With several data breaches incidents around the world, we bring you some of the biggest data breaches in U.S and U.K.
It’s important to know that large data breaches happen in the U.S and U.K and the figures tend to bear that out. The US accounts for the overwhelming majority of the really big data breaches that have been made public, some of them absolutely vast.
Below we have listed what we believe are the most significant data breaches to have happened in U.S and U.K. The listings are classified based only on large basis in addition to type of attack, vulnerability involved and the sensitivity of the data compromised.
Under Armour/MyFitnessPal – 2018
Roughly 150 million users of the MyFitnessPal app owned by Under Armour have had their personal details leaked in a data breach including usernames, email addresses and passwords.
In a written statement issued on 29 March, Under Armour said that it became aware of the breach on 25 March, though it actually occurred in late February 2018.
A joint investigation with law enforcement and data security firms revealed that the affected information includes usernames and email addresses, as well as passwords, but these were hashed with bcrypt encryption. Payment card data was not affected, and neither were government-issued identifiers like driver’s licenses or social security numbers.
The app is predominantly used in the USA but the odds are that some of the 150 million users affected will be in other regions.
Although health and running activity data was not specifically accessed, the hack opens up the possibility of attackers gaining access to this – and in theory being able to collate highly personal profiles of affected individuals.
FedEx – 2009
A subsidiary of delivery and logistics multinational FedEx has stored extremely sensitive customer data on an open Amazon S3 bucket, essentially making all the information public.
The tranche of data was discovered by Kromtech security researchers on 5 February. The culprit looks like it was a company called Bongo International LLC, a package-forwarding business set up to make buying American goods easier for global customers, which was bought by FedEx in 2014.
It included thousands of scanned documents for citizens in America and globally – with passports, driving licenses and security IDs all open for access in the bucket, as well as home addresses, postal codes and phone numbers.
Researchers pointed out that the data seems to have been from 2009 to 2012, before the company was bought out.
Yahoo, 2013 – 3 billion 1 billion user accounts compromised
In a truly remarkable turn of events, Yahoo in 2016 not only claimed the crown of Biggest Data Breach Ever with the September disclosure of a 2014 breach that affected 500 million users. It came back in December to disclose a breach from 2013 that compromised a whopping 1 billion user accounts. That’s one for every seven or eight people on Earth.
The unidentified 2013 hackers, said to be unconnected to those behind the 2014 break-in, got the whole shebang: names, dates of birth, email addresses, security questions and answers and weakly protected passwords. (The passwords in the 2014 breach had better protection.)
It gets worser in October 2017, Yahoo’s new owner Verizon discovered that 3 billion, not 1 billion, accounts had been compromised in the 2013 breach. That’s every single account on Yahoo, Flickr, Tumblr and dozens of other Yahoo-owned online properties had at the time.
Yahoo, 2014 – 500 million accounts compromised
The massive Yahoo breach revealed in late September 2016 not only capped a summer of huge data-breach disclosures, but was the biggest data breach on record until another Yahoo breach doubled it. Yahoo, in the middle of selling itself to Verizon, said “a state-sponsored actor” instead of a regular cybercriminal was likely behind the theft, said to have occurred in late 2014.
Compromised information included real names, email addresses, dates of birth and telephone numbers, helpful to spammers and identity thieves. The good news is that the “vast majority” of the passwords were hashed (run through a irreversible mathematical algorithm) using the so-far-uncrackable Bcrypt method.
LinkedIn, 2012 – 165 million accounts compromised
The world’s top business-networking website disclosed its 2012 data breach soon after it happened, but password-reset notifications at the time indicated that only 6.5 million user accounts had been affected. LinkedIn never confirmed the actual number, and in 2016, we learned why: A whopping 165 million user accounts had been compromised, including 117 million passwords that had been hashed but not “salted” with random data to make them harder to reverse.
That revelation prompted other services to comb the LinkedIn data and force their own users to change any passwords that matched. Netflix has to be complimented for this. Left unanswered is why LinkedIn did not further investigate the original breach, or to inform more than 100 million affected users, in the intervening four years.