AXEL.org

data breach

Devastating Data Breaches – Part 5: Facebook Dismisses Data Security

In the history of the Internet, no tech company may be more controversial than Facebook. Started in 2004 and initially limited to Harvard University students, Facebook quickly hit the mainstream as the premier social networking site. In just a few years, it overtook older sites like MySpace and Friendster, making it the go-to social network for hundreds of millions of people. However, this massive growth has not been without controversy.

Facebook has long been criticized for its record on privacy and security. From collecting mountains of information on individuals to its involvement in state-sponsored surveillance, Facebook’s record on privacy is shaky [1]. But even though billions are skeptical of Facebook and its security practices, it’s still the most popular social network in the world. Combined with its ownership of popular messaging app WhatsApp and photo-sharing app Instagram, Facebook has become one of the Silicon Valley giants where their main product isn’t a product or software, but users themselves. Because of this, it is in Facebook’s best interest to collect as much information as possible from its users. While this strategy certainly lines Facebook’s pockets with oodles of advertiser cash, it forces user privacy to take a backseat and puts user security at risk. Unfortunately, in 2019, this security risk became realized for hundreds of millions of people.

In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Check out our previous posts about Yahoo, Marriott, Equifax, and Target to learn about what went wrong, what could’ve been done, and how each company responded to devastating data breaches.

Before The Breach

In 2019, Facebook was already facing the aftermath of another massive privacy mishap, the Cambridge Analytica scandal. With Facebook’s knowledge, Cambridge Analytica, a political data analytics firm, harvested data from 87 million Facebook accounts. It then sold this information to multiple United States presidential campaigns in order to inundate potential supporters with political advertisements [2]

Following the revelations of this data thievery, Facebook CEO Mark Zuckerburg even testified in front of Congress, along with taking out full-page advertisements in major newspapers, vowing to “ensure this doesn’t happen again [2].” Following an investigation, the Federal Trade Commission fined Facebook USD $5 billion, the largest fine ever levied by the United States government [3].

Put simply, Facebook was not seen in a positive light by many people. Its track record regarding data privacy had always been shaky, but this new scandal not only drew the ire of government officials, but the general public as well. After this scandal, all eyes were on Facebook to see if it would actually make changes to protect user privacy. Unfortunately, Facebook did not keep its promises for long. 

The Leak

In 2019, through a vulnerability in Facebook’s code, the personal data of 533 million Facebook users was stolen [4]. Concerningly, the perpetrators of this attack did not acquire the data through hacking or phishing, but simply by finding a vulnerability that allowed users to record millions of phone numbers from Facebook’s servers. In August 2019, Facebook patched this vulnerability, but was unaware of the stolen data. However, in April 2021, phone numbers of the 533 million users were posted to a hacking forum. This data mainly consisted of names and phone numbers, but some email addresses and birth dates were compromised as well [4]. Even worse, the data was posted for free on a public forum, meaning that any scammer or spammer with basic computer knowledge could access this stolen data [4].

While no financial or government data, such as credit card numbers or Social Security numbers, were posted, the release of phone numbers and corresponding names was a goldmine for scammers. Primarily, these cybercriminals could use this information to send phishing scams to unsuspecting users. While the attack could have been much worse, the leak of over half a billion phone numbers directly after Facebook’s previous data scandal was not received well by the general public.

Facebook did little to satiate the outrage following the leak. After the leak was publicly revealed, Facebook stressed that the leaked data was outdated (albeit, by only two years) and that the security flaw had already been patched. Additionally, Facebook refused to notify the affected users, stating that there was nothing that users could do to mitigate the consequences [5]

The Aftermath

While a leak that puts 533 million phone numbers at risk may sound like a big deal, for Facebook, it’s just a drop in the bucket of criticism the company has received regarding user privacy. After all, the Cambridge Analytica scandal forced Zuckerberg to testify before Congress. For Facebook, this is a run-of-the-mill data breach. In fact, in a leaked email detailing the company’s response to the breach, a Facebook employee stated “We expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly [6].”

Unfortunately, it appears Facebook is not planning on making substantive changes regarding user privacy. This isn’t particularly surprising, as Facebook has become a giant because of its willingness to collect user information. However, just because Facebook is slow to change doesn’t mean you have to be a victim. You can protect your data by following simple cybersecurity tips, like not clicking unfamiliar links and double-checking email addresses. If Facebook isn’t going to protect your privacy, it’s up to you to do it yourself.

