8 Compromised Security Examples to Help You Learn From Others’ Mistakes
Individuals, companies, and governments continue to underestimate the dangers of lax or non-existent cybersecurity. Most of the time, the attackers’ attempts fail, or they get away with scraps. However, sometimes they succeed so spectacularly that the whole world takes note.
Here are eight real-world examples of the damage compromised security can cause. We focus more on the different factors that led to the compromises than on the most prominent cases. Still, you’ll find some of the most infamous ones here, too. Keep in mind that no matter how high the numbers seem, these examples are a drop in the bucket.
Outdated Security Practices – Yahoo
Failure to adapt its cybersecurity to emerging threats caused Yahoo to be the victim of the largest recorded set of data breaches to date. In a series of incidents that spanned several years, hackers were able to expose an astonishing 32 million user accounts.
These included information ranging from usernames and passwords to answers to security questions. The culprits used a vulnerability that allowed them to gain access through cookies while bypassing login requirements.
Yahoo’s negligent use of an outdated encryption method made cracking part of the passwords easy. This was among the final nails in the former search engine giant’s coffin and contributed to a substantially lower offer when Verizon finally bought it in 2017.
Undiscovered Vulnerabilities – Microsoft
A data breach doesn’t need to affect millions to be devastating. Microsoft learned that lesson well in 2021 when cybercriminals exploited four undiscovered vulnerabilities to hack Microsoft Exchange.
The incident let culprits access and wreak havoc on any client using the service in combination with local servers. Microsoft Exchange is a popular business solution, and the aftermath affected around 60,000 businesses worldwide.
Poor Website Design – First American Corporation
Malicious intent isn’t always the cause of data compromise. In the case of the First American Corporation’s 2019 data leak, inadequate website design was to blame.
Anyone could have looked up almost 900 million records showing SSNs, driver’s licenses, or wire transfers just by visiting a webpage and inputting different numbers at the end of the URL to get to other records. Luckily, there was no compromise since the company identified and addressed the issue in time.
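The design flaw described above is a record lookup that trusts the number in the URL. The following is an added example, not code from First American or from this article: it contrasts a lookup keyed only on the ID with one that checks the session's ownership of the record. All names and sample records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str

# Constructed sample records with sequential IDs (not data from the incident).
STORE = {
    1001: Document(1001, "alice", "closing statement A"),
    1002: Document(1002, "bob", "wire instructions B"),
    1003: Document(1003, "carol", "title deed C"),
}

class AccessDenied(Exception):
    """Raised when the caller may not read the requested record."""

def fetch_unchecked(session_user, doc_id):
    """Weak pattern: the ID from the URL is the only thing selecting the record."""
    return STORE.get(doc_id)  # session_user is never consulted

def fetch_authorized(session_user, doc_id):
    """Corrected pattern: require a session and check ownership on every lookup."""
    if session_user is None:
        raise AccessDenied("authentication required")
    doc = STORE.get(doc_id)
    # Same error for "missing" and "not yours", so replies do not confirm which IDs exist.
    if doc is None or doc.owner != session_user:
        raise AccessDenied("not found")
    return doc

def exposed_to(session_user, fetch):
    """Audit helper: list every stored ID that session_user can read through fetch."""
    readable = []
    for doc_id in sorted(STORE):
        try:
            if fetch(session_user, doc_id) is not None:
                readable.append(doc_id)
        except AccessDenied:
            pass
    return readable

if __name__ == "__main__":
    print("unchecked, anonymous:", exposed_to(None, fetch_unchecked))
    print("authorized, alice:   ", exposed_to("alice", fetch_authorized))
    print("authorized, anonymous:", exposed_to(None, fetch_authorized))
```

Running the audit helper against both lookups in a test suite catches a regression where a new endpoint skips the ownership check.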
Phishing – OCBC
Phishing is among the most widespread and devastating cyberattacks, as our next example proves. Hackers targeted customers of Singapore’s OCBC bank during the 2021 holiday season. They followed the phishing playbook, sending official-looking emails that claimed they were from the bank.
Clients were coerced to click on links inside the emails. These took them to phony sites made to look like the real deal. Once clients entered their banking details, the hackers gained access to 400+ accounts and stole $8.5 million.
Spear Phishing – FACC
Phishing casts a wide net in hopes of snagging less than one in a thousand victims. Spear phishing is more sophisticated since it targets specific individuals through credible emails.
One of the best-known examples comes from Austrian aeronautics manufacturer FACC. After receiving what he thought was an email from the CEO, an employee transferred more than 60 million dollars to the scammer’s bank account. He was fired, but the company also sued the CEO and CFO for failing to take cybersecurity seriously.
Ransomware – Colonial Pipeline
Perhaps the most destructive incident on our list comes courtesy of ransomware. Colonial Pipeline is a Texas-based oil & fuel supplier that services much of the Southeastern United States.
A ransomware attack crippled its pipeline network in 2021, forcing the company to halt operations and pay 75 bitcoins ($4.4 million at the time) to get a decryption key that would let them resume operation. Even though CP acted quickly, it couldn’t provide services for days. There are no official accounts of total damages, but they might reach billions.
In this case, hackers were able to access the network by obtaining an employee’s password. Indeed, poor password security is a common denominator for most of these attacks.
Users can’t prevent cyberattacks targeting companies, but they can minimize the damage by keeping their passwords long, complex, and unique. The best and most streamlined way to do so is by using a secure business password manager.
Mobile Ransomware – Flocker
Just because ransomware primarily attacks computer systems doesn’t mean smartphones and other devices are safe. Flocker is a Trojan discovered in 2016 that can infect Android smartphones and smart TVs alike.
It first detects the infected device’s IP address and activates 30 minutes thereafter if the address indicates a favorable location. Flocker denies phone access, but it was also among the first of its kind to render smart TVs unusable unless one pays the $200 ransom or deletes it through other means.
Malicious Insiders – Cash App
Hackers aren’t the only ones to blame for cybersecurity incidents. Disgruntled (or ex) employees have clear access and the most comprehensive knowledge of a company’s systems. That makes them exceptionally dangerous if safeguards aren’t in place that revoke their privileges and retire their accounts.
Cash App was the victim of one such former worker. The culprit stole records containing the names and activities of more than 8 million users participating in the app’s investment portfolio services. There was no PII to tie to these records, and nothing leaked, so no one was affected. Even so, the incident highlights the importance of strong internal cybersecurity measures.