11. Mexican Voter Data Leak: 93.4 Million Records (2016)
While this misses the “top 10” list by a few thousand voters (it rubs shoulders with our number 10 data breach), it's worth noting that the information of 93.4 million Mexican voters was found just floating around the Internet late last month, in what nearly counts as a tie for the #10 spot. The information was just sort of sitting, unprotected, on one of Amazon's cloud servers, and was found there by security expert Chris Vickery, who doesn't even speak Spanish and only clicked it in the first place because the document title "sounded like the tequila, Patrón."
Considering the security situation in various parts of the country, leaking voter info for 72% of the country's population could be dangerous for the people named in it. But what's really scary was the difficulty Vickery had getting anyone to take him seriously, even though it's 2016. He had all sorts of trouble getting Amazon to take the document down, and when he tried to alert people, he got no response from the U.S. State Department, Homeland Security, or the Mexican Embassy in Washington, which apparently deleted his email from their spam folder. It wasn't until a Mexican student at a Harvard lecture told him which specific group within the Mexican government to call that he got anywhere.
10. TJX: 94 Million People (2007)
TJX is the parent company of TJ Maxx/TK Maxx, Marshalls, HomeGoods, and more. In 2007, they lost the information of a record (at the time) 94 million customers. Initially, they didn't realize how severe the breach was, claiming losses of 45 million records. Of course in 2007, even that was enough to put them in the upper stratosphere of data losses.
When something like this happens and your info is involved, you need to follow some steps. Change all of your passwords, let your bank and credit card companies know, and file a police report, a fraud alert, and an identity theft affidavit. You may also consider signing up for an identity theft protection service. At the time, most people just got angry and sued TJX -- like we'd even have time to sue every time this happens nowadays.
9. Target: 110 Million People (2014)
It's tough to know exactly what the story is on this because Target revised it so many times. Initial claims were around 40 million credit card numbers, then 70 million "customer records," then finally 100 million records, in what was either one massive breach or a slow data leak over time, but nobody seemed quite sure. Perhaps the most striking thing about this is that Target had no Chief Information Security Officer or Chief Security Officer, which is completely unacceptable, and was even unacceptable two years ago.
This was closely followed by The Home Depot's card breach, which lasted five months and was thought at the time to be even bigger than the Target breach -- since, again, they initially reported only 40 million records lost. Today, the Home Depot breach doesn't even rate on a top 10 list, but at the time, the one-two punch in the news terrified customers.
8. Heartland Payment Systems: 130 Million People
Heartland Payment Systems isn't exactly a household name -- at least, it wasn't until 2009. The company was responsible for processing debit and credit card transactions for 250,000 businesses, handling over 100 million transactions a month involving Visa, MasterCard, American Express, and Discover cards. Starting in May 2008, a malware program had been infecting their system, letting thieves steal the unencrypted card data while their system was authorizing the cards. They stole card numbers, expiration dates, and in some cases, names.
To their credit, the company notified authorities as soon as they suspected a breach, and notified the public as soon as they confirmed it, shortly thereafter. While pundits accused them of burying the news on Obama's Inauguration Day, they made the announcement as soon as the investigators finished their initial assessment. They also set up an entire website to provide information about what happened and how to deal with it. Between their forthright response and their hands-on customer care -- they visited or called 150,000 of the 250,000 businesses involved within weeks -- they were held up as an example of the best way to handle a worst-case scenario.
7. eBay: 145 Million People (2014)
Sometime between late February and early March of 2014, hackers stole encrypted passwords and all sorts of personally identifiable information from 145 million eBay users, including names, email addresses, physical addresses, phone numbers, and more. The company recognized the breach about a month later and announced it to the public mere weeks after that, following the precedent laid out by Heartland. The company asked users to change their passwords, especially if they were using those passwords elsewhere.
News sites also warned eBay users to be ready for phishing attacks, which is good advice after any breach. Once people have a little bit of your personal info, they'll use it to buy your confidence and trick you into giving away more. Of course, even though we've given it a fancy name when it happens online, that's not really hacking -- just a good, old-fashioned con.
6. Shanghai Roadway D&B Marketing Services: 150 Million People (2012)
In 2009, Dun & Bradstreet bought the Chinese marketing services company Roadway. In 2011, they were bringing in a healthy profit. In 2012, it came to light that the company had leaked info for 150 million Chinese citizens -- including name, gender, age, phone number, monthly income, and even the car they drove. Well, "leaked" may not be the right word. When Chinese police raided the building, they expressed concern that the breach was an inside job, with people from within the company selling info on its own customers.
Of course, if you're familiar with what Dun & Bradstreet does in the first place, this is sort of hilarious. They sell leads to sales groups. Meaning that this branch was basically doing exactly what D&B as a company already does, just...in ways that violated Chinese privacy law and went into terrifying detail. Speaking of terrifying details, China may have privacy laws in place, but the U.S. Constitution actually doesn't. In case you were wondering about that. How much of a "right to privacy" Americans can expect or feel entitled to is one of the most contested issues in American courts, and it's a fascinating one.
5. Adobe: 152 Million People (2013)
In 2012, Adobe announced the launch of the "Creative Cloud," which basically meant that instead of paying once for programs like Photoshop, you would pay them forever and your programs would live on their computers instead of yours. In May of 2013, they announced that no new versions of the classic Creative Suite would be released and that the Cloud was the only way forward. In October, they announced that their computers had been subject to a massive breach: some 3.8GB of data containing over 150 million usernames and passwords, all taken from Adobe, which just sort of showed up on the Internet shortly thereafter where anyone could see them. The stolen information also included part of the code that makes up Adobe Reader and Photoshop, although that hurts Adobe more than anyone else.
At the time, they were using the same encryption key for all of their passwords and holding onto an outdated backup server. That's the sort of security shortcut that happens when companies are trying to save money, but after $1.2 million in legal fees alone and undisclosed restitution to 38 million users, they're probably wishing they had just shelled out for a better server.
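Protecting every password under one key, as the page says Adobe did, is a shortcut worth unpacking: any deterministic scheme under a shared key turns equal passwords into equal stored records, so a leaked table already groups users by password before anyone recovers the key, and recovering that one key exposes every record at once. The following added example (not Adobe's code; HMAC under a constructed key stands in for single-key encryption because the standard library has no AES) contrasts that with per-user salted PBKDF2, where the same passwords produce unrelated records.

```python
import hmac
import hashlib
import os
from typing import Optional

# Constructed sample user table: several users reuse the same weak passwords.
USERS = {
    "alice": "123456",
    "bob": "password",
    "carol": "123456",
    "dave": "123456",
    "erin": "password",
    "frank": "Tr0ub4dor&3",
}

# One server-wide secret, standing in for a single encryption key shared by every
# password record. HMAC-SHA256 is used only because it is a deterministic keyed
# transform in the standard library; the property under test (same input under the
# same key always yields the same output) is what matters, not the primitive.
SHARED_KEY = b"constructed-single-server-key"


def store_single_key(password: str) -> str:
    """Deterministic protection under one shared key: equal passwords -> equal records."""
    return hmac.new(SHARED_KEY, password.encode(), hashlib.sha256).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> tuple:
    """Per-user random salt plus a slow KDF: equal passwords -> different records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def duplicate_groups(records: dict) -> dict:
    """Group usernames whose stored records are identical (what a leaked dump reveals)."""
    by_record: dict = {}
    for user, rec in records.items():
        by_record.setdefault(rec, []).append(user)
    return {rec: users for rec, users in by_record.items() if len(users) > 1}


def compare_schemes(users: dict = USERS) -> tuple:
    """Return (duplicate groups under the shared key, duplicate groups with salting)."""
    single = {u: store_single_key(p) for u, p in users.items()}
    salted = {u: store_salted(p)[1].hex() for u, p in users.items()}
    return len(duplicate_groups(single)), len(duplicate_groups(salted))
```

With the constructed table, the shared-key scheme yields two clusters of identical records (the "123456" and "password" users) while the salted scheme yields none.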
4. American Business Hack: 160 Million People (2013)
In 2013, the U.S. Department of Justice unsealed an indictment that accused five Russian and Ukrainian nationals of a global data breach that stretched back six years. The hackers targeted NASDAQ, Visa, Discover Financial Services, 7-Eleven, JetBlue, the Dow Jones, and more. They ultimately ended up stealing credit card numbers, usernames, passwords, and personally identifiable information for over 160 million people, then turned around and sold the credit card numbers. (Worth noting is that American credit cards were only worth $10 while European ones were worth $50, because American credit cards are terrible.)
The group was led by Alexandr Kalinin and Vladimir Drinkman (which sounds more like an Archer character than a real person's actual name). The two were also behind the Heartland Payment Systems breach, which was the largest data breach ever until this one came to light. All in all, the attack cost hundreds of millions of dollars, mostly to credit card companies and corporations, but also to individuals. Three corporate victims alone sustained $300 million in losses.
3. New York Taxi and Limousine Commission: 173 Million People (2014)
This one is a little harder to talk about. This wasn't the result of a hack, but it was a massive breach of private data. The information was given out as part of a Freedom of Information Law request about the comings and goings of New York taxicabs. This was a legal request to make and an understandable one. You're allowed to ask about public services. That's what the FOI Law is for. But with that, the government has an obligation to maintain the privacy of the workers involved.
So the New York Taxi and Limousine Commission tried to make certain information anonymous, like the names of the taxi drivers and information about the customers. Unfortunately, they did a terrible job of it. The full write-up gets very technical, but the bottom line is that it takes no effort to connect the report's "anonymous" info with real cab driver licenses. And with that information -- and the GPS coordinates associated with it -- you can do some terrifying things.
2. Voter Information Breach: 191 Million People (2015)
That wasn't the only time a government organization leaked a ton of private information to the public, though. Last December, security researcher Chris Vickery found a database online -- publicly available, and visible to anyone -- containing the personal information of 191 million American voters. The information included names, home addresses, voter IDs, birthdates, phone numbers, party affiliations, and perhaps most upsettingly, voting histories dating back 15 years.
Voter registration information is considered public record in many states (not all), and it's often collected by market research companies to help political campaigns, along with information about your probable opinions on key political issues. Companies usually hold this close to the vest, but a misconfigured database on someone's part led to all of that information being dumped onto the Internet, violating what many people assumed was privileged information about who they voted for, and breaking numerous state laws, including California's. To be clear: this wasn't a "hack." This was just a really, really big mistake. And while the government has been hacked before, the damage outsiders have done is nothing compared to what they've done to themselves.
1. Court Ventures: 200 Million People (2012)
Experian is one of the three major credit reporting bureaus in the United States, so everyone from loan companies to landlords trusts them to know fiscal and personal responsibility when they see it. Yet they themselves had a massive failure of due diligence when they purchased Court Ventures, a data company that collected and sold court records. That part is legal. They were also working in conjunction with a company called US Info to help verify the court data's relevance to a given party. That's legal, too. But then they turned around and sold US Info's personally identifiable information about 200 million people to a Vietnamese criminal named Hieu Minh Ngo. That was a lot less legal. News outlets called Ngo a "hacker," but most of what he did simply involved posing as a private investigator, buying the records, and then selling them. Not a lot of hacking there.
Experian has done a lot of hand-wringing and issued a lot of disclaimers about how they aren't responsible, but considering that they bought Court Ventures right as it was hemorrhaging the personal records of 200 million Americans -- and made a healthy buck doing so -- they didn't exactly do their homework. It's like someone e-mailed your grandmother claiming to be a Nigerian prince who needed to wire her money, and not only did she send her bank info, she hired the guy to do her taxes. At least they learned their lesson, right? I mean, unless you count the 15 million T-Mobile customer records that Experian also leaked, just last year.