It's tempting to believe that important data breaches only happen in the US and the figures tend to bear that out – the US accounts for the overwhelming majority of the really big data breaches that have been made public, some of them absolutely vast. But US laws and regulations force organisations to admit to data breaches involving the customer, something which is not true in all countries.
In the UK, the most important piece of legislation organisations must worry about is the Data Protection Act and the possibility of fines by the Information Commissioner's Office (ICO). Below we offer what we believe are the most significant data breaches to hit the globe, not in all cases because they were particularly large but because of the type of attack or vulnerability involved or the sensitivity of the data compromised.
Globally, the UK currently ranks a distant second behind the US for data breaches, which is no cause for complacency. Many of the breaches mentioned here happened in the last two years. Undoubtedly, larger and more serious breaches lie ahead.
This list is in chronological order.
FedEx
A subsidiary of delivery and logistics multinational FedEx stored extremely sensitive customer data in an open Amazon S3 bucket, essentially making all the information public.
The tranche of data was discovered by Kromtech security researchers on 5 February. The culprit looks like it was a company called Bongo International LLC, a package-forwarding business set up to make buying American goods easier for global customers, which was bought by FedEx in 2014.
It included thousands of scanned documents for citizens in America and globally – with passports, driving licences and security IDs all open for access in the bucket, as well as home addresses, postal codes and phone numbers.
Researchers pointed out that the data seems to have been from 2009 to 2012, before the company was bought out.
Kromtech's Bob Diachenko commented that anyone who used Bongo International during that era is at risk of having had their documents online for years.
"[It] seems like that bucket has been available for public access for many years in a row," Diachenko said. "Applications are dated within the 2009-2012 range and it is unknown whether FedEx was aware of that ‘heritage’ when it bought Bongo International back in 2014."
Ai.Type
An open MongoDB-hosted database owned by custom keyboard app Ai.Type exposed 577GB of customer data and was available to anyone who cared to look, potentially revealing the information of 31 million customers.
Security researchers at Kromtech uncovered the breach in December 2017, putting it down to Tel Aviv-based Ai.Type having misconfigured a MongoDB database.
Ai.Type provides keyboard themes for Android users, but as Bob Diachenko writes in MacKeeper, researchers were shocked to find the app requested full access to a personal device – including "all keyboard data past and present".
"This is a shocking amount of information on their users who assume they are getting a simple keyboard application," he writes.
The tranche of data included more than six million records from users' contact books, including names and phone numbers, and more than 373 million records scraped from users' phones in total, including contacts that were synced to the linked Google account.
Ai.type founder Eitan Fitusi seemed to dismiss the gravity of the leak. Speaking with the BBC, Fitusi said it was a "secondary database" and that IMEI information was not gathered and geo-location data wasn’t accurate. He also said user behaviour collected by the company was based only on ads that they clicked. The database has been shut down.
MongoDB database leaks have a history of their own, including a spate of ransomware attacks earlier in the year and a large cache of data hosted by a children's toy company, CloudPets, that had no authentication and could be found on the IoT search engine Shodan.
Clarksons
British shipbroker Clarksons has warned shareholders that it may face a data breach in the coming weeks following its refusal to pay a ransomware demand.
London-listed Clarksons, founded in 1852, brokers boats for cargo that ranges from petrochemicals, crude or petroleum, to dry cargo and gas, as well as serving offshore field development, offshore rigs, dry cargo and products like cars.
In its warning notice posted 29 November Clarksons said it was responding to a cybersecurity incident, and said: "As soon as it was discovered, Clarksons took immediate steps to respond to and manage the incident.
"Our initial investigations have shown the unauthorised access was gained via a single and isolated user account which has now been disabled.
"Today, the person or persons behind the incident may release some data.
"The data at issue is confidential and lawyers are on standby wherever needed to take all necessary steps to preserve the confidentiality in the information."
The statement went on to say it is working with security specialists for further investigation and that it was in the process of conducting a "wider review" of cybersecurity that began earlier in the year.
