Technology and Communications

Web applications in this sector are both targeted with availability (denial-of-service) attacks and leveraged as a route into cloud-based organizational email accounts.

Top 3 patterns – Miscellaneous Errors, Web Applications and Cyber-Espionage together represent 83% of breaches in the Information sector

Threat actors – External (56%), Internal (44%), Partner (2%) (breaches)

Actor motives – Financial (67%), Espionage (29%) (breaches)

Data compromised – Personal (47%), Credentials (34%), Secrets (22%) (breaches)

Illustrative breaches

  • Yahoo
  • Facebook
  • Friend Finder Networks
  • Citrix
  • Rubrik
  • 500px
  • Blur
  • VeriSign
  • Home Depot
  • RSA Security
  • Wipro
  • Microsoft Office 365
  • Box
  • EE
  • Adobe
  • eBay
  • Mumsnet
  • Quora
  • Google+
  • Uber
  • Three
  • Docker Hub
  • AMC Networks
  • Freedom Mobile
  • WhatsApp
  • Microsoft Email Services
  • BioStar 2
  • MoviePass
  • Hostinger
  • Foxit
  • Evite
  • Evernote
  • Fieldwork Software
  • Canva
  • Flipboard
  • T-Mobile
  • Family Locator
  • MyPillow & Amerisleep
  • Reddit
  • Verifications.io
  • Timehop
  • Dixons Carphone
  • MyHeritage
  • Under Armour/MyFitnessPal
  • FedEx
  • Houzz
  • ai.type
  • Clarksons
  • Pizza Hut
  • Deloitte
  • Three Mobile
  • TalkTalk
  • Think W3 Limited
  • Moonpig
  • Google Photos
  • Amazon Web Services S3
  • Creative Technology
  • T-mobile
  • NetBlocks internet observatory
  • Cambridge Analytica
  • BGR (Boy Genius Report) India
  • Koodo Mobile
  • PhotoSquared
  • Slickwraps
  • GoDaddy
  • Whisper
  • TrueFire
  • PropTiger
  • Peekaboo Moments
  • SOS Online Backup
  • Email.it
  • Mathway
  • Wishbone
  • Cognizant
  • Zynga (Words With Friends)
  • Virgin Media
  • Zoom
  • Quidd
  • Impact Mobile Home Communities
  • Zoomcar
  • Daniel’s Hosting
  • ZEE5
  • Ledger
  • Twitter
  • Dave
  • Blacklist Alliance
  • GEDmatch
  • Family Tree Maker
  • Social Data
  • CenturyLink Inc.
  • Tokopedia
  • Instagram
  • Digital Point
  • Telemate
  • K-Electric
  • Equinix
  • Sopra Steria
  • Twitter owned SDK
  • Nitro
  • pray.com
  • GO SMS Pro
  • Managed.com
  • Miltenyi Biotec
  • Reliance Digital
  • Prestige Software
  • FireEye
  • LinkedIn
  • Acer
  • MobiKwik
  • LimeVPN
  • DreamHost
  • Cognyte
  • Clubhouse
  • T-Mobile
  • LimeVPN
  • EventBuilder
  • GoDaddy
  • Sharp
  • Thingiverse
  • Atraf
  • The Centre for Computing History
  • Multiple UK based internet service providers
  • Vodafone
  • Cosmote S.A.
  • Nvidia
  • Flexbooker
  • Microsoft
  • Apple
  • Meta
  • Cloudflare
  • Cisco
  • Plex
  • Samsung

Data breach – maximum fines and damages

  • Google LLC: In 2019 Google was fined €50 million by France's Commission nationale de l'informatique et des libertés (CNIL) under the GDPR for insufficient transparency, control and consent over the processing of personal data for the purposes of behavioural advertising.
  • Uber: In 2016 the ride-hailing company Uber had 600,000 driver and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the hack quiet. Those actions cost the company dearly: in 2018 it was fined $148 million, the largest data-breach fine in history at the time, for violating state data breach notification laws.
  • Yahoo: In 2013 Yahoo suffered a massive security breach affecting its entire database, about 3 billion accounts, almost the entire population of the web. The company did not disclose the breach for three years. In April 2018 the U.S. Securities and Exchange Commission (SEC) fined the company $35 million for failing to disclose it. In September, Yahoo's new owner Altaba admitted that it had settled a class action lawsuit resulting from the breach for $50 million. A total bill of $85 million for 3 billion accounts works out to around $36 per record.
  • Cambridge Analytica: The Australian Information Commissioner, Angelene Falk, alleged that Facebook committed serious and repeated interference with privacy in contravention of Australian privacy law, because data collected by Facebook was passed on to the This Is Your Digital Life app by Cambridge Analytica for political profiling, a purpose for which it had not been collected. The data included people's names, dates of birth, email addresses, city location, friends list, page likes and messages (for those who had granted the app access to their messages). Facebook had already been fined $5 billion by the US Federal Trade Commission (FTC) for users' privacy violations in the Cambridge Analytica data scandal, and the UK's data protection watchdog fined Facebook £500,000 in 2018 over the same breaches.
  • Facebook: A Russian court fined Facebook 4 million roubles ($62,922) for failing to comply with a Russian data localisation law. The Tagansky District Court in Moscow fined Facebook for refusing to locate the server holding data about Russian citizens on Russian territory, after earlier handing Twitter an identical fine for the same offence.
  • Anonymous data breach: On 20 March 2020 an unsecured database containing the full names and titles, email addresses, phone numbers, dates of birth, credit ratings, home addresses, demographics (including the number and gender of children), detailed mortgage and tax records and other personally identifiable information of over 200 million US users was leaked on the dark web.


