TalkTalk suffered a data breach when a group of 15-year-old hackers stole information on its 4 million customers. The stock price of the company fell substantially due to the issue – around 12% – owing largely to the bad publicity surrounding the leak. *In July 2015, adult website
Ashley Madison Ashley Madison, or The Ashley Madison Agency, is a Canadian online dating service and social networking service marketed to people who are Marriage, married or in relationships. The site has been widely condemned for being a "business built on t ...
suffered a data breach when a hacker group stole information on its 37 million users. The hackers threatened to reveal usernames and specifics if Ashley Madison and a fellow site, EstablishedMen.com, did not shut down permanently. *In February 2015,
Anthem An anthem is a musical composition of celebration, usually used as a symbol for a distinct group, particularly the national anthems of countries. Originally, and in music theory and religious contexts, it also refers more particularly to short ...
suffered a data breach of nearly 80 million records, including personal information such as names, Social Security numbers, dates of birth, and other sensitive details. *In June 2015, The
Office of Personnel Management An office is a space where an organization's employees perform administrative work in order to support and realize objects and goals of the organization. The word "office" may also denote a position within an organization with specific duti ...
of the U.S. government suffered a data breach in which the records of 22.1 million current and former federal employees of the United States were hacked and stolen.


2016

* In February 2016, the 15-year-old British hacker Kane Gamble leaked the personal details of over 20,000
FBI The Federal Bureau of Investigation (FBI) is the domestic Intelligence agency, intelligence and Security agency, security service of the United States and its principal Federal law enforcement in the United States, federal law enforcement age ...
employees, including employees' names, job titles, phone numbers and email addresses. The judge said Gamble engaged in "politically motivated cyber-terrorism." * In March 2016, the website of the
Commission on Elections An election commission is a body charged with overseeing the implementation of electioneering process of any country. The formal names of election commissions vary from jurisdiction to jurisdiction, and may be styled an electoral commission, a c ...
in the Philippines was defaced by hacktivist group, " Anonymous Philippines". A larger problem arose when a group called LulzSec Pilipinas uploaded COMELEC's entire database on Facebook the following day. * In April 2016, news media carried information stolen from a successful network attack of the Central American law firm,
Mossack Fonseca Mossack Fonseca & Co. () was a Panamanian law firm and Corporate services, corporate service provider.Panama Papers The Panama Papers ( es, Papeles de Panamá) are 11.5 million leaked documents (or 2.6 terabytes of data) that were published beginning on April 3, 2016. The papers detail financial and attorney–client information for more than 214,488 ...
” sent reverberations throughout the world. Perhaps a justified vindication of illegal or unethical activity, this nonetheless illustrates the impact of secrets coming to light. The Prime Minister of Iceland was forced to resign and a major reshuffling of political offices occurred in countries as far-flung as Malta. Multiple investigations were immediately initiated in countries around the world, including a hard look at international or offshore banking rules in the U.S. Obviously the implications are enormous to the ability of an organization—whether a law firm or a governmental department—to keep secrets. *In September 2016
Yahoo Yahoo! (, styled yahoo''!'' in its logo) is an American web services provider. It is headquartered in Sunnyvale, California and operated by the namesake company Yahoo! Inc. (2017–present), Yahoo Inc., which is 90% owned by investment funds ma ...
reported that up to 500 million accounts in 2014 had been breached in an apparent "state-sponsored" data breach. It was later reported in October 2017 that 3 billion accounts had been breached, accounting for every Yahoo account at the time.


