The Biggest Cybersecurity Data Breaches of All Time / Part II
11. AT&T Data Breach Chain
A combination of cloud security and third-party risks cost the telecommunications giant dearly.
In 2024, AT&T exposed 110 million records due to a breach in its Snowflake environment combined with legacy leaks. The leaked call metadata and location information made behavioral tracking of users possible. The company was forced to pay $177 million in settlements over this critical weakness in vendor security and its data management errors.
12. TJX Retail Security Crisis
The use of legacy encryption technologies in the retail sector led to the birth of modern security standards.
In 2007, 94 million credit card records were stolen from TJX through its store Wi-Fi network, which relied on insecure WEP encryption. This event marked a turning point in retail security and accelerated the mandate for PCI DSS (Payment Card Industry Data Security Standard) compliance to protect credit card data.
13. Anthem Health Data Leak
The compromise of a single administrator account triggered the largest data breach in the healthcare sector.
In 2015, insurance giant Anthem lost the identity and social security information of 80 million customers to cybercriminals. Attackers accessed the entire data warehouse through a single compromised privileged account, proving the value of health data on the black market. The breach resulted in a record $16 million HIPAA fine due to security negligence.
14. Sony PSN Network Outage
The attack that stopped the gaming world revolutionized password storage methods.
In 2011, the PlayStation Network was out of service for 23 days following the theft of data belonging to 77 million users. When it was revealed that Sony stored passwords in plain text without encryption, the industry learned the importance of "salting" and "hashing" methods through a painful experience. The total cost of this negligence to the company exceeded $171 million.
15. JPMorgan Financial Cyber Attack
An attack on the financial giant led to an exponential increase in cybersecurity budgets.
In 2014, JPMorgan Chase put 76 million households and 7 million small business accounts at risk following the theft of an employee's digital identity. Although no money was directly stolen, the exposure of contact data and the scale of the attack forced the bank to make a massive annual cybersecurity investment of $250 million.
16. Home Depot POS Malware
A vulnerability in vendor security resulted in malware being installed on payment terminals.
In 2014, hackers who infiltrated Home Depot through a third-party vendor stole 56 million credit card details. Malware planted in POS (point of sale) systems collected data undetected for five months. This supply chain attack cost the company a total of $180 million.
17. MySpace Legacy Data Exposure
Old-generation encryption algorithms jeopardized the security of hundreds of millions of dormant accounts.
In an attack targeting pre-2013 data, MySpace's use of the "unsalted" SHA-1 algorithm facilitated the cracking of 360 million passwords. Although the company invalidated the passwords, this event demonstrated that old and unused accounts are still a valuable mine for cybercriminals and highlighted the risks of legacy algorithms.
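Added example (not from the original article or from any company named in it): a Python illustration of the storage weakness described in items 14 and 17. It shows that unsalted SHA-1 gives identical digests for identical passwords, and how stored legacy digests can be re-protected with a per-user salt and PBKDF2 without needing the plaintext. The account names, passwords and the 600,000-iteration work factor are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware

# Constructed sample accounts (not real data); alice and bob share a password.
ACCOUNTS = {"alice": "Summer2012!", "bob": "Summer2012!", "carol": "tr0ub4dor&3"}

def legacy_sha1(password):
    """Legacy scheme from the text: one fast, unsalted SHA-1 per password."""
    return hashlib.sha1(password.encode()).hexdigest()

def wrap_legacy(sha1_hex, salt=None):
    """Re-protect a stored SHA-1 digest with a per-user salt and a slow KDF.

    Needs no plaintext password, so dormant accounts can be migrated too.
    """
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", sha1_hex.encode(), salt, ITERATIONS)
    return salt, key

def verify(password, salt, key):
    """Recompute SHA-1, then PBKDF2, and compare in constant time."""
    _, candidate = wrap_legacy(legacy_sha1(password), salt)
    return hmac.compare_digest(candidate, key)

def duplicated(values):
    """Number of stored values that also appear on another account."""
    counts = Counter(values)
    return sum(n for n in counts.values() if n > 1)

def migrate(accounts):
    """Return (legacy table, migrated table) for the sample accounts."""
    legacy = {user: legacy_sha1(pw) for user, pw in accounts.items()}
    migrated = {user: wrap_legacy(digest) for user, digest in legacy.items()}
    return legacy, migrated

if __name__ == "__main__":
    legacy, migrated = migrate(ACCOUNTS)
    print("identical digests, unsalted SHA-1:", duplicated(legacy.values()))
    print("identical digests, salted PBKDF2: ", duplicated(k for _, k in migrated.values()))
    print("alice can still log in:", verify("Summer2012!", *migrated["alice"]))
```

Wrapping is a stopgap for accounts that never log in again. At the next successful login, rehash directly from the password and drop the SHA-1 layer.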
18. FriendFinder Sensitive Data Leak
An attack on networks with sensitive content exposed government and military email addresses.
In 2016, FriendFinder Networks leaked 412 million accounts due to an LFI (Local File Inclusion) vulnerability and weak encryption. The presence of government and military email addresses in the database increased the severity of the leak. The incident proved that even sites appearing "non-sensitive" can pose blackmail and national security risks.
19. Marriott Starwood Integration Error
A lack of auditing during corporate mergers opened the door to a leak that lasted for years.
In 2018, Marriott failed to notice a vulnerability in the legacy system of the Starwood hotels it had acquired, resulting in the theft of data belonging to 500 million guests. The leak, which included passport numbers, was found to have been ongoing since 2014. The event emphasized how critical cyber risk analysis (due diligence) is during merger processes.
20. Adobe Source Code Theft
Security vulnerabilities during cloud transformation led to the theft of source code.
In 2013, Adobe had 38 million credit card details stolen along with the source code of products like Acrobat. Fundamental errors, such as using the same encryption key for all users, revealed architectural weaknesses during the transition to the cloud and the vital importance of key management.
