AXEL.org

Blog

The 10 WORST Data Breaches of the Decade

As another decade comes to a close, now is the perfect time to reflect on some of the top 10 worst data breaches and cyber-security blunders from the last ten years. Over the 2010s, we’ve seen the pace of technological growth rapidly advance. From the development of facial recognition software to the growth of artificial intelligence and quantum computing, the digital age has taken a monumental leap forward.

And while this technology has brought innumerable benefits, the vast quantity of personal information now stored digitally has exposed us to catastrophic privacy violations from even the smallest data breach.

While there have been data breaches as long as data has existed, the danger has never been more apparent. Our entire lives are stored digitally, from personal files like family photos to vital business data like employee records and legal documents. The digital world is inescapable, and millions of users across the web are unknowingly putting their privacy at risk.

Data breaches have become so common that society has become desensitized to the effects, which, ironically, makes it all that more dangerous.

So in case you’ve forgotten just how pervasive data breaches have become, we’ve assembled a list of the ten most damaging breaches of the last decade.

10) Facebook

Date: 2017-2019
Impact: 50 Million Users

Starting off our list is the social media powerhouse, Facebook. Although a prominent social platform, Facebook is not 100% bulletproof and has become a victim to hackers and data breaches in the past. Two years ago, Facebook announced the discovery of a bug in their site that resulted in the exposure of over 50 million accounts. By abusing the flaw, hackers were able to obtain account access tokens, which are security keys that enable users to stay logged into a Facebook account without the need to re-enter passwords when returning to the site. The real significance of this data breach was that the access tokens didn’t just allow hackers to spy on users’ private information; the tokens gave hackers full control over the victims’ accounts. The breach forced Facebook to reset the access tokens of the over 50 million affected accounts, in addition to 40 million more accounts out of precaution. (Source)

9) Uber

Date: 2016
Impact: 57 Million Users

Uber, a multi-national ride-sharing company, suffered a major data breach in 2016, which involved at least 7 million drivers and 50 million passengers. The breach compromised all sorts of personal information: names, email addresses, and phone numbers, to name but a few examples. In addition, the breach exposed over 600,000 drivers’ license numbers. What makes this data breach so much worse, is that Uber initially attempted to hide the incident to regulators and users. Instead, Uber tried to pay a $100,000.00 ransom to the hackers, in the hope that they would get rid of the data and keep the breach concealed from the public. Their plan failed, but to Uber’s credit, they did take immediate steps to secure the data and shut down further unauthorized access by the hackers. (Source)

8) JP Morgan Chase

Date: 2014
Impact: 76 Million Users and 7 Million Small Businesses

In 2014, JPMorgan Chase was the victim of a cyber-attack that resulted in the theft of nearly 80 million users’ data. From confidential information like home addresses to business information like corporate banking documents, the breach affected millions of files. Reporters and journalists stated that the hackers likely operated out of Russia or Eastern Europe and that they were able to break into the Chase network by hacking a Chase employee’s personal computer. (Source)

7) Target

Date: 2013
Impact: 110 Million Accounts

The retail giant faced a data breach that resulted in the unauthorized access of almost 110 million accounts. The attackers stole information stored on the magnetic stripe of the back of credit and debit cards swiped in several Target stores. It was incidents like this that contributed to the rise of the EMV chip, now embedded into all new credit and debit cards. Several years later, Target paid out an $18.5-million-dollar settlement, which included a $10,000.00 payment to consumers who provided evidence that they suffered losses resulting from the data breach. (Source)

6) eBay

Date: 2014
Impact: 145 Million Users

In 2014, the online commerce company, eBay, announced that its records had been breached and suggested that almost 145 million users needed to change their passwords. This cyber-attack was carried out by a team of hackers who were able to obtain the credentials of three eBay employees. Names, emails, passwords, and even security questions were all compromised in the hack. Even more concerning was that due to eBay and Paypal being so interconnected, hackers were able to gain access to people’s Paypal accounts too. In the end, eBay did not provide any reimbursement towards the consumers that had their credentials misused or their money stolen. (Source)

5) Equifax

Date: 2017
Impact: 148 Million Users

Equifax, one of the largest consumer credit reporting agencies in the United States, suffered a data breach in September 2017. In addition to the theft of 209,000 credit card numbers, approximately 148 million Americans had their name, phone number, home address, date of birth, driver’s license number, and social security number compromised as well. As more details came to light, a lack of regard for consumer data by many of Equifax’s senior staff became apparent. It was a catastrophe; they even hired a Chief Information Security Officer who’s credentials were entirely made up of not one, but two degrees, in music. Yes, music.