Protect Your Data with AXEL Go

Another way to protect your privacy is to use a secure file-sharing software. Offering industry-leading encryption and decentralized blockchain technology, AXEL Go is the best way to protect yourself or your business from unauthorized cybercriminals. Featuring a myriad of unique privacy features, AXEL Go is the best way to keep your data safe. If you’re ready to try the best protection, get two free weeks of AXEL Go here

[1] Greenwald, Glenn, and Ewen MacAskill. “NSA Prism Program Taps in to User Data of Apple, Google and Others.” The Guardian. June 07, 2013. https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data.

[2] Meredith, Sam. “Facebook-Cambridge Analytica: A Timeline of the Data Hijacking Scandal.” CNBC. April 10, 2018. https://www.cnbc.com/2018/04/10/facebook-cambridge-analytica-a-timeline-of-the-data-hijacking-scandal.html.

[3] Nuñez, Michael. “FTC Slaps Facebook With $5 Billion Fine, Forces New Privacy Controls.” Forbes. July 24, 2019. https://www.forbes.com/sites/mnunez/2019/07/24/ftcs-unprecedented-slap-fines-facebook-5-billion-forces-new-privacy-controls/.

[4] Holmes, Aaron. “533 Million Facebook Users’ Phone Numbers and Personal Data Have Been Leaked Online.” Business Insider. April 03, 2021. https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4.

[5] Farmer, Ryan. “Facebook’s April 2021 Data Breach Explained.” StrongVPN Blog. April 30, 2021. https://blog.strongvpn.com/facebook-data-breach-april-2021/.


[6] “Facebook Downplays Data Breach in Internal Email.” BBC News. April 20, 2021. https://www.bbc.com/news/technology-56815478.

Devastating Data Breaches – Part 4: How Target Changed Credit Cards

In 2013, data breaches were common, but didn’t particularly weigh heavily in the public consciousness. While major data breaches had certainly occurred by that point, these breaches tended to affect less personal businesses. After all, Americans weren’t going into Yahoo or Equifax every week for grocery shopping. Data breaches tended to affect corporations that most people only interacted with online. Therefore, when a data breach occurred, it didn’t feel as personal. Combined with the equally impersonal picture of shadowy hackers stealing data from continents away, data breaches weren’t seen as a massive issue to the general population, but as an online nuisance.

Unfortunately, that mindset soon changed. In late 2013, in the middle of the holiday shopping season, Target fell victim to a data breach, with over 70 million people’s financial information becoming compromised [1]. While 70 million may sound paltry compared to Yahoo’s 3 billion leaked accounts, the damage to those 70 million victims was much more severe. Ultimately, this hack put data breaches on the mind of everyday citizens. After all, these hackers didn’t target a shadowy Internet business that only a few hundred people have physically been to. This hack targeted a popular chain of stores where millions of people shop every week.

In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches.

The Breach

In September 2013, the cybercriminals responsible for the attack began their strike on the popular retail chain. However, the hackers’ plans did not involve attacking Target directly, at least not yet. The cybercriminals targeted Fazio Mechanical Services, a contractor that provided Target with heating and air conditioning [2]. From Fazio and its approved credentials, the hackers then accessed Target’s network and quickly found access to Target’s point-of-sale (POS) systems. From there, the attackers installed malware that recorded credit card data. Finally, the hackers encrypted the credit card data and exfiltrated it right under Target’s nose.

Target became aware of a potential breach on November 30, when a Target security operations center in India recorded potentially malicious activity [1]. That activity was shared with the Target corporate office in Minneapolis, but no action was taken. Again, on December 2, malicious activity was found and reported, but no action was taken by the corporate office. Finally, on December 12, the US Department of Justice contacted Target about a potential data breach, and an investigation began [1]. One week later, Target publicly revealed the data breach.

All in all, over 70 million customer records and 40 million payment card credentials were stolen in the hack [3]. This information was put up for sale on the dark web, where any variety of cybercriminals could pay for the stolen financial data. The data breach not only included debit and credit card numbers, but PIN numbers as well, putting affected customers at a large financial risk. Overall, while 70 million victims may pale in comparison to other data breaches, the breach’s effect on those victims was enormous. 

The Fallout

In the years following the data breach, Target paid over USD $200 million in costs related to the hack [4]. Target could have paid much more, but the company had a cybersecurity insurance policy that covered about USD $90 million of the total cost [1]. Additionally, Target agreed to a settlement of USD $18.5 million to 47 state governments for further compensation to victims [4]. As part of the settlement, Target agreed to tighten its security measures, along with promising to separate its cardholder data from the rest of its computer network. Additionally, Target’s CEO, Gregg Steinhafel, resigned in May 2014, in the aftermath of the attack [4]. Although the breach certainly did not put Target out of business, it had a profound effect on the company’s financial security, along with consumer trust in the company.

