Cyberattacks pose an ongoing threat to companies and their consumers. These are the most destructive intrusions known at present.
The occurrence of cyberattacks is an unwelcome reality in contemporary company operations. The primary driving force behind their actions is financial gain since cybercriminals are primarily motivated by the acquisition of data that may be exploited for identity fraud or the chance to extort their targets by compromising their IT systems. According to projections, the anticipated global economic impact of cybercrime is expected to reach a staggering $10.5 trillion by the year 2025.
However, it is important to note that cyberattacks can also possess political motivations, leading to firms becoming entangled in conflicts between nation-states that aim to disrupt or acquire confidential information from their adversaries in the geopolitical arena.
The compilation of the five most significant cyberattacks in history was conducted by Tech Monitor, which examined the extent of user impact. The aforementioned list demonstrates that a significant amount of consumer data has been illicitly obtained over the past ten years, resulting in detrimental consequences for the affected firms in terms of both their financial standing and their reputation.
1. RockYou2021: The biggest password leak yet – 2021
The most extensive compilation of stolen passwords to date involved the unauthorized disclosure of over 8.4 billion credentials.
The individual responsible for the cyber intrusion, whose identity remains undisclosed, designated the collection of credentials as “RockYou2021,” alluding to the notorious RockYou data breach of 2009, during which over 32 million individuals had their passwords illicitly obtained.
The individual responsible for unauthorized access to passwords disseminated a text file of 100 gigabytes, which encompassed a staggering total of 8.4 billion password entries. Additionally, this file included information from earlier instances of data breaches.
The hacker made a statement asserting that the list comprised a total of 82 billion passwords. Nevertheless, the precise figure is approximately one-tenth of the original value. According to security experts, both organizations and consumers face potential risks.
According to the statements made by cybersecurity specialist Troy Hunt on the social media platform Twitter, it has been clarified that the compilation known as RockYou2021 does not encompass a comprehensive collection of 8.4 billion distinct passwords. Indeed, the 100GB dataset appears to consist of a compilation of previously compromised passwords, often employed passwords, and a comprehensive wordlist. This breach can be considered the most significant thus far due to the substantial volume and weight of the data included.
2. Cyberattack on Yahoo – 2014
In the year 2016, the prominent internet corporation Yahoo Inc. disclosed that personal information associated with a minimum of 500 million user accounts had been unlawfully obtained in 2014, allegedly by an entity supported by a nation-state.
According to Yahoo, the perpetrators of cybercrime illicitly acquired personal data like email addresses, passwords, telephone numbers, dates of birth, and names. Nevertheless, it does not appear that sensitive data such as protected passwords, payment information, and bank account details were hacked.
The primary individual responsible for the hacking activities is Aleksey Belan, a Latvian hacker who was employed by Russian operatives. The individual successfully obtained unauthorized access to Yahoo’s User Database and account management tool by executing a phishing operation that exclusively focused on Yahoo’s employees.
There have been various repercussions in the realms of finance, business, and public affairs. Despite the preservation of the most important data, the magnitude of the Yahoo breach was unparalleled, resulting in significant economic ramifications, particularly in relation to the company’s $4.83 billion financial transaction involving the sale of its internet division to Verizon Communications Inc. There are allegations that Yahoo provided Verizon with inaccurate information and subsequently entered into a stock agreement without revealing the security vulnerability. As a result, Verizon engaged in negotiations that resulted in a reduction of $350 million in the acquisition cost of Yahoo.
Following the occurrence of the aforementioned incident, Yahoo experienced a decline in its stock price by 3%, resulting in a loss of $1.3 billion in market capitalization.
In March 2017, legal action was initiated by the Department of Justice, resulting in the indictment of four individuals in connection with the incident. Two individuals identified as Russian intelligence officers were engaged in gathering intelligence with the intention of conducting espionage activities against various targets within the United States.