Fast forward to July 2019, Equifax announced a $675 million consumer settlement. They offered people who were affected by the breach a choice of  4-years of free credit monitoring services or a $125 cash payment. (Source)

4) Adult Friend Finder

Date: 2016
Impact: 400 Million Users

Almost half a billion users had their data compromised from a litany of websites across the FriendFinder network. Over 20 years of data, including names, email addresses, and passwords were all exposed. Even more worrying, is that this wasn’t FriendFinder’s first rodeo…

In May 2015, it was revealed that around 4 million FriendFinder accounts were stolen. The good news is that FriendFinder was transparent and updated the public as soon as they became aware of the attack. The breadth of this data breach is still under investigation; however, FriendFinder Networks suggests that all users reset their passwords. (Source)

3) Marriot International

Date: 2018
Impact: 500 Million Customers

In November 2018, Marriot International announced that a data breach had occurred within their system. However, the incident initially began in 2014. The breach originated in the Starwood Hotel guest reservation database, where hackers laid dormant in the system for several years before Marriott acquired the company. With that time, the attackers were able to steal passport and credit card information from hundreds of millions of people. (Source)

2) First American

Date: 2019
Impact: 885 Million Customers

Not only is First American second on this list because of volume, but they are here due to their carelessness. Data from at least 885 million people was easily accessible on the First American’s site by inputting a specific set of URLs. These URL’s had a sequential system, meaning you could simply plug and play with different numbers to find confidential information. This sort of reckless behavior regarding data security seems like it would be a story from the 1990’s. What makes it so sad though… is this is the most recent data breach on this list, occurring in 2019. (Source)

1) Yahoo!

Date: 2013-2014
Impact: Over 3 Billion Users

Yahoo takes the number one spot for the largest data breach of the decade due to the pure volume of records stolen. The internet giant that was once the face of the internet had names, email addresses, passwords, and security questions compromised due to outdated and easy-to-crack encryption. Also, Yahoo failed to correctly pinpoint the number of users affected and released several revisions on the estimate. In 2016, Yahoo announced that 500 million users had their data compromised in a 2014 data breach. That announcement was later amended with information that there was another 2013 data breach that affected approximately 1 billion users. After drastically increasing the estimate with each subsequent announcement, the final estimate was that over 3 billion people were affected. In the spirit of schadenfreude, though, you can find some solace in knowing that Yahoo did pay. When the breach was announced, Yahoo was in the process of selling the company to Verizon. The data breaches ended up chopping off approximately $350 million off Yahoo’s sale price and the two companies agreed to share regulatory and legal liabilities from the incident. (Source)

On the plus side, a class-action lawsuit was filed against Yahoo and people who’ve had a Yahoo account since 2012 are entitled to up to $358.80 of compensation. You can learn more on YahooDataBreachSettlement.com. Don’t let these Yahoo’s get off cheap for exposing your data.

Based on big tech’s terrible track record with data protection, it is safe to say that our data is not safe. Cybersecurity, which should be at the forefront of any company’s mind -especially when you hold the private information of millions of people- is looked at as an expense to be mitigated.

And what may be the most disheartening part is that it’s not a super team of elite hackers cracking into databases. It’s pure and simple negligence in many cases, from not updating security software, to leaving private information exposed on a public database with no password.

But finally, the decade is coming to an end, and hopefully, data breaches are ending with it. But with how little is being done to prevent them… it might be best to start keeping your data to yourself.

Why Data Breaches are so Damaging and how the Law has Failed Consumers

Very few times in history have a group of people sat down with the purpose of writing a set of new laws to improve society. Instead, what usually happens is that laws are written to solve specific problems. This leads to a litany of laws piling up over the decades. While it could always be debated how effective a particular law might be at accomplishing its goal, the rapid pace of technological advancement over the past 20 years – especially as compared to the pace of the lawmaking process – has introduced new challenges as laws become quickly outdated, sometimes even by the time they take effect.