Shares dropped 2.71 percent in yesterday's afternoon trading following the announcement.
Uber
Uber concealed a hack that affected 57 million customers and drivers worldwide and 2.7 million users in the UK, the company has confirmed.
The breach - which took place in 2016 - was kept under wraps by the taxi-hailing firm, which paid hackers $100,000 (£75,000) to delete the data.
Uber confirmed that names, email addresses and mobile phone numbers of customers were exposed and that, of the 57 million impacted, 600,000 drivers had their names and licence details compromised.
And while the drivers have been offered free credit monitoring protection, the firm is yet to offer anything to affected customers.
According to Bloomberg, Uber's former chief executive Travis Kalanick knew about the breach over a year ago. The firm's chief security officer Joe Sullivan has left the company.
In a written statement, Uber CEO Dara Khosrowshahi said: "While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection.
"None of this should have happened, and I will not make excuses for it."
Uber confirmed to the Information Commissioner that 2.7 million - over half - of Uber's UK users had been affected. The National Cyber Security Centre suggested "vigilance" against email phishing or scam phone calls in light of the hack.
Pizza Hut
Pizza Hut has revealed that its website and app were hacked on 1 October, with personal information for an undisclosed number of customers being jeopardised.
The hack is thought to have compromised billing information including delivery addresses, email addresses and payment card information containing account numbers, expiration dates and CVV numbers.
Pizza Hut has sent out emails to customers informing them of the breach, which reveal Pizza Hut knew of the breach two weeks before disclosing it.
In the email, the company said: "Pizza Hut has recently identified a temporary security intrusion that occurred on our website. We have learned that the information of some customers who visited our website or mobile application during an approximately 28-hour period (from the morning of October 1, 2017, through midday on October 2, 2017) and subsequently placed an order may have been compromised.
"Pizza Hut identified the security intrusion quickly and took immediate action to halt it."
It's unclear how many customers have been affected by the hack, but a figure of 60,000 US customers has been reported by Slashdot.
Yahoo
Yahoo has disclosed that all of its 3 billion email users were likely compromised in a 2013 breach that it disclosed last year, breaking its own record for largest ever potential data breach.
The initial breach was disclosed in mid-2016 when Yahoo thought it had affected as many as 500 million accounts. This figure climbed to 1 billion by the end of the year, and as many as 3 billion today.
In a statement posted to a help page, Yahoo said: "Based on an analysis of the information with the assistance of outside forensic experts, Yahoo has determined that all accounts that existed at the time of the August 2013 theft were likely affected.
"It is important to note that, in connection with Yahoo's December 2016 announcement of the August 2013 theft, Yahoo took action to protect all accounts.
"The company required all users who had not changed their passwords since the time of the theft to do so. Yahoo also invalidated unencrypted security questions and answers so they cannot be used to access an account."
Yahoo previously said it believed hackers gained access by creating forged cookies, letting attackers into accounts without needing a password.
"We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft we disclosed on 22 September 2016," the company said.
Deloitte
One of the world's biggest accountancy firms, Deloitte, has been hit by a cyber attack, The Guardian revealed today (25 September 2017).
The hackers may have gained details from the organisation's blue-chip clients, including usernames, passwords, personal details and even confidential emails detailing private plans and documents.
The attack - which could have been going on unnoticed for months - is said to have compromised Deloitte's global email server via an administrator's account, granting the hackers access to restricted areas and information.
It is also believed that Deloitte did not have two-step verification set up, with access requiring only a single password.
Six unnamed clients of Deloitte have been told their information was 'impacted' by the hack, according to The Guardian, although further details are bound to be revealed as the matter continues.
"In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte," a spokesman told The Guardian.
"As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.
"Our review enabled us to determine what the hacker did and what information was at risk as a result. That amount is a very small fraction of the amount that has been suggested."
Although the breach is thought to affect mainly US customers, the impact on the UK is yet to be revealed.
Equifax
Global information solutions company Equifax reported a major cybersecurity incident earlier this year, affecting 143 million consumers in the US.
