25 High Profile Enterprise Information Security Breaches
No Industry Seems to Be Safe from Ransomware
Thus many sectors have implemented required governance and awareness training throughout their organizations. As time moves forward, more industries will implement proactive strategies to minimize vulnerabilities at their sites and reduce data breaches.
Everyone from entertainment to critical infrastructure is a target
Since very few attacks have the same targets or tactics, it is difficult to rank them by impact. Who decides what is more impactful? Is impact determined by loss of access to data and services? Or by the loss of confidentiality of Personally Identifiable Information (PII) or Personal Health Information (PHI)? Or is it determined by irreparable harm to critical infrastructure and hardware? We could not decide either. Here is a list of some of the most prominent information security breaches since 2008.
- Heartland Payment Systems (2008) – Heartland Payment Systems suffered an attack that resulted in a breach of critical customer payment information. The resulting fallout cost the company over $200 million, and the enterprise lost its PCI-DSS compliance status.
- Sony (2011) – Account information of 77 million PlayStation Network users was stolen after a prolonged (23 days) DDoS (Distributed Denial of Service) attack against Sony’s network infrastructure.
- Adobe (2013) – Encrypted credit card information and user passwords were stolen from over 150 million Adobe customers.
- Target (2013) – Criminals stole nearly 40 million unique credit card numbers and 70 million account records from Target customers in an attack during the 2013 holiday season.
- Yahoo (2013) – Account details and security questions of nearly 3 billion accounts were compromised.
- Anthem (2015) – Anthem’s internal servers were compromised, resulting in the disclosure of medical information / PII of over 78 million individuals.
- River City Media (2017) – The email marketing group River City Media misconfigured its backup databases. This misconfiguration resulted in unsecured public access to over 1.34 billion of its email records.
- Under Armour (2017) – Account information of nearly 150 million users was stolen via a breach of the MyFitnessPal nutrition app. Weak and incorrect hashing algorithms allowed the attackers to decrypt the stolen user passwords.
- Equifax (2017) – Credit information (credit card numbers, driver’s license numbers, social security numbers, etc.) of nearly half of all Americans (147.9 million) was compromised when attackers gained access to Equifax internal servers.
- Veeam (2018) – An exposed database that contained over 200 gigabytes of sensitive customer information resulted in the theft of over 440 million email addresses.
- Facebook (2019) – An unsecured internal Facebook application leaked the personal information of over 500 million users.
- Capital One (2019) – Personal information of over 100 million credit applicants was disclosed as a result of a successful breach conducted by a single attacker.
- GoDaddy (2020) – Unauthorized access to a GoDaddy managed WordPress application resulted in the theft of over 1.2 million individuals’ account information.
- TikTok (2020) – An unsecured database led to unauthorized third-party access to private account information of roughly 235 million social media profiles.
- SolarWinds (2020) – The 2020 supply chain attack on SolarWinds infrastructure resulted in the downstream compromise of multiple critical US governmental entities (Dept. of Treasury, Commerce, Defense, Energy, etc.). The attack was attributed to the Russian government. The extent of fallout from the attack is still being determined.
- LinkedIn (2021) – Data scraped from an unsecured API affected nearly 700 million users.
- CAM4 (2021) – The adult media platform CAM4 exposed nearly 7 terabytes of data containing roughly 11 billion records (emails/passwords).
- CNA Financial (2021) – The financial company paid a $40 million ransom after their infrastructure was crippled by ransomware.
- Alibaba (2021) – 1.1 billion instances of personal information were scraped with the help of malicious insiders.
- Colonial Pipeline (2021) – Fell victim to an attack by the ransomware group DarkSide. Colonial paid the demanded ransom, but the fallout still led to widespread panic about fuel prices and availability on the East Coast.
- JBS (2021) – The meatpacking company JBS was the victim of a ransomware attack by the criminal group REvil. The organization ended up paying the demanded $11 million ransom.
- T-Mobile (2021) – Weak security measures led to the compromise of sensitive information (names, addresses, Social Security numbers, driver’s licenses, IMEI and IMSI numbers, and ID information) on nearly 50 million current and prospective T-Mobile customers.
- Kronos (2021) – The payroll company Kronos suffered a ransomware attack that resulted in service outages and theft of critical information. Customer and employee PII was stolen, as well as critical UKG intellectual property.
- Kaseya (2021) – A supply chain attack on the IT service provider Kaseya resulted in the downstream compromise of 800-1500 Kaseya managed customer environments.
If this could happen to these billion-dollar companies, then it could happen to small and medium-sized companies as well.
Copyright 2024 - Critical Fault, LLC.