The results of this are acutely apparent in the cross-section between the fields of cybersecurity and consumer protection, namely data breaches.

The magnanimity of consumer protection laws in the United States were written for a society concerned with immediate product safety and compensation for resulting injuries, not for the nebulous and incalculable injuries that may be sustained by potential millions when private records are exposed.

Why are data breaches so damaging?

The unique problem of data breaches stems from the fact that the breach of privacy carries in of itself no specific harm. Instead, it is the later misuse of information that has been breached that may lead to ensuing harm. However, with data breaches occurring on a near-daily basis, the causality of specific financial or reputational damage is nigh impossible to link to a single breach causally; with our laws written around the concept of calculable damages being the source of justified remuneration, we are left constantly and increasingly victimized but unable to seek just compensation.

Some would argue that even more problematic is the irreparable nature of many of the most severe data breaches. Once a name and social security number are leaked, that identity is permanently and irreversibly at risk for being used fraudulently. While one could always apply for a new social security number, the Social Security Administration is extremely reluctant to issue new identities, and while that is a debate for another time, it goes to show just how difficult it can be to recover from a breach. Victims are permanently marred and at increased risk for future injuries resulting from a single breach, no matter how much time has passed.

Because of the damage resulting from a data breach being so far removed temporally and causally from the actual breach itself, adequate compensation is rarely won, if it is even sought. Was it the Equifax breach, the MoviePass breach, or one of the innumerable other breaches this year that resulted in your identity being stolen and used to take out fraudulent loans a decade from now?

Moreover, even if you should find that it was MoviePass’ negligence that leads to your identity being stolen, what compensation can you seek from a company that has been defunct for years? Our laws were not written to address these issues adequately. Our legal system often does not ponder questions of uncertainty and possibility, and that’s the perfect summary of what victims face in the aftermath of a breach; uncertainty and possibilities.

For all the uncertainty victims face, the solutions going forward as a country are equally opaque.

It would be easy to write some draconian law to punish companies for exposing private data, but as is often the case, that could have unintended consequences, such as pushing data overseas where even looser security and weaker privacy laws may exacerbate the problem. Instead, it’s going to take a significant shift in our collective-consciousness over how data is handled.

Laws written for managing telecommunications and transmissions in that era are being used to handle complex cybersecurity and data privacy cases.

This can’t come just from one party though; companies need to seriously consider what data they need to collect, and what information needs to be retained on a long-term basis. Consumers have to take ownership of their data and demand a higher quality of service from corporations and governments over how their data is collected and used.

As a whole, we must recognize the value of data, and the dangers we expose ourselves to by collecting it (and why it might even be best to not collect data at all in many circumstances).

Just like holding valuables such as gold and art entails a security risk, so too does data. If people started treating data like the digital gold it really is, maybe then we could all come together to work out a solution.

But until then, I’ll be keeping my data to myself.

Projects We Love: PrivacyWall

This is part of our series highlighting startups who share our mission of trying to bring data privacy back to users.

You’ve had a rough week, maybe it’s a relationship or health problem, but either way, you’re feeling down. Fortunately, your family is there for you, and reach out to console you through a few private messages on social media.

Mom: “I know it’s expensive, I’m sorry your health care doesn’t cover it, we’ll do what we can to help you pay.”

Dad: “Don’t worry sport, she’s just going through a phase, I’m sure you guys will work through it.”

Friend: “Hey man, let’s meet up for a drink this weekend, cheer up!”

After reading your messages, you lay down in bed to rest and start scrolling through social media to pass the time until you fall asleep, and you’re astounded by what you find.

Ads.

But not just the usual ads for food, or some new tech gadget.

“Lower your healthcare costs now! Save 20% off market rate plans!”

“Relationship trouble? Local family counseling is available!”

“Cheapest beer in town, and half-price shots on Fridays!”

Maybe it’s just coincidence, or maybe every single thing you say or do online is being tracked and sold to advertisers… That “free” social media website has to make money somehow.

