When you entrust your personal information to a company or the state, you do so with faith that they’ve put adequate security in place to protect it. Unfortunately, reality often shatters that faith.
Sometimes the security system in use is laughably inadequate. At other times, the company simply wasn't as smart as the people who breached it. At worst, the company deliberately does something on the wrong side of the law (or right on the line) and tries to hide it.
It's hard to strictly define what qualifies as the "worst" privacy scandal. Many will simply rank them by how many people were impacted. That's one way to look at it, but we also have to look at the depth, ingenuity, and audacity of these breaches. After all, a minor leak that affects millions of people isn't necessarily as serious as a deliberate breach that only affects a few thousand. So in trying to decide what I think the worst breaches are, I tried to take more than just the size of the breach into account.
Let’s look at the contenders.
1. Cambridge Analytica and Facebook (2018)
We've covered the Cambridge Analytica scandal extensively on TechNadu. If you want to get all the juicy details and really understand what happened, go have a look at our own Novak Bozovic's excellent Cambridge Analytica Scandal Analysis.
In short, an independent company managed to scrape the personal info from about 50 million Facebook accounts using Facebook's own API. Even worse, there's speculation that this information could have influenced the US election in which Donald Trump became president.
This massive breach of data wasn't the result of a hack, but simply a weakness in the Facebook API. Apart from the breach itself, the CA scandal is likely to have far-reaching effects when it comes to privacy regulation. Facebook CEO Mark Zuckerberg has been called to testify multiple times already. It's no exaggeration to say that this scandal marks the end of the social media honeymoon!
2. Weeping Angel and Other CIA Tricks (2017)
In April 2017, the whistle-blowing organization Wikileaks released documentation exposing a CIA tool named "Weeping Angel".
The name comes from a monster that features in Doctor Who, a long-running, popular British sci-fi show. In that show, the Angels only attack or move when you look away. The Weeping Angel tool can apparently infect some smart TVs and other consumer devices, which will then spy on you and relay the information back to the spooks. Weeping Angel is only one of a suite of similar tools. If it turns out to be true, this is one of the worst privacy breaches in history.
3. Sweden Outs Itself (2017)
Sweden is known for its trusting and generous nature, something that has been both a blessing and a curse. To give you an idea of how the whole Swedish collectivist culture plays into security, consider that Sweden has an official Twitter account.
Not only that, but they give various Swedes control of the account in turns. As you can imagine, this doesn't always turn out well.
So it's understandable that their attitude to citizen privacy is basically a trust system. At least, that is what it looked like when the Swedish transport agency shared its entire user database with contractors who did not have security clearance. This all happened in 2015, but the scandal only broke in 2017, leading to the firing of two ministers.
4. The Equifax Credit Disaster (2017)
Continuing the horrible track record 2017 had for user privacy is the massive Equifax breach.
Equifax is a credit agency in the USA, one of the three main market leaders. Its job is to keep track of the credit info for every US citizen. This makes it a major target and a treasure trove of user data.
In September 2017 the company admitted that, from around the middle of May through July 2017, hackers had found a weak spot in a web app and tapped into sensitive records. It's estimated that more than 145 million users could have been affected. This is pretty serious info as well: it includes social security information, addresses, birthdays, driver's licenses and more. As breaches go, this one is quite a corker.
5. The CCleaner Backdoor (2017)
CCleaner is a very popular computer maintenance tool that automatically removes the accumulated crud from your computer. It's a well-regarded package and has been reviewed by plenty of reputable outlets.
That made it especially shocking when it came to light that CCleaner contained malware. Specifically, the Floxif trojan was detected in the software package. Floxif can install a "back door" which allows the hacker behind it to access and take over your computer. Just over two million computers were infected, and a small number were loaded with a second-stage infection meant to target specific companies. A clean version of CCleaner was quickly released, but this was one scary scandal.
6. Uber Gets Taken for a Ride (2016)
Uber gets a lot of flak for various reasons. Some people hate it because they say it's unfair competition to traditional taxis. Others don't like the way the company treats its drivers. However, if you really want to dislike Uber, wait till you hear what they did after getting hacked!