Yahoo faced allegations of negligence due to its delay of two years in disclosing the security issue to both investors and the general public. The Chief Executive Officer, Marissa Mayer, expressed opposition towards the notion of requesting impacted consumers to modify their passwords, as she believed that such a measure would result in customer attrition for Yahoo.
- In addition, there were many pecuniary ramifications.
The Securities and Exchange Commission (SEC) imposed a $35 million fine on Yahoo for engaging in deceptive practices and neglecting to inform its customers about the security vulnerability.
- Yahoo was required to make a payment of $85 million as a result of settlement charges in response to the losses incurred. Additionally, the company was obligated to offer complimentary credit monitoring services to more than 200 million users.
- Yahoo was obligated to make a payment of $35 million in attorneys’ costs and an additional $16 million in relation to its cyber issue.
Yahoo made an additional payment of $11 million to cover legal fees associated with ongoing investigations conducted by five state and federal agencies, as well as 44 class action lawsuits.
- The administrative decree issued by the SEC asserts that Yahoo has contravened Sections 17(a)(2) and (3) of the Securities Act of 1993, as well as Section 13(a) of the Securities Exchange Act of 1934, as a result of its handling of the breach and subsequent reaction.
3. Cyberattack on Marriott Hotels – 2014
The Information Commissioners’ Office (ICO), which serves as the data privacy regulatory body in the United Kingdom, imposed a fine of £18.4 million on the Marriott Hotel chain in response to a significant data breach that potentially impacted a total of 339 million guests.
According to the ICO, personal data such as names, passport details, contact information, and credit card information were hacked. The security breach encompassed a total of seven million guest records pertaining to individuals residing in the United Kingdom. It had been rendered feasible by an additional safety mistake on Marriot’s part: while the credit card numbers were saved in an encrypted state, the encryption keys were stored on the same server. Similarly, the aforementioned applies to passport numbers.
The initial phase of the incident occurred in the year 2014, subsequently impacting the Starwood Hotels conglomerate, which was later acquired by Marriott in 2016. Nevertheless, the matter went unnoticed until the year 2018. This resulted in a prolonged period of four years during which the assailants maintained uninterrupted access to the compromised data.
The examination conducted by the ICO revealed that Marriott had neglected to implement adequate technological or organizational safeguards to ensure the protection of personal data processed on its systems, as mandated by the General Data Protection Regulation (GDPR).
4. Sony’s PlayStation Network attack – 2011
In the year 2011, Sony disclosed that the personal information, including names, addresses, and other relevant data, of around 77 million users of its PlayStation Network (PSN) had been unlawfully obtained.
The accounts of gamers were temporarily stopped and inaccessible on the network for a duration of one week in response to the need to prevent other instances of data breaches. An individual who lacked legal authorization had unauthorized access to a range of sensitive information, encompassing names, addresses, email addresses, usernames, passwords, security questions, and, in certain instances, payment information.
The pilfered data may have encompassed details pertaining to minors as well.
The PlayStation Network (PSN) operated by Sony is recognized as a prominent repository of credit card data, and the security breach it experienced has the potential to be the most significant disclosure of credit card information to date. Nevertheless, Sony stated at that period that it had not uncovered any substantiating evidence regarding the theft of credit card information. However, it did caution consumers to remain vigilant.
Sony, in the aftermath of the attack, unveiled a “welcome back” initiative for its impacted clientele and concurrently disseminated a press statement. Within this particular initiative, Sony made a commitment to provide a complimentary 30-day membership to PlayStation Plus for all individuals who are users of the PlayStation Network (PSN). Additionally, those who were already subscribed to PlayStation Plus were granted an extra 30 days on their existing subscription.
A total of 12,000 credit card numbers, which were encrypted, were obtained from individuals who are from non-U.S cardholders. Furthermore, data from an additional 27.4 million accounts was also accessed. In addition to other measures, Sony has communicated to the United States House of Representatives its intention to offer identity theft insurance plans valued at $1 million per member of the PlayStation Network, among other things.
