20 Biggest Data Breaches of 2013

The year 2013 is definitely going to be remembered as the "Year of the Breach" - the year with the largest number of records lost, due to 2.164 data breach incidents. The number of records exposed is quite amazing - 822 million!

Yes, that's right - it means that this year alone, the personal data (mostly emails, names, phone numbers, passwords, driver's license numbers, social security numbers, etc.) of every 9th person in the world was exposed!

Risk Based Security's newly released report shows that 96.8% of all exposed records involved activity from outside the organization, with hacking taking the biggest percentage - almost 60%.

The largest number of incidents happened in the United States - nearly 50%! That also resulted in the largest number of records exposed - 540+ million data records were stolen in the USA, accounting for 66.5% of ALL exposed records in 2013. Pretty impressive.

And what do you think of when I say "California"? Let me guess... Beaches? Palms? Good looking girls in bikinis? The 2Pac & Dr. Dre song? Well, let's try this: 369.000.000 records exposed in California this year!

So, what were the biggest breaches in 2013? Let's start!

1. Adobe - 152M

The Adobe data breach involved 152+ million username and hashed password pairs (although Adobe states that the number is "only" 38 million). Perhaps more important is that 2.8 million of those records were encrypted credit card details! Moreover, the source code of Adobe Acrobat, Reader and ColdFusion leaked.

The Adobe breach is considered to be the biggest in history!

2. Target - 110M

US retail giant Target was breached, most probably during the biggest shopping day - Black Friday. And it really was black for the company: 110 million exposed records in total, of which 40 million were credit/debit card details and 70 million were customer details (names, emails, phones). Even worse is that it was not only Target's fault - hackers gained access to the data through the credentials of Fazio Mechanical (an HVAC company), obtained by sending a phishing email containing malware. An interesting fact is that Fazio released a statement saying "our IT system and security measures are in full compliance with industry practices", but investigators found that their only protection against malware was the free version of Malwarebytes. Not enough for such a serious business, I would say.

3. Ubisoft - 58M

The third largest gaming company in both Europe and the US had a data breach (of unknown size), and its database holds more than 58M records. Attackers gained access to user names, email addresses and encrypted passwords. Luckily, Ubisoft does not store payment data, so no credit/debit card records or bank accounts were stolen.

4. Turkish Government - 54M

According to a report, Russian hackers have possibly stolen the personal details (name, ID number and address) of 54 million Turkish citizens from a vulnerable system of one political party. That's about 70% of the whole Turkish population! The hacked system did not have any antivirus product installed, and voter information was also uploaded online on a vulnerable website. Researchers said that in two hours hackers downloaded all the information.

5. Evernote - 50M

The popular online note-taking service required its 50M users to reset their passwords after the company discovered unauthorized access to Evernote user information, which includes usernames, email addresses and encrypted passwords.

6. LivingSocial - 50M

The daily deals website was breached and attackers managed to steal names, e-mails, birthdates, and encrypted passwords of what appears to be the vast majority of LivingSocial customers. The good news is that credit card information was stored on a separate system, but the bad news is that the SHA1 hashing algorithm was used, which means seriously low protection for those passwords!

7. Cupid Media - 42M

The popular dating service got breached and exposed more than 42 million consumer records, including names, email addresses, unencrypted passwords and birthdays. Quite interestingly, the records of 56 Homeland Security Dept. employees were stolen as well!

8. Yahoo! Japan - 22M

The most visited website in the country got breached but luckily - nothing serious. According to the company statement, hackers might have gained access to a file containing more than 22M user IDs (logins). This is not such a serious incident, apart from the possible spam those users could expect to get in the future.

9. CNWisdom - 20M

China's largest wireless Internet service provider for hotels was hacked by a group called “Harbors of Evil Goods”, who stole more than 20M hotel reservations containing phone numbers, email addresses and physical addresses. And what about this? "A Chinese publication has reported that a woman has cancelled her wedding after using the leaked data to analyze her future husband’s hotel reservations". Oops!

10. Facebook - 6M

A bug in the DYI (Download Your Information) feature allowed users who downloaded contact data for their list of friends to obtain additional information that they were not supposed to have - phone numbers and email addresses of other people (probably friends of friends).

11. Snapchat - 4.6M

One of today's fastest rising companies suffered a data breach - more than 4.6 million usernames and phone numbers were stolen and published online shortly before New Year's Eve. Probably not such sensitive data, though many users could now expect to experience stalking. More important is that Snapchat was warned by security researcher Chris Soghoian back in August 2013 and ignored the warning. There is also an additional catch - Snapchat was hacked soon after declining Facebook's offer of $3 billion - any coincidence?

12. Groupon Taiwan - 4.1M

The popular group buying website was hacked and attackers gained access to a file containing usernames and passwords, but the company released a statement saying that no credit/debit card details were stolen.