2017

*
Vault 7 Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing the activities and capabilities of the United States Central Intelligence Agency to perform electronic surveillance and cyber warfare. The files, dating fr ...
,
CIA The Central Intelligence Agency (CIA ), known informally as the Agency and historically as the Company, is a civilian intelligence agency, foreign intelligence service of the federal government of the United States, officially tasked with gat ...
's hacking techniques revealed in data breach. Leaked documents, codenamed Vault 7 and dated from 2013–2016, detail the capabilities of the CIA to perform electronic surveillance and cyber warfare, such as the ability to compromise the operating systems of most
smartphone A smartphone is a portable computer device that combines mobile telephone and computing functions into one unit. They are distinguished from feature phones by their stronger hardware capabilities and extensive mobile operating systems, whic ...
s (including
Apple An apple is an edible fruit produced by an apple tree (''Malus domestica''). Apple fruit tree, trees are agriculture, cultivated worldwide and are the most widely grown species in the genus ''Malus''. The tree originated in Central Asia, wh ...
's
iOS iOS (formerly iPhone OS) is a mobile operating system created and developed by Apple Inc. exclusively for its hardware. It is the operating system that powers many of the company's mobile devices, including the iPhone; the term also includes ...
and
Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...
's Android), as well as other operating systems such as
Microsoft Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...
,
macOS macOS (; previously OS X and originally Mac OS X) is a Unix operating system developed and marketed by Apple Inc. since 2001. It is the primary operating system for Apple's Mac computers. Within the market of desktop and lapt ...
, and
Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, which ...
. Joshua Adam Schulte, a former CIA employee, has been convicted of leaking CIA hacking secrets to WikiLeaks. *
Equifax Equifax Inc. is an American multinational consumer credit reporting agency headquartered in Atlanta, Georgia and is one of the three largest consumer credit reporting agencies, along with Experian and TransUnion (together known as the "Big Thr ...
, July 2017, 145,500,000 consumer records, the largest known data breach in history at the timeMathews, Lee
"Equifax Data Breach Impacts 143 Million Americans"
''
Forbes ''Forbes'' () is an American business magazine owned by Integrated Whale Media Investments and the Forbes family. Published eight times a year, it features articles on finance, industry, investing, and marketing topics. ''Forbes'' also re ...
'', September 7, 2017.
leading to the potential for the largest class action lawsuit in history.Mills, Chris
"Equifax is already facing the largest class-action lawsuit in US history"
BGR, September 8, 2017.
As of early October 2017, the cities of
Chicago (''City in a Garden''); I Will , image_map = , map_caption = Interactive Map of Chicago , coordinates = , coordinates_footnotes = , subdivision_type = Country , subdivision_name ...
and
San Francisco San Francisco (; Spanish language, Spanish for "Francis of Assisi, Saint Francis"), officially the City and County of San Francisco, is the commercial, financial, and cultural center of Northern California. The city proper is the List of Ca ...
and the Commonwealth of
Massachusetts Massachusetts (Massachusett language, Massachusett: ''Muhsachuweesut assachusett writing systems, məhswatʃəwiːsət'' English: , ), officially the Commonwealth of Massachusetts, is the most populous U.S. state, state in the New England ...
have filed enforcement actions against
Equifax Equifax Inc. is an American multinational consumer credit reporting agency headquartered in Atlanta, Georgia and is one of the three largest consumer credit reporting agencies, along with Experian and TransUnion (together known as the "Big Thr ...
following the July 2017 data breach, in which hackers allegedly exploited a vulnerability in the open-source software used to create Equifax's online consumer dispute portal. The hackers had not only information of U.S. residents but also U.K. and Canadians as well. *
United States The United States of America (U.S.A. or USA), commonly known as the United States (U.S. or US) or America, is a country primarily located in North America. It consists of 50 states, a federal district, five major unincorporated territorie ...
-
South Korea South Korea, officially the Republic of Korea (ROK), is a country in East Asia, constituting the southern part of the Korea, Korean Peninsula and sharing a Korean Demilitarized Zone, land border with North Korea. Its western border is formed ...
classified military documents, October 2017. A South Korean lawmaker claimed that North Korean hackers stole over 235
gigabytes The gigabyte () is a multiple of the unit byte for digital information. The prefix ''giga'' means 109 in the International System of Units (SI). Therefore, one gigabyte is one billion bytes. The unit symbol for the gigabyte is GB. This definiti ...
of military documents from the Defense Integrated Data Center in September 2016. Leaked documents included South Korea-U.S. wartime operational plans. *
Paradise Papers The Paradise Papers are a set of over 13.4 million confidential electronic documents relating to offshore investments that were leaked to the German reporters Frederik Obermaier and Bastian Obermayer, from the newspaper'' Süddeutsch ...
, November 2017.


