Cyberattacks are an unfortunate fact of modern business. They are motivated mainly by money, with cybercriminals seeking data they can use in identity fraud or the opportunity to hold their targets’ IT systems to ransom. The global cost of cybercrime has been projected to reach $10.5tn by 2025.

But cyberattacks can also be politically motivated, and companies can find themselves caught in the crossfire between nation states seeking to disrupt or steal secrets from their geopolitical rivals.

Tech Monitor looked at the number of users affected to compile this list of the five biggest cyberattacks in history. As the list reveals, huge quantities of customer data have been stolen in the last decade, causing both financial and reputational damage to the targeted companies.

An illustration of a cyberattack.

1. RockYou2021: The biggest password leak yet – 2021

The largest stolen password collection of all time saw 8.4 billion passwords leaked.

The hacker – whose identity is not disclosed – named the password compilation “RockYou2021”, referencing the 2009 RockYou data breach, in which more than 32 million users had their passwords harvested.

The password hacker posted a 100GB txt file containing 8.4 billion password entries, alongside previous data leaks.

The hacker declared that the list contained 82 billion passwords. However, the exact number is around ten times smaller. Security experts also say that businesses and consumers are at risk.

Cybersecurity expert Troy Hunt explained on Twitter that RockYou2021 is not actually a list of 8.4 billion passwords. In fact, the 100GB seems to be a compilation of old password leaks, possible and frequently-used passwords, and a wordlist. This still makes it the biggest leak yet, because of the actual number and weight of data.

2. Cyberattack on Yahoo – 2014

In 2016, web giant Yahoo Inc. revealed that personal data linked to at least 500 million accounts had been stolen in 2014 by what is believed to be a state-sponsored actor.

The cybercriminals stole email addresses, passwords, telephone numbers, dates of birth and names, Yahoo said. However, protected passwords, payment information and bank account information did not appear to have been compromised.

The main hacker’s name is Aleksey Belan, who was a Latvian hacker hired by Russian agents. He was able to gain access to Yahoo’s User Database and account management tool through a phishing campaign which specifically targeted Yahoo’s employees.

There have been financial, business and public consequences. Even if the most valuable data was untouched, the attack on Yahoo was unprecedented in size, which caused economic losses, especially around the company’s $4.83bn cash sale of its internet business to Verizon Communications Inc. It is claimed that Yahoo misled Verizon with false information too, and ended up signing a stock agreement without disclosing the breach. This led Verizon to negotiate $350m less for the acquisition of Yahoo.

The day after the attack, Yahoo’s stock price dropped by 3%, and it lost $1.3bn in market capitalisation.

In March 2017, the Department of Justice indicted four individuals for the attack. Two of them were Russian intelligence officers, who were collecting information to spy on a range of targets in the United States.

Yahoo was accused of negligence after taking two years to disclose the security breach to investors and the public. CEO Marissa Mayer was against the idea of asking affected users to change their passwords, believing that Yahoo would lose customers by doing so.

Other financial implications included:

  • Yahoo was charged with $35m by the Securities and Exchange Commission (SEC) as a penalty for misleading the public and failing to notify the customers about the breach,
  • Yahoo had to pay $85m as part of settlement charges for the damages caused and had to provide free credit monitoring services for over 200 million customers,
  • Yahoo had to pay $35m in attorneys’ fees and another $16m toward their cyber incident,
  • Yahoo paid a further $11m towards legal expenses, their investigations from five state and federal agencies and 44 class action lawsuits.

Because of the response to the breach, SEC’s administrative order claimed that Yahoo violated Sections 17(a)(2) & (3) of the Securities Act of 1993 and Section 13(a) of the Securities Exchange Act of 1934.

3. Cyberattack on Marriott Hotels – 2014

The UK’s data privacy watchdog, the Information Commissioners’ Office (ICO), fined the Marriott Hotel chain £18.4m for a major data breach that might have affected 339 million guests.

The ICO explained that names, passport details contact information and credit card information had been compromised. The breach included seven million guest records for people in the UK. It was made possible by another security failing on Marriot’s part: while the credit card numbers were stored in encrypted form, the encryption keys were stored on the same server. The same goes for passport numbers.