And that’s where PrivacyWall comes in- a startup that is returning data privacy and security to users. By blocking unwanted data collection by everyone from Facebook to Google, PrivacyWall puts you back in the driver’s seat.

Why PrivacyWall?

Every website you visit, every search you type in, every message you send and photo you post, it’s all tracked, recorded, and monitored. PrivacyWall is the “off” switch we’ve been waiting for.

By blocking over 3,000+ trackers from many of the largest tech companies in the world you can once again browse the internet without fear of being tracked like the target of a CIA investigation. We expect privacy in our homes, and we should get the same treatment on the internet.

PrivacyWall even blocks Facebook Connect from building a shadow profile of your online activity when you are not on Facebook. If you didn’t know, that convenient “log-in with Facebook” turns that account you just signed up for into another data collection point for Facebook to build a profile on you.

If you didn’t know that, you aren’t alone. And that’s exactly why PrivacyWall blocks threats you don’t even know about yet. Because you shouldn’t have to become a security expert and worry about your private information being leaked just because you used Facebook to sign-up for a food delivery app, or a dating site, or anything.

You deserve privacy, and PrivacyWall is a step towards a more private world.

How Artificial Intelligence is Shaping the Future of Cybersecurity

This article is a guest post by Maddie Davis, co-founder of Enlightened Digital.

The threat of a cyberattack in today’s world reaches far beyond just enterprise level companies. Government systems, small and large businesses, educational institutions and non-profit organizations are all targets for the vicious hackers of the dark web. Moving forward, the advancement of technology will contribute to changes in both attack methods and defense mechanisms of cybersecurity. Artificial intelligence (AI), in particular, is currently viewed as a leading technology in this transformation. AI’s capabilities carry significant advantages. As AI-enthusiast, Mark Hurd has stated, “the advantage of AI not only is that it constantly learns, but it also never forgets.” We’re taking a look at how AI will use this advantage, among others, to shape the future of cybersecurity.

AI-powered security

An AI-powered defense system is no longer just a possible option for businesses today, but a necessity, considering the threat of AI-fueld cyber attacks. As attackers become more vigilant about their techniques and more vicious in their invasions, organizations must step up their defence in retaliation. Moving forward, AI will play a large role in how cybercrimes are both prevented and dealt with. As Executive Director of NCSA (National Cybersecurity Alliance, Kevin Coleman puts it, “this new era in tech and cybersecurity is driven by prediction, detection and rapid response.”

Attack detection

Using machine learning algorithms, AI will be able to improve a victim’s ability to detect potential threats. Every user within a given system can be tracked and monitored based on their individual roles, allowances and common behaviors, so any deviation from the standard can be flagged to prompt a second form of authentication. Password protection can also be improved. AI can monitor how individuals enter their passwords, which characters are used and the length of passwords to better identify and rectify poor practices. Moving forward, the hope is that AI will ultimately transform the current password model with something more advanced and secure.

Natural language processing (NLP)

AI’s natural language capabilities are expected to significantly improve cybersecurity efforts through better attack identification and reaction. Armorblox’s natural language understanding platform for example, uses NLP to more accurately inspect text content of everything within an organization’s system. This technology enables companies to detect threats regardless of whether or not they contain links or file attachments and provides heightened visibility of all communication and data transferring across an organization. As Armorblo explains it there are three main offerings of the platform that can improve cybersecurity

  1. A natural language engine that derives new insights from enterprise communications and data.
  2. Automated policy recommendations through learning what is important for the organization.
  3. An alert remediation framework that distributes context-sensitive alerts to the relevant users, saving time for the security team.

AI-powered attacks

The level of sophistication in modern cybercrime is continuously increasing. Both cyber criminals and their attacks are equipped with more advanced technology than we, as a society, have ever combated before. Artificial intelligence, specifically, is contributing to frightening new malware that goes beyond the level of attacks we’ve traditionally seen from computer algorithms without the help of AI. 

There are numerous new threats to consider for businesses and individuals alike now that hackers are armed with machine learning technology. According to an article by Towards Data Science, there are essentially five ways machine learning can be used for potential attacks.

