The biggest data breaches of all time almost all took place between 2018 and 2020. Since then, no leak has managed to reach the top 20. Global regulations and the growing threat from cybercriminals are making organizations take the measures required. It’s very much needed, as there are more victims than ever before.

NinjaOne researchers recently compiled a top twenty list of the biggest data breaches of all time. Sixteen of them date from 2018-2020. Only two giant leaks from Yahoo (2013, 2014), one from Equifax (2017) and another from Friend Finder Networks (2016) are older, while no new incidents have been added to this list since 2020.

Yahoo ranks first, leaking 3 billion records a decade ago. The company was unable to protect countless users’ private data including email addresses, passwords, birth dates and phone numbers. Although the Yahoo data breach occurred in 2013 (with a second incident in 2014), the company did not disclose how much data had actually been up for grabs until October 2017. It’s a record-setting amount, even a decade later: First American Corporation is the runner-up (from 2019) with less than a third of that number of records at a ‘mere’ 885 million.

The biggest incident ever certainly took its toll on Yahoo: a class-action lawsuit led to a $117.5 million settlement, whereas the SEC imposed a $35 million fine because Yahoo had kept the breach a secret.

Companies from all kinds of industries hit

Records are a useful gauge of the severity of a data breach, as they are personal data that a malicious party can exploit. After all, pure gigabytes and terabytes are worth little if all the data is encrypted: the NinjaOne list is therefore specifically about concrete information.

Facebook, market researcher Exactis and telecom company Airtel, among others, also feature in the top ten of historically large data breaches. As this diverse list of victims shows, no sector is safe. Although all cases involved private data being breached, the ways in which the data was compromised varied considerably. In 2019, for example, security researcher Brian Krebs informed the insurance company First American Corporation that a huge amount of sensitive data could be obtained with some simple URL modifications. Driver’s licenses, mortgage information and Social Security numbers were all unsecured. At the Marriott hotel chain, hackers with Chinese state support allegedly infiltrated the servers and obtained unencrypted passport numbers.

Clearly, any organization of a significant size can be vulnerable to a major data breach. Still, we were wondering why there was such a significant clustering in 2018-2020. One might expect that the current explosion of ransomware would only create more and bigger leaks. Research conducted by MIT professor Dr. Stuart Madnick on behalf of Apple underscores the fact that data loss occurs more often than ever before. In addition, the data can swiftly be sold off to the highest bidder if it is a cybercriminal rather than a security researcher who discovers a leak.

More victims, more data, more important targets

The number of data breaches tripled between 2013 and 2022, according to the MIT study. 98 percent of all organizations have interacted with a vendor that has experienced a data breach. In recent years, we’ve seen critical vulnerabilities emerge that affect countless organizations, including Log4Shell and MOVEit. Admittedly, nobody can point to a single organization that has had billions of records breached due to such a vulnerability, but add up the total amount of data stolen because of such vulnerabilities and you get a frightening statistic. As software such as Log4j is pretty much everywhere, organizations across the globe can be targeted en masse. Additionally, today’s cybercriminals tend to target critical infrastructure, such as hospitals, banks and educational institutions. The loss of records from such institutions could do a great amount of damage, for example by enabling highly credible phishing emails. Since 80 percent of all cyber-attacks are enabled through phishing, this method of attack should never be underestimated.

The trend is starting to become clear by now: more victims, more data, and smaller targets. Within specific industries, that picture can be somewhat different. For example, within the U.S. healthcare industry, there has been a 15 percent decrease in the number of leaks, but a 31 percent increase in the number of victims. With critical infrastructure being targeted, no one can be happy with a decrease in the number of major leaks, as the disruptive impact on society is arguably a lot bigger when it’s hospitals and banks that are affected, rather than a few major software players or social media platforms. Dan Lohrmann, CISO at consulting firm Presidio, speaks of a “new normal” in which society faces bodily harm by a thousand cuts rather than a single catastrophic “Cyber Pearl Harbor” incident.

There’s some good news at least

Despite the MIT report finding most organizations too vulnerable to data breaches, there is light at the end of the tunnel. After all, major technology platforms are at least now using as little unencrypted user data as possible. The tech giants of this world are increasingly adopting end-to-end encryption, which also protects data in transit. The survey lists Google and Meta, among others, but Microsoft and AWS are also promising more and more options that package data as securely as possible.

Organizations are also increasingly prepared, possibly because they hope to do everything they can to avoid being the next Yahoo. Even if some people are overly confident about their own cybersecurity, the adoption of approaches like the zero-trust architecture is making the risk of a data breach ever smaller.

There has also been a lot of legislative action in 2018-2020 and beyond. Since it takes a while for the impact of such legislation to really show up in the data, it can be argued that the EU’s GDPR and the New York SHIELD Act already serve as tools against data breaches. Brazil introduced the LGPD in 2020, modelled after the GDPR, while China has tightened its rules as well since enacting its Personal Information Protection Law.

More concrete is the Cyber Resilience Act, which addresses responsibility for data breaches a lot more clearly than before. Both software and hardware must be secure and provided with security updates. Major leaks should therefore be prevented by protecting equipment and frequently used applications as much as possible. Good patch management will still be necessary to reduce data breaches going forward, of course. In that regard, NinjaOne hopes to do its bit with cloud-based patch management.

The top ten data breaches of all time according to NinjaOne, including year and number of leaked records:

  1. Yahoo (2013) – 3 billion – originally this tech company claimed it “only” lost 1 billion records, but in October 2017, the company revealed that it had three times as much private data compromised, including email addresses, passwords and phone numbers.
  2. First American Corporation (2019) – 885 million – flawed security policies made this financial services company’s servers vulnerable, allowing transaction data and passport numbers to be viewed, among other things.
  3. Facebook (2019) – 540 million – third-party app developers had stored records on a public AWS cloud server, causing accounts, posts and comments to be compromised.
  4. Marriott International (2018) – 500 million – this hotel chain was allegedly attacked by a Chinese state actor, which obtained passport information and encrypted credit card data from its reservations database.
  5. Yahoo (2014) – 500 million – Yahoo again, which this time suffered an attack that also stole answers to security questions.