Top Five Worst Data Security Breaches


Data security breaches seem to be hitting the headlines frequently these days. So, we decided to make a Top Five list of the Worst Data Security Breaches in the world. Each of the data security breaches on our list demonstrates a different area of vulnerability and a different response from the business involved. But, more than that – they are great examples of why understanding information security and implementing incident response policies should be at the heart of your organization. Each of these breaches took place, of course, before what is now known as the Panama Papers leak, which has become bigger than any previous data leak.

What is the Panama Papers leak?

For those of you who have not been lucky enough to hear or read about it somewhere, the saga can be summed up as follows:

  • Eleven million confidential documents belonging to the Panamanian law firm, Mossack Fonseca, have been anonymously leaked.
  • The documents relate to the firm’s clients, who include ministers, business persons and other prominent figures.
  • According to the Panama Papers leak, the firm has a 40-year history of bending and breaking the law for the benefit of its clients, including laundering money and evading taxes.

Top Five Data Breaches

1. Target Corporation
2. TJX Companies, Inc.
3. Heartland Payment Systems
4. LivingSocial
5. Adobe Systems

5. Adobe Systems

In this data security breach 38 million encrypted passwords were stolen from approximately 38 million active users. The hackers also stole parts of the source code to Adobe’s Photoshop product. Encrypted credit and debit card numbers were compromised for 2.9 million users.

One of the interesting aspects of this data security breach was the response from Adobe. Their initial public notification of the data security breach did not disclose the full scope of the attack which the company justified by saying that they were only communicating information which had been validated.

Adobe contacted customers affected by the incident. Hackers uploaded the information that they obtained to a hacking website. Adobe responded quickly and had that information removed from the site.

Adobe tried to rectify the situation by offering one year of free credit monitoring to affected users.

Adobe offered affected customers free products

4. LivingSocial

This data security breach affected 50 million customers and involved unauthorised access to their customer data, including names, email addresses, and encrypted passwords. The hackers forced their way into encrypted systems. However, they did not manage to access financial and banking information. It appeared that the attack also affected customers who had closed their accounts.

This is a good example of how important it is to protect the data of non-active customers as well. The company encouraged users to change their passwords and apologised to customers. They then put a banner across their website encouraging users to change their passwords. The company also sent out an email warning of possible phishing emails.

Protection of non-active customer data is still important.

3. Heartland Payment Systems

Heartland are a payroll processing company and secure various kinds of information for their clients. They suffered a data security breach when their systems were attacked using malware and the attackers gained access to 100 million debit and credit cards. Heartland had to pay out $140 million in fines and penalties. Ultimately, one of the hackers – Albert Gonzalez – was found guilty of the attack and is currently serving a 20-year sentence for his role in this and other hacking incidents, including the TJX breach.

As a response, Heartland posted a letter of regret and outlined what they were doing to improve their systems.

2. TJX Companies Inc.

In this data security breach hackers stole data from 45.7 million credit and debit cards of customers of T.J. Maxx and Marshalls. They stole 200 million records in total. This is an interesting example because it would appear that the hackers had the decryption tool for the encryption software that TJX used. The breach began in June 2005, but it was only discovered and announced by anti-fraud agents the following year.

The data security breach caused the company a financial loss of $256 million. TJX faces an investigation by the Federal Trade Commission, which could fine the company, and lawsuits accusing the firm of failing to safeguard private data. Ultimately, 11 people were charged for the crime.

A slow response from the company had expensive consequences.

1. Target

In November 2013, hackers inserted malware into American company Target’s security and payments system. This malware was designed to steal the number of every credit card used in a Target store over that time. The malware would capture the credit card number and store it on a Target server, which was then taken over by the hackers.

In an ironic twist, Target had prepared for a data security breach of this nature. Six months earlier they installed malware detection software from security firm FireEye. Target employed a team of security specialists in Bangalore to monitor their computer systems. If this team noticed anything suspicious, they would then notify Target’s security operations centre in Minneapolis. As the hackers uploaded the malware – FireEye spotted them, and the team in Bangalore flagged it and notified the security team in Minneapolis. And… there was no response from Target.
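The failure described above is an alert that moved through the pipeline (detection tool fires, tier-1 monitoring flags it, central SOC must acknowledge) and then stalled. The check below is an added example, not Target's or FireEye's code: it takes a constructed list of alerts with timestamps for each stage and reports any alert that has sat unacknowledged at a stage for longer than a per-severity SLA. The alert records, dates and SLA values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class Alert:
    alert_id: str
    source: str                      # detection tool that raised the alert
    raised_at: datetime              # when the tool fired
    severity: str                    # "high" or "low" in this example
    flagged_by_tier1_at: Optional[datetime] = None   # monitoring team escalated
    acknowledged_by_soc_at: Optional[datetime] = None  # SOC took ownership

# SLA per severity: how long an alert may wait at any one stage (assumed values).
SLA = {"high": timedelta(minutes=30), "low": timedelta(hours=4)}

# Constructed sample alerts; the timestamps are illustrative, not the real timeline.
T = lambda h, m: datetime(2013, 11, 30, h, m)
SAMPLE_ALERTS = [
    Alert("A-1", "malware-detector", T(2, 0), "high", T(2, 10), T(2, 40)),  # handled
    Alert("A-2", "malware-detector", T(2, 5), "high", T(2, 15), None),     # flagged, SOC silent
    Alert("A-3", "av-scanner", T(3, 50), "low", None, None),               # fresh, within SLA
    Alert("A-4", "malware-detector", T(1, 0), "high", None, None),         # never triaged
]
NOW = T(4, 0)

def overdue_alerts(alerts: List[Alert], now: datetime,
                   sla: dict) -> List[Tuple[str, str, int]]:
    """Return (alert_id, stalled_stage, minutes_waiting) for every alert
    that has exceeded its SLA at the stage it is currently stuck in."""
    overdue = []
    for a in alerts:
        if a.flagged_by_tier1_at is None:
            waited, stage = now - a.raised_at, "awaiting tier-1 triage"
        elif a.acknowledged_by_soc_at is None:
            waited, stage = now - a.flagged_by_tier1_at, "flagged, awaiting SOC acknowledgement"
        else:
            continue  # fully acknowledged; nothing to escalate
        if waited > sla[a.severity]:
            overdue.append((a.alert_id, stage, int(waited.total_seconds() // 60)))
    return overdue

if __name__ == "__main__":
    for alert_id, stage, minutes in overdue_alerts(SAMPLE_ALERTS, NOW, SLA):
        print(f"{alert_id}: {stage} for {minutes} min")
```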

They failed to respond to their own data security breach alert.

When Target were questioned by the media on why they didn’t respond immediately to the data security breach, especially since they had been forewarned, the Target chairman issued a statement which acknowledged the data security breach in a highly technical and formalistic way. Arguably, the response failed both to explain why Target had not responded when they were notified of the malware and to adequately apologise to the customers who had suffered the data security breach.

Target customers responded by filing 90 lawsuits against the company for negligence and compensatory damages. By February 2014, Target had spent $61 million responding to the breach. In order to regain customer trust Target set up a customer response operation. Target suffered a 46% drop in profit for the holiday period when the breach occurred.

They suffered a 46% drop in profit due to the breach and are now facing multiple lawsuits.

The Target customers whose information was stolen did not have to pay to have their credit cards replaced. The credit unions and community banks covered that cost. However, since the Target breach those banks have spent $100 million reissuing 21.8 million cards. The Consumer Bankers Association estimates that the cost of replacing the credit and debit cards from the breach will exceed $200 million.

Data security breaches like this can have far reaching consequences.

How to protect your business from data security breaches

These Top Five Data Security Breaches demonstrate multiple system vulnerabilities, but more importantly they show that it is critical to the successful functioning of your business that you are informed on all aspects of information security. To get the latest expert advice and knowledge on information security you should attend our Information Security Workshop.

These data breaches also demonstrate that how a business responds to an incident is critical. Businesses need to have clear incident response policies because a careful, planned and proactive response that addresses customer concerns can dramatically reduce the damage to your business. We can help you prepare an incident response policy that is suitable for your business. If you want us to do this for you then click Enquire Now on this page.

If you are interested, please complete the form on the right or enquire now. We will contact you to find out more about your requirements and give you a quote.

Published March 23rd, 2016 (updated 2019-06-28) | Categories: Information Security Law