To this day, just one person has been charged in connection to the attack. In 2018, a Latvian computer programmer named Ruslan Bondars was sentenced to 14 years in prison for creating a program that helped cybercriminals, including the perpetrators behind the Target attack, improve malware [5]. However, Bondars was not immediately connected to the attack. Cybersecurity experts hypothesize that Andrey Hodirevsky, a Ukrainian programmer who specializes in selling stolen financial information, was the mastermind behind the attack [5]. However, Hodirevsky has never been charged with the crime.

Finally, the Target data breach affected not only the victims, but spearheaded a massive change in credit card usage as well. Following the breach, Target was one of the first companies to offer credit cards with embedded microchips, which provides better security than the traditional magnetic swipe [3]. So while the Target attack affected millions of victims, it also helped encourage the necessary transition from magnetic swipes to chip cards.

Overall, the Target data breach highlights the importance of communications, especially when it comes to cybersecurity incidents. Had Target taken action earlier, the effects of the data breach could have been mitigated or even eliminated. Unfortunately, in the time it took for Target to realize something was wrong, the damage had already been done. Thankfully, Target quickly identified and eliminated the malware, and also ushered in the era of microchipped cards. 

Keep Your Data Secure with AXEL Go

AXEL Go is a secure file-sharing and storage software that puts you back in control of your data. From military-grade encryption to blockchain technology, AXEL offers the most stringent security for your most important files. If you’re ready to take back control of your data, try two weeks of AXEL Go for free here. To read more about AXEL Go, click here.

[1] Plachkinova, Miloslava, and Chris Maurer. “Teaching Case Security Breach at Target.” Journal of Information Systems Education 29, no. 1 (March 21, 2018). https://jise.org/Volume29/n1/JISEv29n1p11.pdf.

[2] Shu, Xiaokui, Ke Tian, Andrew Ciambrone, and Danfeng Yao. “Breaking the Target: An Analysis of Target Data Breach and Lessons Learned.” January 18, 2017. https://arxiv.org/pdf/1701.04940.pdf.

[3] Myers, Lysa. “Target Targeted: Five Years on from a Breach That Shook the Cybersecurity Industry.” WeLiveSecurity. December 13, 2018. https://www.welivesecurity.com/2018/12/18/target-targeted-five-years-breach-shook-cybersecurity/.

[4] Abrams, Rachel. “Target to Pay $18.5 Million to 47 States in Security Breach Settlement.” The New York Times. May 23, 2017. https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html.

[5] Weiner, Rachel. “Hacker Linked to Target Data Breach Gets 14 Years in Prison.” The Washington Post. September 21, 2018. https://www.washingtonpost.com/local/public-safety/hacker-linked-to-target-data-breach-gets-14-years-in-prison/2018/09/21/839fd6b0-bd17-11e8-b7d2-0773aa1e33da_story.html.

Devastating Data Breaches – Part 3: The Negligence of Equifax

Data breaches, in the traditional sense, have existed for centuries. Although we think of data breaches as a relatively new phenomenon due to the sheer prevalence of attacks we see today, data breaches have been causing headaches to businesses and consumers for a long, long time. Of course, before computers, a data breach meant the exposing of physical papers with confidential information on them. Before the Internet, the amount of damage that could be done was limited by the physical amount of data you could steal. After all, there’s only a finite amount of confidential papers a criminal can sneakily fit in a briefcase. Because of this, the amount of damage done by data breaches was limited.

However, once Internet usage became widespread, the potential damage of a data breach skyrocketed. Millions of consumer records could be stored digitally, ripe for the picking for any cybercriminal with enough knowledge and skill. Ultimately, the Internet ushered in the great data breach boom. And no case is more symbolic of this new trend than the Equifax data breach of 2017.

In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches.

Equifax’s Lax Security

Equifax, one of the three major credit bureaus in the United States, has held mountains of information on millions of Americans for decades. Of course, recording and analyzing this personal information is what a credit bureau does, and their existence is necessary in today’s world. However, because of the sheer amount of information that credit bureaus have, they also hold more responsibilities than most other businesses. Specifically, these businesses have increased responsibility for protecting data and preventing cybercrime. Unfortunately, Equifax reneged on this responsibility in 2017.

On March 7, 2017, Apache Struts, a software program that Equifax and thousands of other companies used, announced a security vulnerability in the software, and immediately sent an update to Equifax to patch the security hole [1]. For reasons unknown, the software was never updated by Equifax, creating a massive security vulnerability. Just a week later, Equifax ran a scan for unpatched systems, but the Apache Struts security hole was not flagged [1]. Ultimately, these two errors put Equifax’s data at massive risk, as the software’s security flaw was publicly known. Just a few days after Equifax’s initial error, the risk became realized.