  1. Information gathering: AI can analyze vast amounts of data quickly.
  2. Impersonation: Self-learning AI can accurately imitate human communications.
  3. Unauthorized access: AI is adaptable to new environments, enabling easier access to secured systems.
  4. Attack: Malware and DDoS attacks can be made more scalable and harder to detect.
  5. Automation: AI botnets are capable of automating various aspects of an attack. 

The main function of machine learning is its ability to continuously learn and adapt. In terms of cyber crime, this ability presents an advantage to attackers. Self-learning AI could potentially lead to scalable attacks that can adapt to victims’ changing environments and modify itself to compromise each unique system it encounters. This agility may also make it more difficult for IT teams to detect intruders.

Artificial intelligence in the world of cybersecurity is seemingly both friend and foe. In the right hands, technology is the key to better detection and faster incident response. In the wrong hands, it can be the conductor of devastating attacks. Moving forward, we can certainly expect to see continuous AI advancement and implementation in the future of cybersecurity.

Maddie Davis is the co-founder of Enlightened Digital and self-described tech-obsessed female from the Big Apple who lives by building and redesigning websites, running marathons, and reading anything and everything on the NYT Best Sellers list.

You can read more great content from Maddie and her team right now on Enlightened Digital’s website.

Q&A With The Developers Of AXEL IPFS

We sat down with AXEL’s development team to discuss their AXEL IPFS Pinning Facility.

Q: What inspired you to develop AXEL IPFS?

The next evolution of computing is distributed. IPFS or something very similar is going to be the basis of distributed storage. The AXEL IPFS integration into our ecosystem has given us a worldwide public distributed storage system to build practically anything on top of including AXEL IPFS Pinning, AXEL IPFS Search, and many other services to come. AXEL is building a very strong foundation in distributed storage and will be a leader in the next evolution of Web 3.0!

Q: What excites you the most about AXEL IPFS?

AXEL IPFS will allow our users to immediately and securely distribute their data around the world for personal or business use. AXEL will be fostering the movement from centralized to decentralized computing and AXEL IPFS is the start of the process. For AXEL users, they can share files or even distribute website information with IPFS. It is very exciting to bring Web 3.0 technology to the masses. AXEL has made it super easy to use, which is very important when you want to increase the adoption of complex technologies like IPFS.

Q: Do you see a future for IPFS and what industries will adopt it first?

Web 3.0 will be distributed. IPFS seems likely to be a core technology of Web 3.0 and the distributed Internet. Right now archivists, service providers, researchers, developers, and content creators have begun to adopt IPFS to address many problems caused by centralized computing. IPFS also addresses many issues around high-latency networks found in developing countries. Even NASA is using similar systems to address the high-latency involved in space communications. So there is a lot going on in this field. With that said, though, it is still very new. AXEL is bringing this technology to users today by making it secure and easy to use so anyone can take advantage. I think it will be interesting to see how IPFS develops and is integrated into more and more consumer products. 

Q: What industries will IPFS be the death blow for? Is there a future for cybersecurity in a distributed web?

I do not think we are talking extinction but evolution. Current centralized systems will evolve into decentralized/distributed systems as users demand the flexibility, security, and efficiency of decentralized/distributed systems. The only companies that will go extinct are those that fail to evolve or evolve without taking into account customer needs. And as far as cybersecurity goes, as long as we use computers and the human condition remains as it is, cybersecurity will also be a lucrative and in-demand career.

Q: How much will AXEL IPFS cost to use?

The IPFS is the backbone for our private, secure file-sharing and cloud storage platform; AXEL Go. You can sign up for a free Basic account and receive 2GB of online storage and enough network fuel for hundreds of typical shares. Power users or enterprise customers have a choice of pricing tiers to accommodate their specific needs. 

Q: Is IPFS the death of HTTP?

In the computer industry, protocols die hard. As much as we want to criticize the problems with centralized computing, it has provided one of the greatest revolutions in mankind’s history. Never before have so many had access to almost the entire world’s knowledge. Individuals and entrepreneurs have tapped into this knowledge to develop some incredibly cool tech over these past 20 years. So, HTTP has been a great success, and it will not disappear quickly. But as 5G becomes more prevalent and developing countries increase their demand for data, decentralized and distributed technologies will be selected as the protocol over HTTP. It is also interesting to note that Tim Berners-Lee who created the HTTP protocol and the World Wide Web is now working on the next distributed/decentralized protocol. It is one of the greatest qualities of humans, we never stop creating.

