Halloween is the time of year when people revel in the spooky, the scary, the creepy. Horror films celebrate all the different things that can scare a person, from a stranger hiding in the house to an infection turning people into blood-sucking zombies.
However, Halloween is also a time to recognize something far scarier than zombies or candy corn: a severe, business-halting data breach. Things could get scary for your business if you were to experience a hacker attack.
The cyber threat landscape continues to evolve at a rapid pace. The stakes are incredibly high for any organization that conducts business online. Every organization is vulnerable unless it takes the proper precautions to safeguard itself. What’s scary is watching the online habits of team members and the state of company policies: people open phishing emails without thinking twice, and internal portals are left unsecured. It’s hard for people to realize that by not taking basic precautions they are flirting with real-life slashers who are more than happy to take their identity.
So, just in time for Halloween, if you weren’t scared already, here are some of the spookiest breaches of all time that should make you sit up with an eerie feeling in your bones!
High on the list of everyday nightmares are losing our phone or wallet, but how about having your personal credentials stolen and sold on the Dark Web? In 2012, a whopping 165 million LinkedIn users were compromised by hackers via their password-reset notifications. While we all get the monthly warning emails about a mysterious login by an unknown user, this time over 6.5 million of the 165 million LinkedIn users fell for the trickery of the hackers requesting to change their password. Shortly after the breach occurred, LinkedIn announced the hack, and this revelation prompted other services to comb the LinkedIn data and force their own users to change any passwords that matched.
Possibly one of the scariest days of the year in the United States is Black Friday. Retail junkies go bonkers for sales and discounts at all the major retail stores nationally. In 2013 it felt more like Friday the 13th: the private information of 40 million Target shoppers was hacked via the company’s payment-card readers. That dark Friday, the hackers escaped with tens of millions of credit and debit card numbers that had been used at Target stores.
However, the breach wasn’t reported until Dec. 18. Then, Target came out with another announcement in 2014 that the contact information (full names, addresses, email addresses and telephone numbers) of 70 million customers had also been compromised. In the wake of the event and subsequent investigation, it was discovered that a third-party vendor was first hacked via a phishing attack, paving the way for hackers to break into Target’s POS system.
When people think of the biggest hacks, their first thoughts are how many people were hit and how it will affect them. In Yahoo’s breach, think BILLIONS. The massive Yahoo breach revealed in late September 2016 was the biggest data breach on record up until then. While Yahoo was in the midst of being acquired by Verizon, it announced a breach from 2014. Over 3 billion accounts (much more than initially announced) were compromised, including information such as real names, email addresses, dates of birth and telephone numbers, all helpful to spammers and identity thieves. The good news is that the majority of the passwords were hashed using the so-far-uncrackable bcrypt method. One of the spooky aspects of this breach is that Yahoo blamed an undisclosed country for the attack.
Sometimes hackers present breaches as an act of protest for the greater good. In 2015, shady spouses saw their worst nightmare become reality. The so-called “cheating network” Ashley Madison announced that hackers had infiltrated the network and published nearly 10 GB of data on the deep web, making it accessible to anyone with a Tor browser. User information (the names and addresses of about 36 million users) was published, as well as payment card transactions from the past seven years. This data, which amounts to millions of payment transactions going back to 2008, includes names, street addresses, email addresses and amounts paid. As in other breaches, the company was given a deadline to respond before the data was leaked; it didn’t give in to the threat and faced the massive data breach.
On Sept. 7, 2017, consumer-credit-reporting agency Equifax reported a security breach that occurred between mid-May and July. The breach, totaling 145 million users, is possibly the biggest breach to date. Hackers acquired access to a massive cluster of names, social security numbers, birth dates, street addresses and, in some instances, driver’s license numbers. With those sets of data, criminals can steal identities to set up credit cards, mortgages, loans and more. The vulnerability that attackers exploited to access Equifax’s system was in the Apache Struts web-application open source software, a widely used platform. Despite knowing about the breach in mid-May 2017 and receiving an open source patch for the vulnerability, why didn’t Equifax patch it? Straight-up negligence, right? Perhaps. But open source security is still a challenge for many organizations. This isn’t the first time ghosts of vulnerabilities past have come back to haunt us, and if we don’t start investing in ghost patching, it probably won’t be the last.
When it comes to notorious breaches, hindsight is 20/20. All the companies hit could have done more to safeguard their users’ data and respond more swiftly.
Moving forward, no matter the size of your company, from a small business to a Fortune 500: don’t take security lightly, and resolve the issues before they come back to haunt you.