The Breach

On March 10, 2017, the perpetrators first gained access to Equifax’s servers. However, the cybercriminals did not do much for the next few months, likely to evade detection by Equifax IT. However, by May, the hackers began their attack [2]. For the next two months, the hackers gained access to multiple Equifax databases, They then encrypted this data, and extracted it right under Equifax’s nose. Not long after, the perpetrators were in control of millions of Social Security numbers, birth dates, names, driver’s license numbers, and credit card numbers. After months of investigations, it was determined that the cybercriminals made away with the vital personal information of over 140 million people [3].

To make matters worse, Equifax could’ve had one last line of defense when the hackers were extracting the encrypted data. Most companies receive notifications when a large amount of encrypted data is exfiltrated. However, in another cybersecurity blunder by Equifax, the company failed to renew a vital security service that inspects encrypted data traffic [1]. Because of this, the hackers made away with the data with no detection.

The Response

In August 2017, Equifax became aware of the cybersecurity incident, but did not reveal the attack to the public until September [1]. While Equifax attempted to provide resources to those affected, even the company’s response to the attack was widely panned. For example, Equifax’s social media team directed affected consumers to incorrect web pages on multiple occasions [1]. Even worse, it was revealed that multiple Equifax executives sold USD $1.8 million in Equifax stock following the company’s discovery of the attack, but before it was publicly announced [4]. One executive, Equifax’s Chief Information Officer, was eventually convicted of insider trading related to the attack [5]. Simply put, Equifax’s response to the crisis was woefully inept, and the affected consumers were furious. Eventually, this frustration resulted in litigation.

In the following years, a class-action lawsuit was filed on behalf of the affected consumers, and Equifax’s penalty was steep. In July 2019, Equifax agreed to settle the case, paying USD $1.38 billion to resolve consumer complaints, and USD $380.5 million to those who were harmed by the breach [6]. While those numbers are large, the large number of victims meant that the maximum payout was only USD $125 [1]. Additionally, Equifax was required to provide free credit monitoring to all those affected by the breach.

For months, investigators waited for the stolen data to appear on the dark web to be sold to spammers and scammers. However, the stolen personal information never appeared. Ultimately, this led to the belief that state-sponsored actors were behind the attack. This meant the purpose of the attack was not to make money, but for espionage. For years, it was unknown who was behind the breach. However, in 2020, the United States Department of Justice abruptly charged four Chinese military members with the attack [1]. While the four potential perpetrators are unlikely to ever be extradited to stand trial, these charges at least provide a theory of who was behind this massive data breach.

Protect Your Data with AXEL Go

AXEL is committed to protecting your data from scammers, spammers, and cybercriminals. And the best way to fight against cyberattacks is to be prepared. That’s why AXEL Go, AXEL’s secure file-storage application, uses military-grade encryption and blockchain technology to safeguard your data. To try out AXEL Go’s unparalleled data security, sign up for a two-week free trial here

[1] Fruhlinger, Josh. “Equifax Data Breach FAQ: What Happened, Who Was Affected, What Was the Impact?” CSO Online. February 12, 2020. https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html.

[2] Riley, Michael, Jordan Robertson, and Anita Sharpe. “The Equifax Hack Has the Hallmarks of State-Sponsored Pros.” Bloomberg.com. September 29, 2017. https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros.

[3] Leonhardt, Megan. “Equifax to Pay $700 Million for Massive Data Breach. Here’s What You Need to Know about Getting a Cut.” CNBC. July 23, 2019. https://www.cnbc.com/2019/07/22/what-you-need-to-know-equifax-data-breach-700-million-settlement.html.

[4] Hudson, Phil. “Equifax Gets Blasted for Cybersecurity Hack on Social Media.” Bizjournals.com. September 8, 2017. https://www.bizjournals.com/atlanta/news/2017/09/08/equifax-gets-blasted-for-cybersecurity-hack-on.html.

[5] Liptak, Andrew. “Former Equifax Executive Sentenced to Prison for Insider Trading Prior to Data Breach.” The Verge. June 29, 2019. https://www.theverge.com/2019/6/29/20056655/jun-ying-equifax-breach-jail-time-insider-trading-department-of-justice.

[6] Brumfield, Cynthia. “Equifax’s Data Breach Disaster: Will It Change Executive Attitudes toward Security?” CSO Online. July 24, 2019.  https://www.csoonline.com/article/3411139/equifax-s-billion-dollar-data-breach-disaster-will-it-change-executive-attitudes-toward-security.html.

