The 12 Largest U.S. Data Breaches Since 2016
Here's a look at what massive data breaches at companies like Equifax, Facebook, and Marriott meant for the company's stock price, market cap, legal and remediation costs, and executive turnover.
Breach Blues
The biggest breaches suffered by American companies since 2016 came as the result of external cyberattacks that leveraged phishing, malware, and technical vulnerabilities.
Cloud security vendor Bitglass researched the three largest breaches of publicly traded companies in 2016, 2017 and 2018 – as well as three large breaches of government and then-private organizations – to uncover trends and learn more about the extent of the damage.
Bitglass found that an average of 257 million people were affected by each data breach, with the breaches costing companies an average of $347 million in legal fees, penalties, remediation costs, and other expenses. These enterprises on average suffered a 7.5 percent decrease in stock price after being breached, Bitglass said, leading to a mean market cap loss of $5.4 billion per company.
Here's a look at the pain and suffering data breaches have inflicted on 12 major United States companies over the past three years.
Chegg
Chegg discovered in September 2018 that it had been breached in April of that year, according to Bitglass, with hackers gaining access to a database that contained personally identifiable information for 40 million users. The PII included names, email addresses, shipping addresses, usernames and passwords, Bitglass said.
The encryption algorithm Chegg was using to protect the data was apparently vulnerable to being cracked, which Bitglass said demonstrates the need for a full-strength solution. Bitglass said the education technology company took immediate action to notify its users and reset their passwords.
Chegg's stock plummeted 12 percent within a day of disclosing the hack, which Bitglass said was the company's worst day of trading since going public in February 2016. The cost of the breach is still yet to be determined, Bitglass said, with Chegg currently facing a class-action lawsuit.
Dun & Bradstreet
Dun & Bradstreet confirmed in March 2017 that a database obtained during the company's acquisition of another firm had been breached. More than 33 million unique records containing personally identifiable information such as names, personal email addresses, home addresses, job titles, job functions and work emails were exposed, according to Bitglass.
Dun & Bradstreet inherited improper security from a company it purchased, failed to address the vulnerabilities, and suffered the consequences, Bitglass said. The compromised database contained details about 100,000 Department of Defense workers, 70,000 employees of financial institutions, and 35,000 Kaiser Foundation workers, Bitglass said.
Fourteen percent of the compromised accounts were found publicly available online following the breach, according to Bitglass.
Equifax
Equifax suffered one of the largest and most devastating data breaches of all time in September 2017 due to a flaw in the open-source software that was used by the credit reporting company, according to Bitglass. The company's stock dropped nearly 14 percent the day after the announcement, and 31 percent within two weeks, Bitglass said.
Through this vulnerability, Bitglass said hackers were able to access sensitive data for more than 143 million people such as Social Security numbers, credit card numbers, full names, dates of birth, and home addresses. It took nearly two months for the breach to be discovered, according to Bitglass.
Equifax CSO Susan Mauldin and CIO David Webb retired immediately after the security lapse had been announced, Bitglass said. All told, Bitglass found the company faced $439 million in legal, remediation, insurance, and investigation costs.
Exactis
Exactis experienced an immense breach in June 2018, when a publicly accessible database exposed 340 million business and consumer accounts. Of the exposed accounts, Bitglass said roughly 230 million were consumer accounts and 110 million were business accounts.
Four hundred data points were compromised per account, Bitglass said, including home address, email address, age, number of children, religious affiliations, and even household pets. While no financial information is reported to have been leaked, Bitglass said the compromised data can still enable impersonation, profiling, and targeted spear phishing.
Exactis collects consumer data for targeted ads, and Bitglass said the compromised database was reported to contain information about almost every U.S. citizen.
Facebook discovered a cyberattack on its internal network infrastructure in September 2018. The attack compromised personal details of nearly 50 million users, Bitglass said, revealing the users' names, genders, email addresses, location check-ins, and relationship statuses.
The social media giant learned the attack was made possible by three software coding issues, according to Bitglass. Two of the bugs were found in a tool developed to improve user privacy, Bitglass said, while the third was associated with streamlined video uploading.
Facebook's stock price decreased by 8 percent after the breach, Bitglass said, yielding a $16 billion loss in market capitalization. The company could face fines as high as $1.6 billion in found guilty of violating GDPR.
LinkedIn learned in late 2016 that 167 million of its users' login credentials had been stolen. The company consequently notified account holders that they needed to change their passwords, according to Bitglass.
