Biggest cybersecurity mistakes by large organizations
History has proven that no company is too big, financially well-off or sophisticated to suffer the wrath of a cybersecurity attack. Large organizations have unique vulnerabilities they need to protect themselves against, from vendors with dodgy cybersecurity practices to foreign espionage teams — and one of the best ways large businesses can safeguard themselves from future attacks is by studying what’s gone wrong in the past.
Here are some of the biggest cybersecurity mistakes experienced by organizations, what we can learn from them and why every employee needs security education.
Phishing simulations & training
1. Yahoo
When it happened: August 2013
Who it impacted: 3 billion users
In 2013, Yahoo announced that all 3 billion of its accounts had been hacked — whoa! News of the hack came to light during the sale of Yahoo to Verizon, and the revelation nearly derailed the deal and, in the end, lowered the sale price by $350 million. Thieves snatched a wealth of personal information from billions of users, including names, phone numbers, birth dates, passwords, backup email addresses and security questions. Although the information was encrypted, the protections were weak and easily cracked by hackers. The theft of backup email addresses and security questions was particularly dangerous because it could allow hackers to commit email fraud and account takeovers.
2. LinkedIn
When it happened: June 2012
Who it impacted: 117 million users
LinkedIn is well-known as a popular platform for job seekers and professional networkers, but in 2012 the site also became a victim of a massive Russian hack. The exact number of passwords the attackers got ahold of is unknown, but it’s estimated to be in the ballpark of 6.5 million. Interestingly, this number didn’t come to light until 2016, when a cache of stolen passwords was discovered on a dark web marketplace. It’s believed the hackers were able to quickly process the password data because LinkedIn neglected a crucial security feature: it didn’t use “salting,” a process that injects random data into credentials so that even if passwords are stolen and cracked, the additional random text in each still makes the passwords functionally unusable. Reportedly, LinkedIn has begun using this security trick to prevent future attacks.
3. Equifax
When it happened: September 2017
Who it impacted: 148 million users
With its reputation as a respected consumer credit reporting agency, it shocked many when Equifax announced it had been hacked in 2017. Hackers could break in via a vulnerability in an open-source application called Apache Struts. They stole personal data for more than 148 million consumers, including social security numbers. It was later determined that the hack was made possible by a failure to patch Apache Struts. Let this remind you that regularly updating applications should be at the top of every business’s to-do list! (See how the Equifax exploit work happened.)
4. Facebook
When it happened: April 2019
Who it impacted: 533 million users
In April 2019, datasets belonging to two third-party Facebook apps found their way onto the dark web. In total, 533 million records were stolen from users in 106 countries. The data included a treasure trove of Facebook user information like account names, phone numbers, locations, birthdates and other profile information. The datasets also included user activity like comment history, likes and reactions. Facebook took some heat following the hack because they decided not to inform the 533 million users affected by the breach.
5. Heartland Payment Systems
When it happened: March 2008
Who it impacted: 134 million cards
Malware allowed hackers to steal credit card data from more than 134 million customers of Heartland Payment Systems, leaving them vulnerable to identity theft. Heartland served as a payment processor for 175,000 retail stores, meaning any customer who swiped their card at a shop partnered with Heartland was suddenly at risk. Visa and Mastercard discovered the breach when they noticed a flurry of fraudulent transactions from accounts connected to Heartland. An investigation revealed that a team of hackers could breach Heartland’s unencrypted network with an SQL injection attack. Unfortunately, Heartland’s cybersecurity mistakes do not end there. Another attack hit Heartland in 2015 after thieves stole laptops containing unencrypted passwords from their Santa Ana, California office.
See Infosec IQ in action
6. Marriott Hotels
When it happened: November 2018
Who it impacted: 5.2 million guests
Guests of the popular Marriott Hotel chain were dismayed to learn that the company’s reservation system had been hacked and the personal information of more than 5 million people revealed. The Marriott hack is interesting because it began not with Marriott itself but with a company they acquired in 2016 called Starwood Hotel Group. When Marriott took over Starwood, it also inadvertently absorbed Starwood’s cyber vulnerabilities. State-sponsored hackers in China gained unauthorized access to Starwood’s reservation system years prior and were able to sneak into Marriott’s network as well. Ultimately, Marriott was fined $123 million — 3% of the hotel chain's total revenue. Luckily for Marriott, the fine was later reduced to $23.8 million.
7. JP Morgan Chase
When it happened: 2014
Who it impacted: 83 million accounts
JP Morgan Chase is one of the world's largest financial services and investment banking institutions, which is why it shocked many when it announced it had been hacked. Over 83 million accounts were compromised in 2014 when attackers breached JP Morgan’s servers and operated for over two months before they were detected. During those two months, personal information for two-thirds of American households were stolen. JP Morgan Chase is a prime example that no business is too big to be hacked.
8. Deep Root Analytics
When it happened: June 2017
Who it impacted: 198 million users
Do you ever wonder where all those targeted political ads come from around election time? Marketing companies like Deep Root Analytics bring those campaigns to life using data and analytics to identify the “right” audience for the campaign. The nature of their work means they compile a ton of personal information about each audience member, from birth dates and phone numbers to opinions on specific issues like gun ownership. Back in 2017, the company lost the public’s vote of confidence when that information was exposed via a publicly accessible Amazon server. The data loss resulted in a class-action lawsuit arguing that it failed to protect their subjects’ personal information and left them open to identity theft.
9. eBay
When it happened: February 2014
Who it impacted: 145 million users
In the winter of 2014, a group of hackers used Ebay to score much more than antiques and knickknacks: they also grabbed customer data from more than 145 million eBay users. In this sophisticated attack, hackers impersonated three corporate employees and used their credentials to crack into eBay’s user database, where they found usernames and encrypted passwords. In the end, more than 145 million eBay users had their names, email addresses, birthdates and physical addresses stolen. Luckily, the stolen information did not appear to include credit cards or bank accounts.
See Infosec IQ in action
10. Target data breach
When it happened: 2013
Who it impacted: 60 million users
The Target hack of 2013 is the perfect example of a third-party vendor turning into an unintentional Trojan horse. The attack began when intruders stole credentials belonging to Target’s HVAC vendor. The attackers then used this information to access a customer service database and upload malware. After the dust settled, it was determined that the names, phone numbers, email addresses and credit cards of more than 60 million users had been stolen. The attack cost Target more than $28 million after a multi-state class action lawsuit was filed.
Subscribe to the Infosec newsletter to stay up to date on the latest cybersecurity news and career information.