Data breaches and hacks hit us at an alarming pace if you follow the news. We’re reminded almost daily of just how fragile our internet-based financial and commercial infrastructure is. 7 percent, or about $1.35 trillion, of US GDP is generated digitally makes cracking (i.e. criminal hacking) large companies an alluring activity for online criminals.
There are all sorts of ways to categorize and rank these data breaches — some have important political significance and others are represent new trends in cybersecurity and online crimes. But in light of the recent Capital One breach, the following list are the five that have had the most devastating and widespread effect on the average person over the years.
Probably the most frequently cited and visible example of a data breach, Equifax revealed that its records of consumer spending habits were compromised in September 2017. The data loss exposed the sensitive financial data of more than 145 million consumers in the US, and several million in the UK as well. Its effects also reverberated beyond the intrusion proper to impact US consumers with records held by Equifax competitor TransUnion.
There are a number of factors that rightly cement the Equifax breach as the most serious in history. For one thing, more so than other intrusions, it resulted from grossly inadequate response on the part of the breached company. After initially learning of the compromise of their enterprise systems, Equifax buried any public admission of failure for five months. The sum total of Equifax’s mismanagement was so immense that it led to one of the rare instances of company executives suffering meaningful consequences, forcing then-CEO Richard F. Smith to resign.
The other element that distinguishes this digital security lapse among so many others is the vividness with which it illustrates how companies that consumers don’t directly do business with handle sensitive information, and are impacted adversely when that data is mishandled. Two years on, we are still seeing this incident make headlines, with consumers now scrambling to collect their cut of the enormous class action settlement.
Only days old, the theft of data from approximately 100 million customer accounts is proving significant enough to reserve it a place in the history ebooks. Already, a criminal investigation into the incident has been opened, and an estimate of the cost in revenue loss and recovery expenditures has been calculated. In all likelihood, the swift response is due to not only lessons learned from Equifax, but from how unsettling of a prospect it is that such a major financial institution could be digitally infiltrated.
The company maintains that much of the more sensitive stolen data is encrypted, but like the Equifax breach, the cautionary measure of freezing their credit which consumers are forced to take involves substantial knock-on effects that will persist for years. The allegedly lone attacker in this case also shows how vulnerable we all are to a single motivated individual bent on sowing chaos.
Although it did not directly touch consumers per se, May 2017’s WannaCry attack shocked many with its mind-boggling global scale. In all, it ensnared upwards of 200,000 victims in over 150 countries, and succeeded in destroying numerous production systems beyond recovery when the ransom couldn’t (or wouldn’t) be paid. As a result, millions of employees around the world were doubtless thrown immediately into crisis remediation mode.
WannaCry easily merits its spot in hacker history for the numerous lessons it taught consumers and the information security industry as a whole. For starters, it illustrated the extent to which a wide array of industries rely on legacy technology that is way out of support cycle, as the attack primarily set its sights on Windows XP devices. This played out in a particularly terrifying fashion when it was able to bring such critical infrastructure as the UK’s National Health Service to its knees despite the relatively small number of victim systems.
Also, because the exploit supposedly originated with the NSA, and was subsequently leaked via the Shadow Brokers, it clearly demonstrated the unintended second-order consequences of nation-state exploit stockpiling, and the improper handling thereof. All of this combined to induce serious reflection on the state of critical infrastructure security.
United States Office of Personnel Management
An intrusion into the network of the US Office of Personnel Management (OPM) allowed attackers to pilfer the personal information of 22 million US government employees, some of whom had access to classified information. As part of the trove, the intruders were able to make off with more than 5 million fingerprint records.
Even more alarming was how profoundly vulnerable the breach proved the OPM to be. What is commonly regarded as “the OPM breach” was actually two hacks, with the first one occurring in 2013 to steal department documentation (ostensibly in preparation for the subsequent stage) and the second one taking place in 2014 to execute the theft of OPM’s employee data. In fact, Congress was repeatedly warned that OPM was woefully unprepared to fend off an intrusion.
Reporting to this point has laid the blame on China. Regardless of which actors perpetrated the attack, though, the vulnerable position that so many US military and intelligence personnel are in as a result carries serious national security implications that will be felt for decades to come.
In July 2015, the accounts of 36 million users of the adultery-facilitating “dating” site Ashley Madison were stolen and dumped on the internet. Because of the illicit nature of the services offered, many of these accounts were only distinguishable by pseudonym. However, while there is no reliable figure for how many real identities it revealed, a number of users were positively identified by credit card information or by the use of work emails, including those belonging to government employees.
What made the hack particularly nasty, and noteworthy, were the resulting attempts to blackmail victims, and the pitched moral battle that ensued in the public sphere. It also fascinated the American public consciousness by the way that it shed light on a murky and taboo aspect of society. Since the data was publicly available, many curious would-be social scientists performed data analysis on it to discern trends. The Ashley Madison breach established itself as a prominent example of a niche case in which a digital compromise roiled society even in the absence of large financial losses.