Devastating Data Breaches – Part 2: Marriott’s Merger Misfire

In the relatively short history of data breaches, most have followed a similar pattern. Generally, some bad actor gains access to classified data, and then leaks names, phone numbers, birthdates, and other semi-private pieces of information. While breaches like this can certainly have a negative impact on a business, the consequences aren’t as severe for the consumer when only semi-private information leaks. After all, bad actors can only do so much with a name and corresponding phone number. However, the consequences become much more serious when private data is lost. If information like credit card numbers, passwords, and social security numbers are leaked, it can have devastating financial consequences for those affected. Unfortunately, that is exactly what occurred in the case of the Marriott data breach in 2018.

In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches. 

The Background

In November 2015, Marriott made a massive purchase, announcing its bid to buy Starwood Hotels and Resorts. Following a bidding war, Marriott eventually acquired the hotel chain for USD $13.6 billion [1]. Hotels previously under the Starwood brand include Westin, Sheraton, and other luxury hotels popular with business travelers. This merger ultimately made Marriott the world’s largest hotel chain, with over 5,700 properties worldwide following the acquisition [2]. Unfortunately, Marriott’s acquisition of Starwood did not only include Starwood’s hotel properties, but its outdated cybersecurity infrastructure as well.

In 2014, a bad actor gained access to Starwood’s network and began to extract customer data from the company’s reservation system. Starwood’s network was already seen as particularly susceptible in 2014, and cybercriminals seized on that opportunity [3]. However, this attack went unnoticed for years, even as Starwood was being acquired by Marriott. In fact, most of Starwood’s information technology and security staff were laid off following the merger [3]. Ultimately, this created the perfect storm for the hackers; an outdated, compromised reservation system with little security to watch over them. Even after the merger, Marriott still used Starwood’s reservation system for its former properties, continuing to put customer data at risk. And in 2018, that risk became realized.

The Breach

In September 2018, Marriott’s cybersecurity team found a suspicious attempt to gain access to Starwood’s guest reservation database. After investigating, Marriott found that bad actors had gained access, encrypted the guest reservation data, and extracted that data over four years [3]. Ultimately, Marriott estimated that 500 million guest records had been leaked. Even worse, the records contained highly personal information, including credit card numbers and passport numbers.

Worst of all, however, the breach was entirely preventable. While Starwood did encrypt credit card numbers on its server, it kept the encryption keys on the same server, making it painfully easy for the cybercriminals to extract the data [3]. Additionally, the majority of passport numbers were not encrypted at all. Combined with Starwood and Marriott failing to recognize or change its poor cybersecurity, this was a cyberattack that simply would not have happened if not for the negligence of the companies involved.

Eventually, investigators determined that the perpetrators of the cyberattack were Chinese state actors [4]. While most cyberattacks are committed by criminals who wish to sell the leaked data and make a quick buck, this attack had a very different purpose. Investigators hypothesize that China wished to track the movement and gain information on American businesspeople, military personnel, and diplomats. Ultimately, Chinese officials wished to gain this information to find potential candidates to approach to become spies for China [4]. This made the leaked passport numbers, a rarity in most data breaches, particularly valuable for the perpetrators of the cyberattack.

Lessons From the Attack

Following the breach, Marriott faced criticism from individuals and governments alike. While class action lawsuits originated in the United States mostly failed to gain traction in court, Marriott faced a myriad of fines overseas. In fact, Marriott was fined GBP £18.4 million, or approximately USD $25 million, for violating the General Data Protection Regulation, the EU’s overarching privacy law [5]. However, many of the expenses related to the attack were covered by Marriott’s cybersecurity insurance, a growing industry due to the sheer prevalence of cyberattacks in modern times [3].

While cybersecurity insurance incurred many of the costs, irreparable harm was done to Marriott’s image due to its mistakes. First and foremost, the company’s decision to continue using an outdated, vulnerable reservation system even after the merger proved to be catastrophic. While business mergers are undoubtedly a time of great turmoil, the negligence of Marriott’s cybersecurity is unforgivable, as it put millions at risk. Additionally, Marriott’s poor encryption made the data easy to find and extract. While some businesses are simply unlucky when it comes to cyberattacks, Marriott did not suffer because of bad luck, but its own negligence.

