An increasing number of data breaches is sweeping the world. The number of incidents has increased, but so has the scale of data loss. Companies sometimes lose billions of data records in a single data breach.
While we know that even the most secure IT infrastructure won’t keep out a determined attacker, are these companies too lax with our data? Data loss can result in anything from identity theft to physical harm if it falls into the wrong hands.
Recent Data Breaches Encountered (2018 – 2022)
To give you an idea of the shocking scale of data loss, here are some of the most impactful data breaches over the past few years.
Medibank Data Breach – 9.7m Patient Records (October 2022)
Mediabank, an Australian health insurer, saw over 9.7 million past and current patient records stolen. Compromised information included not just personal details like names and addresses, but health claim data as well.
What makes the situation worse is that Medibank only discovered the compromise after it received a ransom note from attackers who threatened to release the data. Medibank refused to pay, citing its refusal was in line with government policies.
Thomson Reuters Data Leak – 3TB of Sensitive Data (October 2022)
Although not technically a data breach, Thomson Reuters suffered far worse. The company left open a database that contained customer and corporate information. The data includes some passwords that were stored in plain text format.
What boggles the mind is that Reuters was actively using the database, having written information to it as recently as October 2022. While actual theft (if any) is unknown, the potential exposure is more than 6.9 million unique logs occupying 3TB of disk space.
Crypto.com Breach – 483 Wallets (2022)
Data breaches are generally broad-scale which makes the Crypto.com data breach strangely targeted. Cybercriminals targeted the wallets of 483 users and made away with $18m in Bitcoin and $15m in other cryptocurrencies.
Even worse was the fact that the attackers somehow managed to bypass two-factor authentication (2FA) protocols to pull the hack off. Perhaps it just goes to show that stricter oversight of security measures is necessary, even at the user end of things.
Cognyte Data Breach – 5 Billion Data Records (2021)
In 2021, Cognate, a cybersecurity analytics firm, left exposed 5 billion records in its unsecured database. Information such as names, emails, passwords, and sources of leaks, was given full access to anybody; unfortunately, they were unprotected by passwords or any other authentication method.
The irony is that the database, created for cross-checking purposes (to check if any client in the database was involved in any data breach incidents), is instead breached, exposed, and not secured. Cognyte responded by stating that they managed to secure the said database fast enough to prevent “potential exposure.”
LinkedIn Data Breach – 700 Million Data Records (2021)
LinkedIn, the professional networking giant, was also not spared in its recent 700 million records breach. A total of 700 million user information was on sale in a Dark Web forum. Although the information sold did not include login and financial details, the amount of personal data for sale was staggering. It had names, physical addresses, emails, phone numbers, background information, and others.
However, LinkedIn refuted that this was not a data breach and it was merely a violation of their terms of service. That said, many believed that the nature of the leaked data was enough to facilitate cyberattacks on exposed users, leading this to be a data breach.
JustDial Data Breach – 100 Million Data Records (2021, 2019)
A local search service for India-based users, JustDial, had an unprotected database leak, resulting in over 100 million data records stolen containing a ton of information. The stolen info included names, email addresses, occupations, and more.
This leak is the second time such an incident of this scale hit JustDial. The same incident occurred in 2019 in an almost identical fashion. The database was left neglected, and nobody could even contact the company to inform them of the leak.
CAM4 Data Breach – 10.88 Billion Data Records (2020)
Owned by Granity Entertainment, CAM4 is an adult live streaming website where customers purchase virtual tokens to tip the performers and private shows. In 2020, their misconfigured Elasticsearch production database exposed almost 11 Billion data records. The employees used this database internally to scan user and activity logs.
An employee misconfigured Elasticsearch. As such, the database became exposed online without any password protection. Tons of personally identifiable information (PII), such as names, emails, sexual orientation, username, correspondence, IPs, payments logs details, and others, were exposed without sufficient security measures in place.
The risks of identity theft, financial fraud, website attacks, phishing scams, and even blackmail increased. Furthermore, this leaked backend could create a backdoor for further exploitation. The impacted audience mainly originated from the US, Brazil, and Italy.
