Web applications are targeted with availability attacks as well as leveraged for access to cloud-based organizational email accounts.
Top 3 patterns: Miscellaneous Errors, Web Applications and Cyber-Espionage represent 83% of breaches within the Information sector
Threat actors: External (56%), Internal (44%), Partner (2%) (breaches)
Actor motives: Financial (67%), Espionage (29%) (breaches)
Data compromised: Personal (47%), Credentials (34%), Secrets (22%) (breaches)
Illustrative breaches
- Yahoo
- Friend Finder Networks
- Citrix
- Rubrik
- 500px
- Blur
- VeriSign
- Home Depot
- RSA Security
- Wipro
- Microsoft Office 365
- Box
- EE
- Adobe
- eBay
- Home Depot
- Mumsnet
- Quora
- Google+
- Uber
- Three
- Docker Hub
- AMC Networks
- Freedom Mobile
- Microsoft Email Services
- BioStar 2
- MoviePass
- Hostinger
- Foxit
- Evite
- Evernote
- Fieldwork Software
- Canva
- T-Mobile
- Family Locator
- MyPillow & Amerisleep
- Verifications.io
- Timehop
- Dixons Carphone
- MyHeritage
- Under Armour/MyFitnessPal
- FedEx
- Houzz
- ai.type
- Clarksons
- Pizza Hut
- Deloitte
- Three Mobile
- TalkTalk
- Think W3 Limited
- Moonpig
- Google Photos
- Amazon Web Services S3
- Creative Technology
- T-Mobile
- NetBlocks internet observatory
- Cambridge Analytica
- BGR (Boy Genius Report) India
- Koodo Mobile
- PhotoSquared
- Slickwraps
- GoDaddy
- Whisper
- TrueFire
- PropTiger
- Peekaboo Moments
- SOS Online Backup
- Email.it
- Mathway
- Wishbone
- Cognizant
- Zynga (Words With Friends)
- Virgin Media
- Zoom
- Quidd
- Impact Mobile Home Communities
- Zoomcar
- Daniel’s Hosting
- ZEE5
- Ledger
- Dave
- Blacklist Alliance
- GEDmatch
- Family Tree Maker
- Social Data
- CenturyLink Inc.
- Tokopedia
- Digital Point
- Telemate
- K-Electric
- Equinix
- Sopra Steria
- Twitter-owned SDK
- Nitro
- pray.com
- GO SMS Pro
- Managed.com
- Miltenyi Biotec
- Reliance Digital
- Prestige Software
- FireEye
- Acer
- MobiKwik
- LimeVPN
- DreamHost
- Cognyte
- Clubhouse
- T-Mobile
- LimeVPN
- EventBuilder
- GoDaddy
- Sharp
- Thingiverse
- Atraf
- The Centre for Computing History
- Multiple UK-based internet service providers
- Vodafone
- Cosmote S.A.
- Nvidia
- Flexbooker
- Microsoft
- Apple
- Meta
- Cloudflare
- Cisco
- Plex
- Samsung
Data breach: maximum fines and damages
- Google LLC: In 2019, Google LLC was fined €50 million under the GDPR by the Commission nationale de l'informatique et des libertés (CNIL) of France for insufficient transparency, control and consent over the processing of personal data for the purposes of behavioural advertising.
- Uber: In 2016, ride-hailing company Uber had 600,000 driver accounts and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the hack under wraps. Those actions cost the company dearly: in 2018 it was fined $148 million, the biggest data-breach fine in history at the time, for violating state data breach notification laws.
- Yahoo: In 2013, Yahoo suffered a massive security breach that affected its entire database, about 3 billion accounts, almost the entire population of the web. The company did not disclose the breach for three years. In April 2018, the U.S. Securities and Exchange Commission (SEC) fined the company $35 million for failing to disclose it. In September of that year, Yahoo's new owner Altaba admitted that it had settled a class action lawsuit resulting from the breach for $50 million. A total bill of $85 million for 3 billion accounts works out to around $36 per record.
- Cambridge Analytica: The Australian Information Commissioner, Angelene Falk, alleged that Facebook committed serious and repeated interference with privacy in contravention of Australian privacy law, because data collected by Facebook was passed on to the This Is Your Digital Life app and then to Cambridge Analytica for political profiling, a purpose for which it had not been collected. The data included people's names, dates of birth, email addresses, city location, friends list, page likes and messages (for those who had granted the app access to their messages). Facebook had already been fined $5 billion by the US Federal Trade Commission (FTC) for users' privacy violations in the Cambridge Analytica data scandal, and the UK's data protection watchdog fined Facebook 500,000 pounds in 2018 over the same breaches.
- Facebook: A Russian court fined Facebook 4 million roubles ($62,922) for failing to comply with a Russian data law. The Tagansky District Court in Moscow fined Facebook for refusing to locate the server holding data about Russian citizens on Russian territory, after earlier handing Twitter an identical fine for the same offence.
- Anonymous data breach: On 20 March 2020, an unsecured database containing the full names and titles of the exposed individuals, email addresses, phone numbers, dates of birth, credit ratings, home addresses, demographics (including the number of children and their genders), detailed mortgage and tax records and other personally identifiable information of over 200 million US users was leaked on the dark web.