The first part of the cyberattack happened in 2014, also affecting the Starwood Hotels group, which Marriott bought in 2016. However, the issue was not noticed until 2018. This meant that for four years, the attackers continued to have access to all affected data.

The ICO’s investigation showed that there had been failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).

4. Sony’s PlayStation Network attack – 2011

In 2011, Sony revealed that the names, addresses and other personal data of about 77 million users on its PlayStation Network (PSN) had been stolen.

Gamers’ accounts were blocked and locked out of the network for a week as the system was suspended to avoid more data breaches. An “illegal and unauthorised person” got access to the data, including names, addresses, email addresses, usernames, passwords, security questions and, in some cases, even payment details.

This stolen data may have also included information about children.

Sony’s PSN is one of the largest holders of credit card data and the breach could have been the largest leak of credit card information ever. However, Sony said at the time that it had not discovered any evidence that any credit card info was stolen, although it still advised users to be on the lookout.

A couple of weeks after the attack, Sony announced a “welcome back” programme for its affected customers, as well as issued a press release. In this programme, Sony promised to include 30 days of free membership of PlayStation Plus for all PSN members, while existing PlayStation Plus members received an additional 30 days on their subscription.

Over 12,000 credit card numbers, albeit in encrypted form, from non-U.S cardholders and additional information from 27.4 million accounts were accessed. Sony also sent a letter to the US House of Representatives, announcing that they would be providing identity theft insurance policies in the amount of $1m per user of the PlayStation Network, among other things.

About a month after the attack, Sony stated that the outage cost amounted to $171m.

The British Information Commissioner’s Office fined Sony £250,000 for breaching the UK’s Data Protection Act. Following that, a lawsuit was posted on 27 April 2011 by Kristopher Johns from Alabama on behalf of all PlayStation users, claiming that Sony “failed to encrypt data and establish adequate firewalls to handle a server intrusion contingency.”

Another lawsuit from Canada against Sony USA, Sony Canada and Sony Japan claimed damages up to C$1bn.

5. Uber data breach – 2016

Just this week, Uber admits covering up a huge data breach that happened in 2016. The company, back in 2016, failed to notify the individuals and regulators, as well as the public. The attack exposed the confidential data of 57 million customers and drivers.

Hackers used stolen credentials to access a private source code repository and obtain a proprietary access key, which then allowed them to access and copy large quantities of data associated with Uber’s users and drivers, such as data regarding 600,000 driver’s license numbers.

The company confessed to having paid the hackers $100,000 to delete the information and keep the cyberattack quiet, as Bloomberg reported. Because of the damning Bloomberg report, Uber’s CEO Dara Khosrowshahi wrote a public statement on behalf of the company. “None of this should have happened, and I will not make excuses for it,” she said, “while I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

Uber admitted to this breach as part of a settlement with the US Department of Justice to avoid criminal prosecution. According to the settlement, the CEO and his team reported the breach to the people affected a year later it happened. The drivers, public and government authorities decided not to prosecute Uber because of their decision to disclose it, as well as an agreement with the FTC in 2018 to report any future cyberattack to government regulators. The settlement also acknowledges that Uber paid $148m to settle civil litigation tied to the data breach.

Uber’s chief security officer at the time, Joe Sullivan, was also complicit in the cover-up, causing him to be fired by Khosrowshahi in 2017. Sullivan was consequently charged with obstruction of justice for trying to hide a data breach from the FTC and Uber management. His case is due to go to trial in September 2022.

6. Adobe cyberattack – 2013

Software maker Adobe was the victim of a cyberattack that compromised about 38 million active users. The company had originally declared that 2.9 million accounts had been affected.

The attackers had also accessed data from an unspecified number of accounts that were unused or deactivated.

The hackers stole not only user data but also part of the source code of the popular photo-editing software Photoshop, as well as Acrobat PDF Editor.

In May of the same year, Adobe shifted several of its products to a subscription model. Its users now need to register an account and provide their payment card details.

The consequences of this cyberattack were comparatively minor. Adobe had to pay just $1m to settle a lawsuit filed by 15 state attorneys general. Furthermore, the hacker – a 39-year-old man from The Netherlands – also avoided jail time.

Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.

Read more: Big banks badly need a cyber security overhaul