13. Advocate Medical Group - 4M

This is the second-largest HIPAA violation ever reported to the Department of Health and Human Services (HHS), in which 4 unencrypted computers were stolen from an administrative building. Though no health data was compromised, patient names, addresses, Social Security numbers and dates of birth were exposed. The administrative building had a security camera and a panic button, but didn’t have an alarm or security personnel. But my question here is: how can you leave 4M patient records unencrypted?!

14. Maricopa Community Colleges - 2.4M

A very serious data breach in which attackers gained access to very sensitive information such as Social Security numbers, driver’s-license numbers and bank-account information of employees and vendors. Students' academic information was also exposed, but not their personal data. Maricopa has already spent several million dollars and on Tuesday agreed to spend up to $7 million more on notifying people and further strengthening its systems.

15. Schnucks - 2.4M

The supermarket chain suffered a data breach in which full credit/debit card details were accessed by attackers for almost 4 months (between December 1, 2012 and March 28, 2013)!!! I really cannot imagine what attackers could do in 4 months! And yes, it is going to be quite expensive for Schnucks (not to mention the brand damage): up to $10,000 for each related identity theft loss, with the total capped at $300,000; up to $635,000 for the plaintiff and settlement attorney’s fees; and $500 to each of the nine named plaintiffs in the lawsuit. And it was a big punch for the Schnucks CEO, so he stepped down and handed his title to his younger brother.

16. Vodafone Germany - 2M

In a so-called "insider" data breach, more than 2 million customer data records containing names, addresses, bank account numbers and birth dates were stolen from the company's internal network.

17. Ubuntu Forums - 1.82M

Usernames, emails and passwords were stolen from the forums of one of the most popular Linux operating systems.

18. Washington Courts - 1M

A serious data breach exposed more than 1 million driver's license numbers and 160.000 Social Security numbers!

19. Drupal - 1M

More than 1 million records (username, email, country info and hashed password) were stolen via a known vulnerability in third-party software that was installed on the Drupal.org server infrastructure.

20. Corporate Car Online - 850.000

The popular limo service experienced a serious hack in which attackers obtained the full credit/debit card details (credit card numbers, expiry dates and associated names and addresses) of more than 850.000 customers. Some of those customers are Fortune 500 CEOs and A-list celebrities, like LeBron James, Tom Hanks or Donald Trump.

If you prefer visuals to text, you can slide through my presentation on SlideShare.

You can also visit a quite nice web page which visualizes all of the world's biggest data breaches: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

As you can see from the list, everyone is a potential target!

Victor Dudemaine

Executive | CDO | Data Leader | People & Team Builder | Value & Client-Obsessed

10y

Great article. As an information management professional, this is my biggest fear. What if data is lost? The potential reputational risk is staggering. The actual compensation to customers/clients could cause earnings issues in some cases. Either way I agree that we need to find a way to manage in a way to benefit the business but be cautious about risk.

Paul Kaspersma 波尔

Freelance Senior RPA Consultant + Algorithmic Trader

10y

I wonder how many of these 2.164 data breaches have actually been useful. In general, it tells us how many “bank robbers” got into a bank, but it does not say anything about the actual profit they made. I understand it is hard to get these results, but I do find them essential. Because this information is missing, I find this article a bit unfair... although I do think you did a great job on getting the data. What I mean to say is that the contribution to the perception that people have or get that cloud services are not being safe. Often people seem to approach it as a one way view. To me this is the main reason for cloud services not being "safe". For example: Often store owners have cameras to avoid goods to be stolen within the store. However, they don’t focus on the warehouse where the goods are actually taken by employees. The same situation holds with cloud services and its security system. The owner of the store is blaming the security company for the goods to be stolen. To what extent can providers be held responsible if the customer only wants to focus on its store and not the warehouse? It comes both ways. I think it’s essential for all parties involved to raise awareness of the key factors why the criminals succeed so easily.

James McDonald

Programmer — I design, write, test, and deploy software integrating databases and web APIs. And it works!

10y

Echoing Greg L., the amount of compromised data would be given better context if we knew how much personal information these companies collect. I'd also like to see data about the general nature of the exposed information, as not all information is created equal (illustrated by HIPAA). The scale and duration of some breaches is quite shocking. I wonder how many breaches are ongoing, undiscovered, or hushed-up by embarrassed executives. The inexorable shift to the cloud and SaaS makes security an imminent issue. It's a big puzzle, and the best solution isn't clear (to me, anyways). Oh, and LOL at “Harbors of Evil Goods”.

Greg Larnder

President | Sales Leader | Business Strategist | Growth Driver | Highly Connected in Healthcare Education

10y

Interesting data and is useful. However I think seeing the data in context would help. A measure of the % of data breaches rather than the number itself would tell an interesting story. Based on information doubling year over year (or tripling) how many more breaches were there this year over the last year?