Enforcements

| Name | Fine | Authority |
|---|---|---|
| Knuddels.de | EUR 20,000 | Data Protection Authority of Baden-Wuerttemberg |
| Facebook Germany GmbH | EUR 51,000 | Data Protection Authority of Hamburg |
| HVV GmbH | EUR 20,000 | Data Protection Authority of Hamburg |
| Google Inc | EUR 50 million | French Data Protection Authority (CNIL) |
| Vodafone España, S.A.U. | EUR 40,000 | Spanish Data Protection Authority |
| Telefonica Moviles España, S.A.U. | EUR 1,400 | Spanish Data Protection Authority |
| Payment service provider UAB MisterTango | EUR 61,500 | Lithuanian Data Protection Authority |
| IDdesign A/S | EUR 200,850 | Danish Data Protection Authority |
| Vodafone España, S.A.U. | EUR 30,000 | Spanish Data Protection Authority |
| Morele.net | EUR 644,780 | Polish National Personal Data Protection Office |
| Inteligo Media SA | EUR 9,000 | Romanian National Supervisory Authority for Personal Data Processing |
| ClickQuickNow | EUR 47,000 | Polish National Personal Data Protection Office |
| Xfera Moviles S.A. | EUR 60,000 | Spanish Data Protection Authority |
| UTTIS INDUSTRIES SRL | EUR 2,500 | Romanian National Supervisory Authority for Personal Data Processing |
| Wind Hellas Telecommunications | EUR 20,000 | Hellenic Data Protection Authority |
| Vodafone España, S.A.U. | EUR 60,000 | Spanish Data Protection Authority |
| Cerrajero Online | EUR 900 | Spanish Data Protection Authority |
| Telefónica SA | EUR 30,000 | Spanish Data Protection Authority |
| TIM (telecommunications operator) | EUR 27,802,946 | Italian Data Protection Authority |
| Xfera Moviles S.A. | EUR 60,000 | Spanish Data Protection Authority |
| Oliveros Ustrell, S.L. | EUR 6,000 | Spanish Data Protection Authority |
| Vodafone Romania | EUR 4,150 | Romanian National Supervisory Authority for Personal Data Processing |
| Miraclia (telecommunications company) | EUR 7,500 | Spanish Data Protection Authority |
| Mapei S.p.A. | EUR 5,000 | Spanish Data Protection Authority |
| Vodafone España, S.A.U. | EUR 60,000 | Spanish Data Protection Authority |
| Xfera Moviles S.A. | EUR 60,000 | Spanish Data Protection Authority |
| Vodafone España, S.A.U. | EUR 30,000 | Spanish Data Protection Authority |
| Telefonica Moviles España, S.A.U. | EUR 75,000 | Spanish Data Protection Authority |
| Xfera Moviles S.A. | EUR 20,000 | Spanish Data Protection Authority |
| 1&1 Telecom GmbH | EUR 9,550,000 | The Federal Commissioner for Data Protection and Freedom of Information |
| Vodafone España, S.A.U. | EUR 42,000 | Spanish Data Protection Authority |
| Vodafone Italia S.p.A. | EUR 12,251,601 | Italian Data Protection Authority |
| Vodafone România SA | EUR 4,000 | Romanian Data Protection Authority |
| Vodafone España, S.A.U. | EUR 27,000 | Spanish Data Protection Authority |
| Facebook Ireland Ltd. and Facebook Inc | EUR 7 million | Italian Antitrust Authority (AGCM) |
| Family Service | EUR 50,000 | Belgian Data Protection Authority |
| Call Centre Ops of Nottingham | EUR 120,000 | Information Commissioner's Office (ICO), UK |
| (name not given) | USD 650 million | United States District Court of California |
| Haoshilai Management Consulting Co. Ltd. | MOP 3.24 million | GPDP, Macau |
| Vodafone España | EUR 8.15 million | Spanish Data Protection Authority (AEPD) |
| Rising Eagle and JSquared Telecom | USD 225 million | Federal Communications Commission |
| Booking.com BV | EUR 475,000 | Dutch Data Protection Authority |
| Telekom Romania Mobile Communications S.A. | RON 63,748 | National Supervisory Authority for Personal Data Processing, Romania |
| Vodafone España | EUR 90,000 | Spanish Data Protection Authority (AEPD) |
| Orange Espagne | EUR 90,000 | Spanish Data Protection Authority (AEPD) |
| Scatter Lab | KRW 133.3 million | Personal Information Protection Commission, South Korea |
| Disqus | NOK 25 million | Norwegian Data Protection Authority |
| Equifax Iberica, SL | EUR 1 million | Spanish Data Protection Authority (AEPD) |
| Locatefamily.com | EUR 525,000 | Dutch Data Protection Authority |
| IT Company | TRY 450,000 | Turkish Data Protection Authority (KVKK) |
| Vodafone España, S.A.U. | EUR 56,000 | Spanish Data Protection Authority |
| WhatsApp Ireland Ltd. | EUR 225 million | Data Protection Authority of Ireland |
| Magyar Telekom Nyrt. | EUR 28,400 | Hungarian National Authority for Data Protection and Freedom of Information (NAIH) |