The Top 10 Data Breaches of 2017

February 6, 2018 by

Stephen Moramarco

Introduction

As we begin a new year, let’s take a moment to look back on the biggest data breaches in 2018. This is a year-end list no one is excited to be on, yet it’s an important reminder of how every sector is vulnerable to hacks, bugs and human error. So without further ado, here is our list of the top 10 data breaches of 2017.

1.    Equifax

The Equifax breach exposed sensitive credit information, including social security numbers, addresses and employer histories, of 143 million people. The exploitation was due to a vulnerability in the open-source Apache platform that was discovered in March. While a security patch was quickly announced and issued, Equifax did not update their system — the breach was said to have occurred from mid-May to July —  causing concern about the company’s overall security protocols.

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Demo Now

The telecommunications giant Verizon exposed personal data of 14 million customers, thanks to a third-party vendor. The information, including phone numbers and pin numbers that could be used for two-factor authentication, was left unprotected on an unsecure Amazon server. Ironically, the damage was done by NICE systems, a company that allegedly specializes in data security.

Deloitte, one of the top accountancy firms in the world, was breached in 2017. The hack exposed information from up to 350 clients, including the information of top-level executives. This type of information could then be used in “fake president” scams to bilk companies of millions. Hackers gained access through an admin account, which did not have two-factor authorization.

Wrestling fans were potentially body slammed when security firm Kromtech alerted the World Wrestling Entertainment network that information from three million accounts were exposed. The information, which included names, addresses and even information on children, were discovered on an Amazon server as a text file without a password.

The electronic document signature service DocuSign has long been a target of hackers, and in 2017 they broke through. The company announced that a “non-core” section of the company database was accessed and upwards of 100 million email addresses were possibly stolen. While no other information was breached, there is concern that these addresses could be used in the future for sophisticated spearphishing attacks.

The technological behemoth Google suffered an embarrassing breach of its popular Gmail service. Sophisticated hackers created a worm that infiltrated a user’s inbox and sent emails to their contacts with what appeared to be a link to a legitimate Google document. Instead, users were taken to a phony portal, their information was stolen and worms were sent out to their contact lists. Google said the breach was discovered within the hour and only affected 0.1% of users, but that still means one million people were affected.

An IRS tool that was supposed to ease the burden for students applying to financial aid was also glaringly vulnerable. The IRS’s Data Retrieval Tool, which allowed students to export their parents’ tax information and auto-fill it in the Federal Application for Student Aid form, allowed thieves to also access the same information. The flaw was discovered in October 2016, yet the IRS let it remain online until March of 2017. An estimated 8,000 false tax forms were filed, and $30 million in refunds stolen.

The corporate analysis and rating firm Dun & Bradstreet had perhaps one of the most mysterious breaches this year. A cyber researcher was emailed a link to 52 GB containing 33.7 million unique emails and other personal information culled from a database it purchased from NetProspex. While the database contained a lot of information that was publicly available, the culmination of the data could very easily be used to initiate spearphishing attacks. It is not known how the list was originally stolen.

Due to a bug in the software, content delivery network Cloudflare was also delivering its clients’ unencrypted information to the Internet. Companies that use their networks, such as OKCupid, FitBit and Uber, potentially exposed user personal information to anyone that knew to search for it, as information is regularly cached by Google. When the vulnerability was discovered, Cloudflare asked Google to have it scrubbed.

The top security organization in the country is in the top-ten data breach list for the fifth straight year in a row. In 2017, a virtual disk code named “Red Disk” appeared on an unsecured web server containing highly confidential information. It is not known who left it there.

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Demo Now

Conclusion

Although hackers continue to get more sophisticated, many breaches are still the result of human error or faulty protocol. Cybercrime is a round-the-clock threat that shows no sign of slowing; the only defense is vigilance, security awareness and education.

Sources

• NSA leak exposes Red Disk, the Army's failed intelligence system, ZD Net
• Major Cloudflare bug leaked sensitive data from customers’ websites, TechCrunch
• Equifax traced the source of its massive hack to a preventable software flaw, Business Insider  
• Over 14 Million Verizon Customers’ Data Exposed On Unprotected AWS Server, Hacker News
• Deloitte hit by cyber-attack revealing clients’ secret emails, The Guardian
• Massive WWE Leak Exposes 3 Million Wrestling Fans' Addresses, Ethnicities And More, Forbes
• Breach at DocuSign Led to Targeted Email Malware Campaign, Krebs On Security
• Massive Phishing Attack Targets Gmail Users, NBC News
• Millions of records leaked from huge US corporate database, ZD Net