(Updated November 30, 2018)
A data breach occurs when an unauthorized person gains access to confidential information for personal or political gain.
Data breaches frequently lead to identity theft and financial losses.
Data breaches frequently lead to identity theft, financial losses, and lawsuits. They have become increasingly common over the past several years, and often lead to lawsuits on behalf of consumers—especially in the case of Yahoo, which has had at least 1.4 billion accounts exposed.
Marriott, the world's largest hotel chain, suffered a massive breach as well, which may have impacted up to 500 million consumers.
According to a report from Risk Based Security, there were more than 4.2 billion records exposed in 2016. While the number of data breaches largely remained the same from the previous year, the number of mega breaches like Yahoo's have increased. Data breaches are a growing threat; as technology becomes more pervasive, they could become even more common.
If you or a loved one suffered losses from a data breach, please contact us for a free legal consultation. Our attorneys are some of the most qualified and experienced in the world at handling these types of cases.
Breaches Occur Across Industries
The Breach Level Index (BLI) organizes breaches by industry:
- Retail: 29.87%
- Government: 21.49%
- Technology: 17.97%
- Other: 11.51%
- Financial: 11.47%
- Healthcare: 7.69%
Unfortunately, the breaches are so spread out that there is not a single sector a person can avoid to feel more secure.
The BLI also attributes the majority of breaches (57.91%) to malicious outsiders, plus 15% to malicious insiders—and only 23.29% to accidental loss.
More often, hackers steal data to sell it to the highest bidder, commit credit card fraud, and/or make a political statement.
Mega-Breaches Compromise Billions
In December 2016, Yahoo announced that 1 billion users' information had been stolen in August 2013. This occurred just a few months after Yahoo announced that 500 million users' data had been breached in 2014. This information included names, email addresses, dates of birth, phone numbers, passwords, etc. (Check these FAQs on the Yahoo data breach and how it might affect you.)
In June 2018, a breach affecting marketing and data aggregation firm Exactis was discovered. The breach exposed highly sensitive information like phone numbers, home and email addresses, and personal interests and preferences of 230 million consumers and 110 million businesses. Attorney John Yanchunis filed a lawsuit against Exactis, pending class-action status, on June 29, 2018.
Furthermore, in May 2016, several social media mega-breaches came to light: MySpace, LinkedIn, and Tumblr all announced that their users’ data had been compromised years prior, in 2012 and 2013. (LinkedIn had previously announced the breach, but underestimated its size by about 100 million users.) Hundreds of millions of email addresses and passwords are now for sale on black market forums.
Troy Hunt is a Regional Director for Microsoft; web security expert; and founder of Have I Been Pwned, an invaluable website that allows users to check when their data has been compromised in a breach. He was floored by the size and scope of the mega-breaches.
Perhaps the only silver lining to this growing security threat is that it’s finally getting the media attention and boost in consumer awareness that it deserves.
Notable Web Breaches
The Yahoo breaches are the largest web breaches ever, followed by Marriott, MySpace, and Exactis:
- Yahoo (2013): approx. 1 billion accounts exposed
- Yahoo (2014): approx. 500,000,000 accounts exposed
- Marriott (2018): approx. 500,000,000 accounts exposed
- MySpace: 359,420,698 accounts
- Exactis: 340,000,000 accounts
- LinkedIn: 164,611,595 accounts
- Adobe: 152,445,165 accounts
- Badoo: 112,005,531 accounts
- VK: 93,338,602 accounts
- Dropbox: 68,648,009 accounts
- Tumblr: 65,469,298 accounts
The list above does not include highly publicized retail breaches like Anthem, Home Depot, and Target, which endangered tens of millions of consumers and cost these companies tens of millions of dollars.
Breaches in Other Sectors
Data breaches are not confined to websites like LinkedIn and Tumblr. Major retailers, medical/healthcare companies, and financial institutions are also susceptible to these hacks.
For example, in 2016, Wendy’s suffered a breach that compromised roughly 300 of its 5,500 restaurants. That means any customer who used a credit card at one of these 300 restaurants is now vulnerable to credit card fraud. (In addition to consumers, these kinds of breaches also put a considerable burden on credit card companies, who must respond to a flood of fraud claims and canceled cards.)
Here are some of the notable breaches in these industries, and the class action settlements that have resulted:
- Anthem (affected up to 80 million customers): $115 million settlement
- Target: $28.5 million ($18.5 million for states, $10 million for consumers)
- Home Depot (affected 50 million cardholders): $19.5 million settlement
- Sony (PlayStation network breach): $15 million
- Sony (employee information breach): $8 million
- Stanford University Hospital and Clinics: $4.1 million
- AvMed Inc.: $3.1 million
- Vendini: $3 million
- Schnuck Markets: $2.1 million
But a data breach doesn’t go away after a company updates their security measures and settles a lawsuit, or after a consumer updates his or her password or PIN. A breach that occurred years ago can come back to haunt the users whose information was stolen.
Breaches Can Have Ripple Effects
The danger of a breach lies not in a hacker having a person’s MySpace or LinkedIn password, necessarily, but in millions of people using the same email and password combination for their bank or credit card account, Amazon account, etc. Too often, people recycle passwords across myriad accounts over many years: this is a hacker’s dream.
If anyone should know better, it’s Facebook founder and CEO Mark Zuckerberg. But even Mr. Zuckerberg had his Twitter, Instagram, and Pinterest accounts hacked in June 2016 after a group called OurMine Team gained access to Mr. Zuckerberg’s password via the LinkedIn breach (see above: “Mega-Breaches”).
Mr. Zuckerberg’s password, according to OurMine Team? The all-lowercase, easy-to-crack “dadada.”
Data Breach Lawsuits
When a company fails to exercise reasonable care in protecting their customers’ information, and a breach occurs, affected consumers may be able to join together and file a data breach lawsuit against the company. These lawsuits can net plaintiffs millions of dollars in damages—which is only fair given how devastating a breach can be to a person’s personal finances, reputation, and/or credit score.
These lawsuits can net plaintiffs millions of dollars in damages.
Anthem agreed to pay $115 million to consumers after its 2015 data breach, the largest data breach settlement in history. The settlement covers credit monitoring services for affected consumers, and out-of-pocket expenses caused by the data breach.
Theirs is just one of many multimillion-dollar settlements that have been reached after major data breaches (see above: “Notable Data Breaches in Other Sectors”). Home Depot agreed to pay $19.5 million to consumers after its data breach: $13 million to reimburse shoppers for losses and $6.5 million toward identity protection services. Sony paid $15 million to settle a data breach suit—and $8 million to settle another. Target paid $10 million.
In general, companies much prefer settling cases out of court to going to trial. That is especially true with data breach lawsuits, because there is almost no court precedent for these kinds of cases. Companies like Home Depot and Sony have no idea what would happen if they went to trial to fight a data breach suit, which is a scary prospect.
How Consumers Can Fight Back
ClassAction.com is dedicated to helping consumers who suffered financial and reputational harm as result of a data breach. We help the people hold the powerful accountable by filing lawsuits against the companies that were subject to these invasive breaches.
If your credit card information, social security number, or other private information was stolen as a result of a data breach, we would like to hear from you. Contact us for a free, no-obligation legal consultation.