Hackers had managed to circumvent the inadequate encryption that LinkedIn had in place, Bitglass said, gaining unauthorized access to the company's store of user credentials. Adversaries used the stolen passwords to sign in to 90 percent of their victims' accounts within 72 hours, according to Bitglass.
LinkedIn initially believes that just 6.5 million accounts had been affected; however, Bitglass said the company later determined that tens of millions more were compromised. News of the breach led to a 4 percent drop in LinkedIn's share price within a week, according to Bitglass.
Marriott
Marriott discovered on Nov. 30, 2018, that its Starwood Hotel branch had suffered a massive security breach. While the multinational hotel chain was uncertain about how the breach occurred, Bitglass said, it did find that approximately 387 million guests had their names, dates of birth, gender, addresses, and passport numbers stolen.
Unauthorized parties somehow gained access to reservations made between Sept. 10, 2018, and potentially as far back as 2014, according to the report made to U.S. regulators. Bitglass said the company experienced a 5.6 percent drop in share price following the breach.
Marriott uncovered the breach while seeking GDPR compliance, Bitglass said; the company is now being fined $912 million under the regulation. There are multiple lawsuits pending against Marriott, according to Bitglass, with firms seeking up to $12.5 billion in legal damages.
National Security Agency
A cybercriminal group known as Shadow Brokers in August 2016 published samples of code that demonstrated they had extensive knowledge of the National Security Agency's IT systems and tools. Specifically, Bitglass said that Shadow Brokers gained access to tools that the NSA was using to hack other nation-states.
Shadow Brokers was supposedly using the stolen NSA information to enable its own hacking, according to Bitglass. Following the breach, Bitglass said compromised NSA data was found for sale for $1 million.
The fact that the NSA was vulnerable to hackers demonstrates that even the most trusted organizations are not invincible, Bitglass said.
Sonic Drive-In
Sonic Drive-In discovered in September 2017 that it had fallen victim to a breach when its credit card processor identified unusual activity. While Sonic hasn't officially disclosed how the breach occurred, Bitglass said it was likely caused by malware installed on one or more point-of-sale terminals.
The goal of the attack was to compromise customer credit card information, and Bitglass said five million credit cards from the attack were found for sale online. Following the breach, Bitglass said Sonic's stock price dropped by 3.5 percent in less than a week.
Of Sonic's 3,600 locations in the U.S., Bitglass said 325 stores were affected by the six-month malware attack. Two years later, Bitglass said the company has had to pay $4.3 million in legal damages.
Uber
Hackers gained access to the personal data of millions of Uber users and drivers in late 2016 by stealing credentials for the company's AWS instance. Fifty-seven million individuals had their personally identifiable information accessed, according to Bitglass, including names, phone numbers, and email addresses.
In addition, Bitglass said hundreds of thousands of Uber drivers had their Driver License numbers stolen. Uber ultimately paid $148 million in settlement, according to Bitglass.
Uber paid the attackers $100,000 and made them sign a non-disclosure agreement in hopes of hiding the breach, Bitglass said. And once the events came to light, Bitglass said Chief Security Officer John Sullivan and CEO Travis Kalanick were fired.
Verizon Enterprise
Verizon Enterprise discovered in March 2016 that the personally identifiable information of 1.5 million consumers had been compromised. The Verizon division focused on corporate clients confirmed the breach when it found the stolen data for sale in an underground cybercrime forum, according to Bitglass.
The personal information was being sold for $100,000, Bitglass said, with subsets available for purchase at $10,000 apiece. In addition to selling the stolen information, Bitglass said hackers offered details about the vulnerabilities they exploited in the breach.
Bitglass said the breach occurred because of a security flaw on Verizon's website that gave hackers access to an unsecured MongoDB server. And employees at Fortune 500 companies are now at greater risk of falling prey to targeting spear phishing attacks that leverage the stolen personal information, Bitglass said.
Yahoo!
Yahoo! faced two separate breaches in 2016, with a September incident compromising more than 500 million account holders and a December incident affecting more than 1 billion account holders. Compromised materials included personally identifiable information that was initially collected in 2014 and used through December 2016, Bitglass said.
In the state-sponsored phishing attack, Bitglass said hackers stole data such as users' names, email addresses, phone numbers, birthdays, passwords, and answers to their security questions. Yahoo! ended up spending more than $95 million on remediation and legal fees, Bitglass said.
The company was fined an additional $35 million for failing to disclose the hack to investors, Bitglass said. And because of the breaches, Verizon ended up purchasing Yahoo! for $350 million less than what was originally offered, according to Bitglass.