It’s always news when corporations have security breaches. This is especially true whenever malicious hackers gain access into a company’s internal databases to steal information— such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property. Often, these data breaches can lead to lawsuits and other legal action against the victim company.
Over the past few years, a few data breach lawsuits have stood apart from the rest, both for their financial penalties and the importance of the information stolen. Each of these situations has its own important lessons that can teach businesses how to care for their private data.
These are four of the most noteworthy data breaches of the last decade, each of which has its own unique lesson to learn.
1. The 2017 Equifax Case
As one of the top three providers of credit reporting in the U.S., almost half of all Americans were affected by the 2017 Equifax breach. A jarring 143 million consumers had their personal information exposed, according to the Federal Trade Commission (FTC).
This data breach was important because credit reports — and the companies that generate them — contain a wealth of private information. The bad actors who hacked Equifax's interface gained access to millions of names, social security numbers, birth dates, addresses, and credit card numbers.
Equifax faced major public backlash for not only being hacked, but also for how they handled the attack.
In court, the company was found guilty of not fixing a known vulnerability that was created in a software patch. This vulnerability is what allowed the data breach. Then, once Equifax discovered they were breached, they withheld that information for weeks after the attack happened.
In July 2019 Equifax paid $575 million in a settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and all U.S. states and territories over the company’s “failure to take reasonable steps to secure its network,” according to CSO.
Lesson Learned:
The main lesson from the Equifax case is to pay attention to software vulnerabilities, even when they’re in a simple patch.
In addition, it’s important to own the fact that your company has been breached by notifying all affected individuals. Equifax marred its reputation by keeping the breach a secret, which led to the expensive court ruling and a permanently-scarred reputation.
2. The 2018 British Airways Case
British Airways (BA) had its website compromised in June 2018. Hackers edited the website to redirect users to another lookalike site that covertly capturing user data. This hack gave the hackers access to flyers’ login and traveling booking details, according to BCC.com.
The hackers also used card skimming scripts to collect names and credit card information, including numbers, expiry dates, and three-digit CVV codes of roughly 500,000 customers over a two-week period.
BA was fined $230 million by the UK’s data protection authority, according to CSO. The General Data Protection Regulation (GDPR) had recently increased their penalty for breaches like this before the attack occurred, which resulted in higher fines for the airline.
Lesson Learned:
Hackers can use clever tactics to redirect users to lookalike websites that capture user data. Even worse, they may do this in such a way that the company’s website looks like it never changed.
In other words, the hackers aren’t just tricking the consumers — they’re also tricking the company for days or even months at a time.
The BA data breach lawsuit is a prime example of the importance of increasing measures to monitor your company’s website and protect cardholder data. Learn more about how you can avoid breaches to your website and database here.
3. The 2016 Uber Case
Uber took serious flak for the way it handled a breach of its customer database in 2016. In October, hackers breached Uber’s interface and stole 57 million riders’ personal information, including names, emails, and phone numbers.
Since no social security numbers, credit card information, or location details were compromised, Uber attempted to handle the breach internally without disclosing it to the public.
The ride-share company paid the hackers $100K to delete the data and keep the hack secret, but news of the attack still made it to the authorities and media.
After a two-year class action lawsuit over the data breach, Uber was fined $148 million, making it the biggest fine for a data breach in the U.S. before the Equifax fine, according to CSO.
Lesson Learned:
By law, any consumer data that’s stolen from a company’s database needs to be reported — even if it’s not social security or credit card numbers.
Uber’s fine would have been substantially less if they publicized the breach and informed those affected. Instead, they tried to sweep the case under the rug. In the end, they paid dearly both financially and in terms of broken trust with their customers.
In the end, Uber owned up to their mistakes in an email from their new CEO. Even though they dropped the ball by not reporting the breach initially, they took measures to console their customers and own their mistakes.
While this does not justify their actions, it’s at least recognition that the company did something wrong while holding themselves accountable. Accepting that responsibility — and expressing it to customers — is an excellent way to show dedication to customers’ privacy, however that may look in the future.
4. The 2019 Canva Case
The Australian graphic design company Canva is one of the country’s largest tech companies. It’s used throughout the world, and it has millions of both paying and free users.
Unfortunately, that made it a target for ambitious hackers. In 2019, a data breach led to the theft of roughly 4 million customer details, according to Canva.
GnosticPlayers, one of the world’s most infamous groups of hackers, claimed responsibility for the data breach in addition to more than a dozen others in 2019.
GnosticPlayers stole Canva customer usernames, real names, email addresses, location information, and Google authorization tokens, according to ZDnet.
While this trove of user information didn’t include financial details, the stolen Google tokens were problematic. They allowed users to sign up for Canva without setting passwords, potentially giving GnosticPlayers direct access to 78 million Google accounts.
Canva did the right thing upon learning about the breach and told the world about it. Regardless, at the time of publication, they’re still in court battling a class action lawsuit that may result in heavy fines.
Lesson Learned:
Single sign-on technology may make it easier for users to sign up for services with popular accounts like Google, but that means those companies have to protect those authorization tokens as they would any other login information. In the wrong hands, those tokens could wreak havoc on consumers who use Google accounts to store all kinds of personal information.
If you allow single sign-on through Google, Facebook, or another account, it’s imperative that you protect it as thoroughly as possible.
Facing a Data Breach Class Action Settlement?
If your company or client fell victim to a data breach and is being brought to court, the right expertise can reduce your chances of costly penalties and fines.
Here at Mitnick Security, we determine how leaked data could be abused to harm to the victims of the breach. We always provide a written report of our findings, detailing how the stolen data could be leveraged by an attacker, or appear in court to present our expert findings.