Protect Your Data with AXEL Go

Using a secure file storage system is the key to protecting your data from breaches and ransomware attacks. That’s where AXEL Go comes in. Offering military-grade encryption and decentralized blockchain technology, AXEL Go is the best way to protect yourself and your business from unauthorized cybercriminals. With devastating cyberattacks not going away any time soon, secure file-sharing is a necessity for businesses and individuals. If you’re ready to get the best protection, try two free weeks of AXEL Go here.

[1] Smith, Aaron. “Marriott Starwood Merger Creates World’s Biggest Hotel Company.” CNNMoney. November 16, 2015. https://money.cnn.com/2015/11/16/investing/marriott-starwood-hotel/index.html.

[2] “Meet the Biggest Hotel Chains in the World.” Hospitality News & Business Insights by EHL. https://hospitalityinsights.ehl.edu/biggest-hotel-chains.

[3] Fruhlinger, Josh. “Marriott Data Breach FAQ: How Did It Happen and What Was the Impact?” CSO Online. February 12, 2020. https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html.

[4] Nakashima, Ellen, and Craig Timberg. “U.S. Investigators Point to China in Marriott Hack Affecting 500 Million Guests.” The Washington Post. December 12, 2018. https://www.washingtonpost.com/technology/2018/12/12/us-investigators-point-china-marriott-hack-affecting-million-travelers/.

[5] “ICO Fines Marriott International Inc £18.4million for failing to Keep Customers’ Personal Data Secure.” ICO. October 30, 2020. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-marriott-international-inc-184million-for-failing-to-keep-customers-personal-data-secure/.

Devastating Data Breaches – Part 1: The Hard Fall of Yahoo

Data breaches can affect any business. It’s an unfortunate fact, but in today’s digital world, there are so many technologically savvy criminals who seek to make money and wreak havoc upon millions. Cyberattacks can affect anyone, from the smallest neighborhood shop to the largest multinational corporations. However, while small businesses are affected constantly, the data breaches that affect large corporations are the ones that receive the most news coverage. And while the number of cyberattacks has risen in recent years, no incident comes close to the number of victims as the back-to-back data breaches Yahoo faced in 2013 and 2014.

In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches. 

The History of Yahoo

From the late 1990s until the late 2000s, Yahoo was among the giants of Silicon Valley. Although the company never dabbled in hardware, it focused on one utility: Web services. And in the early years of the Internet, no one did web services better than Yahoo. Following in the footsteps of AOL, Yahoo’s first business model was organizing new web pages into categories in the early 1990s. When this proved successful, Yahoo quickly expanded into other web services, including email, instant messaging, news, and games [1]. With these services, Yahoo truly hit the mainstream. Throughout the 2000s, Yahoo remained popular, but began to lag behind tech newcomers like Google, Facebook, and their suites of web services. Following years of underperformance, Yahoo was struggling in the early 2010s. Unfortunately, Yahoo’s problems were only just beginning.

The Breach(es)

In August 2013, an unknown third party gained access to Yahoo data, making away with names, birth dates, phone numbers, and poorly encrypted passwords [2]. For three years following the breach, Yahoo was unaware of this unauthorized digital theft. However, in August 2016, Yahoo accounts were seen for sale on the dark web. Later, three separate buyers bought this stolen data for USD $300,000. To this day, Yahoo and federal investigators do not know the culprit of the 2013 hack [2].

In addition to the 2013 breach, Yahoo faced another cybersecurity crisis just a year later. In December 2014, Yahoo fell victim to another data breach, losing usernames, phone numbers, passwords, and security question answers to at least 500 million Yahoo accounts [3]. It was later revealed that the hack was the responsibility of four men hired by Russia, who sought the personal information of American intelligence officers [3]

In contrast to the 2013 breach, however, Yahoo executives were made aware of the hack soon after it occurred. Even when Yahoo was set to be acquired by Verizon in 2016, the company stated that it was aware of only four minor breaches [4]. Even in June 2016, Yahoo’s security team was aware that hundreds of millions of accounts were compromised, yet the company failed to inform Verizon or the public until September 2016.

The Fallout

Finally, in September 2016, Yahoo announced to Verizon and the public its knowledge of the 2014 breach. At the time, Yahoo estimated that 500 million accounts were compromised in the attack. In December 2016, Yahoo became aware of the 2013 attack and announced that an estimated one billion accounts were affected by the incident. While an estimated 1.5 billion compromised accounts is a nightmare for any business, the hacks and fallout occurred during a time of turmoil and transition for Yahoo. In fact, after the announcement of the 2014 hack, Yahoo lowered its purchase price to Verizon by $350 million [4]. Unfortunately, the news soon got worse for Yahoo. The company’s initial estimate of affected accounts was far from the true scale of the breaches.

