5 Examples of Security Breaches

Data breaches continue to dominate headlines, causing serious consequences for organisations globally. Recent worldwide events have reshaped how we live and work, creating an environment highly vulnerable to cyber attacks and security breaches.

Each year, hundreds of millions of cyber attacks occur, exposing billions of sensitive records. While all sectors face threats, industries like healthcare remain particularly vulnerable, often accounting for a large portion of reported data breaches.

Sensitive data is an extremely valuable asset, and cybercriminals constantly exploit system vulnerabilities to steal information for financial gain and fraudulent activities. Research indicates that most breaches are financially motivated, with phishing, ransomware, malware, and stolen credentials as the top attack vectors.

Below, we explore five of the most notable recent security breaches and their impact.

Top 5 Security Breaches

1. Marriott

In March 2020, Marriott disclosed a significant security breach affecting more than 5.2 million guests. Hackers accessed data through the login credentials of two employees, targeting a third-party application. Exposed information included names, addresses, emails, phone numbers, loyalty account details, company affiliations, gender, birth dates, linked airline loyalty numbers, and guest preferences.

The breach did not affect payment information, passports, national IDs, or driver’s licences. This was Marriott’s second major breach within two years; in 2018, the personal data of up to 500 million guests was exposed. The ICO fined Marriott $124 million for security deficiencies, and this latest incident may further undermine consumer trust.

2. EasyJet

In May 2020, EasyJet confirmed a cyber attack compromising email addresses and travel details of nine million customers, with 2,208 having their credit card details accessed. Initially, the airline reported no evidence of data misuse, but Action Fraud received reports of identity theft following the breach.

Despite the attack occurring in January, EasyJet disclosed it four months later. Under GDPR, breaches must be reported within 72 hours. The delay was attributed to the attack’s complexity. The ICO may assess the breach with a proportionate approach due to pandemic pressures on the aviation sector.

3. MGM Resorts

In July 2019, MGM Resorts experienced a major breach when a hacker accessed one of its cloud servers. In February 2020, personal data of 10.6 million guests, including names, addresses, emails, phone numbers, and dates of birth, appeared on the dark web. High-profile guests affected included Justin Bieber, Twitter CEO Jack Dorsey, and government officials.

The full scale of the leak involved over 142 million guests’ records, available for $2,900 on a cybercrime marketplace. MGM Resorts confirmed no financial or password data were compromised and notified affected individuals.

4. Nintendo

In April 2020, Nintendo reported a breach affecting 160,000 accounts, caused by a suspected credential stuffing attack. Hackers used previously stolen credentials to access accounts, purchasing digital items and viewing sensitive user information such as name, email, date of birth, gender, and country.

Later, an additional 140,000 accounts were compromised, totalling 300,000 affected accounts. Nintendo reset all passwords and urged users to avoid reusing passwords across services.

5. Zoom

In April 2020, Zoom suffered a breach exposing login credentials for over 500,000 users. Hackers used credential stuffing, exploiting combinations obtained from previous breaches. Stolen data included login credentials, emails, personal meeting URLs, and Host Keys, enabling unauthorised access to meetings.

Learn More About MetaCompliance’s Cybersecurity Solutions

• Human Risk Management Platform
• Automated Security Awareness
• Advanced Phishing Simulations
• Risk Intelligence & Analytics
• Compliance Management

If you’re interested in a personalised demo, contact us here.