The Data Black Market (pt. 2): Infamous Data Breaches in History

As the black market for stolen data grows, cybercriminals are targeting enterprises more aggressively than ever. Don’t let your organization join this list of victims. 

2019 is proving to be one of the worst years on record for data breaches. In just the first half of this year alone, hackers have collected and sold over 2.2 billion stolen records from large enterprises, including major industry moguls like Facebook, Dropbox, and LinkedIn. 

In our last article, we explored what happens to sensitive data when it’s stolen and sold on the digital black market. With a newfound understanding of how personal and enterprise data is traded and valued, let’s take a look back at some of the biggest data breaches of the past decade. For CIOs and enterprise IT teams especially, understanding how cybersecurity has failed in the past can help inform better decisions for the future.

1. The Uber Cover-up

In October 2016, Uber was hit with a data breach that affected over 57 million customers. According to Bloomberg, the personal information of both drivers and riders was compromised, including names, email addresses, phone numbers, and — in the case of drivers — license plate numbers. 

The breach was carried out by two hackers who exfiltrated login credentials from Uber's GitHub account — a site that companies use to store code and track projects. The hackers used the stolen usernames and passwords to access Uber’s user database, which was stored on a third-party Amazon server. 

The hackers then approached Uber and demanded $100,000 to delete their copy of the stolen data. Uber, in turn, handled the attack about as poorly as a company could. They paid the ransom but failed to tell regulators about the breach, instead asking the hackers to sign nondisclosure agreements in an effort to cover up the mishap. From there, Uber executives also made it appear as if their payout had been a bug bounty effort — a practice among companies in which they pay hackers to attack their software as a means of vulnerability testing. 

All things considered, this was not a very sophisticated attack, and as such, two primary lessons can be gleaned from these events. One, always use two-factor authentication whenever possible. And two, never try to cover up a breach — the bad press and legal liability associated with such a decision could end up being worse than the crime itself.

2. Trouble in the Heartland 

In March 2008, before Heartland Payment Systems was acquired by Global Payments, the company experienced one of the worst data breaches of the 2000s. Using SQL injection (a common attack technique for data-driven applications), hackers installed spyware on Heartland’s data systems. Hackers were then able to stealthily exfiltrate over 134 million credit cards over the course of several months. 

At the time of the breach, Heartland was running nearly 100 million payment card transactions for nearly 175,000 merchants each month. It took almost an entire year for Visa and MasterCard to notify Heartland of suspicious transactions from the accounts it had processed.

Heartland was forced to pay an estimated $145 million in compensation to their retailers on behalf of the fraudulent transactions, but faced an even bigger blow shortly after to their reputation. Heartland lost compliance with the Payment Card Industry Data Security Standard and was not allowed to process major credit providers until May 2009 — a great reminder to other enterprises of the potential long-term repercussions of a data breach.

3. Friend Finder, Data Stealer

In 2016, the adult dating and entertainment company FriendFinder suffered a data breach that compromised six entire databases of user information. It was estimated that the personal information — names, emails, and passwords — of more than 412 million users were exposed as these databases circulated the web. What’s more, the breach even affected deleted accounts that the company failed to purge from their databases, leaving an additional 15 million former users’ personal data exposed.

Experts say that hackers breached these databases through file inclusion vulnerabilities — a type of vulnerability that hackers exploit on web applications. File inclusion vulnerabilities are created when web applications give users the ability to upload malicious files to a server. They are most often found in poorly-written web applications. As such, a good takeaway from this breach is to ensure that your enterprise develops best practices for website development, like implementing sufficient filtering.

4. Equifax: The Largest Settlement 

In July 2017, Equifax experienced a data breach that compromised the accounts of over 147 million consumers. Sensitive financial and personal information like Social Security Numbers, birthdates, home addresses, and drivers’ licenses were stolen — and for an unlucky additional 209,000 consumers, credit card data was also exposed.

Hackers were able to gain access to this sensitive user data by exploiting an application vulnerability on one of Equifax’s websites. Although the breach was discovered in July, the company said that hackers initially started stealing data as early as mid-May.

As a result of the exploit, Equifax was forced to cough up $650 million dollars, nearly half of which went directly to the American consumers harmed by the breach. The company also paid $275 million in fines to end the investigations carried out by the Consumer Financial Protection Bureau, and the Federal Trade Commission. In an effort to retain their existing customers, Equifax even agreed to provide up to ten years of free credit monitoring services to any U.S. users affected by the breach.

The Immediate Need For Cybersecurity 

Unfortunately, we are living in an era in which we can expect these attacks to proliferate at a steep and steady rate. Considering the exorbitant costs associated with these cyberattacks, both in terms of dollars and in reputation, enterprises must be prepared to thwart any emerging cyber threats. Luckily, a partnership with Turn-key Technologies, Inc. (TTI) can strengthen your cybersecurity initiatives and help ensure your enterprise isn’t the next victim on this list.

With almost three decades of IT experience, we have the resources and expertise necessary to ensure that your data and your customers’ data remains secure. Organizations of all sizes can benefit from additional cybersecurity support, and there’s no better partner in this regard than TTI.