Granity Entertainment took the database offline within the half-hour, switching to a Local Area Network (LAN) operation.
Sina Weibo Data Breach – 538 Million Data Records (2020)
Chinese microblogging platform Sina Weibo admitted to 538 million accounts leaked. The impacted information included names, usernames, phone numbers, and others. Weibo also announced that although passwords were not compromised, the leaked information could still trace accounts to any reused passwords. The leaked information was found available on the dark web for sale.
Since then, Weibo has been instructed by China’s Ministry of Industry and Information Technology (MIIT) to strengthen security measures. Since then, Weibo was instructed by China’s Ministry of Industry and Information Technology (MIIT) to heighten security measures.
Yahoo! Data Breach – 3 Billion Data Records (2017)
The 3 billion data breach in 2017 originated back in 2013 when Yahoo’s one billion users’ security questions and answers were compromised. Since then, Yahoo’s users have changed passwords and used encrypted security questions and answers. However, in 2017, the estimated damage increased and came to about 3 billion user accounts instead, with passwords in cleartext.
Since Yahoo claimed that there was no stolen information, this posed “no serious security impact.” However, this incident was still considered a data security breach.
Alibaba Data Breach – 1.1 Billion Data Records (2019)
An employee of a marketing consultant company used crawler software to scrape customer information from Taobao, Alibaba’s online shopping mall, in 2019. The employee was engaged to help merchants on Taobao.
The leaked information included usernames and mobile numbers and was reportedly not put on sale, instead used to serve the employee company's clients. Fortunately, Alibaba did not experience any financial loss. Taobao has since invested resources to strengthen its website against unauthorized scraping.
First American Financial Corp Data Breach – 885 Million Data Records (2019)
First American Financial Corporation, an insurance provider, was reported to have accidentally leaked 885 million user records. Records dating back to 2003 were also involved. Title and escrow document images containing members' bank accounts, social security numbers, statements, mortgage records, tax records, social security numbers, and other sensitive information leaked. Accordingly, the breach was caused by a reported design defect on its website.
Verifications.io Data Breach – 885 Million Data Records (2019)
In 2019, email service provider Verifications.io suffered a breach of 2 billion records. It first amounted to 763 million records exposed which later was estimated to amount to a little over two billion records.
The breach was due to an unsecured MongoDB instance with no password, which compromised almost all their customer information – names, IPs, birth dates, emails, genders, phone numbers, mortgage amounts, etc.
Facebook Data Breach – 533 Million Data Records (2019)
In 2019, a security researcher discovered a Facebook leaked database involving 533 million accounts. Users from all over the world had their personal information exposed – account names, Facebook IDs, comments, phone numbers, and others.
And in 2021, such information appeared on a hacking forum. Facebook downplayed the incident by claiming that the leaked information came from already available public information on the site.
Canva Data Breach – 140 Million Data Records (2019)
Canva is an online graphic design tool that lets users easily create compelling yet straightforward designs with a drag and drop interface. The company’s servers were attacked by a hacker who managed to steal over 140 million data records before the hack was detected and stopped.
TrueCaller Data Breach – 300 Million Data Records (2019)
TrueCaller is a call management mobile application most known for its comprehensive call-blocking features. Security experts claimed that the company lost millions of data records belonging to users in India. Although TrueCaller has denied these claims, other sources have stated that the data records have been found available for purchase on the web.
Flipboard Data Breach – 150 Million Data Records (2019)
Popular news aggregation site Flipboard managed to lose over 150 million records over two separate incidences in 2019. The company came clean and disclosed the information, although it claimed that passwords were encrypted and remained safe.
Aadhaar Data Breach – 1.1 Billion Data Records (2018)
In 2018, the government ID database, Aadhaar, reportedly was hacked, potentially compromising 1.1 billion citizens' information. The 12-digit identity numbers, bank details, biometrics data, photographs, and others leaked online. The data breach was due to a data leak on a system operated by a state-owned utility company.