The breach - initially discovered on 29 July - is thought to have revealed the names, Social Security numbers, birth dates and addresses of almost half the US population.
Also compromised were the credit card numbers of 209,000 consumers and the personal identifying information of 182,000.
Equifax, with investments in 23 other countries worldwide, initially reported that some customers in the UK were also affected, estimating around 400,000.
However, the company admitted today (11 October 2017) that the data of some 694,000 UK customers was compromised.
The credit firm went on to say that up to 15,000 UK customers have had their financial information and passwords stolen, including partial credit card information.
Equifax had previously denied that any UK customers' personal and financial information was stolen.
"This is clearly a disappointing event for our company and one that strikes at the heart of who we are and what we do," said CEO Richard F. Smith in a statement after the initial breach. "I apologise to consumers and our business customers for the concern and frustration this causes."
Perhaan understatement, considering the company's share price visibly plummeted 13 percent and is expected to fall further.
Equifax, together with fellow credit monitoring companies Experian and TransUnion, has set up a dedicated website and phone line for victims, and is offering free identity theft insurance to all US consumers.
Three Equifax executives sold their shares soon after the incident, before the company's disclosure, for a combined $1.8 million. The breach put victims at a high risk of identity theft and consumers were told to watch their credit score and stay alert.
CEX
One of Britain's largest retail franchises, CEX, disclosed it has been hit by a data breach that could have compromised the information of as many as 2 million customers – including personal details like names and addresses.
In a statement posted to its website, CEX said that despite its best efforts at "robust security" a "sophisticated" attack compromised the data of up to 2 million customers. These details included names and surnames as well as email addresses and phone numbers.
A "small number" of encrypted credit card details were thought to be at risk as well, but the company, which owns the WeBuy.com website, noted that these would only be expired cards as the business stopped storing financial data in 2009.
CEX advised affected customers – who were notified by email – to change their passwords as a precautionary measure.
Commenting on the breach, chief scientist at McAfee Raj Samani said: "Given the increasing amount of reported data breaches, it would be simple to shrug off the news as just another in a long line of companies impacted by digital crime.
"However, two million people will now be wondering just what the lasting impact of their personal data being disclosed will have on them. This concept of breach fatigue is a very real issue, and until further data becomes available that will determine whether CEX implemented the appropriate controls, we should be careful before apportioning any blame."
CEX did not disclose any further details of the breach but said it had introduced additional security measures and is working with the appropriate authorities, including the police.
Onliner Spambot
A security researcher in Paris has unearthed an open web server hosted in the Netherlands that contains as many as 711 million usernames and passwords.
Infosec researcher and blogger Troy Hunt was contacted by cybersecurity researcher Benkow, who pointed Hunt towards a machine that the "Onliner Spambot" was making use of to deliver the Ursnif banking malware. The data on the server is a mixture of email addresses on their own, which are used as spam targets, and email addresses with passwords, which are used to log into SMTP servers to send out the spam, as Benkow details in his own write-up.
Troy Hunt runs the Have I Been Pwned (HIBP) website, where users can crosscheck their email address with known breaches to see if their accounts might have been compromised.
The 711 million figure is by far the largest data dump that's been pulled into HIBP.
"Just for a sense of scale," Hunt writes, "that's almost one address for every single man, woman and child in all of Europe."
The data is likely to contain considerably fewer 'real' emails than 711 million, as it also includes addresses with junk prefixes, poorly formed emails, or otherwise fake addresses that could have been scraped from the web. Nevertheless, the number of potentially compromised accounts is enormous.
Bupa
Bupa has suffered a data breach (13 July 2017) affecting 500,000 customers on its international health insurance plan.
The London-based private healthcare group said a Bupa employee inappropriately copied and removed information including names, dates of birth and some contact information; no medical information was compromised, however.
In a written statement, Bupa said that 43,000 of the total number affected had a UK address and that those that bought their medical insurance abroad could also be affected.
"A thorough investigation is under way and we have informed the FCA [Financial Conduct Authority] and Bupa's other UK regulators," said Sheldon Kenton, managing director of Bupa Global. "The employee responsible has been dismissed and we are taking appropriate legal action."
