In the past two years, there were 6,789 data breaches globally that amounted to 886.5 million compromised records. That’s more than double the U.S. population. With each person having numerous accounts across various industries and services, chances are good that you’ve been exposed at some point.
This timeline of email security breaches shows their evolution.
2004: AOL
In 2004, 92 million AOL customer accounts were breached. The hacker was employee Jason Smathers, a software engineer, and the stolen information included screen names, email addresses, zip codes, telephone numbers, and credit card types. The lists were sold for $52,000 to $100,000 to spammers, who then sent 7 billion unsolicited emails. The cost to the company was $400,000 to millions.
August 2006 – March 2012: Syria Files
In the Syria Files hack that occurred between August 2007 and March 2012, 2.4 million email messages were compromised from the Assad regime’s inner circle of Syrian political figures, ministries, and companies. A hacktivist group of the Anonymous collective was responsible. The information was published on July 5, 2012, by WikiLeaks, which the group said was “supremely well equipped to handle a disclosure of this magnitude.”
December 2010: Gawker Media
In December 2010, the Gawker Media system was compromised, and hackers stole Gawker employees’ message content and digital activity, as well as email addresses and passwords for the 1.3 million commenters of its nine sites, including Lifehacker, Gizmodo, and Jezebel. The 500 MB database of user information was then placed on the file-sharing system BitTorrent. After hunting for users who reused their passwords across Gawker and Twitter, the hackers then sent out 10,000 tweets a minute on any account they gained access to.
The hack was done by a group known as Gnosis, which was responding to Gawker’s coverage of the 4Chan message board as well as Gawker’s “outright arrogance” toward the hacker community. Experts say passwords were accessed via a brute force attack. The hackers said of Gawker’s security vulnerabilities: “Their servers run horribly outdated kernel versions, their site is filled with numerous exploitable code, and their database is publicly accessible.”
March 2011: Epsilon
Epsilon, a Texas-based email marketing firm, was hacked in March 2011 with 60 million to 250 million records compromised. More than a dozen major company accounts were affected, including Best Buy, JPMorgan Chase, Capital One Bank, and Verizon. The stolen information included names, email addresses, and some disclosure of member rewards points. The breadth of exposure could have been limited by segregating sensitive customer data so a breach in one area did not compromise the entire database. Four years later in 2015, two Vietnamese men and a Canadian citizen were indicted for the hack.
The hackers made more than $2 million from the theft, but the estimated costs to the company were $3 billion to $4 billion, including forensic audits and monitoring, fines, litigation, and lost business for Epsilon and its affected customers. On the market, shares of the parent company fell $2.78, or 3.2%, immediately after the hack.
August 2013: Yahoo
In the first Yahoo hack in August 2013, 1 billion email accounts were compromised. Late in 2014, there were an additional 500 million Yahoo email accounts compromised. The public was notified of the second breach in September 2016, and the 2013 breach was announced a few months later in December 2016.
The hackers were initially thought to be state-sponsored actors, with China and Russia as top suspects. Later, it was believed the hackers were a group of Eastern European blackhats called “Group E.” Whoever they were, the hackers gained access through “forged cookies” that falsified login credentials. From this, the hackers gained names, email addresses, telephone numbers, dates of birth, hashed passwords (bcrypt and MD5 algorithms), and in some cases, encrypted or unencrypted security questions and answers.
The stolen information ended up for sale on the dark web. In August 2015, a seller was offering more than 1 billion Yahoo accounts for $300,000. Two of the data’s purchasers were underground spammers. A third buyer was specifically seeking information on 10 U.S. and foreign government officials who were included in the dataset. In total, the list contained 150,000 people from the U.S. government and military, and the European Union, Canadian, British, and Australian governments. As of October 2016, the full list was still for sale on the dark web for $200,000; the price was lower because many users had changed their passwords.
The hack put the $4.8 billion sale of the company to Verizon at risk. Experts say a data breach costs the affected company $221 per stolen record, a total that exceeds Yahoo’s sale price.
Possible causes for the attack include the company’s denial of financial resources to its security team. Internal security requests were often overridden because of concerns about losing users due to the inconvenience of higher security. In fact, Yahoo did not implement an automatic reset of all user passwords for fear that it would shrink its already dwindling user base.
2014: U.S. Government
U.S. government emails and servers were compromised in 2014. Accessed information included some of President Obama’s emails, other governmental email messages, and the State Department’s unclassified system. The hackers also attacked the Pentagon’s unclassified systems but were “kicked off.”
The hackers are believed to be either employees of, or people with ties to, the Russian government. Following the cyber attack, there was a partial shutdown of the White House email system. This occurred during the Iranian nuclear negotiations in Vienna, and officials were distributing personal email accounts to maintain contact with each other.
November 2014: Sony Pictures
The Sony Pictures corporate network was compromised in November 2014, putting 46,800 contractors and employees at risk of identity theft. The hack was likely North Korean in origin, with the responsible group known as the “Guardians of Peace.” The group used malware to gain access to the system.
More than 100 terabytes of data were stolen, including detailed company information; emails between employees; information about employees, actors, and executives (Social Security numbers, scanned passports, and salaries); internal passwords; unpublished scripts; marketing plans; financial and legal information; and four entire unreleased Sony movies. The approximate cost to Sony was $35 million plus the loss of revenue from not screening “The Interview” in theaters.
This breach could have been prevented by better education about phishing emails, implementation of two-factor authentication or multi-factor authentication, or selection of the proper identity management solution vendor. Additional prevention measures include implementing company-wide password standards that prohibit simple passwords and password reuse across accounts. Even basic encryption tools may have prevented some damage.