Q: Do you have any concerns that content on IPFS can’t be removed or censored?

Yes, absolutely. There are clearly certain types of information that are not suited for publication anywhere at any time, such as child pornography or sex trafficking. Universally, this type of abhorrent information has no place on IPFS or anywhere else on the internet for that matter. When it is so universal and clear-cut like this, AXEL will do everything in its power to prevent this content from being listed on IPFS.

Q: What was the most challenging aspect of developing AXEL IPFS?

The IPFS is still actively being developed and there are always difficulties with anything new and in-development. But otherwise, I have been developing technology for over 30 years and with that experience, you learn how to be diligent and get it done the right way.

Q: What does AXEL IPFS do that sets it apart from any other IPFS platform?

We believe our IPFS integration is the most easy-to-use, intuitive solution on the market. In the past, IPFS pinning required extensive technical knowledge or expensive third party services. We’ve eliminated both barriers and made utilizing this decentralized technology simple and affordable. For instance, with AXEL Go, the process isn’t any more complicated than using other popular cloud storage and sharing applications. And it doesn’t get much more affordable than a free Basic account! 

Q: How can someone help or participate in the project?

Join us on Discord or Telegram and get involved. Telegram has a lot of great community activity and Discord is where the Devs hang out. Come chat with us! There are so many ways to get involved, ask any of the channel admins and they’d be happy to help!

The Distributed Future

According to Blade Runner, we only have 7 months left for the invention of sentient androids, but that seems unlikely at this point (I’m still hoping though). And we’re already four years late for Back to the Future’s flying cars and hover-boards. 

Looking back, all of these predictions seem a little bit silly in comparison to how fast technology has actually progressed. We don’t have androids, we don’t have flying cars, we don’t even have a printer that works without having to beg and plead for it to just print your document correctly for once. Physical tech has lagged behind our predictions. No matter how hard we work, there’s only so efficient you can make a chemical process, like the one that powers the batteries any of this tech would require. 

But what hasn’t slowed down… is digital technology. Smaller, lighter, and faster than anybody ever imagined even 30 years ago. Look at Blade Runner, they had sentient androids and still worked with magnetic tape recordings for data storage, not exactly a great prediction there Ridley Scott… 

The computing power in your cell phone dwarfs even the most advanced supercomputer of the early 1990s. And it doesn’t take up an entire warehouse and enough power to run a small town. And all you use it for is to watch cat videos on Youtube… really? 

So in a world where we’re all carrying around a supercomputer in our pocket, what are we going to do with it? (And please… don’t just say watch more cat videos, yes I know they’re adorable but come on, aim a little higher, please?) Why not run the internet ourselves? 

When we’re all running around with supercomputers, why should we be putting our trust in these large tech conglomerates when they’ve continually shown themselves, at best as ambivalent and at worst as downright negligible when it comes to our data privacy. Every other day it seems like there’s a new data breach, hack, or the company itself selling our private data to advertisers. They haven’t earned our trust, and even if they did at some point, they’ve certainly lost it by now. 

But we don’t have to anymore. We aren’t beholden to big tech if we are willing to take the plunge and dive into the distributed web. A web like our predecessors in the 80s imagined it, free to surf, send, and share without someone looking over your shoulder. A web free of censorship, where the only boundaries are our imaginations. A web hosted by people for people, not advertisers and tech monopolies. 

The distributed web is not the web like you’re used to though. It’s not some massive server farm hidden away in a warehouse, its independent server operators sharing the network load among them. It’s every one of us having the opportunity to participate in the governance of the internet. It’s freedom from control and freedom from censorship. 

It’s not just about escaping big tech though; it’s about building something better. Joining the distributed web doesn’t mean you don’t get to share photos and videos with your friends, it means sharing content in a way that doesn’t compromise your data privacy. It’s about creating a web where you are in ultimate control of your data, your privacy, and your life. 

Welcome to the future of the internet.