Zomato
Zomato, which provides users with an online guide to restaurants, cafes and clubs, reported that data from 17 million users had been stolen, including email addresses and hashed passwords.
The Indian firm said that it had discovered the breach "recently" and subsequently logged affected users out of their accounts, as well as resetting passwords on the app and the website.
Zomato said in a security notice to customers that users logging in via OAuth services such as Facebook or Google were not at risk, meaning that 60 percent of Zomato customers won't be affected by the breach.
'Eddie' reveals over 560 million passwords
The recent WannaCry ransomware infected 47 NHS England Trusts and hundreds of companies across the world. You'd think things couldn't get any worse. Well, you're wrong. While this isn't a UK company, its effects could have a big impact here.
Security researchers at the Kromtech Security Research Center discovered a massive database of 560 million login credentials which is believed to come from up to 10 popular online services such as LinkedIn and Dropbox, obtained during previous data breaches.
The database was run through the 'Have I Been Pwned' site, which lets users see if their accounts and personal information have been revealed in previous data breaches.
And while the author of the database is unknown, researchers are calling them 'Eddie' after a user profile discovered in the data.
Kromtech researcher Bob Diachenko told Gizmodo that the database was running an insecure version of MongoDB's open-source database software. He said it still remains active and unprotected.
Wonga
Payday loan company Wonga has fallen victim to a large data breach that could have hit as many as 245,000 of its customers, exposing bank account numbers and sort codes.
In a customer help page Wonga said it is "urgently working to establish further details and contacting those who we know have been impacted". Along with bank account numbers and sort codes, Wonga believes that full names, email addresses, home addresses, phone numbers, and the last four digits of debit card numbers may also have been taken. The company thinks passwords are safe but recommends customers change these regardless.
It advises customers notify their banks and request that their accounts are put on alert for unusual activity. But Wonga also states that it believes accounts are now secure and no action is required. At the same time, it recommends being "extra vigilant" across "other accounts and online activity".
Wonga's statement finishes: "We take issues of customer data and security extremely seriously. Cyber attacks are, unfortunately, on the rise. While Wonga operates to the highest security standards, these illegal attacks are unfortunately increasingly sophisticated. We sincerely apologise for the inconvenience and concern this has caused."
Commenting on the attack, James Thompson, regional director for EMEA at authentication company SecureAuth, said that it will serve as a "hefty reminder" to any organisation holding personal and financial data to "continually innovate security and authentication to keep ahead of attackers."
"Recognising user behaviours that are out of character for an account is key to protecting against actors staying undetected within your network," Thompson said. "Businesses need to be able to identify and flag deviations in user behaviour."
Three (update)
A major breach of Three's customer upgrade database revealed last November is worse than the network operator initially thought, it was disclosed this week.
The original hack - revealed in November 2016 - occurred when Three's upgrade database was accessed using an employee login. At the time the company said that no financial information was stolen, but names, phone numbers, addresses and dates of birth were taken.
Three said that of its 9 million customers it believed the data of 133,827 people was compromised.
This week Three said 76,373 more customers had been breached. The investigation is ongoing but the company claimed no further customer breaches are expected.
Commenting on the disclosure, IT security specialist at ESET, Mark James, said: "As always with this type of data breach the focus seems to be on financial information not being obtained, but when you look at names, addresses, dates of birth and methods of payment, the bank details are the easiest to change.
"The type of information we either would not or could not change is being sold, traded, stored or accessed online by cybercriminals to build a profile of you, the victim. It is then reused much later down the line, often to get more information that can be used either for financial gain or identity theft."
Sports Direct
Sportswear retailer Sports Direct failed to tell its entire workforce that they might have had their personal credentials stolen in an internal security breach.
The Register reports that Sports Direct noticed its systems had been compromised in September 2016, but it wasn't until December that they discovered the data breach – including names, email addresses and phone numbers.
The attacker reportedly gained access through an unpatched content management system running on the open source DNN platform.