Enforcements

| Name | Fine | Authority |
|---|---|---|
| Knuddels.de | EUR 20,000 | Data Protection Authority of Baden-Wuerttemberg |
| Facebook Germany GmbH | EUR 51,000 | Data Protection Authority of Hamburg |
| HVV GmbH | EUR 20,000 | Data Protection Authority of Hamburg |
| Google Inc | EUR 50 million | French Data Protection Authority (CNIL) |
| Vodafone España, S.A.U. | EUR 40,000 | Spanish Data Protection Authority |
| Telefonica Moviles España, S.A.U. | EUR 1,400 | Spanish Data Protection Authority |
| Payment service provider UAB MisterTango | EUR 61,500 | Lithuanian Data Protection Authority |
| IDdesign A/S | EUR 200,850 | Danish Data Protection Authority |
| Vodafone España, S.A.U. | EUR 30,000 | Spanish Data Protection Authority |
| Morele.net | EUR 644,780 | Polish National Personal Data Protection Office |
| Inteligo Media SA | EUR 9,000 | Romanian National Supervisory Authority for Personal Data Processing |
| ClickQuickNow | EUR 47,000 | Polish National Personal Data Protection Office |
| Xfera Moviles S.A. | EUR 60,000 | Spanish Data Protection Authority |
| UTTIS INDUSTRIES SRL | EUR 2,500 | Romanian National Supervisory Authority for Personal Data Processing |
| Wind Hellas Telecommunications | EUR 20,000 | Hellenic Data Protection Authority |
| Vodafone España, S.A.U. | EUR 60,000 | Spanish Data Protection Authority |
| Cerrajero Online | EUR 900 | Spanish Data Protection Authority |
| Telefónica SA | EUR 30,000 | Spanish Data Protection Authority |
| TIM (telecommunications operator) | EUR 27,802,946 | Italian Data Protection Authority |
| Xfera Moviles S.A. | EUR 60,000 | Spanish Data Protection Agency |
| Oliveros Ustrell, S.L. | EUR 6,000 | Spanish Data Protection Agency |
| Vodafone Romania | EUR 4,150 | Romanian National Supervisory Authority for Personal Data Processing |
| Miraclia (telecommunications company) | EUR 7,500 | Spanish Data Protection Authority |
| Mapei S.p.A. | EUR 5,000 | Spanish Data Protection Authority |
| Vodafone España, S.A.U. | EUR 60,000 | Spanish Data Protection Authority |
| Xfera Moviles S.A. | EUR 60,000 | Spanish Data Protection Authority |
| Vodafone España, S.A.U. | EUR 30,000 | Spanish Data Protection Authority |
| Telefonica Moviles España, S.A.U. | EUR 75,000 | Spanish Data Protection Authority |
| Xfera Moviles S.A. | EUR 20,000 | Spanish Data Protection Authority |
| 1&1 Telecom GmbH | EUR 9,550,000 | The Federal Commissioner for Data Protection and Freedom of Information |
| Vodafone España, S.A.U. | EUR 42,000 | Spanish Data Protection Authority |
| Vodafone Italia S.p.A. | EUR 12,251,601 | Italian Data Protection Authority |
| Vodafone România SA | EUR 4,000 | Romanian Data Protection Authority |
| Vodafone España, S.A.U. | EUR 27,000 | Spanish Data Protection Authority |
| Facebook Ireland Ltd. and Facebook Inc | EUR 7 million | Italian Antitrust Authority (AGCM) |
| Family Service | EUR 50,000 | Belgian Data Protection Authority |
| Call Centre Ops of Nottingham | EUR 120,000 | Information Commissioner's Office, UK |
| Facebook | USD 650 million | United States District Court of California |
| Haoshilai Management Consulting Co. Ltd. | MOP 3.24 million | GPDP, Macau |
| Vodafone España, S.A.U. | EUR 8.15 million | Spanish Data Protection Authority (AEPD) |
| Rising Eagle and JSquared Telecom | USD 225 million | Federal Communications Commission |
| Booking.com BV | EUR 475,000 | Dutch Data Protection Authority |
| Telekom Romania Mobile Communications S.A. | RON 63,748 | National Supervisory Authority for Personal Data Processing, Romania |
| Vodafone España, S.A.U. | EUR 90,000 | Spanish Data Protection Authority (AEPD) |
| Orange Espagne | EUR 90,000 | Spanish Data Protection Authority (AEPD) |
| Scatter Lab | KRW 133.3 million | Personal Information Protection Commission, South Korea |
| Disqus | NOK 25 million | Norwegian Data Protection Authority |
| Equifax Iberica, SL | EUR 1 million | Spanish Data Protection Authority (AEPD) |
| Locatefamily.com | EUR 525,000 | Dutch Data Protection Authority |
| IT Company | TRY 450,000 | Turkish Data Protection Authority (KVKK) |
| Vodafone España, S.A.U. | EUR 56,000 | Spanish Data Protection Authority |
| WhatsApp Ireland Ltd. | EUR 225 million | Data Protection Authority of Ireland |
| Magyar Telekom Nyrt. | EUR 28,400 | Hungarian National Authority for Data Protection and the Freedom of Information (NAIH) |