The Top Five Data Breaches of All Time

Stories of the latest data breaches are the most common type of cybersecurity news. Many organizations collect large repositories of sensitive data, making them targets for cybercriminals. The value of the collected data makes it worth the hackers’ time and effort to identify and exploit holes in the organizations’ defenses and discover a way to exfiltrate the data for use or resale.
Different types of data hold different values to cybercriminals, but often the impact of the breach is decided by the size of the breach. The bigger the breach, the more money for the attackers, and some data breaches have been massive.

The Biggest Breaches

Data breaches have become a near-daily occurrence. Some breaches grab headlines despite their smaller size (like the Equifax breach), but large counts of breached records always deserve attention. Here, we explore the five biggest data breaches of all time.

1. Yahoo – 3 billion

Yahoo is well known for its poor data security, with multiple data breaches in recent years; however, the 2013 Yahoo breach takes the prize as the largest data breach of all time. Yahoo revealed the breach in December 2016, while negotiating the sale of part of the company to Verizon. This was the first in a series of disclosures that eventually revealed the scope of the incident (all 3 billion users) and the breached data (name, date of birth, email address, password and security questions/answers).

2. Marriott – 500 million 

The Marriott breach has recently been in the news due to the substantial 99 million Euro penalty that the UK’s Information Commissioner’s Office (ICO) has announced. The Marriott breach, which affected 500 million users, originated as a breach of the Starwood Hotels systems. The breach began in 2014, continued through Marriott’s acquisition of Starwood in 2016, and was finally discovered in September 2018. At a minimum, affected customers’ names and contact information were breached, but some parties lost significantly more data.

3. Adult Friend Finder – 412.2 million

The Friend Finder Network consists of a set of websites and was breached in October 2016. As a result of the vulnerability, 20 years of data (affecting 412.2 million accounts) was collected by the hackers, including names, email addresses and passwords. The passwords were poorly protected, making it easy for hackers to crack them and gain access to affected accounts.

4. Myspace – 360 million

The early social media website Myspace was breached in 2016 to the tune of 360 million accounts. Like the Friend Finder breach, the passwords leaked during this attack were poorly protected, making them easy prey for hackers. As a result, email addresses, usernames and passwords were revealed in this breach.

5. eBay – 145 million

The final breach in this top-five list involved eBay and was reported in May 2014. This attack took advantage of stolen employee credentials to steal the personal information of 145 million users of the online auction site. Attackers had internal access to the organization for a significant period of time (229 days) and gained access to names, addresses, dates of birth and encrypted passwords for all of its users. Fortunately, payment card information was stored separately and not leaked during the breach.


How did these big companies fail their customers?

Many organizations collect and store the personal data of their customers, and new privacy regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are designed to hold them accountable for its protection. However, many organizations fail to protect that data properly, as demonstrated by the number and impact of data breaches in recent years.

Several of the top data breaches demonstrated significant failures of organizations in protecting their customers’ data. The Marriott breach continued through a merger and acquisition process, demonstrating a lack of due diligence during the process by Marriott, and multiple Yahoo breaches were only identified due to the acquisition by Verizon. Several of the breaches (Yahoo, Friend Finder and Myspace) involved the leakage of passwords that were inadequately protected, allowing hackers to learn the passwords and use them to attempt to gain access to other sites where their owners reused them.

Can you help companies protect sensitive data?

As data breach regulations grow more stringent and organizations continue to collect sensitive data from their users, the need for cybersecurity professionals capable of properly protecting their customers’ personal data will only grow. The SMU Online Master’s Degree in Cybersecurity offers a clear pathway to apply best cyber defense practices to real-world, complex cybersecurity challenges. 