Sports Direct did notify the Information Commissioner's Office but avoided sharing details of the breach with staff – because there was no evidence that the data had been copied.
Sports Direct did not comment on the breach.
Three
Three, one of Britain's largest mobile operators, has revealed it has had a major data breach that could put millions of its customers at risk.
According to The Telegraph, hackers accessed Three's customer upgrade database by using an employee login.
Three said that the data accessed did not include any financial information but did say that names, phone numbers, addresses and dates of birth of its customers were obtained.
Since the announcement of the breach (the evening of 17th November), police have arrested three men in connection with the breach.
Tesco Bank
Late last year, Tesco Bank, the consumer finance wing of the British supermarket giant, froze its online operations – after as many as 20,000 customers had money stolen from their accounts.
Chief executive Benny Higgins said in a statement published on the Tesco Bank website that 40,000 accounts had been compromised – and half of those had money stolen from them. Customers will be able to use their cards for cash withdrawals, direct debit and chip and pin, but will not be able to make online transactions until the situation is under control.
The bank only confirmed that it was subject to criminal activity, and did not describe the attack.
Tesco Bank, which has over seven million customer accounts, has said it will cover any financial costs of the breach. Higgins said: "Any financial loss that results from this fraudulent activity will be borne by the bank. Customers are not at financial risk."
But one customer, Kevin Smith, from Blackpool, told the BBC that he had lost £500 from one of his accounts, while another claimed to have lost £600 and been left without emergency funds from the bank.
According to Adrian Davis, managing director for EMEA at (ISC)2, the independent body for infosec professionals, the breach is evidence of Tesco Bank losing control of operational risk.
"I believe we are at a point where, despite growing awareness of the issues, business leaders are losing control and visibility of core business risk," Davis said. "They have not realised just how much their organisations have changed in the digital age and how this is leaving them vulnerable. They have not treated cyber risk as anything more than an IT problem, and now they, and we, are paying the price."
Sage
As a FTSE-100 firm, the apparent insider attack admitted by accounting and HR software firm Sage could turn out to be one of the most important in UK data breach history if its scale is confirmed.
According to the firm, the employee data of up to 280 UK customers representing a large number of individual users could be at risk. "We are investigating unauthorised access to customer information using an internal login," the firm said in a vague statement that will inevitably re-ignite the contentious issue of insider access.
Kiddicare
Online child products retailer Kiddicare was forced to admit it had exposed real customer data when testing a new website in 2015.
In this case, the mistake was only noticed when customers started receiving suspicious SMS text messages asking them to take an online survey, and an investigation eventually uncovered the error.
As with many UK breaches, the company played down the fact it had let names, addresses and contact details of up to 800,000 people fall into malevolent hands with the excuse that no credit card data had been compromised (which would have been its liability had it done so).
TalkTalk
Publicised in October 2015, TalkTalk initially struggled to confirm how many of its four million customers were affected after hackers exploited a reported weakness in the firm's website.
TalkTalk CEO Baroness Dido Harding sounded disquietingly vague about the attack's scale when interviewed on TV, and it later transpired that a 'mere' 157,000 personal records had been compromised.
Shockingly, the incident was the second (and possibly third) data breach affecting the company in under a year, which could mark it as the moment when dissatisfaction over the rising number of breaches becomes both political and mainstream in the UK.
Moonpig
Another big one: a software flaw in the firm's Android app let a researcher access the records of any Moonpig account holder he tried, in theory compromising a total of three million people.
Just as seriously, the researcher had reported the issue to the firm 18 months before going public in early 2015, after receiving an inadequate response. The incident is significant partly because it involved a mobile app rather than the more common website breach.
Think W3 Limited
A serious attack in which a hacker was able to get his or her hands on 1,163,996 credit and debit card records from online holiday firm Think W3 by using an SQL injection attack to exploit a weakness on its website. The ICO described the incident as a "staggering lapse" and fined it £150,000.