2018

* Facebook and Cambridge Analytica data scandal in March. * In March, Google identified a vulnerability exposing the personal information of nearly half a million users. While they patched the vulnerability, they did not disclose the exposure to users until the issue was reported on by The Wall Street Journal 6 months after the fact. * On 29 March,
Under Armour Under Armour, Inc. is an American sports equipment company that manufactures footwear, sports and casual apparel. Under Armour's global headquarters are located in Baltimore, Maryland, with additional offices located in Amsterdam (European hea ...
disclosed a data breach of 150 million accounts at
MyFitnessPal MyFitnessPal is a smartphone app and website that tracks diet and exercise. The app uses gamification elements to encourage adherence to exercise and diet goals. To track nutrients, users can either scan the barcodes of various food items or ...
, with compromised data consisting of user names, the users' e-mail addresses and hashed passwords. Under Armour were notified of the breach on the week of 19–25 March, and that the leak happened sometime in February. * It was reported on 1 April that a data breach occurred at
Saks Fifth Avenue Saks Fifth Avenue (originally Saks & Company; Colloquialism, colloquially Saks) is an American Luxury goods, luxury department store chain headquartered in New York City and founded by Andrew Saks. The original store opened in the F Street and ...
/
Lord & Taylor Lord & Taylor was the oldest brick and mortar department store in the United States, in business from 1826 to 2020. The brand was purchased during former owner Le Tote's 2020 liquidation bankruptcy and relaunched by new owner, Saadia Group, as ...
. About 5 million credit card holders may have had their data compromised in stores in North America. * It was reported on 20 July that a
data breach A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, info ...
on
SingHealth Singapore Health Services (SingHealth) is Singapore's largest group of healthcare institutions. The group was formed in 2000 and consists of four public hospitals, three community hospitals, five national specialty centres and a network of eig ...
, one of Singapore's largest health organisations, happened on 4 July, with about 1.5 million personal data (including data of some ministers, including Singapore's Prime Minister
Lee Hsien Loong Lee Hsien Loong (; born 10 February 1952) is a Singaporean politician and former brigadier-general who has been serving as Prime Minister of Singapore and Secretary-General of the People's Action Party since 2004. He has been the Member of Par ...
) being compromised. Ministers on a press conference dubbed the data breach as the "most serious breach of personal data". * On 1 August,
Reddit Reddit (; stylized in all lowercase as reddit) is an American social news aggregation, content rating, and discussion website. Registered users (commonly referred to as "Redditors") submit content to the site such as links, text posts, images ...
disclosed they were hacked. The
hacker A hacker is a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means. Though the term ''hacker'' has become associated in popu ...
was able to compromise employees accounts even though they used
SMS Short Message/Messaging Service, commonly abbreviated as SMS, is a text messaging service component of most telephone, Internet and mobile device systems. It uses standardized communication protocols that let mobile devices exchange short text ...
based
Two-factor authentication Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting ...
. Reddit refused to disclose the number of affected users. * On September 7 it was reported that British Airways experienced a data theft of about 380,000 customer records including full bank details. *On October 19, the US
Centers for Medicare & Medicaid Services The Centers for Medicare & Medicaid Services (CMS), is a federal agency within the United States Department of Health and Human Services (HHS) that administers the Medicare program and works in partnership with state governments to administer M ...
(CMS) reported a data breach that exposed files of 75,000 individuals. *On December 3,
Quora Quora () is a social question-and-answer website based in Mountain View, California. It was founded on June 25, 2009, and made available to the public on June 21, 2010. Users can collaborate by editing questions and commenting on answers that ...
reported a data breach that affected its 100 million users data. *In late 2018, the
Epic Games Epic Games, Inc. is an American video game and software developer and publisher based in Cary, North Carolina. The company was founded by Tim Sweeney as Potomac Computer Systems in 1991, originally located in his parents' house in Potomac, M ...
Fortnite ''Fortnite'' is an online video game developed by Epic Games and released in 2017. It is available in three distinct game mode versions that otherwise share the same general gameplay and game engine: ''Fortnite Battle Royale'', a free-to-p ...
game was discovered to have a security vulnerability which would have allowed an attacker to use victims' payment card data. That and other breaches are estimated to have led to stolen Fortnite accounts being illegally sold to a value of over a million US dollars a year in underground forums. A class action lawsuit against Epic Games was forming in 2019.


