10 Data Breaches that Fuel CISO Nightmares
The Chief Information Security Officer vs. Data Breaches
These are challenging times for the chief information security officer (CISO). As cyberattacks become more common and sophisticated, the CISO must address urgent risks posed by insider threats, data breaches, and the ever-dreaded ransomware attack while simultaneously advancing initiatives around infrastructure security, cyber attack prevention, and cyber security best practices such as Zero Trust networking.
The stakes are high and the pressure is on—88 percent of CISO executives report high stress levels, half are experiencing mental health issues, and a third have even suffered stress-related physical health problems.
The distress of the CISO is entirely understandable. The damage caused by data breaches can take many forms. Some incidents make the “biggest data breaches” list based on sheer number of users impacted.
Others make headlines based on financial consequences or the sensitive nature of the data involved. Add up the consequences of data breaches, and it’s a wonder today’s chief information security officer gets any sleep at all.
Consider the scope and diversity of just a few notable data breaches in recent years.
The Big 10 Data Breaches:
1. Yahoo Data Breach, 2013
Affecting three billion user accounts, the Yahoo data breach came at a particularly inopportune time as Yahoo was close to completing its acquisition by Verizon. The embarrassing disclosure—which the company kept quiet for over three years—didn’t quite derail the deal, but it did lower the amount Verizon paid for the acquisition by a whopping $350 million. Meanwhile, an unrelated incident in 2014 saw state-sponsored cyber criminals steal the data of 500 million users thanks to a careless click on a phishing email—one of the most common insider threats companies currently face. Once again, the company chose to hide the incident until 2016, when its stolen data appeared for sale on the dark web. It’s hard to maintain the trust of customers—and potential M&A partners—when you’re falling short on cyber security best practices.
2. Aadhaar Data Breach, 2018
The world’s largest identity database, Aadhaar contained the name, gender, contact information, and biometric data of more than 1.1 billion Indian citizens—all of which ended up in the hands of hackers. Created by the Unique Identification Authority of India in 2009, Aadhaar issued unique identity numbers required for everything from applying for state aid or financial assistance to buying a cellular SIM card, opening a bank account, or enrolling in utilities. Claims that the system was “hack-proof” were viewed skeptically by experts concerned about insider threats, and breach of the system further undermined its credibility on security—yet another factor in its troubled rollout to the Indian public.
3. LinkedIn Data Breach, 2021
As a business-centric social network, LinkedIn is supposed to be a trusted environment for professionals to connect. When hackers stole the email addresses, phone numbers, geolocation records, gender, and other data of 700 million of its members—more than 90 percent of its user base—this illusion of safety was shattered. The second large-scale LinkedIn data breach in less than a decade, the incident exposed members to increased risk of phishing attacks and other social engineering exploits.
4. Facebook Data Breach, 2019
From the Cambridge Analytica scandal to widespread suspicion about its behavioral tracking and advertising targeting practices, Facebook faces an uphill battle convincing the public that it can be a responsible steward of user data. When a Facebook data breach saw the personal data of more than 530 million users fall into the hands of hackers—and subsequently made available for free—that battle became all the more daunting. The company’s decision not to disclose exactly which users had been affected by the incident hardly helped matters.
5. Syniverse Data Breach, 2021
Sometimes it’s the duration of a security incident that raises eyebrows. In 2021, Syniverse, a messaging provider at the core of the global telecommunications infrastructure, revealed that hackers had taken up residence in its systems for a period of years, enjoying access to some 500 million records. The incident sounded alarms at both telecommunications companies and government agencies around the world—especially given the likely role of the company’s lax attitude about cyber security best practices in the breach. By 2020, a new generation of Syniverse secure connectivity solutions suggested that the company had finally seen the light about Zero Trust networking.
6. Capital One Data Breach, 2019
Insider threats don’t always originate within the organization itself. Affecting more than 105 million customers, the Capital One data breach hinged on the misuse of privileged access by a former employee of Amazon Web Services. Zero Trust networking could have prevented this; instead, the attacker gained access to personal credit card information, social security numbers, bank account details—everything hackers would need to perpetuate identity theft, fraud, and other crimes. The company ultimately settled a class action lawsuit for $190 million, on top of a $80 million fine paid to by the U.S. Office of the Comptroller of the Currency. Still, the company got off light compared to the $350 million settlement paid by T-Mobile following a 2021 breach.