In 2016 Uber found itself the victim of a hack that compromised the accounts of 57 million users. The data was breached via GitHub and contained plenty of pirate booty: names, email addresses, phone numbers, license numbers and who knows what else.
OK, so far this is pretty typical, but then Uber apparently paid the hackers $100,000 to keep it quiet! This breach was exposed, but it makes you wonder how much we'll never know thanks to what amounts to ransom payments.
7. Yahoo gets Ya-hacked (2013 and 2014)
Yahoo! used to be an equal contender with the likes of Google, but the modern company is a shadow of its former self. Nonetheless, Yahoo's mail service is still one of the most popular in the world, with literally billions of accounts.
Whether you consider the Yahoo data breach the biggest or not depends on whether you consider it one big breach or several smaller ones. In my view, it was one big continuous raid of Yahoo's systems and if you take it that way it's massive.
It's a story that just goes from bad to worse. The breaches themselves happened all the way back in 2013 and 2014, and Yahoo only reported them in 2016! At first, Yahoo reported that a staggering 1 billion accounts had been affected. Not long after, that number was revised up to a mind-blowing 3 billion.
Yahoo has been rightly sued and various cases are going on as we speak. Can the company ever recover from this? I'm not betting on it. Oh, it turns out there was a Russian connection in this hack and one of those involved has been sentenced to five years in prison.
8. eBay Gets Sold Out (2014)
eBay is still one of the largest and most influential online marketplaces in the world. It revolutionized the humble classified advert, turning peer-to-peer selling into a multi-billion-dollar industry. Unfortunately, this also made it a major target for cybercriminals. In 2014 the company suffered a huge breach in which almost 150 million users had their passwords compromised.
To their credit, the company quickly forced a password reset for everyone. As far as anyone knows, no one actually lost any money or info through this breach, but it could have been much, much worse.
9. PSN Makes Sony Cry (2011)
The Sony PlayStation Network hack is the stuff of legends. It's going to be on lists like this for many years to come. It's not just famous because of how many users were affected, but because it's one of the biggest reparations ever made by a company for a data breach.
In April 2011, the PSN was hit with a major DDoS (distributed denial of service) attack. This caused major service disruption but amounted to nothing more than an annoyance. However, about two weeks later hackers breached the PSN and gained access to personal info. Sony very quickly pulled the entire PSN offline, and the service stayed offline for about three weeks! Since PSN is so central to the PlayStation ecosystem, that created a lot of angry gamers. To make things worse, when the PSN went back online, email system issues made password changes impossible for days.
Facing strong customer backlash, Sony voluntarily made reparations through their "Welcome Back" program. PS3 and PSP owners each got two free games per console from a set list. Sony also offered free membership to the premium PlayStation Plus service. In total, the estimated cost of this hack to Sony was 105 million GBP.
10. Stuxnet Makes the Damage Real (2005-2010)
Stuxnet had the lowest impact of any of the breaches listed here, but it's by far the scariest.
Imagine a piece of malware that doesn't just copy or delete your data. This software can cause physical destruction of equipment and potentially push an emerging society back into the dark ages.
Stuxnet was first talked about publicly in 2010 but has apparently been around since 2005. The software is ingenious and complex, so much so that everyone assumes it was created by a government. Apparently two governments: America and Israel. Neither will admit it though, so it's only speculation.
Stuxnet infiltrates and decimates infrastructure control systems. Think of the software that runs traffic systems, power plants, and factories. It can override the safety limits in these systems and overload mechanical and electrical systems, actually making the equipment break. By some accounts, Iran's nuclear program was set back by years, all thanks to a very clever piece of software, delivered via USB drive.
Records Not Worth Breaking
While it's easy to be awed by the scope and audacity of these breaches, they are hard to celebrate. In a perfect world, none of these breaches would ever be topped. We can only hope that security and privacy practices get to the point where major breaches are a thing of the past. Still, the hacker collective never sleeps and there's no such thing as an un-hackable system.