The Aadhaar ID numbers are issued by the Unique Identification Authority of India (UIDAI), a statutory authority in India. Aadhaar is a tool to standardize data collection and ease the process of managing finances from the government to the citizens. Hence, it became one of the biggest biometric databases.
There were reported criticisms regarding the system's security, making it vulnerable to data leaks. Also, around 200 government websites accidentally exposed such personal data from Aadhaar. Additionally, cybercriminals sold Aadhaar card details via WhatsApp.
How Costly is a Data Breach?
Data Breaches are incidents in which information is stolen or taken from a computer. It can range from a few records to millions of customer contact lists. They are a significant threat to businesses. In addition to substantial financial loss, companies often suffer irreparable damage to their brands and reputations.
Incidents involving the loss of data are now happening at an alarming rate. According to the Verizon 2021 Data Breach Investigations Report, the number of reported security incidents has increased from 3,950 in 2020 to 5,258 in 2021.
The average cost of a data breach for companies around the world is $3.86 million, according to a new report from IBM Security and the Ponemon Institute. The study, which includes responses from 2,000-plus professionals across 16 countries and various industries, found that the per capita cost of a data breach has increased by 6.4% since last year.
The average total cost has increased from $3.52 million in 2018 to $4.24 million in 2021 — a 20.4% increase in three years. In the United States alone, the cost of a data breach hit $161 per record, up 20.3% from 2020.
Minimizing the Impact of Data Breaches
If by now you’re shocked at not just the numbers of data records lost, you’ll probably also be speechless at how it happened. The cause isn’t just hackers, but data is being lost through sheer negligence, like in the case of Facebook and JustDial.
To take things a step further, data provided to financial institutions aren’t safe either. Banks and other financial institutions are even higher up the list of hackers and are constantly under close scrutiny. The problem is that hackers seem to be succeeding when they care to try.
While we as consumers can’t do much about how the companies store and protect our data, it doesn’t mean that we are blameless. Careless attitudes towards our personal information contribute more to the situation than we think.
By taking personal cybersecurity into our own hands, we can at the very least ensure that our data is safe in our own hands. At least until the onus of security is transferred over to the companies or services we use.
What to Do if You’re a Victim of a Data Breach
The first thing you can do is to check if you’ve been the victim of one of the numerous data breaches that have already occurred. HaveIBeenPwned is a great resource to do this. Simply visit the site and enter the email address you’ve been using to register your accounts online.
The site will search its database and tell you if your information is at risk and from what source.
Aside from that;
- If you’ve previously signed up for services you no longer use, make sure you delete those accounts. Email site administrators and request that they also remove all your account records that they can.
- Always use strong and unique passwords for all your accounts. Where possible, ensure that your passwords are at least 8 to 10 characters long and include a combination of upper and lowercase characters, digits, and special characters.
- Never provide information to a website that doesn’t have an SSL certificate installed. Many browsers recognize this and identify insecure websites somewhere in the browser address bar.
- Install an Internet security application from a reputable provider. Many reputable internet security brands, including Norton, Kaspersky, ESET, and F-Secure, are available.
- Try to be cautious about what information you share online, especially with social media sites.
- Continually monitor your bank accounts or those you have involving financial investments or otherwise. Notify the banks quickly if you notice any unusual account activity.
- Use a VPN service like NordVPN to encrypt your web traffic and ensure that site has more difficulty tracking your data. To learn more about VPNs read our Comprehensive VPN Guide or check out our Best VPN Deals page to see what offers are ongoing now. (You can read our NordVPN Review here)
Conclusion: Take Security into Your Own Hands
The age of digital means that we are more connected now than at any time before. Everything we use, from smartphones to new IoT devices like intelligent home systems, communicates and exchanges data. Much of it is about our unique behavior and preferences.
At the same time, companies have increasingly shown that they are unable (and in some cases, unwilling) to secure their users' data. This means that all our data, yours and ours isn’t safe in their hands. While we can only hope that regulators and heavy fines will change their minds and attitudes, we need to take security into our own hands.