A direct victim of the infamous and widespread Heartbleed SSL software flaw, the compromise allowed hackers to access anything up to 1.5 million user accounts on the hugely popular site, its owners revealed.
Although the data inside these accounts was less sensitive than for some of the other accounts, the hack revealed both the potency of big but undiscovered software issues affecting multiple sites and that even big brands could be affected.
A re-run on the lost laptop theme that people assumed had been consigned to history, this time involving 125,000 students and applicants on a computer stolen from a car. But the files had been password-protected said the University, plaintively. That wouldn't have been much of a barrier to the name, address, telephone number and email data.
We included this incident as a reminder that just because times have moved on doesn't mean the old problems go away.
Morrisons
An unusual example of the insider attack: the attacker published details of the firm's entire workforce database online, 100,000 employees in all. An employee was eventually arrested for the incident and will presumably come to court at some point, which could reveal more details of how the firm's security was bypassed. Insider events are rare but particularly feared because they abuse privileged access that is hard to lock down. Some employees later launched legal action against Morrisons.
Yahoo (earlier breaches)
It seems hard to pin down just one data breach spawning from Yahoo's 22 years in business. Last year appeared to unearth a mammoth lack of security on Yahoo's part with reports uncovering a breach affecting over 500 million Yahoo user accounts during 2014.
Another data breach was reported dating back to 2013, in which an unprecedented 1 billion user accounts were thought to have been affected, creating the largest ever recorded information breach. It's believed that names, email addresses, telephone numbers, security questions (both encrypted and unencrypted) and their answers were exposed during the breach.
Yahoo is now facing numerous lawsuits after being criticised for not disclosing this information sooner, impacting its sale to Verizon, which reduced its bid by $350 million from the initial $4.8 billion price tag.
Most recently, Yahoo revealed this week that 32 million user accounts were compromised in the last two years. The accounts were said to have been accessed using forged cookies which enable an intruder to access an account without its password.
And while it's not a UK-based company, Yahoo has a large number of UK customers, which its data breaches have impacted.
Brighton and Sussex University Hospitals NHS Trust
The Information Commissioner (ICO) ended up imposing a fine of £325,000 after sensitive patient data of thousands of people was discovered on hard drives sold on eBay.
An investigation found that at least 232 de-commissioned drives that should have been deep cleaned and destroyed by a contractor ended up being sold second hand.
Sony PlayStation Network
The largest data breach in history at the time, Sony's disastrous 2011 breach saw hackers make off with the customer records of 77 million people relating to its PlayStation Network, including a small number revealing credit card numbers.
Apart from downing the company's systems for an extraordinary 23 days, the breach crossed national frontiers, affecting people from all over the world, including the UK.
Britain's ICO eventually issued a £250,000 fine for what will go down as the first big data breach to affect people across the globe.
Sales staff were caught selling customer records to brokers who used the information to market them as their contracts were coming to an end. It was never clear how many records were involved in this murky insider trade but it was believed to run from half a million to millions. Initially, the ICO refused to name the firm but was forced to after rival networks said they were not involved, leaving only one name.
In 2011, the two employees involved were fined £73,000 by the courts.
HM Revenue & Customs
Probably the most infamous large data breach ever to occur in the UK: two CDs containing the records of 25 million child benefit claimants in the UK (including every child in the country) went missing in the post.
There was never any indication that these password-protected discs had fallen into the wrong hands but the incident underlined how valuable data was being handled by poorly trained junior employees.
Nationwide Building Society
The moment data breaches entered public consciousness in the UK, the Nationwide incident involved an unencrypted laptop stolen from a company employee that put at risk the personal data of 11 million savers. The UK's poor disclosure rules made it difficult for outsiders to get information on what had occurred.
The Financial Services Authority (FSA) eventually fined Nationwide £980,000, still the largest sum ever imposed for data loss in the UK, seen at the time as a warning shot for other firms that might have similar incidents. Not everyone noticed.
It took six weeks after credit reporting agency Equifax found out it had been hacked for the company to notify the 143 million customers whose private data was at risk. Following what might be the worst data breach of the past decade, such a long delay is shocking — but given the lack of regulation it’s not all that surprising.