7. CommonSpirit Data Breach, 2022
While data breaches technically involve unauthorized viewing or use of customer data, hackers can also create havoc simply by rendering a data inaccessible—in other words, launching a ransomware attack. When CommonSpirit Health was struck by a ransomware gang in October 2022, the nationwide health system was forced to take the electronic health records of its patients offline, in addition to patient portals and other systems. More than a month later, CommonSpirit Health was still working to get back online. The disruption to patient care, practitioner support, and business operations has been widespread.
8. Marriott Data Breach, 2018
Cyber criminals are bad enough—but some data breaches rise to the level of international espionage. That seems to have been the case with the theft of sensitive data of 500,000 guests of Marriott’s Starwood hotels. The company was fined a relatively modest £18.4 million by a U.K. government agency for its failure, but the full implications of the incident were hinted at when the New York Times attributed the attack to a Chinese intelligence group seeking data on U.S. citizens.
9. Equifax Data Breach, 2017
Surely the gold standard of data breaches, the Equifax hack compromised the most sensitive personal financial data imaginable of 147 million people. A post-mortem suggested that the company’s network design had been insufficiently segmented, a glaring failure to follow Zero Trust networking principles. Even worse, the company’s slow response and notification process—during which Equifax executives dumped large amounts of stock—raised suspicions of insider trading. For a company whose business is built on credibility, that’s not a good look. And it’s not a good feeling when you end up paying a $700 million settlement, either.
10. Republican National Committee Data Breach, 2017
With public cynicism and disillusionment about U.S. politics at an all-time high, the Republican National Committee chose an inopportune time to be careless with cloud security. The committee’s data vendors left the privileged data of more than 198 million Americans—including not only names and birth dates, but party affiliation, ethnicity, race, gender, religion, and even their views on sensitive political issues—entirely unprotected on a public-facing server. The inevitable 1.1 TB breach shocked voters about not only sloppy cyber security best practices, but also the growing role of big data in analyzing, shaping, and manipulating their political views.
Best Practices to Preserve Chief Information Security Officer Sanity
With cyber risk and chief information security officer burnout both at unprecedented levels, cyber security best practices have never been more important. The biggest data breaches often begin with relatively minor oversights such as excess privileges, system misconfigurations, and employee oversights and errors.
For that reason, companies need to weave cyber attack prevention throughout their infrastructure security strategy. Zero Trust networking can help prevent both external and insider threats and limit the impact of any breach that does occur. Enterprise malware protection may seem old-school, but it’s a tried-and-true method to prevent many types of ransomware attacks. Careful vendor selection is vital as well; the best cyber security companies can offer advanced capabilities like AI-powered threat detection, integrated threat intelligence, SSL inspection, security information and event management (SIEM) integration, network micro-segmentation, real-time extended detection and response (XDR), and more.
How A10 Networks helps prevent data breaches
A key data protection challenge for CISOs is the Zero Trust blind spot created by SSL/TLS encryption. Simply put, network traffic that’s encrypted to prevent snooping by hackers is also rendered opaque to security solutions—making it impossible to detect ransomware, malware, data exfiltration, and other threats.
As an ally and resource for CISOs under siege, A10 Networks eliminates this blind spot by making it possible to decrypt traffic for inspection, then re-encrypt it to continue its journey in or out of the organization. To avoid the performance, cost, and scalability issues that come with device-by-device SSL inspection, A10 Networks Thunder® SSL Insight® takes a centralized, decrypt-once, inspect-everywhere approach that allows inspection by as many devices as needed, including NGFW, IPS, IDS, ATP, SWG, DLP, and antivirus, without repetitive decryption and re-encryption. In this way, organizations can detect data breaches and cyber-attacks while enforcing security and regulatory compliance standards. A10 Networks Harmony® Controller, which provides centralized management and analytics for A10 secure application services, offers actionable insights into real-time traffic encryption activity.
As cyber criminals work overtime to innovate new forms of threats and attacks, life isn’t likely to get much easier for the chief information security officer. But with the right tools, strategies, and best practices, they can keep their data out of the hands of hackers—and keep their company’s name out of articles like this one.