WHEN BEST OF DEFENCES FAILED
How past breaches suggest unknown vulnerabilities and weaknesses in cyber hygiene practices can expose sensitive databases to breaches
1 US OFFICE OF PERSONNEL MANAGEMENT
DATA STOLEN: Personal data of current, former and prospective federal employees and their families
AFFECTED PEOPLE: 18-21 MILLION in two attacks between 2014 and 2015
HOW IT HAPPENED: Hackers compromised a contractor that was part of the network, before going on to build a backdoor into OPM systems to extract data over a long period of time
DATA INVOLVED: Biometrics, personally identifiable information of government staff, people who underwent background checks or those who obtained security clearances
SUSPECTS: Unidentified state-backed hackers
2 EQUIFAX
DATA STOLEN: Personal information of American citizens compiled for financial assessment
AFFECTED PEOPLE: 148 MILLION people between mid-May and July 2017. Breach disclosed in Sept 2017
HOW IT HAPPENED: Hackers broke into a database framework that had known flaws that were not fixed, allowing for a backdoor to be created
DATA INVOLVED: Sensitive financial and personal information of individuals and companies. Equifax is one of three major American credit reporting agencies
SUSPECTS: The US has charged four individuals from the Chinese military for the hack
3 MARRIOTT HOTELS
DATA STOLEN: Hotel guest database
AFFECTED PEOPLE: 500 MILLION in 2018; 5 MILLION in 2020
HOW IT HAPPENED: In the first breach, the network is believed to have been compromised. For the second breach, hackers obtained the user passwords of 2 employees to extract data
DATA INVOLVED: Names of guests, their employers, hotel account passwords, payment card information, passport or ID information
SUSPECTS: Not determined
4 ANTHEM INC
DATA STOLEN: Insurance product customer data
AFFECTED PEOPLE: 78.8 MILLION between 2014 and 2015
HOW IT HAPPENED: Cyber investigators determined the data breach began when an employee opened a phishing email containing malicious content. This gave hackers access to internal systems
DATA INVOLVED: Names, birthdays, social security numbers, addresses, e-mail addresses and employment information
SUSPECTS: State-based hackers from an unidentified nation