Approximately one month subsequent to the incident, Sony declared that the financial impact of the outage reached a total of $171 million.
Sony was penalized with a punishment of £250,000 by the British Information Commissioner’s Office due to its violation of the Data Protection Act in the United Kingdom. Subsequently, on April 27, 2011, a legal action was initiated by Kristopher Johns of Alabama, representing all PlayStation users. The lawsuit alleges that Sony neglected to encrypt data and implement sufficient firewalls to effectively address the possibility of a server breach.
A legal action has been initiated in Canada against Sony USA, Sony Canada, and Sony Japan, wherein the plaintiffs are seeking compensation up to C$1 billion.
5. Uber data breach – 2016
This week, Uber has acknowledged its complicity in concealing a significant data breach that occurred in 2016. In 2016, the corporation neglected to inform both individuals and regulatory bodies, as well as the general public. The security breach resulted in the unauthorized disclosure of sensitive information belonging to a total of 57 million individuals, including both customers and drivers.
The unauthorized individuals employed stolen login credentials to breach a confidential repository containing source code, thereby acquiring a proprietary access key. This key then facilitated their unauthorized entry into Uber’s systems, enabling them to illicitly retrieve and duplicate substantial volumes of data pertaining to Uber’s users and drivers. Notably, this compromised data included around 600,000 driver’s license numbers.
According to a report by Bloomberg, the corporation acknowledged that it had provided a payment of $100,000 to the hackers in order to facilitate the deletion of the compromised data and maintain confidentiality regarding the cyberattack. In response to the incriminating Bloomberg story, Dara Khosrowshahi, the Chief Executive Officer of Uber, issued a public statement on behalf of the organization. The speaker expressed her disapproval of the events that transpired, emphasizing her refusal to provide justifications for them. She acknowledged the inability to alter the past but asserted her dedication, on behalf of all Uber employees, to derive valuable lessons from the errors committed.
Uber acknowledged its involvement in this security breach as a component of a legal agreement with the United States Department of Justice, so circumventing potential criminal charges. As per the terms of the settlement, the Chief Executive Officer (CEO) and his staff notified the individuals impacted by the breach one year subsequent to its occurrence. The decision to refrain from prosecuting Uber was reached by drivers, public stakeholders, and government authorities due to the company’s choice to reveal the cyberattack incident, coupled with their commitment to the Federal Trade Commission (FTC) in 2018 to promptly notify government regulators of any forthcoming cyberattacks. The settlement further confirms that Uber made a payment of $148 million in order to resolve civil action associated with the data breach.
The former top security officer of Uber, Joe Sullivan, was found to be involved in the concealment of the incident, leading to his termination by Khosrowshahi in 2017. As a result, Sullivan faced charges of obstruction of justice due to his attempts to conceal a data breach from both the Federal Trade Commission (FTC) and Uber’s management. The trial for his case is scheduled to commence in September 2022.
6. Adobe cyberattack – 2013
Adobe, a prominent software manufacturer, experienced a hack resulting in the compromising of around 38 million active users. Initially, the corporation announced that a total of 2.9 million accounts had been impacted.
Moreover, the perpetrators had gained unauthorized access to data from a certain number of accounts that were either inactive or terminated.
In addition to compromising user data, the hackers illicitly obtained a portion of the source code for the widely used photo-editing software Photoshop, as well as the Acrobat PDF Editor.
In May of the aforementioned year, Adobe transitioned a number of its products to a subscription-based model. Currently, those utilizing the platform are required to create an account and furnish their credit card information.
The repercussions of this cyberattack were rather insignificant. Adobe reached a settlement agreement to resolve a lawsuit initiated by 15 state attorneys general, resulting in a payment of $1 million. In addition, the perpetrator, a 39-year-old male from The Netherlands, managed to evade imprisonment.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.
Read More Blogs Here