The biggest data breaches in history

Egress | 16th Nov 2023

A data breach can wreak havoc on an organization and can also have long-term consequences for those who have their personal information exposed.

In this article, we'll outline the biggest cybersecurity data breaches in history, as well as a rundown of some of the more recent notable cybersecurity breaches.

Data is the new currency, and cybersecurity breaches are a major threat to individuals and businesses. Major leaks can result in financial loss, damage to reputation, identity theft, and, in some cases, business closure. The CAM4, Yahoo, and Alibaba breaches, ranked in size order, are stark reminders of the vulnerability of personal data online and the importance of robust cybersecurity practices and transparent corporate communication.

CAM4 data breach

In March 2020, CAM4, an adult cam site, suffered a data breach that exposed 7TB of user data, which equates to over 10.88 billion records. These records featured private personal information, including full names, email addresses, chat transcripts, email correspondence transcripts, sexual orientation data, and payment logs.

Yahoo data breach

In 2013, Yahoo suffered what was, at the time, the biggest data breach on record. It came out in 2017 that all three billion of Yahoo’s users’ accounts had been compromised in the now-infamous 2013 data breach. What followed was years of litigation, diminished company valuations, and damaged customer relations as the longer-term effects began to show. Yahoo had to cut their asset valuation mid-way through a takeover negotiation with Verizon.

Yahoo maintained that the stolen data did not include passwords in clear text, payment card information, or banking details. However, the data did include security questions and answers, as well as recovery email addresses. The data was protected with outdated encryption software which meant it was easy to decrypt.

Alibaba data breach

In July 2022, the Wall Street Journal published the news that the Alibaba Group had suffered a substantial data breach which revealed the personal information of over 1.1 billion users. Over 23TB of data, including full names, phone numbers, and criminal records of Chinese citizens, were compromised.

The company faced harsh criticism for leaving critical servers without a password and therefore unprotected. The data was said to be housed on the company’s cloud platform, but without a password, the system was easily compromised.

A rundown of recent large cybersecurity breaches

Several recent cyberattacks have shown how vulnerable personal data is when managed incorrectly and how serious cyberattacks can be for both the business in question and the end user.

UK Electoral Commission

In August 2023, the Electoral Commission released a public notification of a cyberattack. The notification stated that an incident was identified in October 2022 following suspicious activity on the organization's systems. It was clear that attackers first accessed the systems in August 2021 and had been harvesting data ever since.

Attackers could access reference copies of electoral registers, which included personal information, including names and addresses of anyone registered to vote in the UK between 2014 and 2022.

The University of Minnesota

In July 2023, a hacker claimed to have accessed seven million unique social security numbers. The university has since confirmed the data breach in a statement that said the institution ‘determined that a person likely gained unauthorized access to a university database in 2021’.

The personally identifiable information that the hackers may have accessed included full names, social security numbers, passport information, and employment information.

MOVEit

MOVEit is a managed file transfer application used by thousands of organizations worldwide. It is estimated that over 2,000 organizations and over 60 million individuals were affected by the data breach that began in May 2023. Some of the publicly identified businesses include Nuance (Microsoft’s healthcare tech company), CareSource (a Medicare plan provider), and CCleaner (a system optimization, privacy, and cleaning tool).

Preventing data breaches

Reinforcing your cybersecurity defenses is imperative to keeping your data safe. Below are a few steps you can take to secure your data and ensure it’s protected.

Implementing multi-factor authentication (MFA)

A significant enhancement to security measures is the adoption of multi-factor authentication. MFA requires two or more verification factors to access resources such as applications, online accounts, or VPNs. MFA significantly reduces the risks of unauthorized access from compromised credentials by adding an extra layer of defense.

Keeping software up to date

Regularly updating software is critical in safeguarding against vulnerabilities. Cybercriminals exploit known weaknesses in software, and patches are often released in response to these security gaps. Ensuring all systems have the latest security patches can thwart many common cyberattack methods.

Employee cybersecurity training

Human error remains one of the largest security vulnerabilities. Training employees to recognize phishing attempts, use strong passwords, and follow company IT policies is essential. A cybersecurity-aware workforce is the first line of defense against cyber intrusions.

Successful phishing email campaigns depend on the human element – emails are designed to encourage users to forget their cybersecurity training and open an attachment, open a link or send a transfer. For traditional perimeter security, advanced phishing attacks are hard to detect. More advanced systems like integrated cloud email security (ICES) offer greater protection.

The adaptive security architecture with intelligent detection and real-time teachable moments offered by Egress results in tangible risk reduction. Egress Defend adds color-coded risk banners to all emails, as a teaching mechanism to help users recognize the signs of a phishing attack. Meeting people at the point of risk is one of the best tactics for keeping your business secure and ensuring that data is not leaked or stolen, which can take multiple forms. Egress Prevent allows organizations to monitor outbound email traffic and stop breach incidents before they happen by alerting users to the potential damage.

Mitigating cybersecurity breaches: The role of anti-phishing software

Anti-phishing software like Egress Defend can help protect against even the most advanced phishing emails. Cybercriminals today are using sophisticated techniques leveraging social engineering to reach their objectives. Once a threat actor gains access to your organization’s data infrastructure, they can exfiltrate information quickly and often without detection.

Combining ICES systems with robust user training can help your business avoid falling victim to cybercrime and advanced phishing attacks.