2019

*In May, personal data of roughly 139 million users of the graphic design service
Canva Canva is an Australian graphic design platform that is used to create social media graphics and presentations. The app includes readymade templates for users to use, and the platform is free and offers paid subscriptions such as Canva Pro and ...
were exposed, including real names of users, usernames, addresses and geographical information, and password hashes. * On July 16 Bulgaria’s National Revenue Agency, a branch of the country’s Ministry of Finance. *In September, personal data of Ecuador's entire population of 17 million along with deceased people was breached after a marketing analytics firm Novestrat managed unsecured server leaked out full names, dates, places of birth, education, phone numbers and national identity numbers.


2020

* On July 7, the writing site
Wattpad Wattpad is an online literature platform intended for users to read and write original stories. The founders Allen Lau and Ivan Yuen say that the platform aims to create social communities around stories and remove the barriers between readers a ...
suffered a major data breach by
ShinyHunters ShinyHunters is a criminal black-hat hacker group that is believed to have formed in 2020 and is said to have been involved in numerous data breaches. The stolen information is often sold on the dark web. Name and alias The name of the group i ...
, involving over 270 million users; users' data were sold on a forum in the
darknet A dark net or darknet is an overlay network within the Internet that can only be accessed with specific software, configurations, or authorization, and often uses a unique customized communication protocol. Two typical darknet types are social ne ...
, including password hashes. * In mid December 2020, it was reported that multiple US federal government entities and many private organizations across the globe that were using
SolarWinds SolarWinds Corporation is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure. It is headquartered in Austin, Texas, with sales and product development offi ...
,
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
and
VMWare VMware, Inc. is an American cloud computing and virtualization technology company with headquarters in Palo Alto, California. VMware was the first commercially successful company to virtualize the x86 architecture. VMware's desktop software ru ...
products, became victims of an extensive data breach and hack.


2021

*
2021 Microsoft Exchange Server data breach A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, admini ...
* 2021 Epik data breach *
Pandora Papers The Pandora Papers are 11.9 million leaked documents with 2.9 terabytes of data that the International Consortium of Investigative Journalists (ICIJ) published beginning on 3 October 2021. The leak exposed the secret offshore accounts of 3 ...


2022

* March:
Anonymous Anonymous may refer to: * Anonymity, the state of an individual's identity, or personally identifiable information, being publicly unknown ** Anonymous work, a work of art or literature that has an unnamed or unknown creator or author * Anonym ...
leaked the contents of a database from
Roscosmos The State Space Corporation "Roscosmos" (russian: Государственная корпорация по космической деятельности «Роскосмос»), commonly known simply as Roscosmos (russian: Роскосмос) ...
amidst the
2022 Russian invasion of Ukraine On 24 February 2022, in a major escalation of the Russo-Ukrainian War, which began in 2014. The invasion has resulted in tens of thousands of deaths on both sides. It has caused Europe's largest refugee crisis since World War II. An ...
. * July: Leak of
Shanghai National Police Database The Shanghai police database leak refers to the unauthorized disclosure of sensitive personal information and police case data from the Shanghai National Police Database, also known as the SHGA Database, in early July 2022. The leaked data, totalin ...
. * September: a ''GTAForums User Leaked the footage of 90 videos of
Gta 6 ''Grand Theft Auto VI'' is an upcoming action-adventure game in Video game development, development by Rockstar Games. It is due to be the eighth main ''Grand Theft Auto'' game, following ''Grand Theft Auto V'' (2013), and the sixteenth entr ...
''


See also

*
Full disclosure (computer security) In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is sh ...
*
List of data breaches This is a list of data breaches, using data compiled from various sources, including press reports, government news releases, and mainstream news articles. The list includes those involving the theft or compromise of 30,000 or more records, al ...
*
Surveillance capitalism Surveillance capitalism is a concept in political economics which denotes the widespread collection and commodification of personal data by corporations. This phenomenon is distinct from government surveillance, though the two can reinforce each ...
*
Data breaches in India Data breach incidences in India were the second highest globally in 2018, according to a report by digital security firm Gemalto. With over 690 million internet subscribers and growing, India has increasingly seen a rise in data breaches both in ...


References


External links

*
Data Loss Database
is a research project aimed at documenting known and reported data loss incidents world-wide. *

, Breaches reported to the
U.S. Department of Health and Human Services The United States Department of Health and Human Services (HHS) is a cabinet-level executive branch department of the U.S. federal government created to protect the health of all Americans and providing essential human services. Its motto is " ...
by ( HIPAA-covered) entities {{Authority control Data security Secure communication Data laws Security breaches