Companies have often taken liberties with time when notifying customers of a hack. But doing so brazenly puts their customers at risk while these companies avoid consequences. Such situations illustrate exactly how certain companies can easily prioritize their bottom line over customers’ financial security and privacy, especially when industry-wide standards for safety are largely unmet or simply nonexistent as more personal data becomes digitally accessible.
What sets Equifax’s latest breach apart has less to do with numbers — Yahoo’s data breach last year affected 500 million accounts — than the value of the data stolen. Still-unknown hackers gained access to a trove of names, birth dates, Social Security numbers, and addresses of Equifax users. With so much personal information, criminals can easily apply for fraudulent loans, open bank accounts or credit cards, make scams feel more convincing, and more.
It hasn’t helped that Equifax has handled the situation incredibly poorly. High-level executives sold off almost $2 million of the company’s stocks after finding out about the breach in late July, weeks before they went public about the hacks, which prompted the company’s stock to fall 18 percent as of this week.
To crown it all, Equifax sought to make good with customers by offering free credit monitoring and identity theft protection. But any customers who took advantage of the deal might waive their right to join a class action lawsuit against the company. After public outrage, the company made clear that the clause did not apply to the latest hack. Some 30 lawsuits against the company have already been filed.
A breach of this proportion serves as a warning for what may lie ahead. Hacks will only grow more sophisticated and prevalent. As our world continues to migrate to digital spaces, our data becomes more valuable — and more at risk — than ever.
But companies are not incentivized to prioritize our privacy. They need to be pressured. “The only good way for these things to be stopped is for the giant organizations holding this information to be better regulated,” said Jessy Irwin, a cyber security consultant.
Companies have legitimate reasons to delay informing consumers about a hack. But the decision can also be driven by self-interest.
Right now, there is little national oversight on how companies handle data privacy. When it comes to notifying consumers that their data has been stolen, laws vary state to state and differ in how much time and how much information companies are required to divulge. Equifax is based in Georgia, a state where there is no timeline specified for when a company must notify customers about a breach.
There are legitimate reasons why a company would choose to wait before going public. Sometimes they are cooperating with law enforcement who don’t want to sabotage their investigation into the source of the hack. Companies also might not be aware of the extent of the damage, requiring time to investigate before letting users know. Some cybersecurity experts believe it’s best to assess the full scope of the hack before letting consumers know and causing panic.
That doesn’t mean that these companies aren’t also driven by self-interest. Data breaches look bad for a company’s reputation. “On the one hand, companies certainly would have a PR incentive to not report breaches to the affected individuals,” said Beth Givens, executive director of California advocacy group Privacy Rights Clearinghouse. In the case of Equifax, the company’s slowness combined with the executives who sold off their stocks prior to the public announcement make the company look like it was minimizing responsibility for a serious consumer problem. The Wall Street Journal also reported Monday that Equifax spent $1.1 million last year lobbying against regulatory laws, including data security and breach notification.
Last year, Yahoo faced criticism for waiting to go public about the data breach for potentially more than a year after it first discovered signs of an attack. In 2014, Target and Neiman Marcus were hit with similar criticism for not going public about credit card data breaches until a third-party cybersecurity blog needled the retailers into coming forward.
“I think it’s really necessary for someone to step up, especially a federal regulator,” Irwin said. “Having to just trust an organization when they have demonstrated that they’re completely untrustworthy, especially in figuring out if you’ve been affected or not, that’s not a viable solution.”
Equifax has yet to disclose why it waited so long to inform customers about the breach. A spokesperson told the Washington Post that the company’s executives had no knowledge of the breach when they sold their stocks. In a company press release last week, Chair and Chief Executive Officer Richard F. Smith said, “We pride ourselves on being a leader in managing and protecting data, and we are conducting a thorough review of our overall security operations.”
But security risks are not isolated to Equifax. The other two main credit monitoring agencies, TransUnion and Experian, could also be the targets of future breaches. The companies have been criticized before for lack of oversight — including regular security audits — that other financial institutions are required to have.
