For many people tomorrow is just 28th January 2020, but for others in the cybersecurity space it is rather significant as it is also Data Protection Day.
It is also referred to as Data Privacy Day in other parts of the world, but the overriding sentiment remains – that greater awareness is created around data privacy and the promotion of data protection best practices.
“Data Protection Day serves as an important reminder that businesses are being increasingly held more accountable by regulators and consumers for protecting data,” says Jasmit Sagoo, senior director and head of technology for UK & Ireland at Veritas.
“It is a good opportunity for Chief Information Officers (CIOs) and Data Protection Officers to highlight the issue of data privacy to the board, or implement internal activities such as employee training or phishing tests to ensure employees are continually educated about the vital role they play in protecting data,” adds Sagoo.
While it is indeed a good idea to review the cybersecurity practices in your business and personal capacity this week, we also thought it worthwhile to illustrate the effect that poor data protection can have by highlighting five of the largest data breaches of the past decade.
The five, listed in no particular order, vary in severity and in the extent to which they affected people, but they all grabbed headlines for the wrong reasons over the past 10 years.
At the time of writing, Yahoo holds the record for the largest publicly disclosed data breach, which saw more than 500 million user accounts exposed in 2014. The major problem here, though, is that Yahoo only chose to disclose this information in September 2016.
This was followed in 2017 by the company noting that its entire 3 billion user base was compromised, with email addresses, names and phone numbers being stolen in the process.
The real cracker is that all of this was only revealed because Verizon was acquiring Yahoo.
If you had not heard of Equifax before, you definitely did in 2017. That year the company disclosed it had suffered a data breach in September, which eventually saw 147 million users being affected, 56 percent of whom hailed from the United States.
Like many of the companies listed here, Equifax knew that it was vulnerable: it was informed of a flaw in its system in March of that year, but failed to apply the necessary patches.
It proved to be a costly mistake as the firm agreed to pay $700 million to settle federal and state investigations into how it handled the massive data breach.
Much like Equifax, not many people had heard of marketing and data aggregation firm Exactis before June 2018. During its existence the firm had built up a massive database of hundreds of millions of people and businesses, most of which were in the US.
Fatally, that database was hosted on an unsecured server, which a security researcher discovered in the same month. The result was 2TB worth of data being exposed, which included email and home addresses, phone numbers and other information such as people’s hobbies and interests.
Veeam is a Swiss-based data management firm, so its inclusion on this list is not a good look. Handling several hundred marketing databases, the company issued a statement in September 2018 confirming that one of them was left publicly accessible to unauthorised third parties.
This mistake resulted in 445 million records containing names, email and IP addresses, among other details, being compromised over a period of 10 days. Veeam says that many of those records were duplicates and only 4.5 million records were in fact disclosed.
Whether that is actually the case is still unclear.
If you’re looking for the most recent data breach, just go back to last week when Microsoft explained that 250 million records were exposed as a result of a misconfigured database.
The discovery happened on 29th December last year, and credit needs to go to Microsoft’s team for securing the servers within two days (31st December 2019). The speed of Microsoft’s response proved vital here, as the aforementioned records were said to contain sensitive information such as email addresses, IP addresses, locations, confidential internal notes and more.
Microsoft says it’s working hard to ensure something like this never happens again, but the full ramifications of this temporary breach are still unknown for now.