A data breach occurs when an unauthorized person (hacker) gains access to confidential information for personal or political gain.
Data breaches frequently lead to identity theft and financial losses. They have become increasingly common over the past several years, and often lead to lawsuits on behalf of consumers.
As of April 2016, 227 data breaches had already exposed more than 6.2 million records for the year 2016, according to the Identity Theft Resource Center (ITRC). The number of breaches is 10% higher compared to that point in 2015.
According to Statista, there were 169 million records exposed in 2015—more than double the number exposed in 2014 (85,610,000). The past two years have also had the two highest occurrences of breaches, with 783 in 2014 and 781 in 2015. No other year eclipsed 700, or even 670. (Please note that there are conflicting statistics on data breaches. The Breach Level Index, for example, puts the number of 2015 breaches much higher: 1,673.)
Data breaches are a growing threat, and as technology becomes more pervasive, they could become even more common.
Breaches Occur Across Industries
The Breach Level Index (BLI) organizes breaches by industry:
- Retail: 29.87%
- Government: 21.49%
- Technology: 17.97%
- Other: 11.51%
- Financial: 11.47%
- Healthcare: 7.69%
Unfortunately, the breaches are so spread out that there is not a single sector a person can avoid to feel more secure.
The BLI also attributes the majority of breaches (57.91%) to malicious outsiders, plus 15% to malicious insiders—and only 23.29% to accidental loss.
More often, hackers steal data to sell it to the highest bidder, commit credit card fraud, and/or make a political statement.
Mega-Breaches Compromise Hundreds of Millions
In September 2016, Yahoo announced that 500 million users’ personal information had been stolen in 2014. This information included names, email addresses, dates of birth, passwords, etc.
A few months prior, in May 2016, several social media mega-breaches came to light: MySpace, LinkedIn, and Tumblr all announced that their users’ data had been compromised years prior, in 2012 and 2013. (LinkedIn had previously announced the breach, but underestimated its size by about 100 million users.) Hundreds of millions of email addresses and passwords are now for sale on black market forums.
Troy Hunt is a Regional Director for Microsoft, a web security expert, and the founder of Have I Been Pwned, an invaluable website that allows users to check whether their data has been compromised in a breach. He was floored by the size and scope of the mega-breaches, and noticed some disturbing patterns:
Just now, I’ve finished loading tumblr into Have I been pwned (HIBP) with a grand total of over 65 million records dating back to 2013. That rounds out the total number of records loaded in just the last 6 days to 269 million, not that much less than I had in the entire system just a week ago. It’s also the second data breach I’ve personally appeared in over that period, my 6th overall. (Incidentally, you may see various different stats on the exact number of addresses in the tumblr breach due to data idiosyncrasies such as the way deactivated accounts were flagged.)
But all of these will pale in comparison when the much-touted MySpace breach of 360 million records turns up. Whilst I’ve not seen a date on when the breach actually occurred, c’mon, it’s MySpace and you know it’s going to date back a way.
Mr. Hunt also notes the massive size of the breaches (they comprise four of the five largest ever) and wonders if they’re related, given that they all occurred and then surfaced around the same time.
Perhaps the only silver lining to this growing security threat is that it’s finally getting the media attention and boost in consumer awareness that it deserves.
Notable Web Breaches
The Yahoo breach is the largest web breach ever, while MySpace is second, and LinkedIn third:
- Yahoo: approx. 500,000,000 accounts exposed
- MySpace: 359,420,698 accounts
- LinkedIn: 164,611,595 accounts
- Adobe: 152,445,165 accounts
- Badoo: 112,005,531 accounts
- VK: 93,338,602 accounts
- Dropbox: 68,648,009 accounts
- Tumblr: 65,469,298 accounts
The list above does not include highly publicized retail breaches like those at Home Depot and Target, which endangered tens of millions of consumers and cost these companies tens of millions of dollars.
Breaches in Other Sectors
Data breaches are not confined to websites like LinkedIn and Tumblr. Major retailers, medical/healthcare companies, and financial institutions are also susceptible to these hacks.
For example, in 2016, Wendy’s suffered a breach that compromised roughly 300 of its 5,500 restaurants. That means any customer who used a credit card at one of these 300 restaurants is now vulnerable to credit card fraud. (In addition to consumers, these kinds of breaches also put a considerable burden on credit card companies, who must respond to a flood of fraud claims and canceled cards.)
Here are some of the notable breaches in these industries, and the class action settlements that have resulted (see below: “Data Breach Lawsuits”):
- Home Depot (affected 50 million cardholders): $19.5 million settlement
- Sony (PlayStation network breach): $15 million
- Target: $10 million
- Sony (employee information breach): $8 million
- Stanford University Hospital and Clinics: $4.1 million
- AvMed Inc.: $3.1 million
- Vendini: $3 million
- Schnuck Markets: $2.1 million
But a data breach doesn’t go away after a company updates their security measures and settles a lawsuit, or after a consumer updates his or her password or PIN. A breach that occurred years ago can come back to haunt the users whose information was stolen.
Breaches Can Have Ripple Effect
The danger of a breach lies not in a hacker having a person’s MySpace or LinkedIn password, necessarily, but in millions of people using the same email and password combination for their bank or credit card account, Amazon account, etc. Too often, people recycle passwords across myriad accounts over many years: this is a hacker’s dream.
If anyone should know better, it’s Facebook founder and CEO Mark Zuckerberg. But even Mr. Zuckerberg had his Twitter, Instagram, and Pinterest accounts hacked in June 2016 after a group called OurMine Team gained access to Mr. Zuckerberg’s password via the LinkedIn breach (see above: “Mega-Breaches”).
Mr. Zuckerberg’s password, according to OurMine Team? The all-lowercase, easy-to-crack “dadada.”
Data Breach Lawsuits
When a company fails to exercise reasonable care in protecting their customers’ information, and a breach occurs, affected consumers may be able to join together and file a data breach lawsuit against the company. These lawsuits can net plaintiffs millions of dollars in damages—which is only fair given how devastating a breach can be to a person’s personal finances, reputation, and/or credit score.
Home Depot agreed to pay $19.5 million to consumers after its data breach: $13 million to reimburse shoppers for losses and $6.5 million toward identity protection services.
Theirs is just one of many multimillion-dollar settlements that have been reached after major data breaches (see above: “Breaches in Other Sectors”). Sony paid $15 million to settle a data breach suit—and $8 million to settle another. Target paid $10 million. LinkedIn paid $1.25 million to settle theirs, which, in hindsight, seems like a bargain.
In general, companies much prefer settling cases out of court to going to trial. That is especially true with data breach lawsuits, because there is almost no court precedent for these kinds of cases. Companies like Home Depot and Sony have no idea what would happen if they went to trial to fight a data breach suit, which is a scary prospect.
How Consumers Can Fight Back
At Morgan & Morgan, our attorneys are dedicated to helping consumers who suffered financial and reputational harm as a result of a data breach. We help the people hold the powerful accountable by filing lawsuits against the companies that were subject to these invasive breaches.
If your credit card information, social security number, or other private information was stolen as a result of a data breach, we would like to hear from you. Contact us for a free, no-obligation case review.