Top Breaches From the Past Three Years Caused by External Cyberattacks

A new report states, "The largest breaches over the past three years have caused massive and irreparable damage..."

Data breach. (Source: Shutterstock)

External cybersecurity attacks leveraging phishing, malware, technical vulnerabilities, and more triggered the biggest breaches of publicly traded companies over the last three years, according to a report from Campbell, Calif.-based Bitglass.

“Kings of the Monster Breaches,” from the cloud access security broker Bitglass, explored causes, repercussions and company responses for preeminent breaches. Additionally, it recaps three of the most significant cybersecurity incidents over the last three years.

“The largest breaches over the past three years have caused massive and irreparable damage to large enterprises and their stakeholders around the globe,” Rich Campagna, chief marketing officer of Bitglass, said. “This should serve as a stark warning to organizations everywhere. If massive companies with seemingly endless resources are falling victim to external attacks, then companies of all sizes must remain vigilant in their cybersecurity efforts. It is only by taking a proactive approach to security that breaches can be prevented and data can truly be kept safe.”

Some key insights from the report: publicly traded companies suffering the worst data breaches averaged a 7.5 percent decrease in stock price; the mean number of individuals directly affected by each breach was 257 million; and, to date, the breaches have cost their companies an average of $347 million in legal fees, penalties, remediation costs and other expenses.

As with all data breaches and/or events involving personal information and payment cards, the risks could extend to credit unions and other financial institutions.

Here is a quick rundown of some of the incidents as covered in the report:

- Marriott discovered on November 30, 2018, that its Starwood Hotel branch had suffered a massive security breach. Approximately 387 million guests had names, birthdates, gender, addresses, and passport numbers stolen after unauthorized parties somehow gained access to reservations made between September 10, 2018 and, potentially, as far back as 2014. The company now faces $912 million in fines under the EU’s General Data Protection Regulation; experienced a 5.6% drop in share price following the breach; and has multiple lawsuits pending, with firms seeking up to $12.5 billion in legal damages.

- In September 2018, Facebook discovered a cyberattack that affected nearly 50 million users and compromised users’ names, genders, email addresses, location check-ins, and relationship statuses. The incursion, caused by three software coding issues, precipitated an 8% decrease in Facebook’s stock price, yielding a $16 billion loss in market capitalization. If found guilty of violating GDPR, the company could face fines as high as $1.6 billion.

- Dun & Bradstreet confirmed a breach occurred in March 2017, during the acquisition of another company, exposing over 33 million unique records such as names, personal email addresses, home addresses, job titles, job functions, and work emails. The compromised database contained details about 100,000 Department of Defense workers, 70,000 financial institution employees, and 35,000 Kaiser Foundation workers. Fourteen percent of the compromised accounts became available online after the attack.

- In September 2017, Sonic Drive-In, the fast-food chain, discovered it had fallen victim to a breach when its credit card processor identified unusual activity. The attack compromised credit card information at 325 of its 3,600 U.S. locations. Hackers later offered five million credit cards gleaned from this attack for sale online. Sonic paid $4.3 million in legal damages. Following the breach, the company’s share price dropped by 3.5% in less than one week.

- In 2016, Yahoo! faced two separate breaches: one in September, which compromised over 500 million account holders, and another in December, which affected over one billion. Bitglass found that in the state-sponsored phishing attacks, hackers stole data such as users’ names, email addresses, phone numbers, birthdays, and passwords, as well as answers to security questions. Yahoo! spent over $95 million on remediation and legal fees and incurred an additional $35 million for failure to disclose the hacks to investors; and because of the breaches, Verizon purchased Yahoo! for $350 million less than it originally offered.

- On March 24, 2016, Verizon Enterprise, the division of Verizon focused on corporate clients, discovered that 1.5 million customers’ personal information had been compromised. Because some 97% of Fortune 500 companies use Verizon Enterprise, the employees of these and other organizations now face the risk of falling prey to targeted spear phishing attacks. Dark web marketplaces offered the stolen data for $100,000, with subsets available for $10,000 apiece. In addition to selling the stolen information, hackers offered details about the vulnerabilities they exploited in the breach.