“If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it.” – Tim Cook, CEO of Apple Inc.
The entire digital landscape has evolved into a behemoth of sorts as the number of online attacks targeting individuals, businesses, and governments has risen steadily. And it’s not just money and cryptocurrencies they’re after. Customer or user data has evolved into a powerful tool for businesses to make crucial decisions, which has attracted the attention of cyber criminals all over.
As they continue to get more frequent and sophisticated, cyber attacks ranging from data breaches to account takeovers (ATOs) cost the global economy over $8 Trillion in 2023. Data theft has emerged as the leading problem with far-reaching consequences.
The 2023 IBM Cost Of A Data Breach report revealed that a data breach classified as ‘High Risk’ could cost a company over $4 Million. The Healthcare sector emerged as the most impacted, where the average cost of a data breach stood at around $10 Million. However, industry experts argue that reputational damage hurts organizations even more, especially publicly listed companies.
Hackers and malicious actors are continuously devising new ways to steal sensitive data that can be sold or used as bait for ransom.
With such towering repercussions, aren’t enterprises equipped with the latest solutions to combat these threats effectively? The answer – not quite. Below are some of the biggest data breaches that cost companies millions in the form of compensation, litigation, reputational damage and regulatory scrutiny.
1. Google
Date: February, 2024
Despite its reputation as the poster child for robust platforms, next-gen tech, and integrity in Silicon Valley, even Google couldn’t escape its fate of eventually succumbing to an API leak.
In an incident dating back to 2015, Google’s now-defunct social media platform Google+ allowed external applications and developers to access private user profiles via an API. Furthermore, Google was found to have misled investors in 2018 regarding the severity of the data leak, where 430+ third-party applications could access user profile data via the API. Last month, Google agreed to settle the dispute and settle its shareholders with a $350 million payout.
2. Progress Software
Date: June, 2023
The MOVEit episode at Progress Software was a zero-day vulnerability that affected some of the biggest organizations across the globe. Having originated from Progress’ file transfer application named MOVEit Transfer, the breach exposed the data of over 90 million users spread across 2,500 institutions, which has run up costs and liabilities to >$15 Billion.
The notorious cybercriminal syndicate Clop claimed responsibility for the attack in 2023. Some notable victims of this breach include the US Department of Energy, First National Bank, John Hopkins University, and the NYC Department of Education.
3. T-Mobile
Date: January, 2023
Due to its vast and distributed IT ecosystem, T-Mobile employs dozens of microservices that interact with each other and share sensitive data. With hundreds of APIs in use, the scope of API abuse increases exponentially. As a result, the telecom provider has suffered over five different data breaches in the last three years alone.
The latest cybersecurity gaffe came in January 2023, where a single compromised API exposed the sensitive data of over 37 million customers. Even though T-Mobile assured customers that no sensitive information was leaked, hackers can use this information to launch phishing scams and credential-stuffing attacks.
Still reeling from the 2021 data breach that led to $350 Million in payouts, T-Mobile’s cybersecurity woes continue to mount.
4. MGM Resorts International
Date: Oct, 2023
MGM Grand’s casino services were dealt a blow in 2023 as a ransomware attack aimed at the company disrupted operations in real time. Carried out by a subsidiary faction of the ALPHV ransomware gang, the group carried out an elaborate vishing scam where hundreds of employees were bombarded with calls aimed at extracting login credentials. Using the obtained credentials, the group deployed its ransomware to take control of their systems.
In the wake of this exposure, MGM had to shell out over $10 Million to resolve the breach. Furthermore, widespread disruptions across its slot machines, ATMs, online reservation portals, and PoS machines resulted in a quarterly net loss of over $100 Million for MGM Resorts International.
5. Microsoft
Date: January, 2021
In 2021, cyber-criminal syndicate Hafnium launched a sweeping attack on the Microsoft Exchange email servers and gained access to emails belonging to 60,000+ businesses, government bodies, and enterprises. By exploiting four different zero-day vulnerabilities, the hackers were able to break in and deploy malware, create backdoors to access other internal systems, and ultimately take control of the servers.
The incident is often referred to as the single largest cyber attack on US soil, as over half of the affected 60,000 entities were from the United States. Even though Microsoft was able to initiate remediation efforts by patching server vulnerabilities, those that haven’t upgraded their servers remain at risk.
6. First American Financial Corporation
Date: May, 2019
Although the First American Financial Corporation incident was classified as a data leak and not a breach (because data wasn’t exploited), the episode highlights the threat and risks associated with poor data security measures.
Caused by a website design error known as Insecure Direct Object Reference (IDOR), access to private and sensitive information was granted without authentication or authorization procedures. In the end, over 885 million file records containing information such as bank account numbers, bank statements, social security numbers, and wire transfer receipts were leaked. For ignoring red flags and violating established cybersecurity laws, First American Financial Corp. was slapped with a $500,000 fine by the Securities and Exchange Commission (SEC).
These are just a handful of the prominent data exposures recorded in history. What frightens experts is that most cyberattacks go unrecorded or undetected for years. And when discovered, it’s often too late! While the Fortune 500s may recover from malicious penetrations, data theft could mean the end of SMEs as the financial toll on them will be too high.
Organizations must constantly monitor and enhance their cybersecurity measures at all times as the transmission of sensitive information such as social security numbers, financial records, personal health data, and Personally Identifiable Information (PII) via web applications and APIs continues to rise.
The ideal API and App cybersecurity solution for businesses is as follows:
– Cloud-native and platform-agnostic for seamless integration across applications and microservices
– Capable of protecting APIs & web applications across the entire ecosystem regardless of protocols
– Able to assess weaknesses and automate remediation to protect your systems against further breaches
Check out Wallarm’s comprehensive solution that helps you detect and block attacks in real time significantly reducing costs.