In October 2017, Yahoo announced that all of its accounts were compromised in the two hacks. Over 3 billion accounts were ultimately affected by the breaches. Following the public reveal of the 2013 hack, Yahoo forced all of its users to change their passwords [5]. While this was a smart, necessary step, much of the damage had already been done. Usernames, phone numbers and birthdates were, unfortunately, already vulnerable.

Following the revelations of the breaches, Yahoo faced serious scrutiny from consumers and investigators alike. Following investigations, Yahoo was fined USD $35 million by the Securities and Exchange Commission (SEC) not for the breaches themselves, but for failing to disclose its knowledge of the 2014 breach until two years later [4]. In fact, this was the first time the SEC ever fined a public company for failure to disclose knowledge of data breaches. Additionally, Yahoo settled a class-action lawsuit for USD $80 million. Ultimately, Yahoo was punished for the cover-up, rather than the actual breaches. Unfortunately, the steep punishment simply did not outweigh the damage done to Yahoo and its customers.

Protecting Your Data

Although October is designated as Cybersecurity Awareness Month, true protection from data breaches and cyberattacks requires a year-long commitment. That’s where AXEL Go comes in. AXEL Go is a secure file-sharing and storage software that prioritizes data protection. Offering military-grade encryption and decentralized blockchain technology, AXEL Go is the best way to protect yourself or your business from cybercriminals. Put simply, your vital information deserves the best protection. If you’re ready to try the best protection, get two free weeks of AXEL Go here

[1] Greenberg, Julia. “Once Upon a Time, Yahoo Was the Most Important Internet Company. Now It’s Struggling.” Wired. November 23, 2015. https://www.wired.com/2015/11/once-upon-a-time-yahoo-was-the-most-important-internet-company/.

[2] Perlroth, Nicole. “All 3 Billion Yahoo Accounts Were Affected by 2013 Attack.” The New York Times. October 03, 2017. https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html.

[3] Goel, Vindu, and Eric Lichtblau. “Russian Agents Were Behind Yahoo Hack, U.S. Says.” The New York Times. March 15, 2017. https://www.nytimes.com/2017/03/15/technology/yahoo-hack-indictment.html?_r=0.

[4] “The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far).” The National Law Review. May 11, 2018. https://www.natlawreview.com/article/hacked-hacker-hire-lessons-yahoo-data-breaches-so-far.


[5] Goel, Vindu, and Nicole Perlroth. “Yahoo Says 1 Billion User Accounts Were Hacked.” The New York Times. December 14, 2016. https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html.

Data Breaches are Here to Stay (For the Unprepared)

On August 18, T-Mobile announced that a recent data breach has affected over 40 million customers. Thankfully, it appears that no financial information was leaked. However, in a statement, T-Mobile stated “While our investigation is still underway and we continue to learn additional details, we have now been able to confirm that the data stolen from our systems did include some personal information.” Those responsible for the breach targeted T-Mobile credit applications, putting names, phone numbers and social security numbers at risk [1].

This massive data leak is just one of many that have occurred in recent years. From banks to superstores, data breaches have affected businesses in every industry, putting customers at risk. With this never-ending barrage of data breaches occurring, it’s fair to ask: When will they stop?

Well, we simply don’t know. If businesses continue to neglect cybersecurity, data breaches will remain common and catastrophic. However, there are ways to minimize this risk. Simply taking the time to protect your data is the key to preventing these massive, costly data breaches. After all, protecting your data is a lot easier than dealing with a massive data breach. Just ask Equifax.

The Equifax Data Breach

In 2017, Equifax, a consumer credit reporting agency, fell victim to a massive cyberattack and data breach. In the attack, over 160 million customers’ personal information was leaked, including names, phone numbers, social security numbers, driver’s license numbers and more [2].

In addition to the massive security breach, Equifax’s response to the attack was criticized as well. Although Equifax learned of the attack in July 2017, it was not announced publicly until September 2017. Additionally, Equifax social media directed customers to unofficial sites not owned by Equifax, putting clients further at risk of phishing attacks [3]. Put simply, the Equifax data breach showed what a business should not do in the event of a data breach. From poor communication to a lackadaisical response to the sheer scale of the breach, Equifax was largely unprepared for the breach and its consequences.

But how did the breach occur? While some data breaches can be the consequence of an honest mistake, this was anything but. Equifax was targeted because of its refusal to update its security software. In March 2017, an update for Equifax’s security software was released, but the update was not immediately installed. Quickly, cybercriminals realized there was a security hole in the older version of the software. Then, in May 2017, cybercriminals found that Equifax’s dispute portal still used the flawed security software. They gained access to documents that contained customers’ personal information, and slowly extracted the data over 76 days to avoid detection. As the attackers continued to extract the data, Equifax learned of the breach on July 29, and quickly shut off access. However, by the time Equifax cut off access to the criminals, the damage had already been done.

