Cybersecurity fails should not happen. Cybersecurity is one of the most important areas a business can invest in. Having strong data protections builds consumer loyalty, increases trust, and can add enormous value in the long run. It can also save thousands, if not millions of dollars, as the average cost of a data breach is now estimated to reach up to $4.4 million globally, and $9.4 million in the US.
Failing to prioritize cybersecurity can lead to embarrassing incidents that tarnish brand reputation. These 10 cybersecurity fails led to huge losses or even imminent danger for those affected. What is more, they should never have happened if certain basic cybersecurity steps had been implemented.
- First American Financial Corporation data breach (2019)
With an estimated 885 million records affected, the First American Financial Corp data breach was an enormous 2019 hack that led to widespread losses. Bank account numbers, bank statements, mortgage and tax records, wire transaction receipts, driver’s license photos, and even Social Security numbers were all shared publicly via this First American breach. This hack was particularly noteworthy because it was a true accident. The New York Department of Financial Services found upon investigation that the leak happened solely because First American failed to follow its own internal security procedures. The web design of its data storage structure contained a simple authentication error. This web design flaw, called an “Insecure Direct Object Reference” (IDOR) allows anyone who searches for a direct link access to it. First American failed to check on its web structure, allowing all of these secure documents to be accessed by anyone who searched. This cybersecurity fail went undetected for years.
- CSDN Leak (2022)
Human error tops the list in this recent 2022 breach. According to recent reports, a leak of 23 terabytes of personal data was traced back to a developer working for the Chinese government. The government developer apparently accidentally included access credentials to a Shanghai police database while writing a tech blog post on the China Software Developer Network (CSDN). Up to one billion Chinese resident records were then found listed for sale on the dark web in what is thought to be the biggest leak of all time.
- Equifax data breach (2017)
Almost everyone has heard of the Equifax data breach, which cost not only $700 million in payments to those affected but also lasting professional damage. An application vulnerability in one of Equifax’s websites was eventually discovered to be the source of the enormous breach, which led to congressional inquiries about Equifax’s lax cybersecurity policies. According to the findings, inadequate system segmentation caused lateral contamination throughout multiple sites and data storage systems.
- Marriott International data breach (2018)
Taking a trip is supposed to be relaxing, but the Marriott International data breach of 2018 cost many vacationers their peace of mind. In this hack, 500 million records were compromised, consisting of passport information, travel dates and information, credit card numbers and expiration dates, as well as Marriott-specific details such as Starwood Preferred Guest numbers. The hack was traced back to a failure to update and integrate systems when Marriott purchased Starwood back in 2016. By 2018, they still had yet to update the old Starwood IT infrastructure, which had been hacked back in 2014. When Starwood was incorporated into the Marriott system, the damage only spread.
- Ellsworth, Kansas water hack (2021)
In one of the most dangerous hacks on the list, a disgruntled former employee used their login to shut down the sanitation services for a town’s drinking water. The Ellsworth, Kansas hack was a simple enough situation where the former employee’s login information had yet to be deactivated after he resigned. The remote login jeopardized the entire town’s health and safety, but was luckily discovered before harm could spread.
- Facebook Cambridge Analytica Scandal
Because of the amount of personal information stored on its platform, Facebook has been the target of a barrage of hacks throughout the years, the most damning of which was the Cambridge Analytica scandal. The social network has been criticized for not addressing key weaknesses within its cyber security infrastructure that allowed marketing firm Cambridge Analytica to collect the data of up to 87 million users worldwide.
- Target credit card leak (2013)
How secure is your supply chain? In some cases, your business is only as secure as the vendors who service it. A 2013 hack revealed that up to 60 million Target customers had their personal and financial information stolen when the HVAC company that serviced certain Target locations was breached by hackers. The lateral attack cost Target an $18.5 million settlement spread across multiple state lawsuits, a $10 million class action settlement, as well as individual direct payments to consumers who showed that they had suffered losses.
- SEPA Christmas hack (2020)
An enormous cyber hack devastated the Scottish Environmental Protection Agency on Christmas of 2020. The incident is believed to have cost the Agency around $1.2 million, as well as around $2 million in missing fees and penalties that were unable to be collected due to the lost or stolen records. Around 1.2 GB of data, including backup copies of records, were stolen. The breach was believed to be traced back to employee error, when a link in a phishing email was clicked on.
- Yahoo database breaches (2013 & 2014)
The once-great email and search giant Yahoo was crippled by back-to-back cyber breaches that cost the company millions, leaked private customer information, and ultimately lost the brand its good name. The 2014 hack was particularly egregious after a similar 2013 effort succeeded in affecting over 3 million accounts total.
- SolarWinds (2019)
The full effects of the 2019 SolarWinds breach are still being fully investigated. This enormous hack, thought to be the result of a routine software update gone awry, continues to be monitored by Congress and the President to understand the extent of the damage.
Don’t let your business become part of the list. Upgrade cybersecurity measures now, and be sure to train your employees on the risks of phishing and malware scams.