10.17.19

The worst data breaches of all time

Compromised records can be very costly during a data breach.

Data breaches are not a new phenomenon: organizations have been at risk of having their information compromised ever since paper recordkeeping began, and the probability of such an incident increased dramatically with the invention of the telegraph, the telephone and especially the internet. It is no surprise, then, that breaches have become progressively more expensive:

  • A 2016 Ponemon Institute study, sponsored by IBM, found that the average cost of a breach grew from $3.8 million to $4 million between 2015 and 2016. The cost per compromised record increased from $154 to $158 in that time.
  • However, the Rand Corporation has estimated that such incidents actually cost much less – about $200,000 apiece, or 0.4 percent of annual revenue. At that level, they are less expensive than billing misstatements and fraud (5 percent).
  • Either way, data breaches represent preventable costs. Many of them are triggered by carelessness or by being deceived by a phishing email, meaning that with better training, many of them can likely be avoided.
  • Javelin Research estimated that consumers spend an average of 20 hours as well as $700 on lost time and legal fees in the wake of having their personal information compromised.

Data breaches are often avoidable with the right precautions.

A good way to learn about data breach avoidance is to study some of the costliest incidents of all time. Let’s review a handful of them:

1. Target, 2013-2014

The breach at Target put the personal information (phone number, address, etc.) of at least 70 million of the store’s customers at risk, along with 40 million payment cards. The total number affected may have exceeded 110 million individuals.

The intrusion was enabled by multiple failures. Attackers gained access via a third-party vendor, undermined the company’s servers and captured data from its point-of-sale systems. Most of these missteps would have been avoidable with proper due diligence.

2. LinkedIn, 2012

In 2012, online professional networking platform LinkedIn sent password reset requests to more than 6 million accounts in the wake of a breach. However, eventually it became clear that 165 million accounts were affected.

One of the main issues here was the lack of password salting, which made the leaked password hashes much easier to crack. The event also underscored the risk of reusing the same password on multiple sites, something that 59 percent of consumers do, according to a 2015 survey by Password Boss. Someone with your compromised LinkedIn password could theoretically access other accounts protected by the same password.
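To show why the missing salt mattered, here is an added illustration that is not part of the original post: using only the Python standard library and constructed sample credentials (no real breach data), it stores the same passwords first unsalted and then with a per-user salt and PBKDF2, and shows that the unsalted table reveals which users share a password and can be resolved with a digest table computed once, whereas every salted record has to be handled on its own.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample credentials (illustrative only, not data from any breach).
USERS = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "hunter2"}
COMMON_PASSWORDS = ["password", "123456", "Summer2012!", "linkedin"]  # constructed list

def unsalted_sha1(password: str) -> str:
    """Unsalted storage: the same password always produces the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_record(password: str, iterations: int = 100_000) -> dict:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; returns what the database stores."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_salted(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def users_sharing_a_digest(table: dict) -> list:
    """Users whose stored value equals another user's. Without a salt, one
    recovered password exposes every account that shares the digest."""
    counts = Counter(table.values())
    return sorted(u for u, h in table.items() if counts[h] > 1)

def precomputed_lookup_hits(table: dict, wordlist: list) -> dict:
    """A digest table built once for a wordlist resolves every unsalted hash with
    a single dictionary lookup; a per-user salt forces that work to be repeated
    for each record, which is exactly what salting is for."""
    lookup = {unsalted_sha1(w): w for w in wordlist}
    return {u: lookup[h] for u, h in table.items() if h in lookup}

if __name__ == "__main__":
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    print("shared digests, unsalted:", users_sharing_a_digest(unsalted))
    print("shared digests, salted:  ",
          users_sharing_a_digest({u: r["hash"] for u, r in salted.items()}))
    print("one-lookup hits, unsalted:", precomputed_lookup_hits(unsalted, COMMON_PASSWORDS))
    print("verify bob:", verify_salted(salted["bob"], "Summer2012!"))
```

Running it shows alice and bob sharing one unsalted digest that the wordlist resolves in a single lookup, while their salted records differ and only verify against the correct password.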

3. Yahoo!, 2013

In terms of sheer numbers, this may be the biggest of them all. In 2016, Yahoo! disclosed a 2013 incident that affected 1 billion user accounts. Some of the passwords were hashed using MD5, a cryptographic standard that the U.S. government declared broken in 2008.

Yahoo users were encouraged to change their passwords and to enable two-factor authentication. This is good advice for virtually any online account. Tying your account login to another device is useful for preventing unwanted access attempts from unusual locations or IP addresses.

As a consumer, you have more control than you might think over your data security. Always make sure to create strong, unique passwords, use multiple factors and avoid giving away personally identifiable information over email or on social media.