Customers need to know if their data has been hacked to protect themselves
An enormous number of people have been left exposed from this breach. In addition to the 44 percent of the US population affected by this hack, an unknown number of customers in the United Kingdom and Canada were implicated.
Some individuals have used Equifax whether they’ve made the choice to sign up for it or not. Any credit report that gets pulled, such as for background checks for loans or to get approved to rent an apartment, could be from one of the big three credit agencies, including Equifax.
The Federal Trade Commission, charged with regulating credit bureaus like Equifax, has declined to state whether it will launch an investigation after the hack. “We’re trying to get a handle on the scope of all of this. We’re certainly taking this very seriously,” FTC Chair Maureen Ohlhausen told reporters at an antitrust conference, Reuters reported.
Anyone concerned that they were affected by the hack should check their credit accounts immediately for any suspicious activity, set up a fraud alert, and watch their credit card and bank accounts. You could also freeze your credit account to prevent anyone from fraudulently applying for credit in your name. It’s also a good idea to set up two-factor authentication on important financial accounts to deflect hackers with stolen information. (There are several good guides on what to do if you’ve been hit by this attack, including these suggestions from CNN and CNET.)
One of the most important factors is timing. Customers need to make changes and set up alerts as quickly as possible to prevent harm. There is likely a time lapse between when a company is first hacked and when they find out. In that time, it’s possible that the stolen data has already been sold to the highest bidder on the black market. That’s why it’s so crucial for people to be notified as soon as possible if their data has been hacked.
Demanding that companies come forward about breaches — and suffer the hit to their reputation — could also incentivize companies to take security more seriously. Greater transparency also provides more information to cybersecurity researchers who can use this information to prevent more hacks in the future.
Logistics aside, there’s the principle behind this: People have a right to know if their personal data is secure. Our digital identities are extensions of ourselves, and we have a right to know if we are physically and financially secure.
National data breach notification laws, explained
Rep. Lou Correa, a Democratic representative from California, announced on Tuesday he would introduce legislation to regulate data breach notification. House committees including the Judiciary Committee and Financial Services Committee also expressed interest in holding hearings about the issue. But this isn’t the first time there’s been interest in passing such a law. In 2015, Congress failed to pass a bill introduced by Obama mandating companies notify customers 30 days after first indication of a data breach.
Meanwhile, regulations continue to be left up to the states. Currently, 48 states require some sort of disclosure, though timing is only specified in eight states and varies anywhere from 15 to 90 days. For comparison, the European Union has a law going into effect next year requiring companies to notify customers 72 hours after discovering a hack.
But privacy activists aren’t necessarily in favor of a national law. Some, like Givens at Privacy Rights Clearinghouse, fear that federal regulation would be considerably weaker than what some states, including her home state California, require. “Congress is not known for strong consumer protection laws,” she said, adding that the technical world changes fairly quickly and that she has little confidence that federal law would be able to keep up to date.
There’s also the push for data security safeguards that take aim at deeper problems. Companies regularly collect data simply because they might want to use it sometime in the future — there need to be laws that force them to collect only the bare minimum of data necessary. There should also be limits on how long a company can store data, requirements to encrypt anything they collect, and regular security audits. Data breach legislation, Givens argues, should also include regulations like these.
Givens warns that putting the onus on consumers to protect their identity can only go so far. “It’s not fair to blame the victim,” she said. “In order to open up a bank account, rent an apartment, or apply for a job, you have to reveal a lot of personal information. It’s up to those entities that collect that information to protect it.”
Big hacks like the Equifax fiasco put into context just how much control companies have over our personal information. And as the digital world increasingly dictates where we work, play, and live our lives, we need to have control — or at the very least, basic knowledge — over how our digital identities exist in this space.
Companies aren’t incentivized to put their customers first. Whether it’s minimizing how much of our information they collect, fortifying security, or simply telling us they’ve been breached, we can’t depend on these companies in good faith. It’s up to government regulators to keep them in check.