3 of the Worst Data Breaches in the World That Could Have Been Prevented

Data breaches can be devastating for organizations, these are 3 of the worst incidents that could have been prevented

Data breaches can be devastating for organizations and even entire countries. Eliminating the risk of a data breach is nearly impossible, but some things can be done to reduce it significantly.

Here are three of the worst data breaches that could have been avoided:

Yahoo

In 2013, Yahoo suffered one of the worst data breaches in history, exposing over 3 billion user accounts. The breach was unveiled three years later, during the process where Verizon was acquiring Yahoo.

Yahoo initially reported that 1 billion users had been affected, but the number turned out to be much higher. The attack and lack of transparency from Yahoo reduced the price Verizon had to pay for the acquisition. While no plaintext passwords or financial data was stolen, the hack did expose answers to security questions. This allowed hackers to breach many user accounts.

Experts believe Yahoo was using outdated, easy-to-crack encryption, which led to the attack. The attack is a good reminder of how critical strong encryption is in protecting your website users. This attack could’ve easily been avoided if Yahoo had invested more in the security infrastructure.

SolarWinds attack on U.S. government agencies

In February 2021, several U.S. government agencies and large organizations were hit by cyberattacks due to a vulnerability in their IT infrastructure provider – SolarWinds.

Many government agencies and Fortune 500 companies use SolarWinds, which contributed to the severity of the attack. Because of SolarWinds’ deep integration with other software solutions, organizations were forced to continue working with it despite knowing that a breach had occurred.

SolarWinds employees claim that the attack resulted from a weak password that an intern had used – “solarwinds123”. The attack affected thousands of SolarWinds’ clients, causing billions in damages.

All of that could’ve been avoided had SolarWinds implemented a strong password policy. Weak passwords are the easiest way hackers can hack into a system. Organizations must have a robust password policy. One way to help enforce such a policy is by providing employees with a password manager for easy password generation and storage.

Target

Near the holiday season of 2013, hackers exposed the credit and debit card information of over 110 million Target customers. Because it was impossible to recover the data, Target had to pay tens of millions in damages to affected customers. The attack happened around Black Friday, which was particularly bad for business due to the bad publicity.

The hackers used social engineering techniques, sending phishing emails to several of Target’s vendors, and successfully breached Target’s network. They then installed malware, which helped them obtain customers’ credit/debit card information.

Organizations are now very interconnected and depend on the services of vendors, suppliers, and other entities. Focusing on your own cybersecurity practices isn’t enough. You must also worry about that of your third parties. Before engaging in business with a third party, ensure that they meet your cybersecurity standards. You can do so by sending questionnaires or through security ratings.

Final thoughts

Organizations are constantly under threat of data breaches. Attackers are relentless and regularly discover new ways to harm. While eliminating the risk completely is impossible, there are a few things organizations can do to improve their cybersecurity posture. Here are some of them:

Strong encryption
Strong password policy for employees
Third-party risk management
Educate employees about cyber risks

About the Author: Anas Baig

With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company – Securiti.ai. He holds a degree of Computer Science from Iqra University and specializes in Information Security & Data Privacy.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data breaches)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.