Why do Criminals Want Your Data?

While data breaches can be catastrophic to consumers, they can lead to big paydays for hackers. For the T-Mobile breach, the release of phone numbers can lead to increased phishing attempts among victims. And because the criminals have access to each phone number’s accompanying name, they can craft a much more convincing phishing text message. If customers fall for the trick, it puts the rest of their data, including financial information, at risk.

If cybercriminals gain access to financial information in a data breach, the consequences can be even more severe. Using this financial information, the hackers (or those who buy the data from the hackers) can open new credit lines, receive loans, or file false tax returns. And because these financial agreements are under your name, you could be on the hook for paying it back.

How do Data Breaches Happen?

While the cause of T-Mobile’s breach is not immediately apparent, Equifax’s cause certainly is clear: Negligence of cybersecurity. Treating cybersecurity as an afterthought is the main cause of many data breaches. Attackers often use phishing techniques and malware in order to gain access to valuable data. For example, when Target was the victim of a data breach in 2013, the attackers stole credentials and installed malware to Target’s software to extract names and credit card numbers [4]

In addition to outside cybercriminals, insider attacks pose a threat to businesses as well. In fact, employee error is the main cause of most data breaches [5]. While most of these breaches are small and have few negative consequences, it shows that outside actors are not the only cybersecurity risk. 47% of business leaders say that human error has caused a data breach in their organization. From losing a device to unintentionally sending confidential emails, internal data breaches certainly pose a threat. Thankfully, there are ways to minimize this risk.

How to Minimize the Risk of a Data Breach

One of the best ways for businesses to prevent a data breach is to encrypt confidential files. With strong encryption, files are unintelligible to unauthorized attackers, making your data useless to cybercriminals. So even if attackers gain access to your documents, encryption blocks the attackers from understanding the data. This ensures that your documents are usable for you, but worthless to criminals.

For individuals, there are easy strategies to minimize harm if your data is leaked. One easy technique to protect yourself is to use different passwords for different accounts. If you use the same password for all of your accounts, just one leak can make all of your accounts at risk. Therefore, it’s important to use different passwords for all your online accounts to ensure one leaked password doesn’t compromise all of your accounts. Additionally, simply checking your credit card history and credit reports can help stop identity theft after a data breach. If you catch fraud early, it can be stopped. Simply using these two techniques can help minimize the damage of a data breach if your information is compromised.

AXEL Offers Unparalleled Protection

AXEL believes that privacy is a human right. With this in mind, we created AXEL Go, a secure file-sharing and storage software. Offering industry-leading encryption and decentralized blockchain technology, AXEL Go is the best way to protect yourself or your business from unauthorized cybercriminals. Put simply, personal information deserves the best protection. If you’re ready to try the best protection, get two free weeks of AXEL Go here

[1] Schwartz, Mathew J., and Ron Ross. “T-Mobile: Attackers Stole 8.6 Million Customers’ Details.” Data Breach Today. August 18, 2021. https://www.databreachtoday.com/t-mobile-attackers-stole-86-million-customers-details-a-17314?rf=2021-08-19_ENEWS_ACQ_DBT__Slot1_ART17314&mkt_tok=MDUxLVpYSS0yMzcAAAF-_hUkPD9ryUOmFe0rRKxJ3eQA_mnHG9wpo_qAsffgZRgbqIV4FLolYFKr0A7f0CcMmHSwwy3ta4adyJhcjljmHueKFGYuyCT0ezu_kdFj7GYGdCBegA.

[2] Ng, Alfred. “How the Equifax Hack Happened, and What Still Needs to Be Done.” CNET. September 07, 2018. https://www.cnet.com/tech/services-and-software/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/.

[3] Morse, Jack. “Equifax Has Been Directing Victims to a Fake Phishing Site for Weeks.” Mashable. June 10, 2021. https://mashable.com/article/equifax-twitter-phishing-site-facepalm

[4] McCoy, Kevin. “Target to Pay $18.5M for 2013 Data Breach That Affected 41 Million Consumers.” USA Today. May 23, 2017. https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/.

[5] Reinicke, Carmen. “The Biggest Cybersecurity Risk to US Businesses Is Employee Negligence, Study Says.” CNBC. June 21, 2018. https://www.cnbc.com/2018/06/21/the-biggest-cybersecurity-risk-to-us-businesses-is-employee-negligence-study-says.html.